Opened 5 years ago
Closed 5 years ago
#8265 closed defect (fixed)
Division by zero at libavfilter/vf_lenscorrection.c:177
Reported by: | Suhwan | Owned by: | |
---|---|---|---|
Priority: | normal | Component: | undetermined |
Version: | git-master | Keywords: | ubsan asan |
Cc: | | Blocked By: | |
Blocking: | | Reproduced by developer: | no |
Analyzed by developer: | no | | |
Description
Summary of the bug:
There is a division by zero at libavfilter/vf_lenscorrection.c:177.
How to reproduce:
```
% ffmpeg_g -y -i $PoC -filter_complex lenscorrection -loglevel 99 tmp.wtv
ffmpeg version N-95336-g4f4334bcbc Copyright (c) 2000-2019 the FFmpeg developers
  built with clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final)
  configuration: --cc=clang --cxx=clang++ --ld=clang --enable-debug --toolchain=clang-asan
```
Here's the log:
```
libavfilter/vf_lenscorrection.c:177:45: runtime error: division by zero
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libavfilter/vf_lenscorrection.c:177:45 in

Thread 1 "ffmpeg_asan" received signal SIGFPE, Arithmetic exception.
0x0000000000e45a68 in filter_frame (inlink=<optimized out>, in=<optimized out>) at libavfilter/vf_lenscorrection.c:177
177	    const int64_t r2inv = (4LL<<60) / (w * w + h * h);
(gdb) bt
#0  0x0000000000e45a68 in filter_frame (inlink=<optimized out>, in=<optimized out>) at libavfilter/vf_lenscorrection.c:177
#1  0x0000000000826e2a in ff_filter_frame_framed (link=<optimized out>, frame=0x0) at libavfilter/avfilter.c:1071
#2  ff_filter_frame_to_filter (link=<optimized out>) at libavfilter/avfilter.c:1219
#3  ff_filter_activate_default (filter=0x611000001080) at libavfilter/avfilter.c:1268
#4  ff_filter_activate (filter=0x611000001080) at libavfilter/avfilter.c:1430
#5  0x000000000086fd23 in push_frame (graph=0x60e0000010c0) at libavfilter/buffersrc.c:187
#6  av_buffersrc_add_frame_internal (ctx=<optimized out>, frame=0x61600000e480, flags=4) at libavfilter/buffersrc.c:261
#7  0x000000000086e763 in av_buffersrc_add_frame_flags (ctx=0x6110000011c0, frame=0x61600000e480, flags=4) at libavfilter/buffersrc.c:170
#8  0x0000000000666408 in ifilter_send_frame (ifilter=<optimized out>, frame=<optimized out>) at fftools/ffmpeg.c:2186
#9  send_frame_to_filters (ist=0x615000000040, decoded_frame=0x61600000e480) at fftools/ffmpeg.c:2260
#10 0x0000000000607667 in decode_video (ist=0x615000000040, pkt=0x7fff00000000, got_output=0x7fffffffb4a0, duration_pts=<optimized out>, eof=<optimized out>, decode_failed=<optimized out>) at fftools/ffmpeg.c:2459
#11 process_input_packet (ist=0x615000000040, pkt=0x0, no_eof=0) at fftools/ffmpeg.c:2613
#12 0x0000000000644c59 in process_input (file_index=0) at fftools/ffmpeg.c:4303
#13 0x00000000005e7158 in transcode_step () at fftools/ffmpeg.c:4628
#14 transcode () at fftools/ffmpeg.c:4682
#15 0x00000000005db65c in main (argc=<optimized out>, argv=<optimized out>) at fftools/ffmpeg.c:4884
(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0xe45a48 to 0xe45a88:
   0x0000000000e45a48 <filter_frame+4104>:	je     0xe4690a <filter_frame+7882>
   0x0000000000e45a4e <filter_frame+4110>:	mov    $0xb340eac,%edi
   0x0000000000e45a53 <filter_frame+4115>:	callq  0x505ae0 <__sanitizer_cov_trace_pc_guard>
   0x0000000000e45a58 <filter_frame+4120>:	mov    0x68(%rbx),%r12
   0x0000000000e45a5c <filter_frame+4124>:	movabs $0x4000000000000000,%rax
   0x0000000000e45a66 <filter_frame+4134>:	cqto
=> 0x0000000000e45a68 <filter_frame+4136>:	idiv   %r14
   0x0000000000e45a6b <filter_frame+4139>:	mov    %rax,0x120(%rbx)
   0x0000000000e45a72 <filter_frame+4146>:	movslq 0x10(%rbx),%rdi
   0x0000000000e45a76 <filter_frame+4150>:	movslq 0x4(%rbx),%rsi
   0x0000000000e45a7a <filter_frame+4154>:	shl    $0x2,%rsi
   0x0000000000e45a7e <filter_frame+4158>:	callq  0x8598a50 <av_malloc_array>
   0x0000000000e45a83 <filter_frame+4163>:	mov    %rax,%r14
   0x0000000000e45a86 <filter_frame+4166>:	cmpb   $0x0,0x1(%rbx)
End of assembler dump.
(gdb) n
0x00000000004e2830 in __asan::AsanOnDeadlySignal(int, void*, void*) ()
(gdb) n
Single stepping until exit from function _ZN6__asan18AsanOnDeadlySignalEiPvS0_,
which has no line number information.
AddressSanitizer:DEADLYSIGNAL
=================================================================
==41795==ERROR: AddressSanitizer: FPE on unknown address 0x000000e45a68 (pc 0x000000e45a68 bp 0x7fffffffaa50 sp 0x7fffffffa760 T0)
    #0 0xe45a67 in filter_frame ffmpeg/libavfilter/vf_lenscorrection.c:177:45
    #1 0x826e29 in ff_filter_activate_default ffmpeg/libavfilter/avfilter.c:1071:11
    #2 0x826e29 in ff_filter_activate ffmpeg/libavfilter/avfilter.c:1430
    #3 0x86fd22 in push_frame ffmpeg/libavfilter/buffersrc.c:187:15
    #4 0x86fd22 in av_buffersrc_add_frame_internal ffmpeg/libavfilter/buffersrc.c:261
    #5 0x86e762 in av_buffersrc_add_frame_flags ffmpeg/libavfilter/buffersrc.c:170:16
    #6 0x666407 in ifilter_send_frame ffmpeg/fftools/ffmpeg.c:2186:11
    #7 0x666407 in send_frame_to_filters ffmpeg/fftools/ffmpeg.c:2260
    #8 0x607666 in decode_video ffmpeg/fftools/ffmpeg.c:2459:11
    #9 0x607666 in process_input_packet ffmpeg/fftools/ffmpeg.c:2613
    #10 0x644c58 in process_input ffmpeg/fftools/ffmpeg.c:4303:23
    #11 0x5e7157 in transcode_step ffmpeg/fftools/ffmpeg.c:4628:11
    #12 0x5e7157 in transcode ffmpeg/fftools/ffmpeg.c:4682
    #13 0x5db65b in main ffmpeg/fftools/ffmpeg.c:4884:9
    #14 0x7ffff5c93b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #15 0x41def9 in _start (ffmpeg_asan+0x41def9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE ffmpeg/libavfilter/vf_lenscorrection.c:177:45 in filter_frame
==41795==ABORTING
```
Please confirm.
Thanks
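As an added illustration (not code from the ticket or from FFmpeg): a 32-bit model of the divisor `w * w + h * h` from line 177 next to a guarded version that validates the plane dimensions and widens to 64 bits before squaring. The ticket does not say which dimensions the PoC carries; the 65536x65536 pair below is a constructed input chosen only because its 32-bit sum of squares wraps to exactly zero, and `lens_r2inv` is an assumed hardening, not the fix the developers committed.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* The divisor as written at vf_lenscorrection.c:177, evaluated in 32-bit
 * arithmetic. uint32_t is used so this demo itself is well defined; the
 * original uses int, where overflow is undefined behaviour and the
 * sanitizer only reports the division that follows, as in the log above. */
static uint32_t divisor_as_written(uint32_t w, uint32_t h)
{
    return w * w + h * h;
}

/* Hardened form (assumed here, not the project's actual patch): reject
 * empty planes and widen to 64 bits before squaring, so the divisor can
 * never be 0 and the idiv shown in the disassembly cannot fault.
 * Returns 0 on success and a negative errno value otherwise. */
static int lens_r2inv(int w, int h, int64_t *r2inv)
{
    int64_t d;

    if (w <= 0 || h <= 0)
        return -EINVAL;            /* a plane with no pixels is a caller bug */

    d = (int64_t)w * w + (int64_t)h * h;   /* < 2^63 for any positive int w, h */
    if (d <= 0)
        return -ERANGE;            /* unreachable after the checks above; kept as a guard */

    *r2inv = (4LL << 60) / d;
    return 0;
}

int main(void)
{
    /* Constructed inputs: a normal 1080p frame, a zero-sized plane, and a
     * dimension pair whose 32-bit sum of squares wraps to 0
     * (2^32 + 2^32 == 2^33, which is 0 mod 2^32). */
    const int dims[][2] = { {1920, 1080}, {0, 1080}, {65536, 65536} };

    for (size_t i = 0; i < sizeof(dims) / sizeof(dims[0]); i++) {
        int w = dims[i][0], h = dims[i][1];
        int64_t r2inv = 0;
        int ret = lens_r2inv(w, h, &r2inv);

        printf("%6d x %6d: 32-bit divisor = %10u, 64-bit path -> %s (r2inv=%lld)\n",
               w, h, divisor_as_written((uint32_t)w, (uint32_t)h),
               ret ? "rejected" : "ok", (long long)r2inv);
    }
    return 0;
}
```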
Attachments (2)
Change History (3)
by , 5 years ago
Attachment: gdb-vf_lenscorrection_177 added
by , 5 years ago
Attachment: PoC_vf_lenscorrection_177.png48 added
comment:1 by , 5 years ago
Resolution: → fixed
Status: new → closed