[FFmpeg-trac] #5386(undetermined:new): svag: SIGFPE during fuzzed file demuxing
FFmpeg
trac at avcodec.org
Tue Mar 29 01:39:19 CEST 2016
#5386: svag: SIGFPE during fuzzed file demuxing
-------------------------------------+-------------------------------------
Reporter: qiubit | Type: defect
Status: new | Priority: normal
Component: undetermined | Version: unspecified
Keywords: SIGFPE crash svag | Blocked By:
Blocking: | Reproduced by developer: 0
Analyzed by developer: 0 |
-------------------------------------+-------------------------------------
Summary of the bug:
ffmpeg crashes with an arithmetic exception when trying to read a fuzzed svag
file.
How to reproduce:
{{{
ffmpeg -i fuzzIn -acodec copy -vcodec copy fuzzOut
}}}
Backtrace:
gdb
{{{
pgolinski at Ubuntu-y580:~/Dokumenty/Programowanie/git/fffuzz
head/successfulFuzzes$ gdb ../../ffmpeg/build/ffmpeg_g
GNU gdb (Ubuntu 7.10-1ubuntu2) 7.10
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ../../ffmpeg/build/ffmpeg_g...done.
(gdb) r -v 9 -loglevel 99 -i fuzzIn -acodec copy -vcodec copy fuzzOut
Starting program:
/home/pgolinski/Dokumenty/Programowanie/git/ffmpeg/build/ffmpeg_g -v 9
-loglevel 99 -i fuzzIn -acodec copy -vcodec copy fuzzOut
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
ffmpeg version N-79116-gb098e1a Copyright (c) 2000-2016 the FFmpeg
developers
built with Ubuntu clang version 3.6.2-1 (tags/RELEASE_362/final) (based
on LLVM 3.6.2)
configuration: --cc=afl-clang-fast --cxx=afl-clang-fast
--prefix=/home/pgolinski/Dokumenty/Programowanie/git/ffmpeg/build/install
libavutil 55. 19.100 / 55. 19.100
libavcodec 57. 30.100 / 57. 30.100
libavformat 57. 29.100 / 57. 29.100
libavdevice 57. 0.101 / 57. 0.101
libavfilter 6. 39.102 / 6. 39.102
libswscale 4. 0.100 / 4. 0.100
libswresample 2. 0.101 / 2. 0.101
Splitting the commandline.
Reading option '-v' ... matched as option 'v' (set logging level) with
argument '9'.
Reading option '-loglevel' ... matched as option 'loglevel' (set logging
level) with argument '99'.
Reading option '-i' ... matched as input file with argument 'fuzzIn'.
Reading option '-acodec' ... matched as option 'acodec' (force audio codec
('copy' to copy stream)) with argument 'copy'.
Reading option '-vcodec' ... matched as option 'vcodec' (force video codec
('copy' to copy stream)) with argument 'copy'.
Reading option 'fuzzOut' ... matched as output file.
Finished splitting the commandline.
Parsing a group of options: global .
Applying option v (set logging level) with argument 9.
Successfully parsed a group of options.
Parsing a group of options: input file fuzzIn.
Successfully parsed a group of options.
Opening an input file: fuzzIn.
[file @ 0x60a00000ef80] Setting default whitelist 'file,crypto'
Probing svag score:100 size:301
[svag @ 0x61b00001f180] Format svag probed with size=2048 and score=100
Program received signal SIGFPE, Arithmetic exception.
0x0000000000b686e3 in svag_read_header (s=<optimized out>) at
src/libavformat/svag.c:53
53 st->duration = size / (16 * st->codec->channels) *
28;
(gdb) -i opusFuzz1 -acodec copy -vcodec copy fuzzOut
Undefined command: "-i". Try "help".
(gdb) bt
#0 0x0000000000b686e3 in svag_read_header (s=<optimized out>) at
src/libavformat/svag.c:53
#1 0x0000000000b8c78c in avformat_open_input (ps=0x7fffffffd3a0,
filename=<optimized out>, fmt=<optimized out>, options=0x60700000df68)
at src/libavformat/utils.c:512
#2 0x000000000054083a in open_input_file (o=<optimized out>,
filename=<optimized out>) at src/ffmpeg_opt.c:949
#3 0x000000000053f40d in open_files (l=<optimized out>, inout=<optimized
out>, open_file=<optimized out>) at src/ffmpeg_opt.c:3003
#4 0x000000000053ec1f in ffmpeg_parse_options (argc=<optimized out>,
argv=<optimized out>) at src/ffmpeg_opt.c:3040
#5 0x00000000005657e1 in main (argc=<optimized out>, argv=<optimized
out>) at src/ffmpeg.c:4312
(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0xb686c3 to 0xb68703:
0x0000000000b686c3 <svag_read_header+387>: mov
0x29c718f(%rip),%esi # 0x352f858 <__afl_area_ptr>
0x0000000000b686c9 <svag_read_header+393>: xor $0x6610,%rdx
0x0000000000b686d0 <svag_read_header+400>: incb (%rsi,%rdx,1)
0x0000000000b686d3 <svag_read_header+403>: movl $0x3308,%fs:(%rax)
0x0000000000b686da <svag_read_header+410>: shl $0x4,%ecx
0x0000000000b686dd <svag_read_header+413>: xor %edx,%edx
0x0000000000b686df <svag_read_header+415>: mov 0xc(%rsp),%eax
=> 0x0000000000b686e3 <svag_read_header+419>: div %ecx
0x0000000000b686e5 <svag_read_header+421>: imul $0x1c,%eax,%eax
0x0000000000b686e8 <svag_read_header+424>: lea 0x40(%r14),%rdi
0x0000000000b686ec <svag_read_header+428>: mov %rdi,%rcx
0x0000000000b686ef <svag_read_header+431>: shr $0x3,%rcx
0x0000000000b686f3 <svag_read_header+435>: cmpb
$0x0,0x7fff8000(%rcx)
0x0000000000b686fa <svag_read_header+442>: jne 0xb6892a
<svag_read_header+1002>
0x0000000000b68700 <svag_read_header+448>: mov %rax,(%rdi)
End of assembler dump.
(gdb) info all-registers
rax 0x70707067 1886416999
rbx 0xc3600003e34 13426067783220
rcx 0x0 0
rdx 0x0 0
rsi 0x4a77720 78083872
rdi 0x61a00001f45c 107339822789724
rbp 0xbebbb1b7 0xbebbb1b7
rsp 0x7fffffffcad0 0x7fffffffcad0
r8 0x61b00001f1ac 107408542265772
r9 0x7fffffffca40 140737488341568
r10 0xc3600003e35 13426067783221
r11 0x1 1
r12 0x61800000fc88 107202383772808
r13 0x61b00001f1a0 107408542265760
r14 0x61800000fc80 107202383772800
r15 0xc3000001f91 13400297971601
rip 0xb686e3 0xb686e3 <svag_read_header+419>
eflags 0x10246 [ PF ZF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
st0 0 (raw 0x00000000000000000000)
st1 0 (raw 0x00000000000000000000)
st2 0 (raw 0x00000000000000000000)
st3 0 (raw 0x00000000000000000000)
st4 0 (raw 0x00000000000000000000)
st5 0 (raw 0x00000000000000000000)
st6 0 (raw 0x00000000000000000000)
st7 0 (raw 0x00000000000000000000)
fctrl 0x37f 895
fstat 0x0 0
ftag 0xffff 65535
fiseg 0x0 0
fioff 0x0 0
foseg 0x0 0
fooff 0x0 0
fop 0x0 0
mxcsr 0x1fa0 [ PE IM DM ZM OM UM PM ]
}}}
--
Ticket URL: <https://trac.ffmpeg.org/ticket/5386>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
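The faulting instruction is `div %ecx` with `rcx` = 0 in the register dump: `ecx` holds `16 * st->codec->channels` (the `shl $0x4,%ecx` just before it), so a fuzzed header carrying a zero channel count turns the duration formula on svag.c:53 into a division by zero. The following stand-alone C model of that header parse is an added example, not code from the ticket or from svag.c; the field layout, `HEADER_LEN`, `rl32`, `make_header`, `parse_constructed` and `ERR_INVALIDDATA` are assumptions for the demo. It shows the range check a demuxer needs on every header field that feeds a divisor.

```c
#include <stdint.h>
#include <stddef.h>
#include <limits.h>

#define ERR_INVALIDDATA (-1)   /* stand-in for AVERROR_INVALIDDATA (demo only) */
#define HEADER_LEN 16          /* assumption: four little-endian 32-bit fields */

/* Little-endian 32-bit read, the equivalent of avio_rl32(). */
static uint32_t rl32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

typedef struct { uint32_t size; int32_t sample_rate, channels; int64_t duration; } SvagHeader;
/* Hardened header parse. Field order (size, sample_rate, align, channels)
 * is an assumption for this demo, not a statement about svag.c. The
 * divisor 16 * channels is validated before the division, so a fuzzed
 * header with channels == 0 (ecx == 0 in the backtrace) is rejected. */
static int svag_read_header_checked(const uint8_t *buf, size_t len, SvagHeader *h)
{
    if (len < HEADER_LEN)
        return ERR_INVALIDDATA;
    h->size        = rl32(buf);
    h->sample_rate = (int32_t)rl32(buf + 4);   /* buf + 8: block align, unused here */
    h->channels    = (int32_t)rl32(buf + 12);
    if (h->sample_rate <= 0 || h->channels <= 0 || h->channels > INT_MAX / 16)
        return ERR_INVALIDDATA;                /* zero, negative or overflowing divisor */
    h->duration = (int64_t)(h->size / (16u * (uint32_t)h->channels)) * 28;
    return 0;
}

/* Build a constructed header from host integers (demo input, not a real file). */
static void make_header(uint8_t out[HEADER_LEN], uint32_t size, uint32_t rate,
                        uint32_t align, uint32_t channels)
{
    uint32_t v[4] = { size, rate, align, channels };
    for (int i = 0; i < 4; i++)
        for (int b = 0; b < 4; b++)
            out[i * 4 + b] = (uint8_t)(v[i] >> (8 * b));
}

/* Parse a constructed header and return its duration, or ERR_INVALIDDATA
 * when the hardened parser rejects it (e.g. the fuzzed channels == 0 case). */
static int64_t parse_constructed(uint32_t size, uint32_t channels)
{
    uint8_t hdr[HEADER_LEN]; SvagHeader h;
    make_header(hdr, size, 44100, 16, channels);
    int ret = svag_read_header_checked(hdr, sizeof hdr, &h);
    return ret < 0 ? ret : h.duration;
}
```

The size value 0x70707067 used in the test is the `eax` dividend from the register dump; the channel counts are constructed.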