[FFmpeg-trac] #8327(avcodec:new): divide by zero in libavcodec/tiff.c
FFmpeg
trac at avcodec.org
Tue Oct 22 12:15:54 EEST 2019
#8327: divide by zero in libavcodec/tiff.c
---------------------------------+---------------------------------------
Reporter: cstubbs | Type: defect
Status: new | Priority: normal
Component: avcodec | Version: unspecified
Keywords: | Blocked By:
Blocking: | Reproduced by developer: 0
Analyzed by developer: 0 |
---------------------------------+---------------------------------------
Summary of the bug:
An unsigned integer divide by zero (SIGFPE) is raised in tiff_decode_tag() while decoding a fuzzed TIFF file. The faulting statement is `s->black_level = value / value2;` (libavcodec/tiff.c:1417); the disassembly and register dump below show that the divisor (%ecx, i.e. value2, the result of the second ff_tget() call) is 0 at the `div %ecx` instruction, so a zero check on value2 before the division is the obvious mitigation.
How to reproduce:
{{{
% ffmpeg -i bdcdaac0fbbef8413cf23a4f67c033da1ff5e1fc.out -f null /dev/null
}}}
ffmpeg version N-95495-gf7f4691 Copyright (c) 2000-2019 the FFmpeg developers
built with clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final)
configuration: --prefix=/home/chris/ffmpeg_build --pkg-config-flags=--static --extra-cflags=-I/home/chris/ffmpeg_build/include --extra-ldflags=-L/home/chris/ffmpeg_build/lib --extra-libs='-lpthread -lm' --bindir=/home/chris/bin --assert-level=2 --disable-ffplay --disable-ffprobe --disable-doc --disable-shared --cc=afl-clang --cxx=afl-clang++ --enable-gpl --enable-libaom --enable-libass --enable-libfdk-aac --enable-libfreetype --enable-libmp3lame --enable-libopus --enable-libvorbis --enable-libvpx --enable-libx264 --enable-libx265 --enable-nonfree
libavutil 56. 35.101 / 56. 35.101
libavcodec 58. 59.102 / 58. 59.102
libavformat 58. 33.100 / 58. 33.100
libavdevice 58. 9.100 / 58. 9.100
libavfilter 7. 64.100 / 7. 64.100
libswscale 5. 6.100 / 5. 6.100
libswresample 3. 6.100 / 3. 6.100
libpostproc 55. 6.100 / 55. 6.100
Program received signal SIGFPE, Arithmetic exception.
0x00000000010391e7 in tiff_decode_tag (s=<optimized out>, frame=<optimized out>) at libavcodec/tiff.c:1417
1417 s->black_level = value / value2;
(gdb) bt
#0 0x00000000010391e7 in tiff_decode_tag (s=<optimized out>, frame=<optimized out>) at libavcodec/tiff.c:1417
#1 decode_frame (avctx=0x3539e80, data=<optimized out>, got_frame=0x7fffffffd3fc, avpkt=0x353af00) at libavcodec/tiff.c:1772
#2 0x0000000000ae4fad in decode_simple_internal (avctx=<optimized out>,
frame=<optimized out>) at libavcodec/decode.c:432
#3 decode_simple_receive_frame (avctx=<optimized out>, frame=<optimized
out>)
at libavcodec/decode.c:628
#4 decode_receive_frame_internal (avctx=0x3539e80, frame=0x353ab80)
at libavcodec/decode.c:646
#5 0x0000000000ae4d3a in avcodec_send_packet (avctx=0x3539e80,
avpkt=0x7fffffffd490)
at libavcodec/decode.c:704
#6 0x00000000009b7b7b in try_decode_frame (s=<optimized out>,
st=0x35393c0,
avpkt=<optimized out>, options=<optimized out>) at
libavformat/utils.c:3113
#7 0x00000000009b4750 in avformat_find_stream_info (ic=<optimized out>,
options=<optimized out>) at libavformat/utils.c:3939
#8 0x000000000040cbc6 in open_input_file (o=0x7fffffffd870,
filename=0x7fffffffe30f
"/home/chris/stage1/bdcdaac0fbbef8413cf23a4f67c033da1ff5e1fc.out") at
fftools/ffmpeg_opt.c:1127
#9 0x000000000040be4a in open_files (l=0x35375d8, inout=0x2458307
"input",
open_file=0x40c0a0 <open_input_file>) at fftools/ffmpeg_opt.c:3283
#10 0x000000000040bbd5 in ffmpeg_parse_options (argc=<optimized out>,
argv=<optimized out>) at fftools/ffmpeg_opt.c:3323
#11 0x0000000000429f79 in main (argc=10, argv=0x7fffffffdf28)
at fftools/ffmpeg.c:4862
(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0x10391c7 to 0x1039207:
0x00000000010391c7 <decode_frame+6631>: mov %rbp,%rdi
0x00000000010391ca <decode_frame+6634>: callq 0x1042ba0 <ff_tget>
0x00000000010391cf <decode_frame+6639>: mov %eax,%ebx
0x00000000010391d1 <decode_frame+6641>: mov (%r15),%edx
0x00000000010391d4 <decode_frame+6644>: mov $0x4,%esi
0x00000000010391d9 <decode_frame+6649>: mov %rbp,%rdi
0x00000000010391dc <decode_frame+6652>: callq 0x1042ba0 <ff_tget>
0x00000000010391e1 <decode_frame+6657>: mov %eax,%ecx
0x00000000010391e3 <decode_frame+6659>: xor %edx,%edx
0x00000000010391e5 <decode_frame+6661>: mov %ebx,%eax
=> 0x00000000010391e7 <decode_frame+6663>: div %ecx
0x00000000010391e9 <decode_frame+6665>: jmpq 0x103a3b5 <decode_frame+11221>
0x00000000010391ee <decode_frame+6670>: mov 0x288(%rsp),%eax
0x00000000010391f5 <decode_frame+6677>: mov 0x88(%rsp),%rbx
0x00000000010391fd <decode_frame+6685>: mov (%rbx),%ebp
0x00000000010391ff <decode_frame+6687>: mov $0x1,%edx
0x0000000001039204 <decode_frame+6692>: mov %ebp,%ecx
0x0000000001039206 <decode_frame+6694>: shl %cl,%edx
End of assembler dump.
(gdb) info all-registers
rax 0x0 0
rbx 0x0 0
rcx 0x0 0
rdx 0x0 0
rsi 0x0 0
rdi 0x7ffff7f9a050 140737353719888
rbp 0x7ffff7f9a050 0x7ffff7f9a050
rsp 0x7fffffffd030 0x7fffffffd030
r8 0x7fffffffd2b8 140737488343736
r9 0x7fffffffd2fc 140737488343804
r10 0x13c 316
r11 0x353eb9c 55831452
r12 0x7ffff7f9a040 140737353719872
r13 0x353af00 55815936
r14 0x1 1
r15 0x7ffff7f9a49c 140737353720988
rip 0x10391e7 0x10391e7 <decode_frame+6663>
eflags 0x10246 [ PF ZF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
st0 0 (raw 0x00000000000000000000)
st1 0 (raw 0x00000000000000000000)
--
Ticket URL: <https://trac.ffmpeg.org/ticket/8327>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker