New submission from Daniel Kang <[email protected]>:

ffmpeg fails the assertion "ffmpeg: libavutil/mathematics.c:79: av_rescale_rnd:
Assertion `c > 0' failed." on wav files whose header carries an invalid (here
negative) sampling rate, e.g. -2147461598 Hz. The bogus rate apparently reaches
av_rescale_rnd() as the argument `c` that this assertion guards, via
compute_pkt_fields() during av_find_stream_info() (see the backtrace below), so
a crafted file aborts the process -- a denial of service for any program that
probes untrusted media through libavformat. Adding a sanity check on the sample
rate avoids the failed assertion. Note that this is a plain libc assert()
(__assert_fail in the backtrace): in a build compiled with NDEBUG the assert is
gone and the same input would reach the rescaling with a non-positive `c`
unchecked, so the sanity check is needed regardless of the assertion. The
patch is attached.

The broken wav file was generated with zzuf.

This is the run with the sanity check applied. Note that the input stream is
still reported with the negative rate (-2147461598 Hz) and the wav muxer then
rejects it with "sample rate not set": the check appears to only stop the rate
from reaching av_rescale_rnd(), it does not make the demuxer reject the
malformed header itself.
./ffmpeg -i ../fuzzed.wav del.wav
FFmpeg version git-0a30723, Copyright (c) 2000-2011 the FFmpeg developers
  built on Jan  1 2011 19:46:06 with gcc 4.4.5
  configuration: --enable-gpl
  libavutil     50.36. 0 / 50.36. 0
  libavcore      0.16. 0 /  0.16. 0
  libavcodec    52.101. 0 / 52.101. 0
  libavformat   52.91. 0 / 52.91. 0
  libavdevice   52. 2. 2 / 52. 2. 2
  libavfilter    1.72. 0 /  1.72. 0
  libswscale     0.12. 0 /  0.12. 0
st:0 has too large timebase, reducing
[wav @ 0x11f9510] Estimating duration from bitrate, this may be inaccurate
Input #0, wav, from '../fuzzed.wav':
  Duration: 00:01:06.55, bitrate: 2802 kb/s
    Stream #0.0: Audio: pcm_s16le, -2147461598 Hz, 2 channels, s16, 705 kb/s
File 'del.wav' already exists. Overwrite ? [y/N] y
[wav @ 0x11fa7f0] sample rate not set
Output #0, wav, to 'del.wav':
    Stream #0.0: Audio: pcm_s16le, -2147461598 Hz, 2 channels, s16, 705 kb/s
Stream mapping:
  Stream #0.0 -> #0.0
Could not write header for output file #0 (incorrect codec parameters ?)



This is the gdb run without the check (backtrace at the SIGABRT, disassembly
around $pc, and registers). The first few lines of the disassembly
(raise+21 .. raise+35) are decoded starting from $pc-32, which is not an
instruction boundary, so they are garbage until the stream resynchronises at
raise+37; the abort itself is the syscall at raise+51 (eax=0xea, signal 6 in
rdx) and $pc is the instruction right after it.
