Opened 4 years ago
Closed 2 years ago
#8003 closed defect (fixed)
Division by zero at libavcodec/aaccoder.c
| Reported by: | Suhwan | Owned by: | |
|---|---|---|---|
| Priority: | normal | Component: | undetermined |
| Version: | git-master | Keywords: | ubsan |
| Cc: | | Blocked By: | |
| Blocking: | | Reproduced by developer: | no |
| Analyzed by developer: | no | | |
Description
Summary of the bug:
There's a division by zero at libavcodec/aaccoder.c:554 and 556.
How to reproduce:
```
% ffmpeg_g -y -r 14 -i tmp.wmv -map 0 -c:v:14 mpeg1video -c:v zmbv -disposition:s:19 v210 -disposition:s flv -aframes 10 -ab 45 -ac 9 -b:v 292k -strict 1 tmp_.mov
ffmpeg version N-94185-gca576833e4 Copyright (c) 2000-2019 the FFmpeg developers
  built with clang version 9.0.0
```
s->lambda is zero.
```c
543 static void search_for_pns(AACEncContext *s, AVCodecContext *avctx, SingleChannelElement *sce)
544 {
545     FFPsyBand *band;
546     int w, g, w2, i;
547     int wlen = 1024 / sce->ics.num_windows;
548     int bandwidth, cutoff;
549     float *PNS = &s->scoefs[0*128], *PNS34 = &s->scoefs[1*128];
550     float *NOR34 = &s->scoefs[3*128];
551     uint8_t nextband[128];
552     const float lambda = s->lambda;
553     const float freq_mult = avctx->sample_rate*0.5f/wlen;
554     const float thr_mult = NOISE_LAMBDA_REPLACE*(100.0f/lambda);
555     const float spread_threshold = FFMIN(0.75f, NOISE_SPREAD_THRESHOLD*FFMAX(0.5f, lambda/100));
556     const float dist_bias = av_clipf(4.f * 120 / lambda, 0.25f, 4.0f);
557     const float pns_transient_energy_r = FFMIN(0.7f, lambda / 140.f);
```
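The zero-lambda condition from the excerpt, as an added example that is not FFmpeg's code: it recomputes the four derived thresholds for a constructed lambda, reports which of them came out non-finite, and adds a guard that refuses a non-positive lambda before the division. The guard is an assumption, not the upstream patch referenced in the comments, and the two constant values are recalled from aaccoder.c and should be treated as assumptions too.

```c
#include <math.h>

/* Added example, not FFmpeg's code: reconstructs the lambda == 0 derivations
 * quoted from aaccoder.c and shows a guard that refuses the value.
 * The two constants are recalled from aaccoder.c and treated as assumptions. */
#define NOISE_LAMBDA_REPLACE   1.948f
#define NOISE_SPREAD_THRESHOLD 0.9f
#define FFMIN(a, b) ((a) > (b) ? (b) : (a))
#define FFMAX(a, b) ((a) > (b) ? (a) : (b))

static float av_clipf(float a, float amin, float amax)
{
    return a < amin ? amin : a > amax ? amax : a;
}

typedef struct {
    float thr_mult, spread_threshold, dist_bias, pns_transient_energy_r;
} PnsParams;

/* Lines 554-557 of the quoted excerpt. With lambda == 0 the two divisions
 * yield +inf under IEEE-754; UBSan's float-divide-by-zero check reports them. */
static PnsParams pns_params(float lambda)
{
    PnsParams p;
    p.thr_mult = NOISE_LAMBDA_REPLACE * (100.0f / lambda);
    p.spread_threshold = FFMIN(0.75f, NOISE_SPREAD_THRESHOLD * FFMAX(0.5f, lambda / 100));
    p.dist_bias = av_clipf(4.f * 120 / lambda, 0.25f, 4.0f);
    p.pns_transient_energy_r = FFMIN(0.7f, lambda / 140.f);
    return p;
}

/* True when any derived threshold is inf or NaN, i.e. the PNS search would
 * run on poisoned parameters (dist_bias is clipped back to 4.0 and hides it). */
static int pns_params_poisoned(PnsParams p)
{
    return !isfinite(p.thr_mult) || !isfinite(p.spread_threshold)
        || !isfinite(p.dist_bias) || !isfinite(p.pns_transient_energy_r);
}

/* Guarded variant (an assumption, not the upstream patch): reject a
 * non-positive or NaN lambda before dividing by it. Returns 0 and fills
 * *out on success, -1 when the caller should skip the PNS search. */
static int pns_params_checked(float lambda, PnsParams *out)
{
    if (!(lambda > 0.0f))   /* also rejects NaN */
        return -1;
    *out = pns_params(lambda);
    return 0;
}
```

With lambda == 0 only thr_mult stays visibly infinite; dist_bias is clipped to 4.0 and pns_transient_energy_r to 0, so a check on the raw input, not on the clipped outputs, is what catches the condition.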
Attachments (2)
Change History (5)
by , 4 years ago
| Attachment: | gdb_log_8003 added |
|---|
by , 4 years ago
comment:2 by , 2 years ago
Patch avoiding the floating point divisions by 0 is on the ffmpeg-devel mailing list. https://lists.ffmpeg.org/pipermail/ffmpeg-devel/2021-May/280730.html
How this would allow a Denial of Service in reality is not clear.
comment:3 by , 2 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |



FFmpeg Version: 4.2 (git master)
Many division by zero bugs are triggered.
```
ffmpeg version N-94906-gcb8d6a4e3e Copyright (c) 2000-2019 the FFmpeg developers
  built with clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final)
  configuration: --cc=clang --cxx=clang++ --ld=clang --enable-debug --toolchain=clang-usan
  libavutil      56. 35.100 / 56. 35.100
  libavcodec     58. 56.101 / 58. 56.101
  libavformat    58. 32.104 / 58. 32.104
  libavdevice    58.  9.100 / 58.  9.100
  libavfilter     7. 58.102 /  7. 58.102
  libswscale      5.  6.100 /  5.  6.100
  libswresample   3.  6.100 /  3.  6.100
Guessed Channel Layout for Input Stream #0.1 : mono
Input #0, asf, from 'tmp.wmv':
  Metadata:
    encoder         : Lavf57.66.105
  Duration: 00:00:05.63, start: 0.000000, bitrate: 647 kb/s
    Stream #0:0: Video: wmv2 (WMV2 / 0x32564D57), yuv420p, 560x320, SAR 1:1 DAR 7:4, 30 fps, 30 tbr, 1k tbn, 1k tbc
    Stream #0:1(eng): Audio: wmav2 (a[1][0][0] / 0x0161), 48000 Hz, mono, fltp, 128 kb/s
Stream mapping:
  Stream #0:0 -> #0:0 (wmv2 (native) -> zmbv (native))
  Stream #0:1 -> #0:1 (wmav2 (native) -> aac (native))
Press [q] to stop, [?] for help
[aac @ 0x9399480] Bitrate 45 is extremely low, maybe you mean 45k
The bitrate parameter is set too low. It takes bits/s as argument, not kbits/s
libavcodec/aaccoder.c:554:56: runtime error: division by zero
libavcodec/aaccoder.c:556:48: runtime error: division by zero
[mov @ 0x9389400] Using MS style video codec tag, the file may be unplayable!
Output #0, mov, to 'tmp_.mov':
  Metadata:
    encoder         : Lavf58.32.104
    Stream #0:0: Video: zmbv, bgr0, 560x320 [SAR 1:1 DAR 7:4], q=2-31, 292 kb/s, 14 fps, 14336 tbn, 14 tbc
    Metadata:
      encoder         : Lavc58.56.101 zmbv
    Stream #0:1(eng): Audio: aac (LC) (mp4a / 0x6134706D), 48000 Hz, mono, fltp, 0 kb/s
    Metadata:
      encoder         : Lavc58.56.101 aac
frame=  166 fps=6.0 q=-0.0 Lsize=    9258kB time=00:00:11.78 bitrate=6434.9kbits/s speed=0.429x
video:9255kB audio:0kB subtitle:0kB other streams:0kB global headers:0kB muxing overhead: 0.024679%
[aac @ 0x9399480] Qavg: 0.000
```