New submission from Daniel Kang <daniel.d.k...@gmail.com>: ffmpeg crashes on dct (electronicarts) files that declare an invalid number of channels (i.e. 0). The crash is a division by zero (SIGFPE) in ea_read_packet, at libavformat/electronicarts.c:493. The attached patch adds checks for a channel count of 0.
gdb run: (gdb) r -i ../fuzzed.dct del.mkv Starting program: /ffmpeg/ffmpeg_g -i ../fuzzed.dct del.mkv [Thread debugging using libthread_db enabled] FFmpeg version git-320d2d4, Copyright (c) 2000-2011 the FFmpeg developers built on Jan 8 2011 21:35:37 with gcc 4.4.5 configuration: --enable-gpl --disable-pthreads libavutil 50.36. 0 / 50.36. 0 libavcore 0.16. 0 / 0.16. 0 libavcodec 52.107. 0 / 52.107. 0 libavformat 52.92. 0 / 52.92. 0 libavdevice 52. 2. 3 / 52. 2. 3 libavfilter 1.72. 0 / 1.72. 0 libswscale 0.12. 0 / 0.12. 0 Program received signal SIGFPE, Arithmetic exception. 0x0000000000466c16 in ea_read_packet (s=<value optimized out>, pkt=0x7fffffffd080) at libavformat/electronicarts.c:493 493 ea->audio_frame_counter += ((chunk_size - 12) * 2) / (gdb) bt #0 0x0000000000466c16 in ea_read_packet (s=<value optimized out>, pkt=0x7fffffffd080) at libavformat/electronicarts.c:493 #1 0x00000000004d39d9 in av_read_packet (s=0x1200510, pkt=0x7fffffffd080) at libavformat/utils.c:701 #2 0x00000000004d5779 in av_read_frame_internal (s=0x1200510, pkt=0x7fffffffd390) at libavformat/utils.c:1141 #3 0x00000000004d6735 in av_find_stream_info (ic=0x1200510) at libavformat/utils.c:2287 #4 0x00000000004312db in opt_input_file (filename=0x7fffffffdafe "../fuzzed.dct") at ffmpeg.c:3214 #5 0x000000000043b49c in parse_options (argc=4, argv=0x7fffffffd758, options=<value optimized out>, parse_arg_function=0x437eb0 <opt_output_file>) at cmdutils.c:208 #6 0x00000000004374a2 in main (argc=4, argv=0x7fffffffd758) at ffmpeg.c:4345 (gdb) disass $pc-32 $pc+32 Dump of assembler code from 0x466bf6 to 0x466c36: 0x0000000000466bf6 <ea_read_packet+774>: (bad) 0x0000000000466bf7 <ea_read_packet+775>: js 0x466bf8 <ea_read_packet+776> 0x0000000000466bf9 <ea_read_packet+777>: ljmpq *<internal disassembler error> 0x0000000000466bfb <ea_read_packet+779>: adc %edi,%ebp 0x0000000000466bfd <ea_read_packet+781>: (bad) 0x0000000000466bfe <ea_read_packet+782>: callq *0x1e1c8d41(%rax) 0x0000000000466c04 
<ea_read_packet+788>: mov %ebx,0x24(%r12) 0x0000000000466c09 <ea_read_packet+793>: jmpq 0x466a68 <ea_read_packet+376> 0x0000000000466c0e <ea_read_packet+798>: xchg %ax,%ax 0x0000000000466c10 <ea_read_packet+800>: lea -0x18(%rbp,%rbp,1),%eax 0x0000000000466c14 <ea_read_packet+804>: xor %edx,%edx 0x0000000000466c16 <ea_read_packet+806>: divl 0x30(%r12) 0x0000000000466c1b <ea_read_packet+811>: add %ebx,%eax 0x0000000000466c1d <ea_read_packet+813>: mov %eax,0x24(%r12) 0x0000000000466c22 <ea_read_packet+818>: jmpq 0x466a68 <ea_read_packet+376> 0x0000000000466c27 <ea_read_packet+823>: nopw 0x0(%rax,%rax,1) 0x0000000000466c30 <ea_read_packet+832>: mov %rbx,%rdi 0x0000000000466c33 <ea_read_packet+835>: sub $0xc,%ebp End of assembler dump. (gdb) info all-registers rax 0xc70 3184 rbx 0x0 0 rcx 0x644 1604 rdx 0x0 0 rsi 0x5622 22050 rdi 0x7fffffffd080 140737488343168 rbp 0x644 0x644 rsp 0x7fffffffcfa0 0x7fffffffcfa0 r8 0x0 0 r9 0x0 0 r10 0xf 15 r11 0x640 1600 r12 0x12015a0 18879904 