(gdb) r -i ../fuzzed.wav del.wav
Starting program: ffmpeg/ffmpeg_g -i ../fuzzed.wav del.wav
[Thread debugging using libthread_db enabled]
FFmpeg version git-0a30723, Copyright (c) 2000-2011 the FFmpeg developers
  built on Jan  1 2011 19:46:06 with gcc 4.4.5
  configuration: --enable-gpl
  libavutil     50.36. 0 / 50.36. 0
  libavcore      0.16. 0 /  0.16. 0
  libavcodec    52.101. 0 / 52.101. 0
  libavformat   52.91. 0 / 52.91. 0
  libavdevice   52. 2. 2 / 52. 2. 2
  libavfilter    1.72. 0 /  1.72. 0
  libswscale     0.12. 0 /  0.12. 0
st:0 has too large timebase, reducing
ffmpeg_g: libavutil/mathematics.c:79: av_rescale_rnd: Assertion `c > 0' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff6d09445 in raise () from /lib/libc.so.6
(gdb) bt
#0  0x00007ffff6d09445 in raise () from /lib/libc.so.6
#1  0x00007ffff6d0a900 in abort () from /lib/libc.so.6
#2  0x00007ffff6d02311 in __assert_fail () from /lib/libc.so.6
#3  0x000000000091a1e0 in av_rescale_rnd (a=<value optimized out>, b=<value
optimized out>, c=140737353819904, rnd=<value optimized out>) at
libavutil/mathematics.c:79
#4  0x00000000004d36df in compute_pkt_fields (s=0x11f9510, st=0x11fa5d0, pc=0x0,
pkt=0x7fffffffd570) at libavformat/utils.c:955
#5  0x00000000004d3f06 in av_read_frame_internal (s=0x11f9510,
pkt=0x7fffffffd570) at libavformat/utils.c:1087
#6  0x00000000004d4c65 in av_find_stream_info (ic=0x11f9510) at
libavformat/utils.c:2287
#7  0x00000000004301db in opt_input_file (filename=0x7fffffffdcbd
"../fuzzed.wav") at ffmpeg.c:3211
#8  0x000000000043a70c in parse_options (argc=4, argv=0x7fffffffd938,
options=<value optimized out>, parse_arg_function=0x437260 <opt_output_file>) at
cmdutils.c:204
#9  0x00000000004363a2 in main (argc=4, argv=0x7fffffffd938) at ffmpeg.c:4330
(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x7ffff6d09425 to 0x7ffff6d09465:
0x00007ffff6d09425 <raise+21>:  mov    $0xf000000,%edx
0x00007ffff6d0942a <raise+26>:  add    $0x8964c689,%eax
0x00007ffff6d0942f <raise+31>:  add    $0x25,%al
0x00007ffff6d09431 <raise+33>:  rolb   (%rdx)
0x00007ffff6d09433 <raise+35>:  add    %al,(%rax)
0x00007ffff6d09435 <raise+37>:  movslq %edi,%rdx
0x00007ffff6d09438 <raise+40>:  movslq %esi,%rsi
0x00007ffff6d0943b <raise+43>:  movslq %eax,%rdi
0x00007ffff6d0943e <raise+46>:  mov    $0xea,%eax
0x00007ffff6d09443 <raise+51>:  syscall
0x00007ffff6d09445 <raise+53>:  cmp    $0xfffffffffffff000,%rax
0x00007ffff6d0944b <raise+59>:  ja     0x7ffff6d09462 <raise+82>
0x00007ffff6d0944d <raise+61>:  repz retq
0x00007ffff6d0944f <raise+63>:  nop
0x00007ffff6d09450 <raise+64>:  test   %eax,%eax
0x00007ffff6d09452 <raise+66>:  jg     0x7ffff6d09435 <raise+37>
0x00007ffff6d09454 <raise+68>:  test   $0x7fffffff,%eax
0x00007ffff6d09459 <raise+73>:  jne    0x7ffff6d0947b <raise+107>
0x00007ffff6d0945b <raise+75>:  mov    %esi,%eax
0x00007ffff6d0945d <raise+77>:  nopl   (%rax)
0x00007ffff6d09460 <raise+80>:  jmp    0x7ffff6d09435 <raise+37>
0x00007ffff6d09462 <raise+82>:  mov    0x323b3f(%rip),%rdx        # 
0x7ffff702cfa8
End of assembler dump.
(gdb) info all-registers
rax            0x0      0
rbx            0x7fffffffdcb1   140737488346289
rcx            0xffffffffffffffff       -1
rdx            0x6      6
rsi            0x6b96   27542
rdi            0x6b96   27542
rbp            0x7ffff6df706f   0x7ffff6df706f
rsp            0x7fffffffd018   0x7fffffffd018
r8             0x7ffff7fb2700   140737353819904
r9             0x7341203a646e725f       8304954623013057119
r10            0x8      8
r11            0x206    518
r12            0xa54523 10831139
r13            0xa54860 10831968
r14            0x7ffff6df706f   140737335226479
r15            0x4f     79
rip            0x7ffff6d09445   0x7ffff6d09445 <raise+53>
eflags         0x206    [ PF IF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
st0            0        (raw 0x00000000000000000000)
st1            0        (raw 0x00000000000000000000)
st2            0        (raw 0x00000000000000000000)
st3            0        (raw 0x00000000000000000000)
st4            0        (raw 0x00000000000000000000)
st5            0        (raw 0x00000000000000000000)
st6            0        (raw 0x00000000000000000000)
st7            0        (raw 0x00000000000000000000)
fctrl          0x37f    895
fstat          0x0      0
ftag           0xffff   65535
fiseg          0x0      0
fioff          0x0      0
foseg          0x0      0
fooff          0x0      0
fop            0x0      0
xmm0           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xff, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0},
  v8_int16 = {0x0, 0x0, 0x0, 0x0, 0xff, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0,
0xff, 0x0}, v2_int64 = {0x0, 0xff}, uint128 = 
0x00000000000000ff0000000000000000}
xmm1           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x25 <repeats 16 times>}, v8_int16 = {0x2525, 0x2525, 0x2525,
0x2525, 0x2525,
---Type <return> to continue, or q <return> to quit---
    0x2525, 0x2525, 0x2525}, v4_int32 = {0x25252525, 0x25252525, 0x25252525,
0x25252525}, v2_int64 = {0x2525252525252525, 0x2525252525252525},
  uint128 = 0x25252525252525252525252525252525}
xmm2           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0},
  v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm3           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0,
0x8000000000000000}, v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0xff, 0x0, 0x0,
    0x0, 0x0, 0xff}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0xff, 0x0, 0xff00},
v4_int32 = {0x0, 0x0, 0xff0000, 0xff000000}, v2_int64 = {0x0, 
0xff00000000ff0000},
  uint128 = 0xff00000000ff00000000000000000000}
xmm4           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0,
0x8000000000000000}, v16_int8 = {0x73, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x54,
0x72, 0x69, 0x65,
    0x64, 0x20, 0x74, 0x6f}, v8_int16 = {0x73, 0x0, 0x0, 0x0, 0x7254, 0x6569,
0x2064, 0x6f74}, v4_int32 = {0x73, 0x0, 0x65697254, 0x6f742064}, v2_int64 = 
{0x73,
    0x6f74206465697254}, uint128 = 0x6f742064656972540000000000000073}
xmm5           {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0xe0, 0x95, 0x9c, 0xe7, 0x3f, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0,
    0x0}, v8_int16 = {0x0, 0xe000, 0x9c95, 0x3fe7, 0x0, 0x0, 0x0, 0x0}, v4_int32
= {0xe0000000, 0x3fe79c95, 0x0, 0x0}, v2_int64 = {0x3fe79c95e0000000, 0x0},
  uint128 = 0x00000000000000003fe79c95e0000000}
xmm6           {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x1, 0x0},
v16_int8 = {0x6d, 0x7d, 0xbf, 0xbb, 0x27, 0xaf, 0xf5, 0x3f, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
    0x0, 0x0}, v8_int16 = {0x7d6d, 0xbbbf, 0xaf27, 0x3ff5, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0xbbbf7d6d, 0x3ff5af27, 0x0, 0x0}, v2_int64 = {0x3ff5af27bbbf7d6d, 
