
Arithmetic exception: division by zero in ../../../Source/MediaInfo/Audio/File_Aac_GeneralAudio_Sbr.cpp:767 #2107

Open
SuyueGuo opened this issue Aug 25, 2024 · 2 comments


Dear maintainers of MediaInfo,

A division-by-zero bug was found in MediaInfoLib.

PoC

div_zero.zip

command to run:

mediainfo ./div_zero

Details

GDB output:

Program received signal SIGFPE, Arithmetic exception.
0x0000555555b00ed5 in MediaInfoLib::Aac_k2_Compute (bs_stop_freq=<optimized out>, sampling_frequency=sampling_frequency@entry=0, k0=k0@entry=17 '\021', ratio=<optimized out>) at ../../../Source/MediaInfo/Audio/File_Aac_GeneralAudio_Sbr.cpp:767
767             stopMin=(((2*6000*(ratio==DUAL?128:64))/sampling_frequency)+1)>>1;
(gdb) x/10i $pc
=> 0x555555b00ed5 <_ZN12MediaInfoLib14Aac_k2_ComputeEhxhNS_9sbr_ratioE+1157>:   idiv   %rsi
   0x555555b00ed8 <_ZN12MediaInfoLib14Aac_k2_ComputeEhxhNS_9sbr_ratioE+1160>:   lea    0x1(%rax),%r13
   0x555555b00edc <_ZN12MediaInfoLib14Aac_k2_ComputeEhxhNS_9sbr_ratioE+1164>:   sar    %r13
   0x555555b00edf <_ZN12MediaInfoLib14Aac_k2_ComputeEhxhNS_9sbr_ratioE+1167>:   jmp    0x555555b00b2f <_ZN12MediaInfoLib14Aac_k2_ComputeEhxhNS_9sbr_ratioE+223>
   0x555555b00ee4 <_ZN12MediaInfoLib14Aac_k2_ComputeEhxhNS_9sbr_ratioE+1172>:   nopl   0x0(%rax)
   0x555555b00ee8 <_ZN12MediaInfoLib14Aac_k2_ComputeEhxhNS_9sbr_ratioE+1176>:   mov    %rbp,%rax
   0x555555b00eeb <_ZN12MediaInfoLib14Aac_k2_ComputeEhxhNS_9sbr_ratioE+1179>:   mov    %r10,%rsi
   0x555555b00eee <_ZN12MediaInfoLib14Aac_k2_ComputeEhxhNS_9sbr_ratioE+1182>:   mov    %r9d,0x2c(%rsp)
   0x555555b00ef3 <_ZN12MediaInfoLib14Aac_k2_ComputeEhxhNS_9sbr_ratioE+1187>:   sub    %rdx,%rax
   0x555555b00ef6 <_ZN12MediaInfoLib14Aac_k2_ComputeEhxhNS_9sbr_ratioE+1190>:   mov    %r8,0x20(%rsp)
(gdb) info registers
rax            0xbb800             768000
rbx            0x7fffffff0840      140737488291904
rcx            0x1                 1
rdx            0x0                 0
rsi            0x0                 0
rdi            0x5                 5
rbp            0x8                 0x8
rsp            0x7fffffff0730      0x7fffffff0730
r8             0xfffffffe0ec       17592186036460
r9             0x7fffffff07e0      140737488291808
r10            0x62c000001d2a      108576773250346
r11            0x11                17
r12            0x7fffffff0760      140737488291680
r13            0x0                 0
r14            0x7fffffff0760      140737488291680
r15            0x5                 5
rip            0x555555b00ed5      0x555555b00ed5 <MediaInfoLib::Aac_k2_Compute(unsigned char, long long, unsigned char, MediaInfoLib::sbr_ratio)+1157>
eflags         0x10206             [ PF IF RF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0
k0             0xf0000000          4026531840
k1             0x3                 3
k2             0xfffffff           268435455
k3             0x0                 0
k4             0x0                 0
k5             0x0                 0
k6             0x0                 0
k7             0x0                 0
(gdb) bt
#0  0x0000555555b00ed5 in MediaInfoLib::Aac_k2_Compute (bs_stop_freq=<optimized out>, sampling_frequency=sampling_frequency@entry=0, k0=k0@entry=17 '\021', ratio=<optimized out>)
    at ../../../Source/MediaInfo/Audio/File_Aac_GeneralAudio_Sbr.cpp:767
#1  0x0000555555b023e6 in MediaInfoLib::Aac_Sbr_Compute (sbr=0x62c000001d24, sampling_frequency=0, usac=usac@entry=true)
    at ../../../Source/MediaInfo/Audio/File_Aac_GeneralAudio_Sbr.cpp:1007
#2  0x0000555555e43f73 in MediaInfoLib::File_Usac::UsacSbrData (this=this@entry=0x62c000000200, nrSbrChannels=nrSbrChannels@entry=1,
    usacIndependencyFlag=usacIndependencyFlag@entry=true) at ../../../Source/MediaInfo/Audio/File_Usac.cpp:5084
#3  0x0000555555e5c7eb in MediaInfoLib::File_Usac::UsacSingleChannelElement (this=0x62c000000200, usacIndependencyFlag=<optimized out>)
    at ../../../Source/MediaInfo/Audio/File_Usac.cpp:3857
#4  0x0000555555e872fa in MediaInfoLib::File_Usac::UsacFrame (this=0x62c000000200, BitsNotIncluded=<optimized out>) at ../../../Source/MediaInfo/Audio/File_Usac.cpp:3689
#5  0x0000555555ae65a0 in MediaInfoLib::File_Aac::Read_Buffer_Continue_payload (this=0x62c000000200) at ../../../Source/MediaInfo/Audio/File_Aac.cpp:370
#6  0x0000555556ac93e5 in MediaInfoLib::File__Analyze::Open_Buffer_Continue_Loop (this=this@entry=0x62c000000200) at ../../../Source/MediaInfo/File__Analyze.cpp:1482
#7  0x0000555556aca768 in MediaInfoLib::File__Analyze::Open_Buffer_Continue (this=0x62c000000200,
    ToAdd=0x6310001ccabe "\262\331!M~%R0\316\233\243\020\210\277\260<:\356@\324\330\312\245;\226\300\224\024\321\313\027\360\336\032\273*\227[\217\321RFh\371\271M=<9\035\354\017\035\306gY\343(\244\235\277O\272\223\255nzj\244B\226\345\005l\256\321U\375U\261\332It\375%\233\062\272h\245\025\024\273\237A\"\227\316W\370\324Jkw(\265o\017\377\377\377\377\377\326Ux", ToAdd_Size=<optimized out>) at ../../../Source/MediaInfo/File__Analyze.cpp:1101
#8  0x0000555556ad0368 in MediaInfoLib::File__Analyze::Open_Buffer_Continue (this=this@entry=0x61e000000c80, Sub=0x62c000000200, ToAdd=<optimized out>,
    ToAdd_Size=<optimized out>, IsNewPacket=IsNewPacket@entry=true, Ratio=Ratio@entry=1) at ../../../Source/MediaInfo/File__Analyze.cpp:1448
#9  0x0000555556464484 in MediaInfoLib::File_Mpeg4::mdat_xxxx (this=0x61e000000c80) at ../../../Source/MediaInfo/Multiple/File_Mpeg4_Elements.cpp:2139
#10 0x0000555556ac50bd in MediaInfoLib::File__Analyze::Data_Manage (this=this@entry=0x61e000000c80) at ../../../Source/MediaInfo/File__Analyze.cpp:2810
#11 0x0000555556ac853d in MediaInfoLib::File__Analyze::Buffer_Parse (this=this@entry=0x61e000000c80) at ../../../Source/MediaInfo/File__Analyze.cpp:1941
#12 0x0000555556ac8c88 in MediaInfoLib::File__Analyze::Open_Buffer_Continue_Loop (this=this@entry=0x61e000000c80) at ../../../Source/MediaInfo/File__Analyze.cpp:1507
#13 0x0000555556aca768 in MediaInfoLib::File__Analyze::Open_Buffer_Continue (this=0x61e000000c80, ToAdd=ToAdd@entry=0x6310001cc800 "\371[P\206\377", ToAdd_Size=<optimized out>,
    ToAdd_Size@entry=2344) at ../../../Source/MediaInfo/File__Analyze.cpp:1101
#14 0x0000555555a56d6f in MediaInfoLib::MediaInfo_Internal::Open_Buffer_Continue (this=this@entry=0x61b000000e80, ToAdd=<optimized out>, ToAdd_Size=<optimized out>)
    at ../../../Source/MediaInfo/MediaInfo_Internal.cpp:1721
#15 0x00005555567fffdf in MediaInfoLib::Reader_File::Format_Test_PerParser_Continue (this=0x60b000008b20, MI=0x61b000000e80)
    at ../../../Source/MediaInfo/Reader/Reader_File.cpp:766
#16 0x00005555567fd434 in MediaInfoLib::Reader_File::Format_Test_PerParser (this=<optimized out>, MI=MI@entry=0x61b000000e80,
    File_Name=L"/data/fuzz/fuzz-data/output/mediainfo/aflpp2/default/crashes/id:000096,sig:08,src:014327,time:232724936,execs:18865626,op:havoc,rep:3")
    at ../../../Source/MediaInfo/Reader/Reader_File.cpp:313
#17 0x0000555555a0c2b9 in MediaInfoLib::MediaInfo_Internal::ListFormats (this=this@entry=0x61b000000e80,
    File_Name=L"/data/fuzz/fuzz-data/output/mediainfo/aflpp2/default/crashes/id:000096,sig:08,src:014327,time:232724936,execs:18865626,op:havoc,rep:3")
    at ../../../Source/MediaInfo/MediaInfo_File.cpp:912
#18 0x00005555567fe6d7 in MediaInfoLib::Reader_File::Format_Test (this=this@entry=0x60b000008b20, MI=MI@entry=0x61b000000e80,
    File_Name=L"/data/fuzz/fuzz-data/output/mediainfo/aflpp2/default/crashes/id:000096,sig:08,src:014327,time:232724936,execs:18865626,op:havoc,rep:3")
    at ../../../Source/MediaInfo/Reader/Reader_File.cpp:230
#19 0x0000555555a8415f in MediaInfoLib::MediaInfo_Internal::Entry (this=0x61b000000e80) at ../../../Source/MediaInfo/MediaInfo_Internal.cpp:1416
#20 0x0000555555a7fd7f in MediaInfoLib::MediaInfo_Internal::Open (this=0x61b000000e80,
    File_Name_=L"/data/fuzz/fuzz-data/output/mediainfo/aflpp2/default/crashes/id:000096,sig:08,src:014327,time:232724936,execs:18865626,op:havoc,rep:3")
    at ../../../Source/MediaInfo/MediaInfo_Internal.cpp:1172
#21 0x0000555555aa5866 in MediaInfoLib::MediaInfoList_Internal::Entry (this=0x61b000000780) at ../../../Source/MediaInfo/MediaInfoList_Internal.cpp:212
#22 0x0000555555aae3a3 in MediaInfoLib::MediaInfoList_Internal::Open (this=<optimized out>, File_Name=..., Options=Options@entry=MediaInfoLib::FileOption_Nothing)
    at ../../../Source/MediaInfo/MediaInfoList_Internal.cpp:148
#23 0x0000555555a9c53c in MediaInfoLib::MediaInfoList::Open (this=<optimized out>, File=..., Options=Options@entry=MediaInfoLib::FileOption_Nothing)
    at ../../../Source/MediaInfo/MediaInfoList.cpp:118
#24 0x0000555555990c83 in Core::Menu_File_Open_Files_Continue (this=this@entry=0x7fffffffe3c0, FileName=...) at ../../../Source/Common/Core.cpp:172
#25 0x000055555597f70c in main (argc=<optimized out>, argv_ansi=<optimized out>) at ../../../Source/CLI/CLI_Main.cpp:155

ASAN output:

=================================================================
==1922209==ERROR: AddressSanitizer: FPE on unknown address 0x5617d1794ed5 (pc 0x5617d1794ed5 bp 0x000000000008 sp 0x7fff534fe820 T0)
    #0 0x5617d1794ed5 in MediaInfoLib::Aac_k2_Compute(unsigned char, long long, unsigned char, MediaInfoLib::sbr_ratio) ../../../Source/MediaInfo/Audio/File_Aac_GeneralAudio_Sbr.cpp:767
    #1 0x5617d17963e5 in MediaInfoLib::Aac_Sbr_Compute(MediaInfoLib::sbr_handler*, long long, bool) ../../../Source/MediaInfo/Audio/File_Aac_GeneralAudio_Sbr.cpp:1007
    #2 0x5617d1ad7f72 in MediaInfoLib::File_Usac::UsacSbrData(unsigned long, bool) ../../../Source/MediaInfo/Audio/File_Usac.cpp:5084
    #3 0x5617d1af07ea in MediaInfoLib::File_Usac::UsacSingleChannelElement(bool) ../../../Source/MediaInfo/Audio/File_Usac.cpp:3857
    #4 0x5617d1b1b2f9 in MediaInfoLib::File_Usac::UsacFrame(unsigned long) ../../../Source/MediaInfo/Audio/File_Usac.cpp:3689
    #5 0x5617d177a59f in MediaInfoLib::File_Aac::Read_Buffer_Continue_payload() ../../../Source/MediaInfo/Audio/File_Aac.cpp:370
    #6 0x5617d275d3e4 in MediaInfoLib::File__Analyze::Open_Buffer_Continue_Loop() ../../../Source/MediaInfo/File__Analyze.cpp:1482
    #7 0x5617d275e767 in MediaInfoLib::File__Analyze::Open_Buffer_Continue(unsigned char const*, unsigned long) ../../../Source/MediaInfo/File__Analyze.cpp:1101
    #8 0x5617d2764367 in MediaInfoLib::File__Analyze::Open_Buffer_Continue(MediaInfoLib::File__Analyze*, unsigned char const*, unsigned long, bool, double) ../../../Source/MediaInfo/File__Analyze.cpp:1448
    #9 0x5617d20f8483 in MediaInfoLib::File_Mpeg4::mdat_xxxx() ../../../Source/MediaInfo/Multiple/File_Mpeg4_Elements.cpp:2139
    #10 0x5617d27590bc in MediaInfoLib::File__Analyze::Data_Manage() ../../../Source/MediaInfo/File__Analyze.cpp:2810
    #11 0x5617d275c53c in MediaInfoLib::File__Analyze::Buffer_Parse() ../../../Source/MediaInfo/File__Analyze.cpp:1941
    #12 0x5617d275cc87 in MediaInfoLib::File__Analyze::Open_Buffer_Continue_Loop() ../../../Source/MediaInfo/File__Analyze.cpp:1507
    #13 0x5617d275e767 in MediaInfoLib::File__Analyze::Open_Buffer_Continue(unsigned char const*, unsigned long) ../../../Source/MediaInfo/File__Analyze.cpp:1101
    #14 0x5617d16ead6e in MediaInfoLib::MediaInfo_Internal::Open_Buffer_Continue(unsigned char const*, unsigned long) ../../../Source/MediaInfo/MediaInfo_Internal.cpp:1721
    #15 0x5617d2493fde in MediaInfoLib::Reader_File::Format_Test_PerParser_Continue(MediaInfoLib::MediaInfo_Internal*) ../../../Source/MediaInfo/Reader/Reader_File.cpp:766
    #16 0x5617d2491433 in MediaInfoLib::Reader_File::Format_Test_PerParser(MediaInfoLib::MediaInfo_Internal*, std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> > const&) ../../../Source/MediaInfo/Reader/Reader_File.cpp:313
    #17 0x5617d16a02b8 in MediaInfoLib::MediaInfo_Internal::ListFormats(std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> > const&) ../../../Source/MediaInfo/MediaInfo_File.cpp:912
    #18 0x5617d24926d6 in MediaInfoLib::Reader_File::Format_Test(MediaInfoLib::MediaInfo_Internal*, std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> >) ../../../Source/MediaInfo/Reader/Reader_File.cpp:230
    #19 0x5617d171815e in MediaInfoLib::MediaInfo_Internal::Entry() ../../../Source/MediaInfo/MediaInfo_Internal.cpp:1416
    #20 0x5617d1713d7e in MediaInfoLib::MediaInfo_Internal::Open(std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> > const&) ../../../Source/MediaInfo/MediaInfo_Internal.cpp:1172
    #21 0x5617d1739865 in MediaInfoLib::MediaInfoList_Internal::Entry() ../../../Source/MediaInfo/MediaInfoList_Internal.cpp:212
    #22 0x5617d17423a2 in MediaInfoLib::MediaInfoList_Internal::Open(std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> > const&, MediaInfoLib::fileoptions_t) ../../../Source/MediaInfo/MediaInfoList_Internal.cpp:148
    #23 0x5617d161370b in main ../../../Source/CLI/CLI_Main.cpp:155
    #24 0x7f24eef81d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #25 0x7f24eef81e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #26 0x5617d16185b4 in _start (/data/fuzz/fuzz-data/target/elf/debug/mediainfo+0x4305b4)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE ../../../Source/MediaInfo/Audio/File_Aac_GeneralAudio_Sbr.cpp:767 in MediaInfoLib::Aac_k2_Compute(unsigned char, long long, unsigned char, MediaInfoLib::sbr_ratio)
==1922209==ABORTING
@JeromeMartinez JeromeMartinez self-assigned this Aug 25, 2024

cjee21 commented Oct 1, 2024

Looked into this a little:

The division by zero occurs at:

stopMin=(((2*6000*(ratio==DUAL?128:64))/sampling_frequency)+1)>>1;

The value of sampling_frequency is propagated through a few functions from where it is assigned zero at:

sampling_frequency=Frequency_b/2;

This is because Frequency_b is assigned zero at:

This is because sampling_frequency_index is 13 here:

Get_S1 (4, sampling_frequency_index, "samplingFrequencyIndex"); Param_Info1C(sampling_frequency_index<Aac_sampling_frequency_Size, Aac_sampling_frequency[sampling_frequency_index]);

So if I understand correctly, any AAC stream with reserved (13/14) or out-of-range sampling frequency index has the potential to cause this division-by-zero crash.

ValeZAA commented Oct 10, 2024

At line sampling_frequency=Frequency_b/2; it should check whether Frequency_b is zero.
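As an added illustration (not code from the MediaInfo project or from either commenter), the chain the two comments above describe, index -> Frequency_b -> Frequency_b/2 -> stopMin, with the zero check proposed above placed before the division. The table values are the standard AAC samplingFrequencyIndex entries; the function names are hypothetical.

```cpp
#include <cstdint>

// Constructed for this example: the 16-entry AAC samplingFrequencyIndex
// table. Indices 13 and 14 are reserved and 15 is the escape value, so a
// lookup of those indices yields 0, which is what the issue reports.
static const int64_t kAacSamplingFrequency[16] = {
    96000, 88200, 64000, 48000, 44100, 32000, 24000, 22050,
    16000, 12000, 11025,  8000,  7350,     0,     0,     0 };

enum sbr_ratio { SINGLE, DUAL };

// Returns the sampling frequency for an index, or 0 for reserved, escape
// or out-of-range indices (the table lookup in the report has no guard).
int64_t aac_sampling_frequency(unsigned index) {
    if (index >= 16) return 0;
    return kAacSamplingFrequency[index];
}

// Guarded form of the stopMin expression from line 767 of the report.
// Returns false instead of executing the idiv with a zero divisor
// (in the register dump, rax=768000 = 2*6000*64 and rsi=0).
bool sbr_stop_min(int64_t sampling_frequency, sbr_ratio ratio, int64_t &stop_min) {
    if (sampling_frequency <= 0) return false;
    stop_min = (((2 * 6000 * (ratio == DUAL ? 128 : 64)) / sampling_frequency) + 1) >> 1;
    return true;
}

// Mirrors the propagation described in the comments: a reserved index
// gives Frequency_b == 0, so sampling_frequency == 0 reaches the k2
// computation. With the check in place the stream is rejected instead.
bool sbr_stop_min_from_index(unsigned index, sbr_ratio ratio, int64_t &stop_min) {
    int64_t frequency_b = aac_sampling_frequency(index);
    if (frequency_b == 0) return false;           // the check proposed above
    int64_t sampling_frequency = frequency_b / 2; // as in the report
    return sbr_stop_min(sampling_frequency, ratio, stop_min);
}
```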
