Opened 3 years ago

Closed 3 years ago

#8327 closed defect (fixed)

divide by zero in libavcodec/tiff.c

Reported by: cstubbs Owned by:
Priority: important Component: avcodec
Version: git-master Keywords: tif crash fpe
Cc: Blocked By:
Blocking: Reproduced by developer: yes
Analyzed by developer: no


Summary of the bug:

Divide by zero (SIGFPE) while processing a fuzzed TIFF file. The trap is the unsigned `div %ecx` at libavcodec/tiff.c:1417, `s->black_level = value / value2;`: both operands come straight from the file via `ff_tget()`, and for this input the second result (the divisor `value2`, in %ecx) is 0, so the division is performed on attacker-controlled data with no zero check. The observed impact is a process crash (denial of service) on a crafted input; the trace shows no sign of memory corruption. The tag should be rejected (or the assignment skipped) when the denominator is zero before the division is reached.

How to reproduce:

% ffmpeg -i bdcdaac0fbbef8413cf23a4f67c033da1ff5e1fc.out -f null /dev/null

ffmpeg version N-95495-gf7f4691 Copyright (c) 2000-2019 the FFmpeg developers

built with clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final)
configuration: --prefix=/home/chris/ffmpeg_build --pkg-config-flags=--static --extra-cflags=-I/home/chris/ffmpeg_build/include --extra-ldflags=-L/home/chris/ffmpeg_build/lib --extra-libs='-lpthread -lm' --bindir=/home/chris/bin --assert-level=2 --disable-ffplay --disable-ffprobe --disable-doc --disable-shared --cc=afl-clang --cxx=afl-clang++ --enable-gpl --enable-libaom --enable-libass --enable-libfdk-aac --enable-libfreetype --enable-libmp3lame --enable-libopus --enable-libvorbis --enable-libvpx --enable-libx264 --enable-libx265 --enable-nonfree
libavutil 56. 35.101 / 56. 35.101
libavcodec 58. 59.102 / 58. 59.102
libavformat 58. 33.100 / 58. 33.100
libavdevice 58. 9.100 / 58. 9.100
libavfilter 7. 64.100 / 7. 64.100
libswscale 5. 6.100 / 5. 6.100
libswresample 3. 6.100 / 3. 6.100
libpostproc 55. 6.100 / 55. 6.100

Program received signal SIGFPE, Arithmetic exception.
0x00000000010391e7 in tiff_decode_tag (s=<optimized out>, frame=<optimized out>)

at libavcodec/tiff.c:1417

1417 s->black_level = value / value2;
(gdb) bt
#0 0x00000000010391e7 in tiff_decode_tag (s=<optimized out>, frame=<optimized out>)

at libavcodec/tiff.c:1417

#1 decode_frame (avctx=0x3539e80, data=<optimized out>, got_frame=0x7fffffffd3fc,

avpkt=0x353af00) at libavcodec/tiff.c:1772

#2 0x0000000000ae4fad in decode_simple_internal (avctx=<optimized out>,

frame=<optimized out>) at libavcodec/decode.c:432

#3 decode_simple_receive_frame (avctx=<optimized out>, frame=<optimized out>)

at libavcodec/decode.c:628

#4 decode_receive_frame_internal (avctx=0x3539e80, frame=0x353ab80)

at libavcodec/decode.c:646

#5 0x0000000000ae4d3a in avcodec_send_packet (avctx=0x3539e80, avpkt=0x7fffffffd490)

at libavcodec/decode.c:704

#6 0x00000000009b7b7b in try_decode_frame (s=<optimized out>, st=0x35393c0,

avpkt=<optimized out>, options=<optimized out>) at libavformat/utils.c:3113

#7 0x00000000009b4750 in avformat_find_stream_info (ic=<optimized out>,

options=<optimized out>) at libavformat/utils.c:3939

#8 0x000000000040cbc6 in open_input_file (o=0x7fffffffd870,

filename=0x7fffffffe30f "/home/chris/stage1/bdcdaac0fbbef8413cf23a4f67c033da1ff5e1fc.out") at fftools/ffmpeg_opt.c:1127

#9 0x000000000040be4a in open_files (l=0x35375d8, inout=0x2458307 "input",

open_file=0x40c0a0 <open_input_file>) at fftools/ffmpeg_opt.c:3283

#10 0x000000000040bbd5 in ffmpeg_parse_options (argc=<optimized out>,

argv=<optimized out>) at fftools/ffmpeg_opt.c:3323

#11 0x0000000000429f79 in main (argc=10, argv=0x7fffffffdf28)

at fftools/ffmpeg.c:4862

(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0x10391c7 to 0x1039207:

0x00000000010391c7 <decode_frame+6631>: mov %rbp,%rdi
0x00000000010391ca <decode_frame+6634>: callq 0x1042ba0 <ff_tget>
0x00000000010391cf <decode_frame+6639>: mov %eax,%ebx
0x00000000010391d1 <decode_frame+6641>: mov (%r15),%edx
0x00000000010391d4 <decode_frame+6644>: mov $0x4,%esi
0x00000000010391d9 <decode_frame+6649>: mov %rbp,%rdi
0x00000000010391dc <decode_frame+6652>: callq 0x1042ba0 <ff_tget>
0x00000000010391e1 <decode_frame+6657>: mov %eax,%ecx
0x00000000010391e3 <decode_frame+6659>: xor %edx,%edx
0x00000000010391e5 <decode_frame+6661>: mov %ebx,%eax

=> 0x00000000010391e7 <decode_frame+6663>: div %ecx

0x00000000010391e9 <decode_frame+6665>: jmpq 0x103a3b5 <decode_frame+11221>
0x00000000010391ee <decode_frame+6670>: mov 0x288(%rsp),%eax
0x00000000010391f5 <decode_frame+6677>: mov 0x88(%rsp),%rbx
0x00000000010391fd <decode_frame+6685>: mov (%rbx),%ebp
0x00000000010391ff <decode_frame+6687>: mov $0x1,%edx
0x0000000001039204 <decode_frame+6692>: mov %ebp,%ecx
0x0000000001039206 <decode_frame+6694>: shl %cl,%edx

End of assembler dump.
(gdb) info all-registers
rax 0x0 0
rbx 0x0 0
rcx 0x0 0
rdx 0x0 0
rsi 0x0 0
rdi 0x7ffff7f9a050 140737353719888
rbp 0x7ffff7f9a050 0x7ffff7f9a050
rsp 0x7fffffffd030 0x7fffffffd030
r8 0x7fffffffd2b8 140737488343736
r9 0x7fffffffd2fc 140737488343804
r10 0x13c 316
r11 0x353eb9c 55831452
r12 0x7ffff7f9a040 140737353719872
r13 0x353af00 55815936
r14 0x1 1
r15 0x7ffff7f9a49c 140737353720988
rip 0x10391e7 0x10391e7 <decode_frame+6663>
eflags 0x10246 [ PF ZF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
st0 0 (raw 0x00000000000000000000)
st1 0 (raw 0x00000000000000000000)

Attachments (1)

bdcdaac0fbbef8413cf23a4f67c033da1ff5e1fc.out (316 bytes ) - added by cstubbs 3 years ago.


Change History (4)

comment:1 by Carl Eugen Hoyos, 3 years ago

Keywords: tiff crash fpe added
Priority: normal → important
Reproduced by developer: set
Status: new → open
Version: unspecified → git-master

comment:2 by Carl Eugen Hoyos, 3 years ago

Keywords: tif added; tiff removed

comment:3 by James, 3 years ago

Resolution: fixed
Status: open → closed