Opened 3 years ago

Closed 3 years ago

#8265 closed defect (fixed)

Division by zero at libavfilter/vf_lenscorrection.c:177

Reported by: Suhwan Owned by:
Priority: normal Component: undetermined
Version: git-master Keywords: ubsan asan
Cc: Blocked By:
Blocking: Reproduced by developer: no
Analyzed by developer: no

Description

Summary of the bug:
There is a Division by zero at libavfilter/vf_lenscorrection.c:177

How to reproduce:

% ffmpeg_g -y -i $PoC -filter_complex lenscorrection -loglevel 99 tmp.wtv

ffmpeg version N-95336-g4f4334bcbc Copyright (c) 2000-2019 the FFmpeg developers
built with clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final)
configuration: --cc=clang --cxx=clang++ --ld=clang --enable-debug --toolchain=clang-asan

Here's log

libavfilter/vf_lenscorrection.c:177:45: runtime error: division by zero
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libavfilter/vf_lenscorrection.c:177:45 in 

Thread 1 "ffmpeg_asan" received signal SIGFPE, Arithmetic exception.
0x0000000000e45a68 in filter_frame (inlink=<optimized out>, in=<optimized out>) at libavfilter/vf_lenscorrection.c:177
177	            const int64_t r2inv = (4LL<<60) / (w * w + h * h);
(gdb) bt
#0  0x0000000000e45a68 in filter_frame (inlink=<optimized out>, in=<optimized out>) at libavfilter/vf_lenscorrection.c:177
#1  0x0000000000826e2a in ff_filter_frame_framed (link=<optimized out>, frame=0x0) at libavfilter/avfilter.c:1071
#2  ff_filter_frame_to_filter (link=<optimized out>) at libavfilter/avfilter.c:1219
#3  ff_filter_activate_default (filter=0x611000001080) at libavfilter/avfilter.c:1268
#4  ff_filter_activate (filter=0x611000001080) at libavfilter/avfilter.c:1430
#5  0x000000000086fd23 in push_frame (graph=0x60e0000010c0) at libavfilter/buffersrc.c:187
#6  av_buffersrc_add_frame_internal (ctx=<optimized out>, frame=0x61600000e480, flags=4) at libavfilter/buffersrc.c:261
#7  0x000000000086e763 in av_buffersrc_add_frame_flags (ctx=0x6110000011c0, frame=0x61600000e480, flags=4) at libavfilter/buffersrc.c:170
#8  0x0000000000666408 in ifilter_send_frame (ifilter=<optimized out>, frame=<optimized out>) at fftools/ffmpeg.c:2186
#9  send_frame_to_filters (ist=0x615000000040, decoded_frame=0x61600000e480) at fftools/ffmpeg.c:2260
#10 0x0000000000607667 in decode_video (ist=0x615000000040, pkt=0x7fff00000000, got_output=0x7fffffffb4a0, duration_pts=<optimized out>, eof=<optimized out>, decode_failed=<optimized out>)
    at fftools/ffmpeg.c:2459
#11 process_input_packet (ist=0x615000000040, pkt=0x0, no_eof=0) at fftools/ffmpeg.c:2613
#12 0x0000000000644c59 in process_input (file_index=0) at fftools/ffmpeg.c:4303
#13 0x00000000005e7158 in transcode_step () at fftools/ffmpeg.c:4628
#14 transcode () at fftools/ffmpeg.c:4682
#15 0x00000000005db65c in main (argc=<optimized out>, argv=<optimized out>) at fftools/ffmpeg.c:4884
(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0xe45a48 to 0xe45a88:
   0x0000000000e45a48 <filter_frame+4104>:	je     0xe4690a <filter_frame+7882>
