Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#8484 closed defect (fixed)

UBSan: division by zero

Reported by: andreafioraldi Owned by:
Priority: important Component: avcodec
Version: unspecified Keywords: bintext crash fpe
Cc: Blocked By:
Blocking: Reproduced by developer: no
Analyzed by developer: no

Description (last modified by Carl Eugen Hoyos)

Build ffmpeg 4.2.2 using clang and ubsan (-fsanitize=undefined).
Command line: ./ffmpeg.ubsan -y -i ./input -c:v mpeg4 -c:a out.mp4
Output:

ffmpeg version 4.2.2 Copyright (c) 2000-2019 the FFmpeg developers
  built with clang version 8.0.0-3~ubuntu18.04.2 (tags/RELEASE_800/final)
  configuration: --cc=clang-8 --cxx=clang++-8 --ld=clang-8
  libavutil      56. 31.100 / 56. 31.100
  libavcodec     58. 54.100 / 58. 54.100
  libavformat    58. 29.100 / 58. 29.100
  libavdevice    58.  8.100 / 58.  8.100
  libavfilter     7. 57.100 /  7. 57.100
  libswscale      5.  5.100 /  5.  5.100
  libswresample   3.  5.100 /  3.  5.100
Trailing options were found on the commandline.
[bin @ 0x902f600] Format bin detected only with low score of 1, misdetection possible!
libavformat/bintext.c:79:26: runtime error: division by zero
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==20336==ERROR: UndefinedBehaviorSanitizer: FPE on unknown address 0x0000013f5b4d (pc 0x0000013f5b4d bp 0x000009038601 sp 0x7fffffffd060 T20336)
    #0 0x13f5b4c in calculate_height /home/andrea/Videos/ffmpeg-4.2.2/libavformat/bintext.c:79:26
    #1 0x13f2dfb in bintext_read_header /home/andrea/Videos/ffmpeg-4.2.2/libavformat/bintext.c:198:13
    #2 0x197213c in avformat_open_input /home/andrea/Videos/ffmpeg-4.2.2/libavformat/utils.c:631:20
    #3 0x42f3e7 in open_input_file /home/andrea/Videos/ffmpeg-4.2.2/fftools/ffmpeg_opt.c:1104:11
    #4 0x42d24e in open_files /home/andrea/Videos/ffmpeg-4.2.2/fftools/ffmpeg_opt.c:3275:15
    #5 0x42cf3f in ffmpeg_parse_options /home/andrea/Videos/ffmpeg-4.2.2/fftools/ffmpeg_opt.c:3315:11
    #6 0x487003 in main /home/andrea/Videos/ffmpeg-4.2.2/fftools/ffmpeg.c:4872:11
    #7 0x7ffff61aab96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #8 0x407769 in _start (/home/andrea/Videos/ffmpeg-4.2.2/ffmpeg_g+0x407769)

UndefinedBehaviorSanitizer can not provide additional info.
==20336==ABORTING

Note that you need UBSan to get the stacktrace but it is not needed to reproduce the crash, the process gets a SIGFPE.

The bug seems to be when par->width is controlled:

static void calculate_height(AVCodecParameters *par, uint64_t fsize)
{
    /* (par->width>>3)*2 is 0 for any width from 0 to 7, so the division traps */
    par->height = (fsize / ((par->width>>3)*2)) << 4;
}

I attach a minimal input that triggers the bug in base64:

YHR//wAAEQAAZAAnBv8AaDgACAB/6Pb29vb29vcELhYAAP//3v//AACV/wAHAAAAAAAQAAEAAAAAAAIAAAAOAP/t/wAAAABMAAAAAbUAAEgADAwMDEAnDAwGAgcMDAwMAAAAAIv9/u8AAAABZAAQBv8AVFe1dTZUVFRURlRU5wB//93//YAAAAQAAAAAAAAAAADzAFNBVUNFMDA7NDBtTnZpaAD29vb2LfoAAPpTQVVDRTD///9/bU52aWgA9vb29hf3CP//3gAAAABXkHU2AAAAEBobSzA7MzA7////f3R/AAAixhVkAAAAAGAoYHR//wAFAQAAMQAAAP8AMlRUV5oAgAAAAABkACAZAEZNUDQA3xEA
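A worked comparison added here (this is example code, not code from the ticket or from the FFmpeg fix commit): the quoted calculate_height beside a guarded variant that validates the divisor before dividing, using a minimal stand-in struct for AVCodecParameters and constructed header values.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for FFmpeg's AVCodecParameters with only the two fields the
 * ticket's snippet touches (a simplification for this example). */
typedef struct AVCodecParameters {
    int width;
    int height;
} AVCodecParameters;

/* The function as quoted in the ticket. width comes from the input file;
 * for any width from 0 to 7, (par->width>>3)*2 is 0 and the division
 * traps with SIGFPE (what UBSan reports as "division by zero" at
 * bintext.c:79). Never call this with such a width. */
static void calculate_height_unchecked(AVCodecParameters *par, uint64_t fsize)
{
    par->height = (fsize / ((par->width>>3)*2)) << 4;
}

/* Guarded variant written for this example (not the project's fix): the
 * divisor is validated before use and an out-of-range result is rejected,
 * so a hostile header yields an error the caller can act on instead of
 * a crash. Returns 0 on success, -1 when the header is invalid. */
static int calculate_height_checked(AVCodecParameters *par, uint64_t fsize)
{
    uint64_t divisor, rows;

    if (par->width < 8)                  /* width>>3 would be 0: no divisor */
        return -1;
    divisor = ((uint64_t)par->width >> 3) * 2;
    rows    = fsize / divisor;
    if (rows > (uint64_t)INT_MAX >> 4)   /* (rows << 4) must fit in an int */
        return -1;
    par->height = (int)(rows << 4);
    return 0;
}

/* Convenience wrapper: computed height, or -1 if the header was rejected. */
static int height_for(int width, uint64_t fsize)
{
    AVCodecParameters par = { .width = width, .height = 0 };
    return calculate_height_checked(&par, fsize) == 0 ? par.height : -1;
}

int main(void)
{
    /* Constructed inputs: a width that would trap in the unchecked version, and a sane one. */
    printf("width=0, fsize=4000:  %d (rejected)\n", height_for(0, 4000));
    printf("width=80, fsize=4000: %d\n", height_for(80, 4000)); /* 4000/20 = 200, <<4 = 3200 */
    (void)calculate_height_unchecked;   /* kept only for side-by-side comparison */
    return 0;
}
```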

Change History (3)

comment:1 by Carl Eugen Hoyos, 4 years ago

Description: modified (diff)
Keywords: bintext crash fpe added; sigfpe removed
Resolution: fixed
Status: new → closed
Version: 4.2 → unspecified

Fixed in 19bfd7212695b456352e258c9ee50882583ce12f, see ticket #8335.

For future tickets: Please test current FFmpeg git head and please attach samples, do not provide encodings (note that the base64 that you provided did not allow reproducing the issue originally).

comment:2 by Carl Eugen Hoyos, 4 years ago

Allow me to add that it is not welcome to open the same ticket again and please understand that in general there is no release support on this bug tracker.

comment:3 by andreafioraldi, 4 years ago

Oki, np for the files upload. Sorry for the double report, I didn't realize that it is the same bug that I reported months ago (different functions but same root cause); for sure next time I'll test with git master.
