Opened 6 years ago
Closed 4 years ago
#8003 closed defect (fixed)
Division by zero at libavcodec/aaccoder.c
Reported by: | Suhwan | Owned by: | |
---|---|---|---|
Priority: | normal | Component: | undetermined |
Version: | git-master | Keywords: | ubsan |
Cc: | Blocked By: | ||
Blocking: | Reproduced by developer: | no | |
Analyzed by developer: | no |
Description
Summary of the bug:
There's a division by zero at libavcodec/aaccoder.c:554 and 556.
How to reproduce:
% ffmpeg_g -y -r 14 -i tmp.wmv -map 0 -c:v:14 mpeg1video -c:v zmbv -disposition:s:19 v210 -disposition:s flv -aframes 10 -ab 45 -ac 9 -b:v 292k -strict 1 tmp_.mov ffmpeg version N-94185-gca576833e4 Copyright (c) 2000-2019 the FFmpeg developers built with clang version 9.0.0
s->lambda is zero.
543 static void search_for_pns(AACEncContext *s, AVCodecContext *avctx, SingleChannelElement *sce 544 { 545 FFPsyBand *band; 546 int w, g, w2, i; 547 int wlen = 1024 / sce->ics.num_windows; 548 int bandwidth, cutoff; 549 float *PNS = &s->scoefs[0*128], *PNS34 = &s->scoefs[1*128]; 550 float *NOR34 = &s->scoefs[3*128]; 551 uint8_t nextband[128]; 552 const float lambda = s->lambda; 553 const float freq_mult = avctx->sample_rate*0.5f/wlen; 554 const float thr_mult = NOISE_LAMBDA_REPLACE*(100.0f/lambda); 555 const float spread_threshold = FFMIN(0.75f, NOISE_SPREAD_THRESHOLD*FFMAX(0.5f, lambda/100 556 const float dist_bias = av_clipf(4.f * 120 / lambda, 0.25f, 4.0f); 557 const float pns_transient_energy_r = FFMIN(0.7f, lambda / 140.f);
Attachments (2)
Change History (5)
by , 6 years ago
Attachment: | gdb_log_8003 added |
---|
by , 6 years ago
comment:2 by , 4 years ago
Patch avoiding the floating point divisions by 0 is on the ffmpeg-devel mailing list. https://lists.ffmpeg.org/pipermail/ffmpeg-devel/2021-May/280730.html
How this would allow a Denial of Service in reality is not clear.
comment:3 by , 4 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
Note:
See TracTickets
for help on using tickets.
FFmpeg Version: 4.2
Many division by zero bugs are triggered.