r13 0x7fffffffd080 140737488343168 r14 0x0 0 r15 0x6c444353 1816413011 rip 0x466c16 0x466c16 <ea_read_packet+806> eflags 0x10246 [ PF ZF IF RF ] cs 0x33 51 ss 0x2b 43 ds 0x0 0 es 0x0 0 fs 0x0 0 gs 0x0 0 st0 0 (raw 0x00000000000000000000) st1 0 (raw 0x00000000000000000000) st2 0 (raw 0x00000000000000000000) st3 0 (raw 0x00000000000000000000) st4 0 (raw 0x00000000000000000000) st5 0 (raw 0x00000000000000000000) st6 0 (raw 0x00000000000000000000) st7 0 (raw 0x00000000000000000000) fctrl 0x37f 895 fstat 0x0 0 ftag 0xffff 65535 fiseg 0x0 0 fioff 0x0 0 foseg 0x0 0 fooff 0x0 0 fop 0x0 0 xmm0 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0xc3, 0x80, 0x80, 0xe5, 0xb7, 0x16, 0x33, 0x3e, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0x80c3, 0xe580, 0x16b7, 0x3e33, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0xe58080c3, 0x3e3316b7, 0x0, 0x0}, v2_int64 = {0x3e3316b7e58080c3, 0x0}, uint128 = 0x00000000000000003e3316b7e58080c3} ---Type <return> to continue, or q <return> to quit--- xmm1 
{v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0, 0x84, 0xbd, 0x9c, 0xec, 0x79, 0x11, 0xbf, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0x8400, 0x9cbd, 0x79ec, 0xbf11, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x9cbd8400, 0xbf1179ec, 0x0, 0x0}, v2_int64 = {0xbf1179ec9cbd8400, 0x0}, uint128 = 0x0000000000000000bf1179ec9cbd8400} xmm2 {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0xb1, 0x3f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0x1111, 0x1111, 0x1111, 0x3fb1, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x11111111, 0x3fb11111, 0x0, 0x0}, v2_int64 = {0x3fb1111111111111, 0x0}, uint128 = 0x00000000000000003fb1111111111111} xmm3 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x65, 0x0 <repeats 15 times>}, v8_int16 = {0x65, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x65, 0x0, 0x0, 0x0}, v2_int64 = {0x65, 0x0}, uint128 = 0x00000000000000000000000000000065} xmm4 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x8000000000000000}, v16_int8 = {0x73, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x54, 0x72, 0x69, 0x65, 0x64, 0x20, 0x74, 0x6f}, v8_int16 = {0x73, 0x0, 0x0, 0x0, 0x7254, 0x6569, 0x2064, 0x6f74}, v4_int32 = {0x73, 0x0, 0x65697254, 0x6f742064}, v2_int64 = {0x73, 0x6f74206465697254}, uint128 = 0x6f742064656972540000000000000073} xmm5 {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0, 0x0, 0x0, 0xe0, 0x95, 0x9c, 0xe7, 0x3f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0x0, 0xe000, 0x9c95, 0x3fe7, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0xe0000000, 0x3fe79c95, 0x0, 0x0}, v2_int64 = {0x3fe79c95e0000000, 0x0}, uint128 = 0x00000000000000003fe79c95e0000000} xmm6 {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x1, 0x0}, v16_int8 = {0x6d, 0x7d, 0xbf, 0xbb, 0x27, 0xaf, 0xf5, 0x3f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0x7d6d, 0xbbbf, 0xaf27, 0x3ff5, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0xbbbf7d6d, 0x3ff5af27, 0x0, 0x0}, v2_int64 = 