0x0},
  uint128 = 0x00000000000000003ff5af27bbbf7d6d}
xmm7           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x68, 0xc8, 0xbc, 0x3b, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
    0x0}, v8_int16 = {0x0, 0x0, 0xc868, 0x3bbc, 0x0, 0x0, 0x0, 0x0}, v4_int32 =
{0x0, 0x3bbcc868, 0x0, 0x0}, v2_int64 = {0x3bbcc86800000000, 0x0},
  uint128 = 0x00000000000000003bbcc86800000000}
xmm8           {v4_float = {0x0, 0xfffffffd, 0x0, 0x0}, v2_double =
{0xffffffffffffffd2, 0x0}, v16_int8 = {0xe0, 0xe6, 0x35, 0x67, 0x9e, 0x6, 0x47,
0xc0, 0x0, 0x0,
    0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0xe6e0, 0x6735, 0x69e, 0xc047,
0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x6735e6e0, 0xc047069e, 0x0, 0x0}, v2_int64 = {
    0xc047069e6735e6e0, 0x0}, uint128 = 0x0000000000000000c047069e6735e6e0}
xmm9           {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x1, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf0, 0x3f, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
    0x0}, v8_int16 = {0x0, 0x0, 0x0, 0x3ff0, 0x0, 0x0, 0x0, 0x0}, v4_int32 =
{0x0, 0x3ff00000, 0x0, 0x0}, v2_int64 = {0x3ff0000000000000, 0x0},
  uint128 = 0x00000000000000003ff0000000000000}
xmm10          {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x46, 0x84, 0x24, 0x59, 0xd6, 0x3e, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0,
    0x0}, v8_int16 = {0x0, 0x8446, 0x5924, 0x3ed6, 0x0, 0x0, 0x0, 0x0}, v4_int32
= {0x84460000, 0x3ed65924, 0x0, 0x0}, v2_int64 = {0x3ed6592484460000, 0x0},
  uint128 = 0x00000000000000003ed6592484460000}
xmm11          {v4_float = {0x9689a800, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x6a, 0xa2, 0x65, 0x50, 0xf2, 0xea, 0x8f, 0xbd, 0x0, 0x0, 0x0, 0x0, 
0x0,
    0x0, 0x0, 0x0}, v8_int16 = {0xa26a, 0x5065, 0xeaf2, 0xbd8f, 0x0, 0x0, 0x0,
0x0}, v4_int32 = {0x5065a26a, 0xbd8feaf2, 0x0, 0x0}, v2_int64 = 
{0xbd8feaf25065a26a,
    0x0}, uint128 = 0x0000000000000000bd8feaf25065a26a}
xmm12          {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x29, 0xf2, 0x88, 0x6c, 0xa6, 0x49, 0xde, 0x3e, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
    0x0, 0x0}, v8_int16 = {0xf229, 0x6c88, 0x49a6, 0x3ede, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0x6c88f229, 0x3ede49a6, 0x0, 0x0}, v2_int64 = {0x3ede49a66c88f229, 
0x0},
  uint128 = 0x00000000000000003ede49a66c88f229}
xmm13          {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0xb3, 0x12, 0x58, 0x17, 0x64, 0x46, 0xe6, 0x3b, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
    0x0, 0x0}, v8_int16 = {0x12b3, 0x1758, 0x4664, 0x3be6, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0x175812b3, 0x3be64664, 0x0, 0x0}, v2_int64 = {0x3be64664175812b3, 
0x0},
  uint128 = 0x00000000000000003be64664175812b3}
xmm14          {v4_float = {0x0, 0x3, 0x0, 0x0}, v2_double = {0x2d, 0x0},
v16_int8 = {0xc0, 0x9, 0xf2, 0x16, 0xb5, 0xdf, 0x46, 0x40, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
    0x0, 0x0}, v8_int16 = {0x9c0, 0x16f2, 0xdfb5, 0x4046, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0x16f209c0, 0x4046dfb5, 0x0, 0x0}, v2_int64 = {0x4046dfb516f209c0, 
0x0},
  uint128 = 0x00000000000000004046dfb516f209c0}
xmm15          {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0},
  v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
mxcsr          0x1fa0   [ PE IM DM ZM OM UM PM ]

----------
files: wav_assertion_fail_fix.diff
messages: 13147
priority: normal
status: open
substatus: open
title: ffmpeg fails assertion on wav files with invalid sample rates
type: patch

________________________________________________
FFmpeg issue tracker <[email protected]>
<https://roundup.ffmpeg.org/issue2475>
________________________________________________

