Opened 5 years ago

Closed 5 years ago

#8237 closed defect (invalid)

Division by zero at libavfilter/af_adeclick.c

Reported by: Suhwan Owned by:
Priority: normal Component: undetermined
Version: git-master Keywords: ubsan
Cc: Blocked By:
Blocking: Reproduced by developer: no
Analyzed by developer: no

Description

Summary of the bug:
There are 2 Division by zero at libavfilter/af_adeclick.c:684,228

Breakpoint 1, uninit (ctx=0x611000000900) at libavfilter/af_adeclick.c:684
684	           s->nb_samples, 100. * s->detected_errors / s->nb_samples);
(gdb) print s->nb_samples
$1 = 0
(gdb) bt
#0  uninit (ctx=0x611000000900) at libavfilter/af_adeclick.c:684
#1  0x000000000110cde1 in avfilter_free (filter=0x611000000900) at libavfilter/avfilter.c:771
#2  0x0000000001174600 in avfilter_graph_free (graph=0x7fffffffdb20) at libavfilter/avfiltergraph.c:126
#3  0x00000000006e02d0 in init_complex_filtergraph (fg=0x60a000000040) at fftools/ffmpeg_filter.c:377
#4  0x00000000005173c9 in init_complex_filters () at fftools/ffmpeg_opt.c:2102
#5  ffmpeg_parse_options (argc=<optimized out>, argv=<optimized out>) at fftools/ffmpeg_opt.c:3324
#6  0x000000000081bc75 in main (argc=23, argv=0x7fffffffe138) at fftools/ffmpeg.c:4872
(gdb) c
Continuing.

libavfilter/af_adeclick.c:684:53: runtime error: division by zero
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libavfilter/af_adeclick.c:684:53 in 
libavfilter/af_adeclick.c:228:25: runtime error: division by zero
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libavfilter/af_adeclick.c:228:25 in

How to reproduce:

% ffmpeg_g -y -r 49 -i $PoC -filter_complex adeclick -loglevel 0 -c:s:7 h264_v4l2m2m -disposition:s:3 apng -vframes 35 -ab 267k -ac 0 -strict 1 tmp.ast

ffmpeg version N-95291-g5345965b3f Copyright (c) 2000-2019 the FFmpeg developers
  built with clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final)
  configuration: --cc=clang --cxx=clang++ --ld=clang --enable-debug --toolchain=clang-usan

Attachments (2)

PoC_af_adeclick684.wav (125.0 KB ) - added by Suhwan 5 years ago.
poc
gdb-af_adeclick684 (44.2 KB ) - added by Suhwan 5 years ago.

Download all attachments as: .zip

Change History (6)

by Suhwan, 5 years ago

Attachment: PoC_af_adeclick684.wav added

poc

comment:1 by Elon Musk, 5 years ago

Resolution: invalid
Status: newclosed

in reply to:  1 comment:2 by Suhwan, 5 years ago

Resolution: invalid
Status: closedreopened

Replying to richardpl:
I checked this again and re-uploaded the full gdb-log.
I compiled ffmpeg with "--toolchain=clang-usan" option to check division by zero.

please confirm.
Thanks

How to reproduce:

$ ffmpeg_g -y -r 49 -i $PoC -filter_complex adeclick -loglevel 99 -c:s:7 h264_v4l2m2m -disposition:s:3 apng -vframes 35 -ab 267k -ac 0 -strict 1 tmp.ast

ffmpeg version N-95314-g1331e00179 Copyright (c) 2000-2019 the FFmpeg developers
  built with clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final)
  configuration: --cc=clang --cxx=clang++ --ld=clang --enable-debug --toolchain=clang-usan

Breakpoint 1, uninit (ctx=0x90e0140) at libavfilter/af_adeclick.c:684
684	           s->nb_samples, 100. * s->detected_errors / s->nb_samples);
(gdb) n
683	           s->is_declip ? "clips" : "clicks", s->detected_errors,
(gdb) n
684	           s->nb_samples, 100. * s->detected_errors / s->nb_samples);
(gdb) n
libavfilter/af_adeclick.c:684:53: runtime error: division by zero
682	    av_log(ctx, AV_LOG_INFO, "Detected %s in %"PRId64" of %"PRId64" samples (%g%%).\n",
(gdb) bt
#0  uninit (ctx=0x90e0140) at libavfilter/af_adeclick.c:682
#1  0x00000000005ca3f3 in avfilter_free (filter=0x90e0140) at libavfilter/avfilter.c:771
#2  0x00000000005d6218 in avfilter_graph_free (graph=0x7fffffffde50) at libavfilter/avfiltergraph.c:126
#3  0x00000000004646ca in init_complex_filtergraph (fg=<optimized out>) at fftools/ffmpeg_filter.c:377
#4  0x000000000042db4c in init_complex_filters () at fftools/ffmpeg_opt.c:2102
#5  ffmpeg_parse_options (argc=<optimized out>, argv=<optimized out>) at fftools/ffmpeg_opt.c:3324
#6  0x0000000000487b44 in main (argc=23, argv=0x7fffffffe118) at fftools/ffmpeg.c:4872
(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0xfeb693 to 0xfeb6d3:
   0x0000000000feb693 <uninit+265>:	pushfq 
   0x0000000000feb694 <uninit+266>:	add    $0x66,%al
   0x0000000000feb696 <uninit+268>:	subps  0x49c8d83(%rip),%xmm1        # 0x59b4420
   0x0000000000feb69d <uninit+275>:	pshufd $0x4e,%xmm1,%xmm2
   0x0000000000feb6a2 <uninit+280>:	addpd  %xmm1,%xmm2
   0x0000000000feb6a6 <uninit+284>:	test   %rax,%rax
   0x0000000000feb6a9 <uninit+287>:	je     0xfebc7b <uninit+1777>
   0x0000000000feb6af <uninit+293>:	divsd  %xmm2,%xmm0
=> 0x0000000000feb6b3 <uninit+297>:	mov    $0x20,%esi
   0x0000000000feb6b8 <uninit+302>:	mov    $0x5a698dc,%edx
   0x0000000000feb6bd <uninit+307>:	mov    $0x1,%al
   0x0000000000feb6bf <uninit+309>:	mov    %r15,%rdi
   0x0000000000feb6c2 <uninit+312>:	mov    %rbx,%rcx
   0x0000000000feb6c5 <uninit+315>:	mov    %r13,%r9
   0x0000000000feb6c8 <uninit+318>:	callq  0x58e7540 <av_log>
   0x0000000000feb6cd <uninit+323>:	mov    0xf(%rsp),%r12b
   0x0000000000feb6d2 <uninit+328>:	test   %r12b,%r12b
End of assembler dump.

by Suhwan, 5 years ago

Attachment: gdb-af_adeclick684 added

comment:3 by mkver, 5 years ago

I guess the reason for the closure was that you use $PoC in the command line. Strictly speaking, this makes the ticket invalid.

comment:4 by Elon Musk, 5 years ago

Resolution: invalid
Status: reopenedclosed

Division by zero is with floats, and that is valid.

Note: See TracTickets for help on using tickets.