New submission from Daniel Kang <[email protected]>: ffmpeg crashes when sample_size is 0. n is computed as n = avctx->channels * sample_size, so a zero sample_size (or zero channel count) makes n zero as well. The report originally attributed the SIGFPE to the `buf_size % n` modulo, but the backtrace and register dump below place the fault at libavcodec/pcm.c:308, `n = buf_size/sample_size;` — the faulting instruction is `idiv %esi` with rsi = 0 — i.e. the divisor that is actually zero at the crash site is sample_size itself. Either way the root cause is the same unchecked zero divisor derived from the stream header, so the guard must run before the first division. The attached patch is described as fixing this by adding a check for n == 0 and bailing out with an error; since sample_size == 0 implies n == 0, that check also covers the division at line 308, provided it is placed ahead of it.
The PCM audio stream that triggers this is contained in a (fuzzed) c93 file; the crash is reached from av_find_stream_info() while probing the stream, so no decode is required — merely opening the input with `ffmpeg -i` is enough.
gdb run:
(gdb) r -i ../fuzzed.c93
Starting program: ffmpeg/ffmpeg_g -i ../fuzzed.c93
[Thread debugging using libthread_db enabled]
FFmpeg version git-b06938e, Copyright (c) 2000-2011 the FFmpeg developers
built on Jan 6 2011 20:01:54 with gcc 4.4.5
configuration: --enable-gpl --disable-pthreads
libavutil 50.36. 0 / 50.36. 0
libavcore 0.16. 0 / 0.16. 0
libavcodec 52.103. 1 / 52.103. 1
libavformat 52.92. 0 / 52.92. 0
libavdevice 52. 2. 3 / 52. 2. 3
libavfilter 1.72. 0 / 1.72. 0
libswscale 0.12. 0 / 0.12. 0
Program received signal SIGFPE, Arithmetic exception.
0x00000000006bea5f in pcm_decode_frame (avctx=0x12090e0, data=0x7ffff7fcb010,
data_size=0x7fffffffd448, avpkt=<value optimized out>) at libavcodec/pcm.c:308
308 n = buf_size/sample_size;
(gdb) bt
#0 0x00000000006bea5f in pcm_decode_frame (avctx=0x12090e0,
data=0x7ffff7fcb010, data_size=0x7fffffffd448, avpkt=<value optimized out>) at
libavcodec/pcm.c:308
#1 0x0000000000755fdf in avcodec_decode_audio3 (avctx=0x12090e0, samples=0x0,
frame_size_ptr=0x0, avpkt=0x7ffff7fcb010) at libavcodec/utils.c:677
#2 0x00000000004d7610 in try_decode_frame (ic=0x1200510) at
libavformat/utils.c:2088
#3 av_find_stream_info (ic=0x1200510) at libavformat/utils.c:2361
#4 0x000000000043124b in opt_input_file (filename=0x7fffffffdb06
"../fuzzed.c93") at ffmpeg.c:3214
#5 0x000000000043b40c in parse_options (argc=3, argv=0x7fffffffd768,
options=<value optimized out>, parse_arg_function=0x437e20 <opt_output_file>) at
cmdutils.c:208
#6 0x0000000000437412 in main (argc=3, argv=0x7fffffffd768) at ffmpeg.c:4343
(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x6bea3f to 0x6bea7f:
0x00000000006bea3f <pcm_decode_frame+175>: movl $0x0,(%r12)
0x00000000006bea47 <pcm_decode_frame+183>: mov %eax,%edx
0x00000000006bea49 <pcm_decode_frame+185>: shr $0x1f,%edx
0x00000000006bea4c <pcm_decode_frame+188>: lea (%rdx,%rax,1),%eax
0x00000000006bea4f <pcm_decode_frame+191>: sar %eax
0x00000000006bea51 <pcm_decode_frame+193>: cmp %eax,%r13d
0x00000000006bea54 <pcm_decode_frame+196>: mov %eax,%edx
0x00000000006bea56 <pcm_decode_frame+198>: cmovle %r13d,%edx
0x00000000006bea5a <pcm_decode_frame+202>: mov %edx,%eax
0x00000000006bea5c <pcm_decode_frame+204>: sar $0x1f,%edx
0x00000000006bea5f <pcm_decode_frame+207>: idiv %esi
0x00000000006bea61 <pcm_decode_frame+209>: mov 0x98(%rbx),%rdx
0x00000000006bea68 <pcm_decode_frame+216>: mov 0xc(%rdx),%edx
0x00000000006bea6b <pcm_decode_frame+219>: sub $0x10000,%edx
0x00000000006bea71 <pcm_decode_frame+225>: cmp $0x19,%edx
0x00000000006bea74 <pcm_decode_frame+228>: jbe 0x6bea90
<pcm_decode_frame+256>
0x00000000006bea76 <pcm_decode_frame+230>: mov $0xffffffff,%eax
0x00000000006bea7b <pcm_decode_frame+235>: add $0x208,%rsp
End of assembler dump.
