Opened 4 years ago

Closed 4 years ago

#8335 closed defect (fixed)

Integer divide by zero in libavformat/bintext.c

Reported by: andreafioraldi
Owned by:
Priority: important
Component: avformat
Version: git-master
Keywords: bintext crash fpe
Cc:
Blocked By:
Blocking:
Reproduced by developer: yes
Analyzed by developer: no

Description

Hi, I found this bug while fuzzing.
It is a division by zero in predict_width() of libavformat/bintext.c.

The bug affects ffmpeg 4.2.1 as well as the git-master.

The Valgrind output is:

valgrind ../FFmpeg/ffmpeg_g -y -i out/ffmpeg/weizz_rq_1571070675/crashes/id:000004,sig:08,src:015475,time:156881952,op:cmpdata,pos:98,val:be:+2 -c:v mpeg4 -c:a out.mp4
==32974== Memcheck, a memory error detector
==32974== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==32974== Using Valgrind-3.12.0.SVN and LibVEX; rerun with -h for copyright info
==32974== Command: ../FFmpeg/ffmpeg_g -y -i out/ffmpeg/weizz_rq_1571070675/crashes/id:000004,sig:08,src:015475,time:156881952,op:cmpdata,pos:98,val:be:+2 -c:v mpeg4 -c:a out.mp4
==32974== 
ffmpeg version N-95553-g155508c6e9 Copyright (c) 2000-2019 the FFmpeg developers
  built with gcc 6.3.0 (Debian 6.3.0-18+deb9u1) 20170516
  configuration: --enable-debug
  libavutil      56. 35.101 / 56. 35.101
  libavcodec     58. 59.102 / 58. 59.102
  libavformat    58. 33.100 / 58. 33.100
  libavdevice    58.  9.100 / 58.  9.100
  libavfilter     7. 65.100 /  7. 65.100
  libswscale      5.  6.100 /  5.  6.100
  libswresample   3.  6.100 /  3.  6.100
Trailing option(s) found in the command: may be ignored.
[bin @ 0x70b5640] Format bin detected only with low score of 1, misdetection possible!
==32974== 
==32974== Process terminating with default action of signal 8 (SIGFPE)
==32974==  Integer divide by zero at address 0x806925EF7
==32974==    at 0x45FB21: predict_width (bintext.c:125)
==32974==    by 0x45FB21: bintext_read_header (bintext.c:197)
==32974==    by 0x57C740: avformat_open_input (utils.c:633)
==32974==    by 0x27D6D4: open_input_file (ffmpeg_opt.c:1105)
==32974==    by 0x27F46D: open_files (ffmpeg_opt.c:3283)
==32974==    by 0x27F46D: ffmpeg_parse_options (ffmpeg_opt.c:3323)
==32974==    by 0x2773A6: main (ffmpeg.c:4863)
==32974== 
==32974== HEAP SUMMARY:
==32974==     in use at exit: 38,913 bytes in 51 blocks
==32974==   total heap usage: 90 allocs, 39 frees, 78,778 bytes allocated
==32974== 
==32974== LEAK SUMMARY:
==32974==    definitely lost: 0 bytes in 0 blocks
==32974==    indirectly lost: 0 bytes in 0 blocks
==32974==      possibly lost: 0 bytes in 0 blocks
==32974==    still reachable: 38,913 bytes in 51 blocks
==32974==         suppressed: 0 bytes in 0 blocks
==32974== Rerun with --leak-check=full to see details of leaked memory
==32974== 
==32974== For counts of detected and suppressed errors, rerun with: -v
==32974== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
Floating point exception

The testcase that triggers the bug is the following (in base64):

VE1BU0FVQ0UwMEkgTElTVOz8AAAAAAIAAAAAAAAAAOdLSVNUlBAT/3N0cmxzdAAAAHsaRd+j8A
ZHt9fQAQAAEF6AABAAD5/vwAAAAAAAAEAAAAAAAAAExJU1SUEAAAAAUBAAABABUAAQCAAGkBAAAB
ZHNGAAAAAAMfYkEAowAAlOI=

Regards,
Andrea
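The crash class in this ticket, a demuxer dividing by a value that is derived from an untrusted header field, is easiest to see next to its guarded form. The following is an added example written for this page; it is not FFmpeg's bintext.c and does not reproduce the attached test case. The toy header layout (a 2-byte little-endian pixel width followed by 2-byte character cells), the fixed glyph height, and the names `toy_params`, `toy_read_header`, `derive_height_unchecked` and `derive_height_checked` are all assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <limits.h>

/* Added example, not FFmpeg's bintext.c: a toy header reader for a
 * bintext-style file in which the text-mode width is taken from the file
 * and the pixel height is derived from the file size. The toy header
 * layout (2-byte little-endian width in pixels, then the cell payload)
 * is an assumption made for this example, not the real .bin format. */

enum { TOY_OK = 0, TOY_EINVAL = -1 };

/* Stands in for the AVCodecParameters fields a demuxer fills. */
struct toy_params {
    int width;   /* pixel width read from the file */
    int height;  /* pixel height derived from the file size */
};

/* Bytes per text cell: one character byte plus one attribute byte. */
#define CELL_BYTES 2
/* Glyph height used to turn rows into pixels (fixed for the toy). */
#define FONT_HEIGHT 16

/* Vulnerable shape of the computation: trusts `width` from the file, so a
 * width below 8 makes (width >> 3) zero and the division raises SIGFPE,
 * the same crash class the ticket reports. Never called by the self-checks
 * below, because the fault would abort the process. */
int derive_height_unchecked(struct toy_params *p, uint64_t payload)
{
    uint64_t rows = payload / ((uint64_t)(p->width >> 3) * CELL_BYTES);
    p->height = (int)(rows * FONT_HEIGHT);
    return TOY_OK;
}

/* Hardened form: validates the divisor and the result range before dividing. */
static int derive_height_checked(struct toy_params *p, uint64_t payload)
{
    if (p->width < 8 || (p->width & 7))
        return TOY_EINVAL;               /* cols would be 0 or non-integral */
    uint64_t cols = (uint64_t)p->width >> 3;
    uint64_t rows = payload / (cols * CELL_BYTES);
    if (rows == 0 || rows > (uint64_t)(INT_MAX / FONT_HEIGHT))
        return TOY_EINVAL;               /* empty or overflowing frame */
    p->height = (int)(rows * FONT_HEIGHT);
    return TOY_OK;
}

/* Reads the toy header from an untrusted buffer and fills `p`.
 * Returns TOY_OK or TOY_EINVAL; never divides by an unvalidated value. */
int toy_read_header(const uint8_t *buf, size_t len, struct toy_params *p)
{
    if (len < 2)
        return TOY_EINVAL;
    p->width  = buf[0] | (buf[1] << 8);
    p->height = 0;
    return derive_height_checked(p, (uint64_t)(len - 2));
}

/* Constructed input: width field = 0, the shape of input on which the
 * unchecked version would fault. Returns the parser's status code. */
int toy_demo_zero_width(void)
{
    static const uint8_t crash_like[] = { 0x00, 0x00, 'A', 0x07, 'B', 0x07 };
    struct toy_params p;
    return toy_read_header(crash_like, sizeof crash_like, &p);
}

/* Constructed input: width = 80 columns * 8 px = 640, payload = 2 rows of
 * 80 cells. Returns the derived pixel height (2 rows * 16 px = 32). */
int toy_demo_valid_width(void)
{
    static uint8_t ok[2 + 80 * CELL_BYTES * 2] = { 640 & 0xff, 640 >> 8 };
    struct toy_params p;
    if (toy_read_header(ok, sizeof ok, &p) != TOY_OK)
        return -1;
    return p.height;
}
```

The point of the guarded version is that every operand of the division is checked against what the file may legitimately contain before the division happens, and the demuxer fails the probe with an error instead of trapping; a fuzzer feeding the checked reader the zero-width buffer gets a clean `TOY_EINVAL` rather than a SIGFPE.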

Attachments (1)

id:000004,sig:08,src:015475,time:156881952,op:cmpdata,pos:98,val:be:+2 (131 bytes) - added by andreafioraldi 4 years ago.
Testcase that triggers the bug


Change History (3)

by andreafioraldi, 4 years ago

Testcase that triggers the bug

comment:1 by Carl Eugen Hoyos, 4 years ago

Keywords: bintext crash fpe added; division zero removed
Reproduced by developer: set
Status: new → open
Version: 4.2 → git-master

comment:2 by Carl Eugen Hoyos, 4 years ago

Resolution: fixed
Status: open → closed