[libav-bugs] [Bug 1150] New: Floating point exception occurred in libavformat/vqf.c

bugzilla at libav.org bugzilla at libav.org
Wed Mar 20 17:15:52 CET 2019


https://bugzilla.libav.org/show_bug.cgi?id=1150

            Bug ID: 1150
           Summary: Floating point exception occurred in libavformat/vqf.c
           Product: Libav
           Version: git HEAD
          Hardware: Other
                OS: Mac OS
            Status: NEW
          Severity: normal
          Priority: ---
         Component: libavformat
          Assignee: bugzilla at libav.org
          Reporter: mgcho.minic at gmail.com

Created attachment 735
  --> https://bugzilla.libav.org/attachment.cgi?id=735&action=edit
PoC file that triggers the bug

Triggered by "./avconv -i $POC -f null -"

A floating point exception (SIGFPE) occurred in vqf_read_header() in libavformat/vqf.c while parsing the header of the attached file. The faulting instruction is `idivl 0x58(%edi)` with edx:eax = 0:0x7f7f7f7f (a positive dividend), so the only way to raise #DE here is a zero divisor: the 32-bit field at 0x58(%edi) is zero at the time of the division, and it appears to be derived from values read out of the input file without being checked for zero before the divide.


Crash output (this is a gdb session, not an ASAN report; the signal is SIGFPE):

(gdb) r -v 9 -loglevel 99 -i ~/Downloads/vqf_read_header_fpe
Starting program:
/home/seclab/fuzzing-experiment/fuzzing/program/x86/libav-master/clang5/bin/avconv
-v 9 -loglevel 99 -i ~/Downloads/vqf_read_header_fpe
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
avconv version v13_dev0-1642-gf8abf7d, Copyright (c) 2000-2018 the Libav
developers
  built on Mar 19 2019 11:21:48 with clang version 5.0.0-3~16.04.1
(tags/RELEASE_500/final)
  configuration:
--prefix=/home/seclab/fuzzing-experiment/fuzzing/program/x86/libav-master/clang5
--disable-yasm --enable-cross-compile --cc=clang --target-os=linux --arch=i386
--host-cflags=-m32 --host-ldflags=-m32 --extra-cflags=-m32 --extra-ldflags=-m32
  libavutil     56.  8. 0 / 56.  8. 0
  libavcodec    58. 12. 1 / 58. 12. 1
  libavformat   58.  2. 0 / 58.  2. 0
  libavdevice   57.  0. 2 / 57.  0. 2
  libavfilter    7.  1. 0 /  7.  1. 0
  libavresample  4.  0. 0 /  4.  0. 0
  libswscale     5.  0. 1 /  5.  0. 1
Splitting the commandline.
Reading option '-v' ... matched as option 'v' (set libav* logging level) with
argument '9'.
Reading option '-loglevel' ... matched as option 'loglevel' (set libav* logging
level) with argument '99'.
Reading option '-i' ... matched as input file with argument
'/home/seclab/Downloads/vqf_read_header_fpe'.
Finished splitting the commandline.
Parsing a group of options: global .
Applying option v (set libav* logging level) with argument 9.
Successfully parsed a group of options.
Parsing a group of options: input file
/home/seclab/Downloads/vqf_read_header_fpe.
Successfully parsed a group of options.
Opening an input file: /home/seclab/Downloads/vqf_read_header_fpe.
nsv_probe(), buf_size 54
[vqf @ 0x91535c0] Probed with size=2048 and score=50

Program received signal SIGFPE, Arithmetic exception.
0x0814c259 in vqf_read_header (s=<optimized out>) at libavformat/vqf.c:185
185    in libavformat/vqf.c
(gdb) bt
#0  0x0814c259 in vqf_read_header (s=<optimized out>) at libavformat/vqf.c:185
#1  0x08143468 in avformat_open_input (ps=0xffffcc30, filename=<optimized out>,
fmt=<optimized out>, options=<optimized out>) at libavformat/utils.c:336
#2  0x0804b8b9 in open_input_file (o=<optimized out>, filename=<optimized out>)
at avtools/avconv_opt.c:804
#3  0x0804b480 in open_files (l=<optimized out>, inout=<optimized out>,
open_file=<optimized out>) at avtools/avconv_opt.c:2467
#4  0x0804b286 in avconv_parse_options (argc=<optimized out>, argv=<optimized
out>) at avtools/avconv_opt.c:2504
#5  0x08058b4f in main (argc=<optimized out>, argv=<optimized out>) at
avtools/avconv.c:2953
(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0x814c239 to 0x814c279:
   0x0814c239 <vqf_read_header+857>:    jmp    0x814c382 <vqf_read_header+1186>
   0x0814c23e <vqf_read_header+862>:    mov    $0x5622,%ecx
   0x0814c243 <vqf_read_header+867>:    jmp    0x814c24b <vqf_read_header+875>
   0x0814c245 <vqf_read_header+869>:    imul   $0x3e8,%edx,%ecx
   0x0814c24b <vqf_read_header+875>:    mov    0x9c(%ebp),%edi
   0x0814c251 <vqf_read_header+881>:    mov    %ecx,0x5c(%edi)
   0x0814c254 <vqf_read_header+884>:    mov    0x20(%esp),%eax
   0x0814c258 <vqf_read_header+888>:    cltd   
=> 0x0814c259 <vqf_read_header+889>:    idivl  0x58(%edi)
   0x0814c25c <vqf_read_header+892>:    mov    %eax,%esi
   0x0814c25e <vqf_read_header+894>:    lea    -0x8(%esi),%eax
   0x0814c261 <vqf_read_header+897>:    cmp    $0x29,%eax
   0x0814c264 <vqf_read_header+900>:    jb     0x814c281 <vqf_read_header+929>
   0x0814c266 <vqf_read_header+902>:    push   %esi
   0x0814c267 <vqf_read_header+903>:    push   $0x8926cc7
   0x0814c26c <vqf_read_header+908>:    push   $0x10
   0x0814c26e <vqf_read_header+910>:    push   %ebx
   0x0814c26f <vqf_read_header+911>:    call   0x88e6720 <av_log>
   0x0814c274 <vqf_read_header+916>:    add    $0x10,%esp
   0x0814c277 <vqf_read_header+919>:    mov    $0xc1444e49,%edx
End of assembler dump.
(gdb) info all-registers
eax            0x7f7f7f7f    2139062143
ecx            0x7d00    32000
edx            0x0    0
ebx            0x91535c0    152384960
esp            0xffffcb70    0xffffcb70
ebp            0x9153d00    0x9153d00
esi            0x0    0
edi            0x91542a0    152388256
eip            0x814c259    0x814c259 <vqf_read_header+889>
eflags         0x210206    [ PF IF RF ID ]
cs             0x23    35
ss             0x2b    43
ds             0x2b    43
es             0x2b    43
fs             0x0    0
gs             0x63    99
st0            9.957466722920461539027801867174361e-06    (raw
0x3feea70efe71ee611800)
st1            -0.16666658368778738963378316384478239    (raw
0xbffcaaaaa51919b23800)
st2            -5.2368704321306240943608958015795252e-09    (raw
0xbfe3b3efffdd0585e000)
st3            0.49999999985513093880840074234583881    (raw
0x3ffdfffffffec16df800)
st4            1.7384289452803415575633558961773407e-09    (raw
0x3fe1eeed87e67d4a0800)
st5            0    (raw 0x00000000000000000000)
st6            9.9999999999999994515327145420957165e-21    (raw
0x3fbcbce5086492111800)
st7            1    (raw 0x3fff8000000000000000)
fctrl          0x37f    895
fstat          0x20    32
ftag           0xffff    65535
fiseg          0x0    0
fioff          0xf7f89a27    -134702553
foseg          0x0    0
fooff          0x0    0
fop            0x0    0
mxcsr          0x1fa0    [ PE IM DM ZM OM UM PM ]
bndcfgu        {raw = 0x0, config = {base = 0x0, reserved = 0x0, preserved =
0x0, enabled = 0x0}}    {raw = 0x0, config = {base = 0, reserved = 0, preserved
= 0, enabled = 0}}
bndstatus      {raw = 0x0, status = {bde = 0x0, error = 0x0}}    {raw = 0x0,
status = {bde = 0, error = 0}}
k0             0x0    0
k1             0x0    0
k2             0x0    0
k3             0x0    0
k4             0x0    0
k5             0x0    0
k6             0x0    0
k7             0x0    0
zmm0           {v16_float = {0x0, 0x0, 0x0 <repeats 14 times>}, v8_double =
{0x8000000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v64_int8 = {0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 
    0x0 <repeats 56 times>}, v32_int16 = {0xffff, 0xffff, 0xffff, 0xffff, 0x0
<repeats 28 times>}, v16_int32 = {0xffffffff, 0xffffffff, 0x0 <repeats 14
times>}, v8_int64 = {0xffffffffffffffff, 0x0, 0x0, 
    0x0, 0x0, 0x0, 0x0, 0x0}, v4_int128 = {0x0000000000000000ffffffffffffffff,
0x00000000000000000000000000000000, 0x00000000000000000000000000000000,
0x00000000000000000000000000000000}}
zmm1           {v16_float = {0x0, 0x0, 0x0, 0x0, 0x0 <repeats 12 times>},
v8_double = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v64_int8 = {0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xc0, 0x35, 0x15, 0x9, 
    0x34, 0x3a, 0x15, 0x9, 0x0 <repeats 48 times>}, v32_int16 = {0x0, 0x0, 0x0,
0x0, 0x35c0, 0x915, 0x3a34, 0x915, 0x0 <repeats 24 times>}, v16_int32 = {0x0,
0x0, 0x91535c0, 0x9153a34, 
    0x0 <repeats 12 times>}, v8_int64 = {0x0, 0x9153a34091535c0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, v4_int128 = {0x09153a34091535c00000000000000000,
0x00000000000000000000000000000000, 
    0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
zmm2           {v16_float = {0x0, 0xffffffff, 0x0 <repeats 14 times>},
v8_double = {0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v64_int8 =
{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf0, 0xbf, 
    0x0 <repeats 56 times>}, v32_int16 = {0x0, 0x0, 0x0, 0xbff0, 0x0 <repeats
28 times>}, v16_int32 = {0x0, 0xbff00000, 0x0 <repeats 14 times>}, v8_int64 =
{0xbff0000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 
    0x0, 0x0}, v4_int128 = {0x0000000000000000bff0000000000000,
0x00000000000000000000000000000000, 0x00000000000000000000000000000000,
0x00000000000000000000000000000000}}
zmm3           {v16_float = {0x0, 0xffffffff, 0x0 <repeats 14 times>},
v8_double = {0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v64_int8 =
{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf0, 0xbf, 
    0x0 <repeats 56 times>}, v32_int16 = {0x0, 0x0, 0x0, 0xbff0, 0x0 <repeats
28 times>}, v16_int32 = {0x0, 0xbff00000, 0x0 <repeats 14 times>}, v8_int64 =
{0xbff0000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 
    0x0, 0x0}, v4_int128 = {0x0000000000000000bff0000000000000,
0x00000000000000000000000000000000, 0x00000000000000000000000000000000,
0x00000000000000000000000000000000}}
zmm4           {v16_float = {0x0, 0x0 <repeats 15 times>}, v8_double = {0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v64_int8 = {0xff, 0xff, 0xff, 0xff, 0x0
<repeats 60 times>}, v32_int16 = {0xffff, 0xffff, 
    0x0 <repeats 30 times>}, v16_int32 = {0xffffffff, 0x0 <repeats 15 times>},
v8_int64 = {0xffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int128 =
{0x000000000000000000000000ffffffff, 
    0x00000000000000000000000000000000, 0x00000000000000000000000000000000,
0x00000000000000000000000000000000}}
zmm5           {v16_float = {0x0 <repeats 16 times>}, v8_double = {0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v64_int8 = {0x0 <repeats 64 times>}, v32_int16 =
{0x0 <repeats 32 times>}, v16_int32 = {
    0x0 <repeats 16 times>}, v8_int64 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0}, v4_int128 = {0x00000000000000000000000000000000,
0x00000000000000000000000000000000, 0x00000000000000000000000000000000, 
---Type <return> to continue, or q <return> to quit---
    0x00000000000000000000000000000000}}
zmm6           {v16_float = {0x0 <repeats 16 times>}, v8_double = {0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v64_int8 = {0x0 <repeats 64 times>}, v32_int16 =
{0x0 <repeats 32 times>}, v16_int32 = {
    0x0 <repeats 16 times>}, v8_int64 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0}, v4_int128 = {0x00000000000000000000000000000000,
0x00000000000000000000000000000000, 0x00000000000000000000000000000000, 
    0x00000000000000000000000000000000}}
zmm7           {v16_float = {0x0 <repeats 16 times>}, v8_double = {0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v64_int8 = {0x0 <repeats 64 times>}, v32_int16 =
{0x0 <repeats 32 times>}, v16_int32 = {
    0x0 <repeats 16 times>}, v8_int64 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0}, v4_int128 = {0x00000000000000000000000000000000,
0x00000000000000000000000000000000, 0x00000000000000000000000000000000, 
    0x00000000000000000000000000000000}}
mm0            {uint64 = 0xa70efe71ee611800, v2_int32 = {0xee611800,
0xa70efe71}, v4_int16 = {0x1800, 0xee61, 0xfe71, 0xa70e}, v8_int8 = {0x0, 0x18,
0x61, 0xee, 0x71, 0xfe, 0xe, 0xa7}}
mm1            {uint64 = 0xaaaaa51919b23800, v2_int32 = {0x19b23800,
0xaaaaa519}, v4_int16 = {0x3800, 0x19b2, 0xa519, 0xaaaa}, v8_int8 = {0x0, 0x38,
0xb2, 0x19, 0x19, 0xa5, 0xaa, 0xaa}}
mm2            {uint64 = 0xb3efffdd0585e000, v2_int32 = {0x585e000,
0xb3efffdd}, v4_int16 = {0xe000, 0x585, 0xffdd, 0xb3ef}, v8_int8 = {0x0, 0xe0,
0x85, 0x5, 0xdd, 0xff, 0xef, 0xb3}}
mm3            {uint64 = 0xfffffffec16df800, v2_int32 = {0xc16df800,
0xfffffffe}, v4_int16 = {0xf800, 0xc16d, 0xfffe, 0xffff}, v8_int8 = {0x0, 0xf8,
0x6d, 0xc1, 0xfe, 0xff, 0xff, 0xff}}
mm4            {uint64 = 0xeeed87e67d4a0800, v2_int32 = {0x7d4a0800,
0xeeed87e6}, v4_int16 = {0x800, 0x7d4a, 0x87e6, 0xeeed}, v8_int8 = {0x0, 0x8,
0x4a, 0x7d, 0xe6, 0x87, 0xed, 0xee}}
mm5            {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0, 0x0,
0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm6            {uint64 = 0xbce5086492111800, v2_int32 = {0x92111800,
0xbce50864}, v4_int16 = {0x1800, 0x9211, 0x864, 0xbce5}, v8_int8 = {0x0, 0x18,
0x11, 0x92, 0x64, 0x8, 0xe5, 0xbc}}
mm7            {uint64 = 0x8000000000000000, v2_int32 = {0x0, 0x80000000},
v4_int16 = {0x0, 0x0, 0x0, 0x8000}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x80}}


Credits:

Mingi Cho, Seoyoung Kim, and Taekyoung Kwon of the Information Security Lab,
Yonsei University.