(gdb) info all-registers
rax 0x3768 14184
rbx 0x12090e0 18911456
rcx 0x7ffff7fcb010 140737353920528
rdx 0x0 0
rsi 0x0 0
rdi 0x0 0
rbp 0x7ffff7fcb010 0x7ffff7fcb010
rsp 0x7fffffffcee0 0x7fffffffcee0
r8 0x2ee00 192000
r9 0x2ee00 192000
r10 0x22 34
r11 0x246 582
r12 0x7fffffffd448 140737488344136
r13 0x3768 14184
r14 0x122f070 19066992
r15 0x12164b0 18965680
rip 0x6bea5f 0x6bea5f <pcm_decode_frame+207>
eflags 0x10246 [ PF ZF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
st0 0 (raw 0x00000000000000000000)
st1 0 (raw 0x00000000000000000000)
st2 0 (raw 0x00000000000000000000)
st3 0 (raw 0x00000000000000000000)
st4 0 (raw 0x00000000000000000000)
st5 0 (raw 0x00000000000000000000)
st6 0 (raw 0x00000000000000000000)
st7 0 (raw 0x00000000000000000000)
fctrl 0x37f 895
fstat 0x0 0
ftag 0xffff 65535
fiseg 0x0 0
fioff 0x0 0
foseg 0x0 0
fooff 0x0 0
fop 0x0 0
xmm0 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0xd8, 0x20, 0x87, 0x8f, 0x69, 0x61, 0x6d, 0x3f, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
0x0, 0x0}, v8_int16 = {0x20d8, 0x8f87, 0x6169, 0x3f6d, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0x8f8720d8, 0x3f6d6169, 0x0, 0x0}, v2_int64 = {0x3f6d61698f8720d8,
0x0},
uint128 = 0x00000000000000003f6d61698f8720d8}
xmm1 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x40, 0x1c, 0xeb, 0xe2, 0x36, 0x4a, 0xbf, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0,
0x0}, v8_int16 = {0x4000, 0xeb1c, 0x36e2, 0xbf4a, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0xeb1c4000, 0xbf4a36e2, 0x0, 0x0}, v2_int64 = {0xbf4a36e2eb1c4000,
0x0},
uint128 = 0x0000000000000000bf4a36e2eb1c4000}
xmm2 {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x9a, 0x99, 0x99, 0x99, 0x99, 0x99, 0xe9, 0x3f, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
0x0, 0x0}, v8_int16 = {0x999a, 0x9999, 0x9999, 0x3fe9, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0x9999999a, 0x3fe99999, 0x0, 0x0}, v2_int64 = {0x3fe999999999999a,
0x0},
uint128 = 0x00000000000000003fe999999999999a}
xmm3 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0},
v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm4 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0,
0x8000000000000000}, v16_int8 = {0x73, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x54,
0x72, 0x69, 0x65,
0x64, 0x20, 0x74, 0x6f}, v8_int16 = {0x73, 0x0, 0x0, 0x0, 0x7254, 0x6569,
0x2064, 0x6f74}, v4_int32 = {0x73, 0x0, 0x65697254, 0x6f742064}, v2_int64 =
{0x73,
0x6f74206465697254}, uint128 = 0x6f742064656972540000000000000073}
xmm5 {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0xe0, 0x95, 0x9c, 0xe7, 0x3f, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0,
0x0}, v8_int16 = {0x0, 0xe000, 0x9c95, 0x3fe7, 0x0, 0x0, 0x0, 0x0}, v4_int32
= {0xe0000000, 0x3fe79c95, 0x0, 0x0}, v2_int64 = {0x3fe79c95e0000000, 0x0},
uint128 = 0x00000000000000003fe79c95e0000000}
xmm6 {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x1, 0x0},
v16_int8 = {0x6d, 0x7d, 0xbf, 0xbb, 0x27, 0xaf, 0xf5, 0x3f, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
0x0, 0x0}, v8_int16 = {0x7d6d, 0xbbbf, 0xaf27, 0x3ff5, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0xbbbf7d6d, 0x3ff5af27, 0x0, 0x0}, v2_int64 = {0x3ff5af27bbbf7d6d,
0x0},
uint128 = 0x00000000000000003ff5af27bbbf7d6d}