   0x0000000000e45a4e <filter_frame+4110>:	mov    $0xb340eac,%edi
   0x0000000000e45a53 <filter_frame+4115>:	callq  0x505ae0 <__sanitizer_cov_trace_pc_guard>
   0x0000000000e45a58 <filter_frame+4120>:	mov    0x68(%rbx),%r12
   0x0000000000e45a5c <filter_frame+4124>:	movabs $0x4000000000000000,%rax
   0x0000000000e45a66 <filter_frame+4134>:	cqto   
=> 0x0000000000e45a68 <filter_frame+4136>:	idiv   %r14
   0x0000000000e45a6b <filter_frame+4139>:	mov    %rax,0x120(%rbx)
   0x0000000000e45a72 <filter_frame+4146>:	movslq 0x10(%rbx),%rdi
   0x0000000000e45a76 <filter_frame+4150>:	movslq 0x4(%rbx),%rsi
   0x0000000000e45a7a <filter_frame+4154>:	shl    $0x2,%rsi
   0x0000000000e45a7e <filter_frame+4158>:	callq  0x8598a50 <av_malloc_array>
   0x0000000000e45a83 <filter_frame+4163>:	mov    %rax,%r14
   0x0000000000e45a86 <filter_frame+4166>:	cmpb   $0x0,0x1(%rbx)
End of assembler dump.
(gdb) n
0x00000000004e2830 in __asan::AsanOnDeadlySignal(int, void*, void*) ()
(gdb) n
Single stepping until exit from function _ZN6__asan18AsanOnDeadlySignalEiPvS0_,
which has no line number information.
AddressSanitizer:DEADLYSIGNAL
=================================================================
==41795==ERROR: AddressSanitizer: FPE on unknown address 0x000000e45a68 (pc 0x000000e45a68 bp 0x7fffffffaa50 sp 0x7fffffffa760 T0)
    #0 0xe45a67 in filter_frame ffmpeg/libavfilter/vf_lenscorrection.c:177:45
    #1 0x826e29 in ff_filter_activate_default ffmpeg/libavfilter/avfilter.c:1071:11
    #2 0x826e29 in ff_filter_activate ffmpeg/libavfilter/avfilter.c:1430
    #3 0x86fd22 in push_frame ffmpeg/libavfilter/buffersrc.c:187:15
    #4 0x86fd22 in av_buffersrc_add_frame_internal ffmpeg/libavfilter/buffersrc.c:261
    #5 0x86e762 in av_buffersrc_add_frame_flags ffmpeg/libavfilter/buffersrc.c:170:16
    #6 0x666407 in ifilter_send_frame ffmpeg/fftools/ffmpeg.c:2186:11
    #7 0x666407 in send_frame_to_filters ffmpeg/fftools/ffmpeg.c:2260
    #8 0x607666 in decode_video ffmpeg/fftools/ffmpeg.c:2459:11
    #9 0x607666 in process_input_packet ffmpeg/fftools/ffmpeg.c:2613
    #10 0x644c58 in process_input ffmpeg/fftools/ffmpeg.c:4303:23
    #11 0x5e7157 in transcode_step ffmpeg/fftools/ffmpeg.c:4628:11
    #12 0x5e7157 in transcode ffmpeg/fftools/ffmpeg.c:4682
    #13 0x5db65b in main ffmpeg/fftools/ffmpeg.c:4884:9
    #14 0x7ffff5c93b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #15 0x41def9 in _start (ffmpeg_asan+0x41def9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE ffmpeg/libavfilter/vf_lenscorrection.c:177:45 in filter_frame
==41795==ABORTING

Please confirm.
Thanks

Attachments (2)

gdb-vf_lenscorrection_177 (14.8 KB ) - added by Suhwan 3 years ago.
PoC_vf_lenscorrection_177.png48 (290 bytes ) - added by Suhwan 3 years ago.
poc

Download all attachments as: .zip

Change History (3)

by Suhwan, 3 years ago

Attachment: gdb-vf_lenscorrection_177 added

by Suhwan, 3 years ago

poc

comment:1 by Elon Musk, 3 years ago

Resolution: fixed
Status: newclosed
Note: See TracTickets for help on using tickets.