#2397 closed defect (fixed)

A Division by zero occurred in function mov_build_index () of libmpdemux/demux_mov.c

Reported by: ylzs
Owned by: beastd
Priority: normal
Component: undetermined
Version: HEAD
Severity: major
Keywords:
Cc:
Blocked By:
Blocking:
Reproduced by developer: no
Analyzed by developer: no

Description (last modified by ylzs)

Version: SVN-r38374-13.0.1

Build command: ../configure --disable-ffmpeg_a && make (compiling with asan)

Summary of the bug: A division by zero is found in function mov_build_index (), which affects mplayer and mencoder. The attached file can reproduce this issue (ASAN recompilation is needed). This vulnerability can cause mplayer to crash.

How to reproduce:

1. Command:

./mencoder -ovc lavc -oac lavc -o /dev/null ./testcase

./mplayer ./testcase

2. Result:

MEncoder SVN-r38374-13.0.1 (C) 2000-2022 MPlayer Team
success: format: 0  data: 0x0 - 0x618
libavformat version 58.29.100 (external)
libavformat file format detected.
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f69da944600]Invalid mvhd time scale 0, defaulting to 1
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f69da944600]stream 0, timescale not set
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f69da944600]stream 1, contradictionary STSC and STCO
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f69da944600]error reading header
LAVF_header: av_open_input_stream() failed
ISO: File Type Major Brand: Original QuickTime
Quicktime/MOV file format detected.
*** constant samplesize & variable duration not yet supported! ***
Contact the author if you have such sample file!
MOV: durmap and chunkmap sample count differ (2 vs 0)
AddressSanitizer:DEADLYSIGNAL
=================================================================
==29712==ERROR: AddressSanitizer: FPE on unknown address 0x5634cbb6c512 (pc 0x5634cbb6c512 bp 0x7fff11bafe20 sp 0x7fff11baf9a0 T0)
    #0 0x5634cbb6c512 in mov_build_index /home/jlx/good_mplayer/mplayer/libmpdemux/demux_mov.c:302:66
    #1 0x5634cbb6c512 in lschunks /home/jlx/good_mplayer/mplayer/libmpdemux/demux_mov.c:1333:6
    #2 0x5634cbb608ec in mov_read_header /home/jlx/good_mplayer/mplayer/libmpdemux/demux_mov.c:1961:5

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /home/jlx/good_mplayer/mplayer/libmpdemux/demux_mov.c:302:66 in mov_build_index
==29712==ABORTING
MPlayer SVN-r38374-9 (C) 2000-2022 MPlayer Team

Playing /home/jlx/crashes/testcase_11.
libavformat version 58.29.100 (external)
libavformat file format detected.
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f4780883600]Invalid mvhd time scale 0, defaulting to 1
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f4780883600]stream 0, timescale not set
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f4780883600]stream 1, contradictionary STSC and STCO
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f4780883600]error reading header
LAVF_header: av_open_input_stream() failed
ISO: File Type Major Brand: Original QuickTime
Quicktime/MOV file format detected.
*** constant samplesize & variable duration not yet supported! ***
Contact the author if you have such sample file!
MOV: durmap and chunkmap sample count differ (2 vs 0)


MPlayer interrupted by signal 8 in module: demux_open
- MPlayer crashed by bad usage of CPU/FPU/RAM.
  Recompile MPlayer with --enable-debug and make a 'gdb' backtrace and
  disassembly. Details in DOCS/HTML/en/bugreports_what.html#bugreports_crash.
- MPlayer crashed. This shouldn't happen.
  It can be a bug in the MPlayer code _or_ in your drivers _or_ in your
  gcc version. If you think it's MPlayer's fault, please read
  DOCS/HTML/en/bugreports.html and follow the instructions there. We can't and
  won't help unless you provide this information when reporting a possible bug.
  1. debugging with gdb
    0x0000558629f09b8a      302                 el->pts_offset=((long long)e_pts*(long long)trak->timescale)/(long long)timescale-trak->samples[sample].pts;
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────────────────────[ REGISTERS ]────────────────────────────────────────────────────────────
     RAX  0x0
     RBX  0x0
     RCX  0x400
    *RDX  0x0
     RDI  0x55862a74be00 ◂— 0x40000000080
     RSI  0x2
     R8   0x400
     R9   0x1
     R10  0x1f40
     R11  0x55862a73a248 ◂— 0x0
     R12  0x0
     R13  0x80
     R14  0x55862a74be30 ◂— 0x1500000000
     R15  0x0
     RBP  0x55862a74bd20 ◂— 0x200000001
     RSP  0x7ffd2e588830 ◂— 0x301
    *RIP  0x558629f09b8a (lschunks+5994) ◂— idiv   qword ptr [rsp + 0x28]
    ─────────────────────────────────────────────────────────────────────────[ DISASM ]─────────────────────────────────────────────────────────────────────────
       0x558629f09b88 <lschunks+5992>    cqo
     ► 0x558629f09b8a <lschunks+5994>    idiv   qword ptr [rsp + 0x28]
        ↓
       0x558629f09b8a <lschunks+5994>    idiv   qword ptr [rsp + 0x28]
    ─────────────────────────────────────────────────────────────────────[ SOURCE (CODE) ]──────────────────────────────────────────────────────────────────────
    In file: /home/jlx/good_mplayer/mplayer/libmpdemux/demux_mov.c
       297      // find start sample
       298      for(;sample<trak->samples_size;sample++){
       299          if(pts<=trak->samples[sample].pts) break;
       300      }
       301      el->start_sample=sample;
     ► 302      el->pts_offset=((long long)e_pts*(long long)trak->timescale)/(long long)timescale-trak->samples[sample].pts;
       303      pts+=((long long)el->dur*(long long)trak->timescale)/(long long)timescale;
       304      e_pts+=el->dur;
       305      // find end sample
       306      for(;sample<trak->samples_size;sample++){
       307          if(pts<trak->samples[sample].pts) break;
    ─────────────────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────────────────
    00:0000│ rsp  0x7ffd2e588830 ◂— 0x301
    01:0008│      0x7ffd2e588838 ◂— 0x5c7
    02:0010│      0x7ffd2e588840 ◂— 0x2a5
    03:0018│      0x7ffd2e588848 ◂— 0x0
    ... ↓
    06:0030│      0x7ffd2e588860 —▸ 0x55862a7410f0 ◂— 0x1c
    07:0038│      0x7ffd2e588868 ◂— 0x55867f800000
    ───────────────────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────────────────
     ► f 0     558629f09b8a lschunks+5994
       f 1     558629f09b8a lschunks+5994
       f 2     558629f0b881 mov_read_header+145
       f 3     558629ee5947 demux_open_stream+1015
       f 4     558629ee63e1 demux_open+753
       f 5     558629e14dcb main+4027
       f 6     7f67a70d10b3 __libc_start_main+243
    ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    

Attachments (1)

testcase (1.5 KB ) - added by ylzs 20 months ago.


Change History (5)

by ylzs, 20 months ago

Attachment: testcase added

comment:1 by ylzs, 20 months ago

Description: modified (diff)

comment:2 by ylzs, 20 months ago

Description: modified (diff)
Summary: A Division by zero occurred in the function mov_build_index () of libmpdemux/demux_mov.c → A Division by zero occurred in function mov_build_index () of libmpdemux/demux_mov.c

comment:3 by ylzs, 20 months ago

Severity: critical → major

comment:4 by reimar, 20 months ago

Resolution: fixed
Status: new → closed

Fixed by r38385.
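The crash in the description comes from line 302 dividing by a `timescale` that the file set to 0. The following is an added example, not MPlayer's code and not the change made in r38385: a guarded version of that computation that rejects a zero divisor, 64-bit overflow, and a start-sample index past the end of the table. The types `sample_t` and `track_t` and the functions `rescale`, `edit_pts_offset` and `demo_offset` are hypothetical names, and the sample values are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stand-ins for the demuxer's track state (names are assumptions). */
typedef struct { int64_t pts; } sample_t;
typedef struct {
    uint32_t timescale;          /* track timescale */
    const sample_t *samples;
    size_t samples_size;
} track_t;

/* v * trak_ts / movie_ts, refusing a zero divisor and 64-bit overflow. */
static int rescale(int64_t v, uint32_t trak_ts, uint32_t movie_ts, int64_t *out)
{
    int64_t prod;
    if (movie_ts == 0)
        return -1;               /* the condition behind the SIGFPE in the report */
    if (__builtin_mul_overflow(v, (int64_t)trak_ts, &prod))
        return -1;
    *out = prod / (int64_t)movie_ts;
    return 0;
}

/* Guarded form of the line-302 computation; returns 0 on success, -1 to reject. */
int edit_pts_offset(const track_t *trak, uint32_t movie_ts,
                    int64_t e_pts, int64_t pts, int64_t *pts_offset)
{
    size_t sample = 0;
    int64_t scaled;
    while (sample < trak->samples_size && pts > trak->samples[sample].pts)
        sample++;                /* find start sample */
    if (sample == trak->samples_size)
        return -1;               /* no sample at or after pts: nothing to index */
    if (rescale(e_pts, trak->timescale, movie_ts, &scaled) != 0)
        return -1;
    if (__builtin_sub_overflow(scaled, trak->samples[sample].pts, pts_offset))
        return -1;
    return 0;
}

/* Constructed input: two samples, track timescale 600, edit time 500. */
int64_t demo_offset(uint32_t movie_ts, int64_t pts)
{
    static const sample_t s[] = { { 0 }, { 1024 } };
    track_t trak = { 600, s, 2 };
    int64_t off;
    return edit_pts_offset(&trak, movie_ts, 500, pts, &off) == 0 ? off : INT64_MIN;
}
int main(void) { return demo_offset(0, 0) == INT64_MIN ? 0 : 1; } /* 0 = rejected */
```

`__builtin_mul_overflow` and `__builtin_sub_overflow` are GCC/Clang builtins; a caller would treat the -1 return as a malformed file and skip the edit list instead of continuing to parse it.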