xmm7 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x68, 0xc8, 0xbc, 0x3b, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
0x0}, v8_int16 = {0x0, 0x0, 0xc868, 0x3bbc, 0x0, 0x0, 0x0, 0x0}, v4_int32 =
{0x0, 0x3bbcc868, 0x0, 0x0}, v2_int64 = {0x3bbcc86800000000, 0x0},
uint128 = 0x00000000000000003bbcc86800000000}
xmm8 {v4_float = {0x0, 0xfffffffd, 0x0, 0x0}, v2_double =
{0xffffffffffffffd2, 0x0}, v16_int8 = {0xe0, 0xe6, 0x35, 0x67, 0x9e, 0x6, 0x47,
0xc0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0xe6e0, 0x6735, 0x69e, 0xc047,
0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x6735e6e0, 0xc047069e, 0x0, 0x0}, v2_int64 = {
0xc047069e6735e6e0, 0x0}, uint128 = 0x0000000000000000c047069e6735e6e0}
xmm9 {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x1, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf0, 0x3f, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
0x0}, v8_int16 = {0x0, 0x0, 0x0, 0x3ff0, 0x0, 0x0, 0x0, 0x0}, v4_int32 =
{0x0, 0x3ff00000, 0x0, 0x0}, v2_int64 = {0x3ff0000000000000, 0x0},
uint128 = 0x00000000000000003ff0000000000000}
xmm10 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x46, 0x84, 0x24, 0x59, 0xd6, 0x3e, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0,
0x0}, v8_int16 = {0x0, 0x8446, 0x5924, 0x3ed6, 0x0, 0x0, 0x0, 0x0}, v4_int32
= {0x84460000, 0x3ed65924, 0x0, 0x0}, v2_int64 = {0x3ed6592484460000, 0x0},
uint128 = 0x00000000000000003ed6592484460000}
xmm11 {v4_float = {0x9689a800, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x6a, 0xa2, 0x65, 0x50, 0xf2, 0xea, 0x8f, 0xbd, 0x0, 0x0, 0x0, 0x0,
0x0,
0x0, 0x0, 0x0}, v8_int16 = {0xa26a, 0x5065, 0xeaf2, 0xbd8f, 0x0, 0x0, 0x0,
0x0}, v4_int32 = {0x5065a26a, 0xbd8feaf2, 0x0, 0x0}, v2_int64 =
{0xbd8feaf25065a26a,
0x0}, uint128 = 0x0000000000000000bd8feaf25065a26a}
xmm12 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x29, 0xf2, 0x88, 0x6c, 0xa6, 0x49, 0xde, 0x3e, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
0x0, 0x0}, v8_int16 = {0xf229, 0x6c88, 0x49a6, 0x3ede, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0x6c88f229, 0x3ede49a6, 0x0, 0x0}, v2_int64 = {0x3ede49a66c88f229,
0x0},
uint128 = 0x00000000000000003ede49a66c88f229}
xmm13 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0xb3, 0x12, 0x58, 0x17, 0x64, 0x46, 0xe6, 0x3b, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
0x0, 0x0}, v8_int16 = {0x12b3, 0x1758, 0x4664, 0x3be6, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0x175812b3, 0x3be64664, 0x0, 0x0}, v2_int64 = {0x3be64664175812b3,
0x0},
uint128 = 0x00000000000000003be64664175812b3}
xmm14 {v4_float = {0x0, 0x3, 0x0, 0x0}, v2_double = {0x2d, 0x0},
v16_int8 = {0xc0, 0x9, 0xf2, 0x16, 0xb5, 0xdf, 0x46, 0x40, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
0x0, 0x0}, v8_int16 = {0x9c0, 0x16f2, 0xdfb5, 0x4046, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0x16f209c0, 0x4046dfb5, 0x0, 0x0}, v2_int64 = {0x4046dfb516f209c0,
0x0},
uint128 = 0x00000000000000004046dfb516f209c0}
xmm15 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0},
v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
mxcsr 0x1fa0 [ PE IM DM ZM OM UM PM ]
----------
files: pcm_sanity_check.diff
messages: 13263
priority: normal
status: open
substatus: open
title: ffmpeg crashes for pcm audio with invalid sample_size
type: bug
FFmpeg issue tracker <[email protected]>
<https://roundup.ffmpeg.org/issue2502>