{0x3ff5af27bbbf7d6d, 0x0}, uint128 = 0x00000000000000003ff5af27bbbf7d6d} xmm7 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x68, 0xc8, 0xbc, 0x3b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0x0, 0x0, 0xc868, 0x3bbc, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x3bbcc868, 0x0, 0x0}, v2_int64 = {0x3bbcc86800000000, 0x0}, uint128 = 0x00000000000000003bbcc86800000000} xmm8 {v4_float = {0x0, 0xfffffffd, 0x0, 0x0}, v2_double = {0xffffffffffffffd2, 0x0}, v16_int8 = {0xe0, 0xe6, 0x35, 0x67, 0x9e, 0x6, 0x47, 0xc0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0xe6e0, 0x6735, 0x69e, 0xc047, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x6735e6e0, 0xc047069e, 0x0, 0x0}, v2_int64 = { 0xc047069e6735e6e0, 0x0}, uint128 = 0x0000000000000000c047069e6735e6e0} xmm9 {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x1, 0x0}, v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf0, 0x3f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0x0, 0x0, 0x0, 0x3ff0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x3ff00000, 0x0, 0x0}, v2_int64 = {0x3ff0000000000000, 0x0}, uint128 = 0x00000000000000003ff0000000000000} xmm10 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0, 0x0, 0x46, 0x84, 0x24, 0x59, 0xd6, 0x3e, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0x0, 0x8446, 0x5924, 0x3ed6, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x84460000, 0x3ed65924, 0x0, 0x0}, v2_int64 = {0x3ed6592484460000, 0x0}, uint128 = 0x00000000000000003ed6592484460000} xmm11 {v4_float = {0x9689a800, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x6a, 0xa2, 0x65, 0x50, 0xf2, 0xea, 0x8f, 0xbd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0xa26a, 0x5065, 0xeaf2, 0xbd8f, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x5065a26a, 0xbd8feaf2, 0x0, 0x0}, v2_int64 = {0xbd8feaf25065a26a, 0x0}, uint128 = 0x0000000000000000bd8feaf25065a26a} xmm12 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x29, 0xf2, 0x88, 0x6c, 0xa6, 0x49, 0xde, 0x3e, 0x0, 0x0, 0x0, 
0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0xf229, 0x6c88, 0x49a6, 0x3ede, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x6c88f229, 0x3ede49a6, 0x0, 0x0}, v2_int64 = {0x3ede49a66c88f229, 0x0}, uint128 = 0x00000000000000003ede49a66c88f229} xmm13 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0xb3, 0x12, 0x58, 0x17, 0x64, 0x46, 0xe6, 0x3b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0x12b3, 0x1758, 0x4664, 0x3be6, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x175812b3, 0x3be64664, 0x0, 0x0}, v2_int64 = {0x3be64664175812b3, 0x0}, uint128 = 0x00000000000000003be64664175812b3} xmm14 {v4_float = {0x0, 0x3, 0x0, 0x0}, v2_double = {0x2d, 0x0}, v16_int8 = {0xc0, 0x9, 0xf2, 0x16, 0xb5, 0xdf, 0x46, 0x40, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0x9c0, 0x16f2, 0xdfb5, 0x4046, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x16f209c0, 0x4046dfb5, 0x0, 0x0}, v2_int64 = {0x4046dfb516f209c0, 0x0}, uint128 = 0x00000000000000004046dfb516f209c0} xmm15 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000} ---Type <return> to continue, or q <return> to quit--- mxcsr 0x1fa0 [ PE IM DM ZM OM UM PM ] ---------- files: dct_channel_check.diff messages: 13309 priority: normal status: open substatus: open title: ffmpeg crashes on dct files with invalid number of channels type: patch ________________________________________________ FFmpeg issue tracker <iss...@roundup.ffmpeg.org> <https://roundup.ffmpeg.org/issue2514> ________________________________________________
dct_channel_check.diff
Description: Binary data