[issue2502] ffmpeg crashes for pcm audio with invalid sample_size

2011-01-11 Thread Carl Eugen Hoyos

Carl Eugen Hoyos ceho...@rainbow.studorg.tuwien.ac.at added the comment:

Fixed in r26309.

--
status: open -> closed
substatus: analyzed -> fixed


FFmpeg issue tracker iss...@roundup.ffmpeg.org
https://roundup.ffmpeg.org/issue2502



[issue2502] ffmpeg crashes for pcm audio with invalid sample_size

2011-01-07 Thread Justin Ruggles

Justin Ruggles justin.rugg...@gmail.com added the comment:

The heart of the issue seems to be that voc_get_packet() changes the codec_id
when reading each packet based on input stream data.  If a file is damaged, a
random value will most likely make it CODEC_ID_NONE since there are only 8 valid
codec_id's for it to choose from.  voc_get_packet() should be fixed to check for
an invalid codec_id, and the pcm decoder should be fixed to at least not crash
when encountering such changes.





[issue2502] ffmpeg crashes for pcm audio with invalid sample_size

2011-01-07 Thread Justin Ruggles

Justin Ruggles justin.rugg...@gmail.com added the comment:

change status

--
substatus: open -> analyzed





[issue2502] ffmpeg crashes for pcm audio with invalid sample_size

2011-01-07 Thread Carl Eugen Hoyos

Carl Eugen Hoyos ceho...@rainbow.studorg.tuwien.ac.at added the comment:

First 200kb moved to /samples/ffmpeg-bugs/roundup/issue2502.

--
priority: normal -> important





[issue2502] ffmpeg crashes for pcm audio with invalid sample_size

2011-01-06 Thread Daniel Kang

New submission from Daniel Kang daniel.d.k...@gmail.com:

ffmpeg crashes with a sample_size of 0. n is then calculated by:
n = avctx->channels * sample_size. When buf_size % n is taken, a SIGFPE is raised.
The patch attached fixes this by adding a check for n=0.

The pcm audio is contained in a c93 file.

gdb run:
(gdb) r -i ../fuzzed.c93
Starting program: ffmpeg/ffmpeg_g -i ../fuzzed.c93
[Thread debugging using libthread_db enabled]
FFmpeg version git-b06938e, Copyright (c) 2000-2011 the FFmpeg developers
  built on Jan  6 2011 20:01:54 with gcc 4.4.5
  configuration: --enable-gpl --disable-pthreads
  libavutil     50.36. 0 / 50.36. 0
  libavcore      0.16. 0 /  0.16. 0
  libavcodec    52.103. 1 / 52.103. 1
  libavformat   52.92. 0 / 52.92. 0
  libavdevice   52. 2. 3 / 52. 2. 3
  libavfilter    1.72. 0 /  1.72. 0
  libswscale     0.12. 0 /  0.12. 0

Program received signal SIGFPE, Arithmetic exception.
0x006bea5f in pcm_decode_frame (avctx=0x12090e0, data=0x77fcb010,
    data_size=0x7fffd448, avpkt=<value optimized out>) at libavcodec/pcm.c:308
308         n = buf_size/sample_size;
(gdb) bt
#0  0x006bea5f in pcm_decode_frame (avctx=0x12090e0,
    data=0x77fcb010, data_size=0x7fffd448, avpkt=<value optimized out>) at
    libavcodec/pcm.c:308
#1  0x00755fdf in avcodec_decode_audio3 (avctx=0x12090e0, samples=0x0,
    frame_size_ptr=0x0, avpkt=0x77fcb010) at libavcodec/utils.c:677
#2  0x004d7610 in try_decode_frame (ic=0x1200510) at
    libavformat/utils.c:2088
#3  av_find_stream_info (ic=0x1200510) at libavformat/utils.c:2361
#4  0x0043124b in opt_input_file (filename=0x7fffdb06
    "../fuzzed.c93") at ffmpeg.c:3214
#5  0x0043b40c in parse_options (argc=3, argv=0x7fffd768,
    options=<value optimized out>, parse_arg_function=0x437e20 <opt_output_file>) at
    cmdutils.c:208
#6  0x00437412 in main (argc=3, argv=0x7fffd768) at ffmpeg.c:4343
(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x6bea3f to 0x6bea7f:
0x006bea3f <pcm_decode_frame+175>:  movl   $0x0,(%r12)
0x006bea47 <pcm_decode_frame+183>:  mov    %eax,%edx
0x006bea49 <pcm_decode_frame+185>:  shr    $0x1f,%edx
0x006bea4c <pcm_decode_frame+188>:  lea    (%rdx,%rax,1),%eax
0x006bea4f <pcm_decode_frame+191>:  sar    %eax
0x006bea51 <pcm_decode_frame+193>:  cmp    %eax,%r13d
0x006bea54 <pcm_decode_frame+196>:  mov    %eax,%edx
0x006bea56 <pcm_decode_frame+198>:  cmovle %r13d,%edx
0x006bea5a <pcm_decode_frame+202>:  mov    %edx,%eax
0x006bea5c <pcm_decode_frame+204>:  sar    $0x1f,%edx
0x006bea5f <pcm_decode_frame+207>:  idiv   %esi
0x006bea61 <pcm_decode_frame+209>:  mov    0x98(%rbx),%rdx
0x006bea68 <pcm_decode_frame+216>:  mov    0xc(%rdx),%edx
0x006bea6b <pcm_decode_frame+219>:  sub    $0x1,%edx
0x006bea71 <pcm_decode_frame+225>:  cmp    $0x19,%edx
0x006bea74 <pcm_decode_frame+228>:  jbe    0x6bea90 <pcm_decode_frame+256>
0x006bea76 <pcm_decode_frame+230>:  mov    $0x,%eax
0x006bea7b <pcm_decode_frame+235>:  add    $0x208,%rsp
End of assembler dump.
(gdb) info all-registers
rax            0x3768           14184
rbx            0x12090e0        18911456
rcx            0x77fcb010       140737353920528
rdx            0x0              0
rsi            0x0              0
rdi            0x0              0
rbp            0x77fcb010       0x77fcb010
rsp            0x7fffcee0       0x7fffcee0
r8             0x2ee00          192000
r9             0x2ee00          192000
r10            0x22             34
r11            0x246            582
r12            0x7fffd448       140737488344136
r13            0x3768           14184
r14            0x122f070        19066992
r15            0x12164b0        18965680
rip            0x6bea5f         0x6bea5f <pcm_decode_frame+207>
eflags         0x10246          [ PF ZF IF RF ]
cs             0x33             51
ss             0x2b             43
ds             0x0              0
es             0x0              0
fs             0x0              0
gs             0x0              0
st0            0                (raw 0x)
st1            0                (raw 0x)
st2            0                (raw 0x)
st3            0                (raw 0x)
st4            0                (raw 0x)
st5            0                (raw 0x)
st6            0                (raw 0x)
st7            0                (raw 0x)
fctrl          0x37f            895
fstat          0x0              0
ftag           0x               65535
fiseg          0x0              0
fioff          0x0              0
foseg          0x0              0
fooff          0x0              0
fop            0x0              0
xmm0           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
    v16_int8 = {0xd8, 0x20, 0x87, 0x8f, 0x69, 0x61, 0x6d, 0x3f, 0x0, 0x0, 0x0, 0x0,
    0x0, 0x0, 0x0, 0x0}, v8_int16 = {0x20d8, 0x8f87, 0x6169, 0x3f6d, 0x0, 0x0, 0x0, 0x0},
    v4_int32 = {0x8f8720d8, 0x3f6d6169, 0x0, 0x0}, v2_int64 = 
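The two checks this thread converges on, the demuxer-side rejection of a packet whose in-file tag maps to no valid codec id (Justin Ruggles' analysis of voc_get_packet) and the decoder-side refusal of sample_size == 0 before n = channels * sample_size is used as a divisor (the SIGFPE in the report above), as one added example. This is a simplified model written for this page, not FFmpeg's code or the attached patch: the enum values, the tag bytes, the packet sizes and the function names lookup_codec, codec_sample_size, pcm_frame_samples and handle_packet are all constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model, written for this page, of the two checks discussed in
 * the thread; this is not FFmpeg's code and all names here are hypothetical.
 * 1. A demuxer that derives the codec id from a per-packet tag in the file
 *    must reject tags it cannot map instead of storing an invalid id.
 * 2. A PCM decoder must refuse sample_size == 0 (and thus n == 0) before it
 *    computes buf_size % n and buf_size / sample_size, the integer division
 *    that raised SIGFPE in the report. */

enum pcm_codec {
    PCM_NONE = 0,   /* stands in for CODEC_ID_NONE: unknown or invalid */
    PCM_U8, PCM_S16LE, PCM_S16BE, PCM_S24LE, PCM_S32LE, PCM_ALAW, PCM_MULAW,
    PCM_F32LE       /* eight valid ids, matching the count given in the thread */
};

#define PCM_ERR_INVALID (-1)

/* Constructed tag table: the tag bytes are made up for this example. */
struct tag_map { uint8_t tag; enum pcm_codec codec; int sample_size; };
static const struct tag_map tag_table[] = {
    {0x00, PCM_U8, 1},    {0x04, PCM_S16LE, 2}, {0x05, PCM_S16BE, 2},
    {0x06, PCM_S24LE, 3}, {0x07, PCM_S32LE, 4}, {0x10, PCM_ALAW, 1},
    {0x11, PCM_MULAW, 1}, {0x20, PCM_F32LE, 4},
};
#define TAG_COUNT ((int)(sizeof tag_table / sizeof tag_table[0]))

/* Map an in-file tag to a codec id; unknown tags yield PCM_NONE. */
enum pcm_codec lookup_codec(uint8_t tag)
{
    for (int i = 0; i < TAG_COUNT; i++)
        if (tag_table[i].tag == tag)
            return tag_table[i].codec;
    return PCM_NONE;
}

/* Bytes per sample for a codec id, 0 for PCM_NONE. */
int codec_sample_size(enum pcm_codec codec)
{
    for (int i = 0; i < TAG_COUNT; i++)
        if (tag_table[i].codec == codec)
            return tag_table[i].sample_size;
    return 0;
}

/* Decoder-side check. n = channels * sample_size is the frame size in
 * bytes; buf_size is truncated to whole frames with buf_size % n and then
 * divided by sample_size, so both divisors must be non-zero. Returns the
 * number of samples in the buffer, or PCM_ERR_INVALID. */
int pcm_frame_samples(int channels, int sample_size, int buf_size)
{
    if (sample_size <= 0 || channels <= 0 || buf_size < 0)
        return PCM_ERR_INVALID;    /* would otherwise divide by zero */
    int n = channels * sample_size;
    buf_size -= buf_size % n;      /* drop a trailing partial frame */
    return buf_size / sample_size;
}

/* Demuxer-side check: a packet whose tag maps to PCM_NONE is rejected and
 * *stream_codec is left untouched, instead of the stream's codec id being
 * switched to an invalid value that the decoder then trips over. */
int handle_packet(uint8_t tag, int channels, int buf_size,
                  enum pcm_codec *stream_codec)
{
    enum pcm_codec codec = lookup_codec(tag);
    if (codec == PCM_NONE)
        return PCM_ERR_INVALID;
    *stream_codec = codec;
    return pcm_frame_samples(channels, codec_sample_size(codec), buf_size);
}

/* Stream state shared by the demo below. */
static enum pcm_codec demo_codec = PCM_NONE;

int main(void)
{
    /* Constructed packets: a 16-bit stereo one, then one with a fuzzed tag;
     * 14184 bytes is a constructed packet size. */
    int ok  = handle_packet(0x04, 2, 14184, &demo_codec);
    int bad = handle_packet(0xFF, 2, 14184, &demo_codec);
    printf("valid packet: samples=%d codec=%d\n", ok, demo_codec);
    printf("fuzzed packet: rc=%d, codec left as %d\n", bad, demo_codec);
    printf("sample_size 0 direct: rc=%d\n", pcm_frame_samples(2, 0, 14184));
    return 0;
}
```

Both checks are kept even though either alone prevents this particular crash: the demuxer check stops a damaged file from rewriting the stream's codec id per packet, and the decoder check keeps the PCM path safe when it is reached from any other container with a zero sample size.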

[issue2502] ffmpeg crashes for pcm audio with invalid sample_size

2011-01-06 Thread Daniel Kang

Daniel Kang daniel.d.k...@gmail.com added the comment:

I have uploaded a sample to /MPlayer/incoming/pcm_mod_by_zero_issue2502.

