This is how gdb output looks:
u...@machine:$ gdb --args <libmpeg2_inst_dir>/bin/mpeg2dec -v exploit_0
...
This GDB was configured as "i486-linux-gnu"...
(gdb) run
Starting program: /space/iisaev/avalanche/libmpeg2-0.5.1/inst/bin/mpeg2dec -v exploits_libmpeg/exploit_0
libmpeg2-0.5.1 - by Michel Lespinasse <wal...@zoy.org> and Aaron Holtzman
10 SEQUENCE PROG
Program received signal SIGFPE, Arithmetic exception.
dump_state (f=0x402e2560, state=<value optimized out>, info=0x91d3440, offset=16, verbose=1) at dump_state.c:349
349         fprintf (f, " %dx%d chroma %dx%d fps %.*f maxBps %d vbv %d "
(gdb) list
344             strncpy (matrix, colour[seq->matrix_coefficients], 15);
345             fprintf (f, " COLORS (prim %s trans %s matrix %s)",
346                      prim, trans, matrix);
347         }
348     }
349     fprintf (f, " %dx%d chroma %dx%d fps %.*f maxBps %d vbv %d "
350              "picture %dx%d display %dx%d pixel %dx%d",
351              seq->width, seq->height,
352              seq->chroma_width, seq->chroma_height,
353              27000000%seq->frame_period?2:0, 27000000.0/seq->frame_period,
(gdb) p seq->frame_period
$1 = 0
(gdb) bt
#0  dump_state (f=0x402e2560, state=<value optimized out>, info=0x91d3440, offset=16, verbose=1) at dump_state.c:349
#1  0x08049b42 in decode_mpeg2 (current=<value optimized out>, end=<value optimized out>) at mpeg2dec.c:281
#2  0x0804b24f in main at mpeg2dec.c:758
(gdb)

As one may see, the essence of the bug is that the value seq->frame_period is used as a divisor without checking whether it is equal to 0.
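A guarded version of the fps computation at dump_state.c:349-353, added here as an illustration; it is not code from libmpeg2 or from the original post, and seq_info_t is a constructed stand-in for the library's sequence header. It also shows where the trap actually comes from: the integer modulo, not the floating-point division.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the fields of the libmpeg2 sequence header
 * that the fps part of dump_state() reads. Not the library's own struct. */
typedef struct {
    int width, height;
    unsigned frame_period;   /* frame duration in 27 MHz ticks; 0 in the crashing input */
} seq_info_t;

/* Formats the "fps %.*f" fragment the way dump_state.c does, but checks
 * the divisor first. Returns 1 and writes "fps <value>" on success, or
 * 0 and writes a diagnostic when frame_period is 0.
 *
 * Note on the crash: on x86 the integer expression
 * 27000000 % seq->frame_period traps (#DE -> SIGFPE) when the divisor
 * is 0, while 27000000.0 / 0 would quietly produce inf. Either way a
 * header field taken straight from the file must be validated before
 * it is used as a divisor. */
int seq_fps_string(const seq_info_t *seq, char *buf, size_t len)
{
    if (seq->frame_period == 0) {
        snprintf(buf, len, "fps (invalid: frame_period=0)");
        return 0;
    }
    /* Same precision rule as the original: two decimals unless exact. */
    int prec = (27000000 % seq->frame_period) ? 2 : 0;
    snprintf(buf, len, "fps %.*f", prec, 27000000.0 / seq->frame_period);
    return 1;
}

int main(void)
{
    /* Constructed inputs: NTSC (29.97 fps), PAL (25 fps), and the
     * zero period that triggered the SIGFPE in the report. */
    seq_info_t samples[] = {
        {720, 480, 900900}, {720, 576, 1080000}, {720, 480, 0},
    };
    char buf[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int ok = seq_fps_string(&samples[i], buf, sizeof buf);
        printf("%s (valid=%d)\n", buf, ok);
    }
    return 0;
}
```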
Attachment: exploit_0 (binary data)
_______________________________________________
Libmpeg2-devel mailing list
Libmpeg2-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/libmpeg2-devel