[FFmpeg-trac] #8484(avcodec:new): UBSan: division by zero
FFmpeg
trac at avcodec.org
Sun Jan 19 12:08:31 EET 2020
Reporter: andreafioraldi       | Type: defect
Status: new                    | Priority: important
Component: avcodec             | Version: 4.2
Keywords: sigfpe               | Blocked By:
Blocking:                      | Reproduced by developer: 0
Analyzed by developer: 0       |
Build ffmpeg 4.2.2 using clang and ubsan (-fsanitize=undefined).
Command line: ./ffmpeg.ubsan -y -i ./input -c:v mpeg4 -c:a out.mp4
Output:
ffmpeg version 4.2.2 Copyright (c) 2000-2019 the FFmpeg developers
built with clang version 8.0.0-3~ubuntu18.04.2 (tags/RELEASE_800/final)
configuration: --cc=clang-8 --cxx=clang++-8 --ld=clang-8
libavutil 56. 31.100 / 56. 31.100
libavcodec 58. 54.100 / 58. 54.100
libavformat 58. 29.100 / 58. 29.100
libavdevice 58. 8.100 / 58. 8.100
libavfilter 7. 57.100 / 7. 57.100
libswscale 5. 5.100 / 5. 5.100
libswresample 3. 5.100 / 3. 5.100
Trailing options were found on the commandline.
[bin @ 0x902f600] Format bin detected only with low score of 1, misdetection possible!
libavformat/bintext.c:79:26: runtime error: division by zero
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==20336==ERROR: UndefinedBehaviorSanitizer: FPE on unknown address
0x0000013f5b4d (pc 0x0000013f5b4d bp 0x000009038601 sp 0x7fffffffd060
T20336)
#0 0x13f5b4c in calculate_height
/home/andrea/Videos/ffmpeg-4.2.2/libavformat/bintext.c:79:26
#1 0x13f2dfb in bintext_read_header
/home/andrea/Videos/ffmpeg-4.2.2/libavformat/bintext.c:198:13
#2 0x197213c in avformat_open_input
/home/andrea/Videos/ffmpeg-4.2.2/libavformat/utils.c:631:20
#3 0x42f3e7 in open_input_file
/home/andrea/Videos/ffmpeg-4.2.2/fftools/ffmpeg_opt.c:1104:11
#4 0x42d24e in open_files
/home/andrea/Videos/ffmpeg-4.2.2/fftools/ffmpeg_opt.c:3275:15
#5 0x42cf3f in ffmpeg_parse_options
/home/andrea/Videos/ffmpeg-4.2.2/fftools/ffmpeg_opt.c:3315:11
#6 0x487003 in main
/home/andrea/Videos/ffmpeg-4.2.2/fftools/ffmpeg.c:4872:11
#7 0x7ffff61aab96 in __libc_start_main /build/glibc-
OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#8 0x407769 in _start
(/home/andrea/Videos/ffmpeg-4.2.2/ffmpeg_g+0x407769)
UndefinedBehaviorSanitizer can not provide additional info.
==20336==ABORTING
Note that you need UBSan to get the stack trace, but it is not needed to reproduce the crash: the process gets a SIGFPE.
The bug seems to be here, when par->width is controlled:
static void calculate_height(AVCodecParameters *par, uint64_t fsize)
{
    /* divisor (par->width>>3)*2 is 0 for any width below 8 */
    par->height = (fsize / ((par->width>>3)*2)) << 4;
}
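Added example (not from the ticket and not FFmpeg's own fix): a hardened variant of the function above that rejects the input before the divisor can become zero. The divisor (par->width>>3)*2 is 0 for any width below 8, so a width read from the file header is enough to raise SIGFPE. The CodecParams struct stands in for the two AVCodecParameters fields used here, and the names calculate_height_checked and demo_height are assumptions introduced for this example.

```c
#include <assert.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the two AVCodecParameters fields the function touches
   (constructed for this example; not the real FFmpeg struct). */
typedef struct {
    int width;
    int height;
} CodecParams;

/*
 * Hardened variant of calculate_height (added here; not FFmpeg's own fix).
 * The original divides fsize by (par->width >> 3) * 2, which is 0 for any
 * width below 8, so an attacker-controlled width crashes the process with
 * SIGFPE. Validate the divisor before dividing and bound the quotient so
 * the uint64 -> int store cannot overflow. Returns 0 on success, -1 when
 * the parameters are rejected (par->height is left untouched).
 */
int calculate_height_checked(CodecParams *par, uint64_t fsize)
{
    uint64_t divisor, quotient;

    if (par->width < 8)               /* (width >> 3) would be 0: zero divisor */
        return -1;

    divisor  = (uint64_t)(par->width >> 3) * 2;
    quotient = fsize / divisor;
    if (quotient > ((uint64_t)INT_MAX >> 4))   /* quotient << 4 must fit in int */
        return -1;

    par->height = (int)(quotient << 4);
    return 0;
}

/* Convenience wrapper: computed height for (width, fsize), or -1 if rejected. */
int demo_height(int width, uint64_t fsize)
{
    CodecParams par = { width, 0 };
    if (calculate_height_checked(&par, fsize) != 0)
        return -1;
    return par.height;
}

int main(void)
{
    /* width 0 has the shape of the reporter's crash; width 80 is a normal case */
    printf("width 0,  fsize 1000 -> %d\n", demo_height(0, 1000));
    printf("width 80, fsize 1000 -> %d\n", demo_height(80, 1000));
    return 0;
}
```

With the check in place, a width below 8 returns an error the caller can turn into AVERROR_INVALIDDATA instead of a crash, and the same structure catches file sizes that would otherwise wrap when shifted into an int.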
I attach a minimal input that triggers the bug in base64:
YHR//wAAEQAAZAAnBv8AaDgACAB/6Pb29vb29vcELhYAAP//3v//AACV/wAHAAAAAAAQAAEAAAAAAAIAAAAOAP/t/wAAAABMAAAAAbUAAEgADAwMDEAnDAwGAgcMDAwMAAAAAIv9/u8AAAABZAAQBv8AVFe1dTZUVFRURlRU5wB//93//YAAAAQAAAAAAAAAAADzAFNBVUNFMDA7NDBtTnZpaAD29vb2LfoAAPpTQVVDRTD///9/bU52aWgA9vb29hf3CP//3gAAAABXkHU2AAAAEBobSzA7MzA7////f3R/AAAixhVkAAAAAGAoYHR//wAFAQAAMQAAAP8AMlRUV5oAgAAAAABkACAZAEZNUDQA3xEA
--
Ticket URL: <https://trac.ffmpeg.org/ticket/8484>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker