[FFmpeg-trac] #8484(avcodec:closed): UBSan: division by zero

FFmpeg trac at avcodec.org
Sun Jan 19 14:49:26 EET 2020


#8484: UBSan: division by zero
-------------------------------------+-------------------------------------
             Reporter:               |                    Owner:
  andreafioraldi                     |
                 Type:  defect       |                   Status:  closed
             Priority:  important    |                Component:  avcodec
              Version:  unspecified  |               Resolution:  fixed
             Keywords:  bintext      |               Blocked By:
  crash fpe                          |
             Blocking:               |  Reproduced by developer:  0
Analyzed by developer:  0            |
-------------------------------------+-------------------------------------
Changes (by cehoyos):

 * keywords:  sigfpe => bintext crash fpe
 * status:  new => closed
 * version:  4.2 => unspecified
 * resolution:   => fixed


Old description:

> Build ffmpeg 4.2.2 using clang and ubsan (-fsanitize=undefined).
> Command line: ./ffmpeg.ubsan -y -i ./input -c:v mpeg4 -c:a out.mp4
> Output:
> ffmpeg version 4.2.2 Copyright (c) 2000-2019 the FFmpeg developers
>   built with clang version 8.0.0-3~ubuntu18.04.2 (tags/RELEASE_800/final)
>   configuration: --cc=clang-8 --cxx=clang++-8 --ld=clang-8
>   libavutil      56. 31.100 / 56. 31.100
>   libavcodec     58. 54.100 / 58. 54.100
>   libavformat    58. 29.100 / 58. 29.100
>   libavdevice    58.  8.100 / 58.  8.100
>   libavfilter     7. 57.100 /  7. 57.100
>   libswscale      5.  5.100 /  5.  5.100
>   libswresample   3.  5.100 /  3.  5.100
> Trailing options were found on the commandline.
> [bin @ 0x902f600] Format bin detected only with low score of 1,
> misdetection possible!
> libavformat/bintext.c:79:26: runtime error: division by zero
> UndefinedBehaviorSanitizer:DEADLYSIGNAL
> ==20336==ERROR: UndefinedBehaviorSanitizer: FPE on unknown address
> 0x0000013f5b4d (pc 0x0000013f5b4d bp 0x000009038601 sp 0x7fffffffd060
> T20336)
>     #0 0x13f5b4c in calculate_height
> /home/andrea/Videos/ffmpeg-4.2.2/libavformat/bintext.c:79:26
>     #1 0x13f2dfb in bintext_read_header
> /home/andrea/Videos/ffmpeg-4.2.2/libavformat/bintext.c:198:13
>     #2 0x197213c in avformat_open_input
> /home/andrea/Videos/ffmpeg-4.2.2/libavformat/utils.c:631:20
>     #3 0x42f3e7 in open_input_file
> /home/andrea/Videos/ffmpeg-4.2.2/fftools/ffmpeg_opt.c:1104:11
>     #4 0x42d24e in open_files
> /home/andrea/Videos/ffmpeg-4.2.2/fftools/ffmpeg_opt.c:3275:15
>     #5 0x42cf3f in ffmpeg_parse_options
> /home/andrea/Videos/ffmpeg-4.2.2/fftools/ffmpeg_opt.c:3315:11
>     #6 0x487003 in main
> /home/andrea/Videos/ffmpeg-4.2.2/fftools/ffmpeg.c:4872:11
>     #7 0x7ffff61aab96 in __libc_start_main /build/glibc-
> OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
>     #8 0x407769 in _start
> (/home/andrea/Videos/ffmpeg-4.2.2/ffmpeg_g+0x407769)
>
> UndefinedBehaviorSanitizer can not provide additional info.
> ==20336==ABORTING
>
> Note that you need UBSan to get the stacktrace but it is not needed to
> reproduce the crash, the process gets a SIGFPE.
>
> The bug seems to be when par->width is controlled:
> static void calculate_height(AVCodecParameters *par, uint64_t fsize)
> {
>     par->height = (fsize / ((par->width>>3)*2)) << 4;
> }
>
> I attach a minimal input that triggers the bug in base64:
> YHR//wAAEQAAZAAnBv8AaDgACAB/6Pb29vb29vcELhYAAP//3v//AACV/wAHAAAAAAAQAAEAAAAAAAIAAAAOAP/t/wAAAABMAAAAAbUAAEgADAwMDEAnDAwGAgcMDAwMAAAAAIv9/u8AAAABZAAQBv8AVFe1dTZUVFRURlRU5wB//93//YAAAAQAAAAAAAAAAADzAFNBVUNFMDA7NDBtTnZpaAD29vb2LfoAAPpTQVVDRTD///9/bU52aWgA9vb29hf3CP//3gAAAABXkHU2AAAAEBobSzA7MzA7////f3R/AAAixhVkAAAAAGAoYHR//wAFAQAAMQAAAP8AMlRUV5oAgAAAAABkACAZAEZNUDQA3xEA

New description:

 Build ffmpeg 4.2.2 using clang and ubsan (-fsanitize=undefined).
 Command line: ./ffmpeg.ubsan -y -i ./input -c:v mpeg4 -c:a out.mp4
 Output:
 {{{
 ffmpeg version 4.2.2 Copyright (c) 2000-2019 the FFmpeg developers
   built with clang version 8.0.0-3~ubuntu18.04.2 (tags/RELEASE_800/final)
   configuration: --cc=clang-8 --cxx=clang++-8 --ld=clang-8
   libavutil      56. 31.100 / 56. 31.100
   libavcodec     58. 54.100 / 58. 54.100
   libavformat    58. 29.100 / 58. 29.100
   libavdevice    58.  8.100 / 58.  8.100
   libavfilter     7. 57.100 /  7. 57.100
   libswscale      5.  5.100 /  5.  5.100
   libswresample   3.  5.100 /  3.  5.100
 Trailing options were found on the commandline.
 [bin @ 0x902f600] Format bin detected only with low score of 1,
 misdetection possible!
 libavformat/bintext.c:79:26: runtime error: division by zero
 UndefinedBehaviorSanitizer:DEADLYSIGNAL
 ==20336==ERROR: UndefinedBehaviorSanitizer: FPE on unknown address
 0x0000013f5b4d (pc 0x0000013f5b4d bp 0x000009038601 sp 0x7fffffffd060
 T20336)
     #0 0x13f5b4c in calculate_height
 /home/andrea/Videos/ffmpeg-4.2.2/libavformat/bintext.c:79:26
     #1 0x13f2dfb in bintext_read_header
 /home/andrea/Videos/ffmpeg-4.2.2/libavformat/bintext.c:198:13
     #2 0x197213c in avformat_open_input
 /home/andrea/Videos/ffmpeg-4.2.2/libavformat/utils.c:631:20
     #3 0x42f3e7 in open_input_file
 /home/andrea/Videos/ffmpeg-4.2.2/fftools/ffmpeg_opt.c:1104:11
     #4 0x42d24e in open_files
 /home/andrea/Videos/ffmpeg-4.2.2/fftools/ffmpeg_opt.c:3275:15
     #5 0x42cf3f in ffmpeg_parse_options
 /home/andrea/Videos/ffmpeg-4.2.2/fftools/ffmpeg_opt.c:3315:11
     #6 0x487003 in main
 /home/andrea/Videos/ffmpeg-4.2.2/fftools/ffmpeg.c:4872:11
     #7 0x7ffff61aab96 in __libc_start_main /build/glibc-
 OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
     #8 0x407769 in _start
 (/home/andrea/Videos/ffmpeg-4.2.2/ffmpeg_g+0x407769)

 UndefinedBehaviorSanitizer can not provide additional info.
 ==20336==ABORTING
 }}}
 Note that you need UBSan to get the stacktrace but it is not needed to
 reproduce the crash, the process gets a SIGFPE.

 The bug seems to be when par->width is controlled:
 {{{
 static void calculate_height(AVCodecParameters *par, uint64_t fsize)
 {
     /* divisor (par->width>>3)*2 is 0 for any par->width below 8 */
     par->height = (fsize / ((par->width>>3)*2)) << 4;
 }
 }}}

 I attach a minimal input that triggers the bug in base64:
 {{{
 YHR//wAAEQAAZAAnBv8AaDgACAB/6Pb29vb29vcELhYAAP//3v//AACV/wAHAAAAAAAQAAEAAAAAAAIAAAAOAP/t/wAAAABMAAAAAbUAAEgADAwMDEAnDAwGAgcMDAwMAAAAAIv9/u8AAAABZAAQBv8AVFe1dTZUVFRURlRU5wB//93//YAAAAQAAAAAAAAAAADzAFNBVUNFMDA7NDBtTnZpaAD29vb2LfoAAPpTQVVDRTD///9/bU52aWgA9vb29hf3CP//3gAAAABXkHU2AAAAEBobSzA7MzA7////f3R/AAAixhVkAAAAAGAoYHR//wAFAQAAMQAAAP8AMlRUV5oAgAAAAABkACAZAEZNUDQA3xEA
 }}}

--

Comment:

 Fixed in 19bfd7212695b456352e258c9ee50882583ce12f, see ticket #8335.

 For future tickets: Please test current FFmpeg git head and please attach
 samples, do not provide encodings (note that the base64 that you provided
 did not allow reproducing the issue originally).
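The snippet in the description divides by (par->width>>3)*2, which is zero for every width below 8. As an added example (not FFmpeg's code and not the fix referenced above), here is the same computation with the operand validated before the divisor is formed; the function names, the errno-style return codes and the 8x16-pixel, 2-bytes-per-cell layout inferred from the original formula are assumptions:

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Guarded form of the bintext height computation (example, not FFmpeg's).
 * Layout assumed from the formula: one cell is 8 px wide, 16 px tall and
 * 2 bytes long, so bytes_per_row = (width >> 3) * 2 and height = rows << 4.
 * Returns 0 on success, -EINVAL for an unusable width, -ERANGE when the
 * height would not fit in an int.
 */
int bintext_calculate_height(int width, uint64_t fsize, int *height)
{
    /* (width >> 3) * 2 is 0 for any width in 0..7: the SIGFPE in the
     * report. A negative width is rejected too: shifting it right is
     * implementation-defined and the negative divisor would wrap to a
     * huge uint64_t, silently producing height 0. */
    if (width < 8)
        return -EINVAL;

    uint64_t bytes_per_row = ((uint64_t)width >> 3) * 2;  /* never 0 here */
    uint64_t rows = fsize / bytes_per_row;

    /* rows << 4 must still be representable as int */
    if (rows > (uint64_t)(INT_MAX >> 4))
        return -ERANGE;

    *height = (int)(rows << 4);
    return 0;
}

/* Convenience wrapper: height on success, negative return code on error. */
long long height_or_error(int width, uint64_t fsize)
{
    int h = 0;
    int rc = bintext_calculate_height(width, fsize, &h);
    return rc < 0 ? rc : h;
}

int main(void)
{
    /* Constructed sample widths; 80 is the usual BinText column count. */
    const int widths[] = { 80, 8, 7, 0, -1 };
    const uint64_t fsize = 4000;  /* constructed file size in bytes */
    for (size_t i = 0; i < sizeof widths / sizeof widths[0]; i++)
        printf("width %4d -> %lld\n", widths[i], height_or_error(widths[i], fsize));
    return 0;
}
```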

--
Ticket URL: <https://trac.ffmpeg.org/ticket/8484#comment:1>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker