Arithmetic exception: division by zero in ../../../Source/MediaInfo/Audio/File_Aac_GeneralAudio_Sbr.cpp:767
Dear maintainers of MediaInfo,
A division by zero bug was found in MediaInfoLib.
PoC
command to run:
mediainfo ./div_zero
Details
GDB output:
Program received signal SIGFPE, Arithmetic exception.
0x0000555555b00ed5 in MediaInfoLib::Aac_k2_Compute (bs_stop_freq=<optimized out>, sampling_frequency=sampling_frequency@entry=0, k0=k0@entry=17 '\021', ratio=<optimized out>) at ../../../Source/MediaInfo/Audio/File_Aac_GeneralAudio_Sbr.cpp:767
767 stopMin=(((2*6000*(ratio==DUAL?128:64))/sampling_frequency)+1)>>1;
(gdb) x/10i $pc
=> 0x555555b00ed5 <_ZN12MediaInfoLib14Aac_k2_ComputeEhxhNS_9sbr_ratioE+1157>: idiv %rsi
0x555555b00ed8 <_ZN12MediaInfoLib14Aac_k2_ComputeEhxhNS_9sbr_ratioE+1160>: lea 0x1(%rax),%r13
0x555555b00edc <_ZN12MediaInfoLib14Aac_k2_ComputeEhxhNS_9sbr_ratioE+1164>: sar %r13
0x555555b00edf <_ZN12MediaInfoLib14Aac_k2_ComputeEhxhNS_9sbr_ratioE+1167>: jmp 0x555555b00b2f <_ZN12MediaInfoLib14Aac_k2_ComputeEhxhNS_9sbr_ratioE+223>
0x555555b00ee4 <_ZN12MediaInfoLib14Aac_k2_ComputeEhxhNS_9sbr_ratioE+1172>: nopl 0x0(%rax)
0x555555b00ee8 <_ZN12MediaInfoLib14Aac_k2_ComputeEhxhNS_9sbr_ratioE+1176>: mov %rbp,%rax
0x555555b00eeb <_ZN12MediaInfoLib14Aac_k2_ComputeEhxhNS_9sbr_ratioE+1179>: mov %r10,%rsi
0x555555b00eee <_ZN12MediaInfoLib14Aac_k2_ComputeEhxhNS_9sbr_ratioE+1182>: mov %r9d,0x2c(%rsp)
0x555555b00ef3 <_ZN12MediaInfoLib14Aac_k2_ComputeEhxhNS_9sbr_ratioE+1187>: sub %rdx,%rax
0x555555b00ef6 <_ZN12MediaInfoLib14Aac_k2_ComputeEhxhNS_9sbr_ratioE+1190>: mov %r8,0x20(%rsp)
(gdb) info registers
rax 0xbb800 768000
rbx 0x7fffffff0840 140737488291904
rcx 0x1 1
rdx 0x0 0
rsi 0x0 0
rdi 0x5 5
rbp 0x8 0x8
rsp 0x7fffffff0730 0x7fffffff0730
r8 0xfffffffe0ec 17592186036460
r9 0x7fffffff07e0 140737488291808
r10 0x62c000001d2a 108576773250346
r11 0x11 17
r12 0x7fffffff0760 140737488291680
r13 0x0 0
r14 0x7fffffff0760 140737488291680
r15 0x5 5
rip 0x555555b00ed5 0x555555b00ed5 <MediaInfoLib::Aac_k2_Compute(unsigned char, long long, unsigned char, MediaInfoLib::sbr_ratio)+1157>
eflags 0x10206 [ PF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
k0 0xf0000000 4026531840
k1 0x3 3
k2 0xfffffff 268435455
k3 0x0 0
k4 0x0 0
k5 0x0 0
k6 0x0 0
k7 0x0 0
(gdb) bt
#0 0x0000555555b00ed5 in MediaInfoLib::Aac_k2_Compute (bs_stop_freq=<optimized out>, sampling_frequency=sampling_frequency@entry=0, k0=k0@entry=17 '\021', ratio=<optimized out>)
at ../../../Source/MediaInfo/Audio/File_Aac_GeneralAudio_Sbr.cpp:767
#1 0x0000555555b023e6 in MediaInfoLib::Aac_Sbr_Compute (sbr=0x62c000001d24, sampling_frequency=0, usac=usac@entry=true)
at ../../../Source/MediaInfo/Audio/File_Aac_GeneralAudio_Sbr.cpp:1007
#2 0x0000555555e43f73 in MediaInfoLib::File_Usac::UsacSbrData (this=this@entry=0x62c000000200, nrSbrChannels=nrSbrChannels@entry=1,
usacIndependencyFlag=usacIndependencyFlag@entry=true) at ../../../Source/MediaInfo/Audio/File_Usac.cpp:5084
#3 0x0000555555e5c7eb in MediaInfoLib::File_Usac::UsacSingleChannelElement (this=0x62c000000200, usacIndependencyFlag=<optimized out>)
at ../../../Source/MediaInfo/Audio/File_Usac.cpp:3857
#4 0x0000555555e872fa in MediaInfoLib::File_Usac::UsacFrame (this=0x62c000000200, BitsNotIncluded=<optimized out>) at ../../../Source/MediaInfo/Audio/File_Usac.cpp:3689
#5 0x0000555555ae65a0 in MediaInfoLib::File_Aac::Read_Buffer_Continue_payload (this=0x62c000000200) at ../../../Source/MediaInfo/Audio/File_Aac.cpp:370
#6 0x0000555556ac93e5 in MediaInfoLib::File__Analyze::Open_Buffer_Continue_Loop (this=this@entry=0x62c000000200) at ../../../Source/MediaInfo/File__Analyze.cpp:1482
#7 0x0000555556aca768 in MediaInfoLib::File__Analyze::Open_Buffer_Continue (this=0x62c000000200,
ToAdd=0x6310001ccabe "\262\331!M~%R0\316\233\243\020\210\277\260<:\356@\324\330\312\245;\226\300\224\024\321\313\027\360\336\032\273*\227[\217\321RFh\371\271M=<9\035\354\017\035\306gY\343(\244\235\277O\272\223\255nzj\244B\226\345\005l\256\321U\375U\261\332It\375%\233\062\272h\245\025\024\273\237A\"\227\316W\370\324Jkw(\265o\017\377\377\377\377\377\326Ux", ToAdd_Size=<optimized out>) at ../../../Source/MediaInfo/File__Analyze.cpp:1101
#8 0x0000555556ad0368 in MediaInfoLib::File__Analyze::Open_Buffer_Continue (this=this@entry=0x61e000000c80, Sub=0x62c000000200, ToAdd=<optimized out>,
ToAdd_Size=<optimized out>, IsNewPacket=IsNewPacket@entry=true, Ratio=Ratio@entry=1) at ../../../Source/MediaInfo/File__Analyze.cpp:1448
#9 0x0000555556464484 in MediaInfoLib::File_Mpeg4::mdat_xxxx (this=0x61e000000c80) at ../../../Source/MediaInfo/Multiple/File_Mpeg4_Elements.cpp:2139
#10 0x0000555556ac50bd in MediaInfoLib::File__Analyze::Data_Manage (this=this@entry=0x61e000000c80) at ../../../Source/MediaInfo/File__Analyze.cpp:2810
#11 0x0000555556ac853d in MediaInfoLib::File__Analyze::Buffer_Parse (this=this@entry=0x61e000000c80) at ../../../Source/MediaInfo/File__Analyze.cpp:1941
#12 0x0000555556ac8c88 in MediaInfoLib::File__Analyze::Open_Buffer_Continue_Loop (this=this@entry=0x61e000000c80) at ../../../Source/MediaInfo/File__Analyze.cpp:1507
#13 0x0000555556aca768 in MediaInfoLib::File__Analyze::Open_Buffer_Continue (this=0x61e000000c80, ToAdd=ToAdd@entry=0x6310001cc800 "\371[P\206\377", ToAdd_Size=<optimized out>,
ToAdd_Size@entry=2344) at ../../../Source/MediaInfo/File__Analyze.cpp:1101
#14 0x0000555555a56d6f in MediaInfoLib::MediaInfo_Internal::Open_Buffer_Continue (this=this@entry=0x61b000000e80, ToAdd=<optimized out>, ToAdd_Size=<optimized out>)
at ../../../Source/MediaInfo/MediaInfo_Internal.cpp:1721
#15 0x00005555567fffdf in MediaInfoLib::Reader_File::Format_Test_PerParser_Continue (this=0x60b000008b20, MI=0x61b000000e80)
at ../../../Source/MediaInfo/Reader/Reader_File.cpp:766
#16 0x00005555567fd434 in MediaInfoLib::Reader_File::Format_Test_PerParser (this=<optimized out>, MI=MI@entry=0x61b000000e80,
File_Name=L"/data/fuzz/fuzz-data/output/mediainfo/aflpp2/default/crashes/id:000096,sig:08,src:014327,time:232724936,execs:18865626,op:havoc,rep:3")
at ../../../Source/MediaInfo/Reader/Reader_File.cpp:313
#17 0x0000555555a0c2b9 in MediaInfoLib::MediaInfo_Internal::ListFormats (this=this@entry=0x61b000000e80,
File_Name=L"/data/fuzz/fuzz-data/output/mediainfo/aflpp2/default/crashes/id:000096,sig:08,src:014327,time:232724936,execs:18865626,op:havoc,rep:3")
at ../../../Source/MediaInfo/MediaInfo_File.cpp:912
#18 0x00005555567fe6d7 in MediaInfoLib::Reader_File::Format_Test (this=this@entry=0x60b000008b20, MI=MI@entry=0x61b000000e80,
File_Name=L"/data/fuzz/fuzz-data/output/mediainfo/aflpp2/default/crashes/id:000096,sig:08,src:014327,time:232724936,execs:18865626,op:havoc,rep:3")
at ../../../Source/MediaInfo/Reader/Reader_File.cpp:230
#19 0x0000555555a8415f in MediaInfoLib::MediaInfo_Internal::Entry (this=0x61b000000e80) at ../../../Source/MediaInfo/MediaInfo_Internal.cpp:1416
#20 0x0000555555a7fd7f in MediaInfoLib::MediaInfo_Internal::Open (this=0x61b000000e80,
File_Name_=L"/data/fuzz/fuzz-data/output/mediainfo/aflpp2/default/crashes/id:000096,sig:08,src:014327,time:232724936,execs:18865626,op:havoc,rep:3")
at ../../../Source/MediaInfo/MediaInfo_Internal.cpp:1172
#21 0x0000555555aa5866 in MediaInfoLib::MediaInfoList_Internal::Entry (this=0x61b000000780) at ../../../Source/MediaInfo/MediaInfoList_Internal.cpp:212
#22 0x0000555555aae3a3 in MediaInfoLib::MediaInfoList_Internal::Open (this=<optimized out>, File_Name=..., Options=Options@entry=MediaInfoLib::FileOption_Nothing)
at ../../../Source/MediaInfo/MediaInfoList_Internal.cpp:148
#23 0x0000555555a9c53c in MediaInfoLib::MediaInfoList::Open (this=<optimized out>, File=..., Options=Options@entry=MediaInfoLib::FileOption_Nothing)
at ../../../Source/MediaInfo/MediaInfoList.cpp:118
#24 0x0000555555990c83 in Core::Menu_File_Open_Files_Continue (this=this@entry=0x7fffffffe3c0, FileName=...) at ../../../Source/Common/Core.cpp:172
#25 0x000055555597f70c in main (argc=<optimized out>, argv_ansi=<optimized out>) at ../../../Source/CLI/CLI_Main.cpp:155
ASAN output:
=================================================================
==1922209==ERROR: AddressSanitizer: FPE on unknown address 0x5617d1794ed5 (pc 0x5617d1794ed5 bp 0x000000000008 sp 0x7fff534fe820 T0)
#0 0x5617d1794ed5 in MediaInfoLib::Aac_k2_Compute(unsigned char, long long, unsigned char, MediaInfoLib::sbr_ratio) ../../../Source/MediaInfo/Audio/File_Aac_GeneralAudio_Sbr.cpp:767
#1 0x5617d17963e5 in MediaInfoLib::Aac_Sbr_Compute(MediaInfoLib::sbr_handler*, long long, bool) ../../../Source/MediaInfo/Audio/File_Aac_GeneralAudio_Sbr.cpp:1007
#2 0x5617d1ad7f72 in MediaInfoLib::File_Usac::UsacSbrData(unsigned long, bool) ../../../Source/MediaInfo/Audio/File_Usac.cpp:5084
#3 0x5617d1af07ea in MediaInfoLib::File_Usac::UsacSingleChannelElement(bool) ../../../Source/MediaInfo/Audio/File_Usac.cpp:3857
#4 0x5617d1b1b2f9 in MediaInfoLib::File_Usac::UsacFrame(unsigned long) ../../../Source/MediaInfo/Audio/File_Usac.cpp:3689
#5 0x5617d177a59f in MediaInfoLib::File_Aac::Read_Buffer_Continue_payload() ../../../Source/MediaInfo/Audio/File_Aac.cpp:370
#6 0x5617d275d3e4 in MediaInfoLib::File__Analyze::Open_Buffer_Continue_Loop() ../../../Source/MediaInfo/File__Analyze.cpp:1482
#7 0x5617d275e767 in MediaInfoLib::File__Analyze::Open_Buffer_Continue(unsigned char const*, unsigned long) ../../../Source/MediaInfo/File__Analyze.cpp:1101
#8 0x5617d2764367 in MediaInfoLib::File__Analyze::Open_Buffer_Continue(MediaInfoLib::File__Analyze*, unsigned char const*, unsigned long, bool, double) ../../../Source/MediaInfo/File__Analyze.cpp:1448
#9 0x5617d20f8483 in MediaInfoLib::File_Mpeg4::mdat_xxxx() ../../../Source/MediaInfo/Multiple/File_Mpeg4_Elements.cpp:2139
#10 0x5617d27590bc in MediaInfoLib::File__Analyze::Data_Manage() ../../../Source/MediaInfo/File__Analyze.cpp:2810
#11 0x5617d275c53c in MediaInfoLib::File__Analyze::Buffer_Parse() ../../../Source/MediaInfo/File__Analyze.cpp:1941
#12 0x5617d275cc87 in MediaInfoLib::File__Analyze::Open_Buffer_Continue_Loop() ../../../Source/MediaInfo/File__Analyze.cpp:1507
#13 0x5617d275e767 in MediaInfoLib::File__Analyze::Open_Buffer_Continue(unsigned char const*, unsigned long) ../../../Source/MediaInfo/File__Analyze.cpp:1101
#14 0x5617d16ead6e in MediaInfoLib::MediaInfo_Internal::Open_Buffer_Continue(unsigned char const*, unsigned long) ../../../Source/MediaInfo/MediaInfo_Internal.cpp:1721
#15 0x5617d2493fde in MediaInfoLib::Reader_File::Format_Test_PerParser_Continue(MediaInfoLib::MediaInfo_Internal*) ../../../Source/MediaInfo/Reader/Reader_File.cpp:766
#16 0x5617d2491433 in MediaInfoLib::Reader_File::Format_Test_PerParser(MediaInfoLib::MediaInfo_Internal*, std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> > const&) ../../../Source/MediaInfo/Reader/Reader_File.cpp:313
#17 0x5617d16a02b8 in MediaInfoLib::MediaInfo_Internal::ListFormats(std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> > const&) ../../../Source/MediaInfo/MediaInfo_File.cpp:912
#18 0x5617d24926d6 in MediaInfoLib::Reader_File::Format_Test(MediaInfoLib::MediaInfo_Internal*, std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> >) ../../../Source/MediaInfo/Reader/Reader_File.cpp:230
#19 0x5617d171815e in MediaInfoLib::MediaInfo_Internal::Entry() ../../../Source/MediaInfo/MediaInfo_Internal.cpp:1416
#20 0x5617d1713d7e in MediaInfoLib::MediaInfo_Internal::Open(std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> > const&) ../../../Source/MediaInfo/MediaInfo_Internal.cpp:1172
#21 0x5617d1739865 in MediaInfoLib::MediaInfoList_Internal::Entry() ../../../Source/MediaInfo/MediaInfoList_Internal.cpp:212
#22 0x5617d17423a2 in MediaInfoLib::MediaInfoList_Internal::Open(std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> > const&, MediaInfoLib::fileoptions_t) ../../../Source/MediaInfo/MediaInfoList_Internal.cpp:148
#23 0x5617d161370b in main ../../../Source/CLI/CLI_Main.cpp:155
#24 0x7f24eef81d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#25 0x7f24eef81e3f in __libc_start_main_impl ../csu/libc-start.c:392
#26 0x5617d16185b4 in _start (/data/fuzz/fuzz-data/target/elf/debug/mediainfo+0x4305b4)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE ../../../Source/MediaInfo/Audio/File_Aac_GeneralAudio_Sbr.cpp:767 in MediaInfoLib::Aac_k2_Compute(unsigned char, long long, unsigned char, MediaInfoLib::sbr_ratio)
==1922209==ABORTING
Looked into this a little:
The division by zero occurs at: https://github.com/MediaArea/MediaInfoLib/blob/f24a17b415eca1f37cf7b75d120634173ff3131e/Source/MediaInfo/Audio/File_Aac_GeneralAudio_Sbr.cpp#L767
Value of sampling_frequency is propagated through a few functions from where it is assigned zero at:
https://github.com/MediaArea/MediaInfoLib/blob/f24a17b415eca1f37cf7b75d120634173ff3131e/Source/MediaInfo/Audio/File_Usac.cpp#L5072
This is because Frequency_b is assigned zero at:
https://github.com/MediaArea/MediaInfoLib/blob/f24a17b415eca1f37cf7b75d120634173ff3131e/Source/MediaInfo/Audio/File_Aac_Main.cpp#L587
This is because sampling_frequency_index is 13 here:
https://github.com/MediaArea/MediaInfoLib/blob/f24a17b415eca1f37cf7b75d120634173ff3131e/Source/MediaInfo/Audio/File_Aac_Main.cpp#L576
So if I understand correctly, any AAC stream with reserved (13/14) or out-of-range sampling frequency index has the potential to cause this division-by-zero crash.
At line sampling_frequency=Frequency_b/2; it should check whether Frequency_b is zero.
Fixed by https://github.com/MediaArea/MediaInfoLib/commit/c28ae12b4d8d89d547ed066f54561a20de4e07e0.
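As an added illustration (not MediaInfoLib's own code), the following models the propagation the thread describes: a reserved or out-of-range sampling_frequency_index maps to a zero frequency, that value is halved into sampling_frequency, and the stopMin expression from line 767 then divides by it. The function and enum names, and the sampling-frequency table, are assumptions for the example; only the DUAL/128/64 expression comes from the report.

```cpp
#include <cstdint>

// AAC samplingFrequencyIndex table (assumed here from ISO/IEC 14496-3):
// indices 13 and 14 are reserved and 15 is the "explicit frequency" escape.
// Entries with no valid frequency map to 0, which mirrors Frequency_b == 0.
static const int64_t kAacSamplingFrequency[16] = {
    96000, 88200, 64000, 48000, 44100, 32000, 24000, 22050,
    16000, 12000, 11025,  8000,  7350,     0,     0,     0};

enum sbr_ratio { SINGLE = 0, DUAL = 1 };  // assumed names; the page only shows DUAL

// Frequency_b lookup: out-of-range indices also yield 0.
int64_t LookupFrequency(uint8_t sampling_frequency_index) {
    if (sampling_frequency_index >= 16) return 0;
    return kAacSamplingFrequency[sampling_frequency_index];
}

// Unguarded form of the expression at File_Aac_GeneralAudio_Sbr.cpp:767.
// With sampling_frequency == 0 this raises SIGFPE (integer division by zero),
// exactly the crash in the report (rax = 768000 = 2*6000*64 at the idiv).
int64_t StopMinUnchecked(int64_t sampling_frequency, sbr_ratio ratio) {
    return (((2 * 6000 * (ratio == DUAL ? 128 : 64)) / sampling_frequency) + 1) >> 1;
}

// Hardened form: refuse the computation when the frequency is zero (reserved
// or out-of-range index upstream) instead of dividing. Returns false on reject.
bool StopMinChecked(int64_t sampling_frequency, sbr_ratio ratio, int64_t& stop_min) {
    if (sampling_frequency <= 0) return false;
    stop_min = StopMinUnchecked(sampling_frequency, ratio);
    return true;
}

// End-to-end path from the stream's index to stopMin, with the zero check
// placed where the thread suggests it (at sampling_frequency = Frequency_b/2).
bool StopMinForIndex(uint8_t sampling_frequency_index, sbr_ratio ratio, int64_t& stop_min) {
    int64_t frequency_b = LookupFrequency(sampling_frequency_index);
    if (frequency_b == 0) return false;          // reserved/escape/out-of-range
    int64_t sampling_frequency = frequency_b / 2;  // the page's "Frequency_b/2"
    return StopMinChecked(sampling_frequency, ratio, stop_min);
}
```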