[libav-bugs] [Bug 996] New: Divide by zero in sbr_make_f_master()

bugzilla at libav.org bugzilla at libav.org
Thu Dec 8 12:50:21 CET 2016


https://bugzilla.libav.org/show_bug.cgi?id=996

            Bug ID: 996
           Summary: Divide by zero in sbr_make_f_master()
           Product: Libav
           Version: git HEAD
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: ---
         Component: libavcodec
          Assignee: bugzilla at libav.org
          Reporter: fumfi.255 at gmail.com

Created attachment 624
  --> https://bugzilla.libav.org/attachment.cgi?id=624&action=edit
POC to trigger divide by zero (avconv)

After some fuzz testing I found a crashing test case.

Command: avconv -i libav_divide_zero_sbr_make_f_master -f /dev/null

Git Head: f22da2cdf90dc892d483e2d4003cffc0500816f6

Output + ASAN:

avconv version v13_dev0-588-gf22da2c, Copyright (c) 2000-2016 the Libav developers
  built on Dec  7 2016 11:40:38 with clang version 3.9.0 (tags/RELEASE_390/final)
Trailing options were found on the commandline.
[aac @ 0x61a00001f280] Format detected only with low score of 1, misdetection possible!
[aac @ 0x61900001ea80] Sample rate index in program config element does not match the sample rate index configured by the container.
ASAN:DEADLYSIGNAL
=================================================================
==1678==ERROR: AddressSanitizer: FPE on unknown address 0x000001ab7256 (pc 0x000001ab7256 bp 0x7ffc5f5b7370 sp 0x7ffc5f5b7020 T0)
    #0 0x1ab7255 in sbr_make_f_master XYZ/libav/libavcodec/aacsbr.c:337:57
    #1 0x1ab7255 in sbr_reset XYZ/libav/libavcodec/aacsbr.c:1041
    #2 0x1ab7255 in ff_decode_sbr_extension XYZ/libav/libavcodec/aacsbr.c:1089
    #3 0x1a8be26 in decode_extension_payload XYZ/libav/libavcodec/aacdec.c:2239:15
    #4 0x1a8be26 in aac_decode_frame_int XYZ/libav/libavcodec/aacdec.c:2917
    #5 0x1a7b1a8 in aac_decode_frame XYZ/libav/libavcodec/aacdec.c:3010:15
    #6 0xa9c411 in avcodec_decode_audio4 XYZ/libav/libavcodec/decode.c:385:15
    #7 0xa9a50b in do_decode XYZ/libav/libavcodec/decode.c:173:15
    #8 0xa99612 in avcodec_send_packet XYZ/libav/libavcodec/decode.c:245:12
    #9 0x8dc07b in try_decode_frame XYZ/libav/libavformat/utils.c:1950:19
    #10 0x8d5bc3 in avformat_find_stream_info XYZ/libav/libavformat/utils.c:2459:9
    #11 0x4f8701 in open_input_file XYZ/libav/avconv_opt.c:771:11
    #12 0x4f7394 in open_files XYZ/libav/avconv_opt.c:2408:15
    #13 0x4f6bd2 in avconv_parse_options XYZ/libav/avconv_opt.c:2445:11
    #14 0x51c0cf in main XYZ/libav/avconv.c:2876:11
    #15 0x7fe25020282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #16 0x41af48 in _start (/usr/local/bin/avconv+0x41af48)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE XYZ/libav/libavcodec/aacsbr.c:337:57 in sbr_make_f_master
==1678==ABORTING

Regards,
Kamil Frankowicz
