MediaArea / MediaInfoLib

Convenient unified display of the most relevant technical and tag data for video and audio files.
https://mediaarea.net/MediaInfo
BSD 2-Clause "Simplified" License

Arithmetic exception: division by zero in ../../../Source/MediaInfo/Audio/File_Aac_GeneralAudio_Sbr.cpp:767 #2107

Open SuyueGuo opened 3 months ago

SuyueGuo commented 3 months ago

Dear maintainers of MediaInfo,

A division-by-zero bug was found in MediaInfoLib.

PoC

div_zero.zip

command to run:

mediainfo ./div_zero

Details

GDB output:

Program received signal SIGFPE, Arithmetic exception.
0x0000555555b00ed5 in MediaInfoLib::Aac_k2_Compute (bs_stop_freq=<optimized out>, sampling_frequency=sampling_frequency@entry=0, k0=k0@entry=17 '\021', ratio=<optimized out>) at ../../../Source/MediaInfo/Audio/File_Aac_GeneralAudio_Sbr.cpp:767
767             stopMin=(((2*6000*(ratio==DUAL?128:64))/sampling_frequency)+1)>>1;
(gdb) x/10i $pc
=> 0x555555b00ed5 <_ZN12MediaInfoLib14Aac_k2_ComputeEhxhNS_9sbr_ratioE+1157>:   idiv   %rsi
   0x555555b00ed8 <_ZN12MediaInfoLib14Aac_k2_ComputeEhxhNS_9sbr_ratioE+1160>:   lea    0x1(%rax),%r13
   0x555555b00edc <_ZN12MediaInfoLib14Aac_k2_ComputeEhxhNS_9sbr_ratioE+1164>:   sar    %r13
   0x555555b00edf <_ZN12MediaInfoLib14Aac_k2_ComputeEhxhNS_9sbr_ratioE+1167>:   jmp    0x555555b00b2f <_ZN12MediaInfoLib14Aac_k2_ComputeEhxhNS_9sbr_ratioE+223>
   0x555555b00ee4 <_ZN12MediaInfoLib14Aac_k2_ComputeEhxhNS_9sbr_ratioE+1172>:   nopl   0x0(%rax)
   0x555555b00ee8 <_ZN12MediaInfoLib14Aac_k2_ComputeEhxhNS_9sbr_ratioE+1176>:   mov    %rbp,%rax
   0x555555b00eeb <_ZN12MediaInfoLib14Aac_k2_ComputeEhxhNS_9sbr_ratioE+1179>:   mov    %r10,%rsi
   0x555555b00eee <_ZN12MediaInfoLib14Aac_k2_ComputeEhxhNS_9sbr_ratioE+1182>:   mov    %r9d,0x2c(%rsp)
   0x555555b00ef3 <_ZN12MediaInfoLib14Aac_k2_ComputeEhxhNS_9sbr_ratioE+1187>:   sub    %rdx,%rax
   0x555555b00ef6 <_ZN12MediaInfoLib14Aac_k2_ComputeEhxhNS_9sbr_ratioE+1190>:   mov    %r8,0x20(%rsp)
(gdb) info registers
rax            0xbb800             768000
rbx            0x7fffffff0840      140737488291904
rcx            0x1                 1
rdx            0x0                 0
rsi            0x0                 0
rdi            0x5                 5
rbp            0x8                 0x8
rsp            0x7fffffff0730      0x7fffffff0730
r8             0xfffffffe0ec       17592186036460
r9             0x7fffffff07e0      140737488291808
r10            0x62c000001d2a      108576773250346
r11            0x11                17
r12            0x7fffffff0760      140737488291680
r13            0x0                 0
r14            0x7fffffff0760      140737488291680
r15            0x5                 5
rip            0x555555b00ed5      0x555555b00ed5 <MediaInfoLib::Aac_k2_Compute(unsigned char, long long, unsigned char, MediaInfoLib::sbr_ratio)+1157>
eflags         0x10206             [ PF IF RF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0
k0             0xf0000000          4026531840
k1             0x3                 3
k2             0xfffffff           268435455
k3             0x0                 0
k4             0x0                 0
k5             0x0                 0
k6             0x0                 0
k7             0x0                 0
(gdb) bt
#0  0x0000555555b00ed5 in MediaInfoLib::Aac_k2_Compute (bs_stop_freq=<optimized out>, sampling_frequency=sampling_frequency@entry=0, k0=k0@entry=17 '\021', ratio=<optimized out>)
    at ../../../Source/MediaInfo/Audio/File_Aac_GeneralAudio_Sbr.cpp:767
#1  0x0000555555b023e6 in MediaInfoLib::Aac_Sbr_Compute (sbr=0x62c000001d24, sampling_frequency=0, usac=usac@entry=true)
    at ../../../Source/MediaInfo/Audio/File_Aac_GeneralAudio_Sbr.cpp:1007
#2  0x0000555555e43f73 in MediaInfoLib::File_Usac::UsacSbrData (this=this@entry=0x62c000000200, nrSbrChannels=nrSbrChannels@entry=1,
    usacIndependencyFlag=usacIndependencyFlag@entry=true) at ../../../Source/MediaInfo/Audio/File_Usac.cpp:5084
#3  0x0000555555e5c7eb in MediaInfoLib::File_Usac::UsacSingleChannelElement (this=0x62c000000200, usacIndependencyFlag=<optimized out>)
    at ../../../Source/MediaInfo/Audio/File_Usac.cpp:3857
#4  0x0000555555e872fa in MediaInfoLib::File_Usac::UsacFrame (this=0x62c000000200, BitsNotIncluded=<optimized out>) at ../../../Source/MediaInfo/Audio/File_Usac.cpp:3689
#5  0x0000555555ae65a0 in MediaInfoLib::File_Aac::Read_Buffer_Continue_payload (this=0x62c000000200) at ../../../Source/MediaInfo/Audio/File_Aac.cpp:370
#6  0x0000555556ac93e5 in MediaInfoLib::File__Analyze::Open_Buffer_Continue_Loop (this=this@entry=0x62c000000200) at ../../../Source/MediaInfo/File__Analyze.cpp:1482
#7  0x0000555556aca768 in MediaInfoLib::File__Analyze::Open_Buffer_Continue (this=0x62c000000200,
    ToAdd=0x6310001ccabe "\262\331!M~%R0\316\233\243\020\210\277\260<:\356@\324\330\312\245;\226\300\224\024\321\313\027\360\336\032\273*\227[\217\321RFh\371\271M=<9\035\354\017\035\306gY\343(\244\235\277O\272\223\255nzj\244B\226\345\005l\256\321U\375U\261\332It\375%\233\062\272h\245\025\024\273\237A\"\227\316W\370\324Jkw(\265o\017\377\377\377\377\377\326Ux", ToAdd_Size=<optimized out>) at ../../../Source/MediaInfo/File__Analyze.cpp:1101
#8  0x0000555556ad0368 in MediaInfoLib::File__Analyze::Open_Buffer_Continue (this=this@entry=0x61e000000c80, Sub=0x62c000000200, ToAdd=<optimized out>,
    ToAdd_Size=<optimized out>, IsNewPacket=IsNewPacket@entry=true, Ratio=Ratio@entry=1) at ../../../Source/MediaInfo/File__Analyze.cpp:1448
#9  0x0000555556464484 in MediaInfoLib::File_Mpeg4::mdat_xxxx (this=0x61e000000c80) at ../../../Source/MediaInfo/Multiple/File_Mpeg4_Elements.cpp:2139
#10 0x0000555556ac50bd in MediaInfoLib::File__Analyze::Data_Manage (this=this@entry=0x61e000000c80) at ../../../Source/MediaInfo/File__Analyze.cpp:2810
#11 0x0000555556ac853d in MediaInfoLib::File__Analyze::Buffer_Parse (this=this@entry=0x61e000000c80) at ../../../Source/MediaInfo/File__Analyze.cpp:1941
#12 0x0000555556ac8c88 in MediaInfoLib::File__Analyze::Open_Buffer_Continue_Loop (this=this@entry=0x61e000000c80) at ../../../Source/MediaInfo/File__Analyze.cpp:1507
#13 0x0000555556aca768 in MediaInfoLib::File__Analyze::Open_Buffer_Continue (this=0x61e000000c80, ToAdd=ToAdd@entry=0x6310001cc800 "\371[P\206\377", ToAdd_Size=<optimized out>,
    ToAdd_Size@entry=2344) at ../../../Source/MediaInfo/File__Analyze.cpp:1101
#14 0x0000555555a56d6f in MediaInfoLib::MediaInfo_Internal::Open_Buffer_Continue (this=this@entry=0x61b000000e80, ToAdd=<optimized out>, ToAdd_Size=<optimized out>)
    at ../../../Source/MediaInfo/MediaInfo_Internal.cpp:1721
#15 0x00005555567fffdf in MediaInfoLib::Reader_File::Format_Test_PerParser_Continue (this=0x60b000008b20, MI=0x61b000000e80)
    at ../../../Source/MediaInfo/Reader/Reader_File.cpp:766
#16 0x00005555567fd434 in MediaInfoLib::Reader_File::Format_Test_PerParser (this=<optimized out>, MI=MI@entry=0x61b000000e80,
    File_Name=L"/data/fuzz/fuzz-data/output/mediainfo/aflpp2/default/crashes/id:000096,sig:08,src:014327,time:232724936,execs:18865626,op:havoc,rep:3")
    at ../../../Source/MediaInfo/Reader/Reader_File.cpp:313
#17 0x0000555555a0c2b9 in MediaInfoLib::MediaInfo_Internal::ListFormats (this=this@entry=0x61b000000e80,
    File_Name=L"/data/fuzz/fuzz-data/output/mediainfo/aflpp2/default/crashes/id:000096,sig:08,src:014327,time:232724936,execs:18865626,op:havoc,rep:3")
    at ../../../Source/MediaInfo/MediaInfo_File.cpp:912
#18 0x00005555567fe6d7 in MediaInfoLib::Reader_File::Format_Test (this=this@entry=0x60b000008b20, MI=MI@entry=0x61b000000e80,
    File_Name=L"/data/fuzz/fuzz-data/output/mediainfo/aflpp2/default/crashes/id:000096,sig:08,src:014327,time:232724936,execs:18865626,op:havoc,rep:3")
    at ../../../Source/MediaInfo/Reader/Reader_File.cpp:230
#19 0x0000555555a8415f in MediaInfoLib::MediaInfo_Internal::Entry (this=0x61b000000e80) at ../../../Source/MediaInfo/MediaInfo_Internal.cpp:1416
#20 0x0000555555a7fd7f in MediaInfoLib::MediaInfo_Internal::Open (this=0x61b000000e80,
    File_Name_=L"/data/fuzz/fuzz-data/output/mediainfo/aflpp2/default/crashes/id:000096,sig:08,src:014327,time:232724936,execs:18865626,op:havoc,rep:3")
    at ../../../Source/MediaInfo/MediaInfo_Internal.cpp:1172
#21 0x0000555555aa5866 in MediaInfoLib::MediaInfoList_Internal::Entry (this=0x61b000000780) at ../../../Source/MediaInfo/MediaInfoList_Internal.cpp:212
#22 0x0000555555aae3a3 in MediaInfoLib::MediaInfoList_Internal::Open (this=<optimized out>, File_Name=..., Options=Options@entry=MediaInfoLib::FileOption_Nothing)
    at ../../../Source/MediaInfo/MediaInfoList_Internal.cpp:148
#23 0x0000555555a9c53c in MediaInfoLib::MediaInfoList::Open (this=<optimized out>, File=..., Options=Options@entry=MediaInfoLib::FileOption_Nothing)
    at ../../../Source/MediaInfo/MediaInfoList.cpp:118
#24 0x0000555555990c83 in Core::Menu_File_Open_Files_Continue (this=this@entry=0x7fffffffe3c0, FileName=...) at ../../../Source/Common/Core.cpp:172
#25 0x000055555597f70c in main (argc=<optimized out>, argv_ansi=<optimized out>) at ../../../Source/CLI/CLI_Main.cpp:155

ASAN output:

=================================================================
==1922209==ERROR: AddressSanitizer: FPE on unknown address 0x5617d1794ed5 (pc 0x5617d1794ed5 bp 0x000000000008 sp 0x7fff534fe820 T0)
    #0 0x5617d1794ed5 in MediaInfoLib::Aac_k2_Compute(unsigned char, long long, unsigned char, MediaInfoLib::sbr_ratio) ../../../Source/MediaInfo/Audio/File_Aac_GeneralAudio_Sbr.cpp:767
    #1 0x5617d17963e5 in MediaInfoLib::Aac_Sbr_Compute(MediaInfoLib::sbr_handler*, long long, bool) ../../../Source/MediaInfo/Audio/File_Aac_GeneralAudio_Sbr.cpp:1007
    #2 0x5617d1ad7f72 in MediaInfoLib::File_Usac::UsacSbrData(unsigned long, bool) ../../../Source/MediaInfo/Audio/File_Usac.cpp:5084
    #3 0x5617d1af07ea in MediaInfoLib::File_Usac::UsacSingleChannelElement(bool) ../../../Source/MediaInfo/Audio/File_Usac.cpp:3857
    #4 0x5617d1b1b2f9 in MediaInfoLib::File_Usac::UsacFrame(unsigned long) ../../../Source/MediaInfo/Audio/File_Usac.cpp:3689
    #5 0x5617d177a59f in MediaInfoLib::File_Aac::Read_Buffer_Continue_payload() ../../../Source/MediaInfo/Audio/File_Aac.cpp:370
    #6 0x5617d275d3e4 in MediaInfoLib::File__Analyze::Open_Buffer_Continue_Loop() ../../../Source/MediaInfo/File__Analyze.cpp:1482
    #7 0x5617d275e767 in MediaInfoLib::File__Analyze::Open_Buffer_Continue(unsigned char const*, unsigned long) ../../../Source/MediaInfo/File__Analyze.cpp:1101
    #8 0x5617d2764367 in MediaInfoLib::File__Analyze::Open_Buffer_Continue(MediaInfoLib::File__Analyze*, unsigned char const*, unsigned long, bool, double) ../../../Source/MediaInfo/File__Analyze.cpp:1448
    #9 0x5617d20f8483 in MediaInfoLib::File_Mpeg4::mdat_xxxx() ../../../Source/MediaInfo/Multiple/File_Mpeg4_Elements.cpp:2139
    #10 0x5617d27590bc in MediaInfoLib::File__Analyze::Data_Manage() ../../../Source/MediaInfo/File__Analyze.cpp:2810
    #11 0x5617d275c53c in MediaInfoLib::File__Analyze::Buffer_Parse() ../../../Source/MediaInfo/File__Analyze.cpp:1941
    #12 0x5617d275cc87 in MediaInfoLib::File__Analyze::Open_Buffer_Continue_Loop() ../../../Source/MediaInfo/File__Analyze.cpp:1507
    #13 0x5617d275e767 in MediaInfoLib::File__Analyze::Open_Buffer_Continue(unsigned char const*, unsigned long) ../../../Source/MediaInfo/File__Analyze.cpp:1101
    #14 0x5617d16ead6e in MediaInfoLib::MediaInfo_Internal::Open_Buffer_Continue(unsigned char const*, unsigned long) ../../../Source/MediaInfo/MediaInfo_Internal.cpp:1721
    #15 0x5617d2493fde in MediaInfoLib::Reader_File::Format_Test_PerParser_Continue(MediaInfoLib::MediaInfo_Internal*) ../../../Source/MediaInfo/Reader/Reader_File.cpp:766
    #16 0x5617d2491433 in MediaInfoLib::Reader_File::Format_Test_PerParser(MediaInfoLib::MediaInfo_Internal*, std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> > const&) ../../../Source/MediaInfo/Reader/Reader_File.cpp:313
    #17 0x5617d16a02b8 in MediaInfoLib::MediaInfo_Internal::ListFormats(std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> > const&) ../../../Source/MediaInfo/MediaInfo_File.cpp:912
    #18 0x5617d24926d6 in MediaInfoLib::Reader_File::Format_Test(MediaInfoLib::MediaInfo_Internal*, std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> >) ../../../Source/MediaInfo/Reader/Reader_File.cpp:230
    #19 0x5617d171815e in MediaInfoLib::MediaInfo_Internal::Entry() ../../../Source/MediaInfo/MediaInfo_Internal.cpp:1416
    #20 0x5617d1713d7e in MediaInfoLib::MediaInfo_Internal::Open(std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> > const&) ../../../Source/MediaInfo/MediaInfo_Internal.cpp:1172
    #21 0x5617d1739865 in MediaInfoLib::MediaInfoList_Internal::Entry() ../../../Source/MediaInfo/MediaInfoList_Internal.cpp:212
    #22 0x5617d17423a2 in MediaInfoLib::MediaInfoList_Internal::Open(std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> > const&, MediaInfoLib::fileoptions_t) ../../../Source/MediaInfo/MediaInfoList_Internal.cpp:148
    #23 0x5617d161370b in main ../../../Source/CLI/CLI_Main.cpp:155
    #24 0x7f24eef81d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #25 0x7f24eef81e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #26 0x5617d16185b4 in _start (/data/fuzz/fuzz-data/target/elf/debug/mediainfo+0x4305b4)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE ../../../Source/MediaInfo/Audio/File_Aac_GeneralAudio_Sbr.cpp:767 in MediaInfoLib::Aac_k2_Compute(unsigned char, long long, unsigned char, MediaInfoLib::sbr_ratio)
==1922209==ABORTING

cjee21 commented 1 month ago

Looked into this a little:

The division by zero occurs at: https://github.com/MediaArea/MediaInfoLib/blob/f24a17b415eca1f37cf7b75d120634173ff3131e/Source/MediaInfo/Audio/File_Aac_GeneralAudio_Sbr.cpp#L767

Value of sampling_frequency is propagated through a few functions from where it is assigned zero at: https://github.com/MediaArea/MediaInfoLib/blob/f24a17b415eca1f37cf7b75d120634173ff3131e/Source/MediaInfo/Audio/File_Usac.cpp#L5072

This is because Frequency_b is assigned zero at: https://github.com/MediaArea/MediaInfoLib/blob/f24a17b415eca1f37cf7b75d120634173ff3131e/Source/MediaInfo/Audio/File_Aac_Main.cpp#L587

This is because sampling_frequency_index is 13 here: https://github.com/MediaArea/MediaInfoLib/blob/f24a17b415eca1f37cf7b75d120634173ff3131e/Source/MediaInfo/Audio/File_Aac_Main.cpp#L576

So if I understand correctly, any AAC stream with reserved (13/14) or out-of-range sampling frequency index has the potential to cause this division-by-zero crash.

ValeZAA commented 1 month ago

At line sampling_frequency=Frequency_b/2; it should check whether Frequency_b is zero.
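The chain the two comments above describe (reserved samplingFrequencyIndex, Frequency_b assigned 0, halved for the USAC path, then divided by in the stopMin expression at File_Aac_GeneralAudio_Sbr.cpp:767), as an added C++ example. This is not MediaInfoLib code: the index table is the ISO/IEC 14496-3 samplingFrequencyIndex table (13 and 14 reserved, 15 escape), the BitReader, AscHeader, sbr_ratio enum and every function name are illustrative, the AudioSpecificConfig bytes are constructed rather than taken from the PoC, and the usac_half flag stands in for the Frequency_b/2 line ValeZAA quotes. The stopMin expression is copied from the crash line and guarded; note that the register dump shows rax = 0xbb800 = 768000 = 2*6000*64 with the divisor rsi = 0, which is exactly the non-DUAL branch of that expression.

```cpp
// Added example (not MediaInfoLib code): models index -> Frequency_b -> sampling_frequency
// -> SBR stopMin, with the zero check the crash site lacks.
#include <cstdint>
#include <cstddef>

namespace sbr_example {

// ISO/IEC 14496-3 samplingFrequencyIndex table. 13 and 14 are reserved and 15 is the
// escape value (explicit 24-bit frequency follows); all three yield 0 here, like the
// Frequency_b assignment the thread points at.
static const int32_t kAacSamplingFrequency[16] = {
    96000, 88200, 64000, 48000, 44100, 32000, 24000, 22050,
    16000, 12000, 11025,  8000,  7350,     0,     0,     0};

int32_t aac_sampling_frequency(uint8_t index) {
    return index < 16 ? kAacSamplingFrequency[index] : 0;   // out-of-range also maps to 0
}

// Minimal MSB-first bit reader (illustrative, not the library's own reader).
class BitReader {
    const uint8_t* data_; size_t bits_; size_t pos_;
public:
    BitReader(const uint8_t* d, size_t len) : data_(d), bits_(len * 8), pos_(0) {}
    bool read(unsigned n, uint32_t& out) {
        if (pos_ + n > bits_) return false;               // refuse to read past the buffer
        out = 0;
        for (unsigned i = 0; i < n; ++i, ++pos_)
            out = (out << 1) | ((data_[pos_ >> 3] >> (7 - (pos_ & 7))) & 1);
        return true;
    }
};

struct AscHeader {
    uint8_t audio_object_type;
    uint8_t sampling_frequency_index;
    int32_t sampling_frequency;      // 0 when reserved / invalid
    uint8_t channel_configuration;
};

// Parses the leading AudioSpecificConfig fields: audioObjectType(5),
// samplingFrequencyIndex(4) [+ samplingFrequency(24) if index == 15], channelConfiguration(4).
// Returns false on truncation or when the resolved frequency is 0, so a zero frequency
// is rejected at parse time instead of reaching later arithmetic.
bool parse_asc_header(const uint8_t* d, size_t len, AscHeader& h) {
    BitReader br(d, len);
    uint32_t v;
    if (!br.read(5, v)) return false; h.audio_object_type = (uint8_t)v;
    if (!br.read(4, v)) return false; h.sampling_frequency_index = (uint8_t)v;
    if (h.sampling_frequency_index == 15) {
        if (!br.read(24, v)) return false;
        h.sampling_frequency = (int32_t)v;
    } else {
        h.sampling_frequency = aac_sampling_frequency(h.sampling_frequency_index);
    }
    if (!br.read(4, v)) return false; h.channel_configuration = (uint8_t)v;
    return h.sampling_frequency > 0;                       // reserved 13/14 or explicit 0: reject
}

enum sbr_ratio { SBR_RATIO_SINGLE = 0, SBR_RATIO_DUAL = 1 }; // stands in for the DUAL test in the trace

// Same expression as the crash line, guarded: returns false instead of dividing by zero.
bool sbr_stop_min(int64_t sampling_frequency, sbr_ratio ratio, int64_t& stopMin) {
    if (sampling_frequency <= 0) return false;
    const int64_t bands = (ratio == SBR_RATIO_DUAL) ? 128 : 64;
    stopMin = (((2 * 6000 * bands) / sampling_frequency) + 1) >> 1;
    return true;
}

// Whole chain from the thread: index -> Frequency_b -> sampling_frequency (halved on the
// USAC path, modelled on the Frequency_b/2 line quoted above) -> stopMin.
// Any zero along the way short-circuits to false.
bool stop_min_from_index(uint8_t index, bool usac_half, sbr_ratio ratio, int64_t& stopMin) {
    const int32_t frequency_b = aac_sampling_frequency(index);
    if (frequency_b == 0) return false;
    const int64_t sampling_frequency = usac_half ? frequency_b / 2 : frequency_b;
    return sbr_stop_min(sampling_frequency, ratio, stopMin);
}

// Constructed sample AudioSpecificConfig bytes (not from the PoC file):
//   0x12 0x10 -> AOT 2 (AAC LC), index 4 (44100 Hz), 2 channels
//   0x16 0x90 -> AOT 2, index 13 (reserved), 2 channels
static const uint8_t kAscValid[2]    = {0x12, 0x10};
static const uint8_t kAscReserved[2] = {0x16, 0x90};

} // namespace sbr_example
```

The point of the two guards is where they sit: rejecting a zero frequency when the index is decoded keeps every downstream formula safe, while the check inside sbr_stop_min is the defence-in-depth a function that divides by a caller-supplied value should carry regardless of how it was reached.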