mpv-player / mpv

🎥 Command line video player
https://mpv.io

matroska: divide by zero with fuzzed file #1317

Closed tholin closed 9 years ago

tholin commented 9 years ago

I get a divide by zero error in mpv/demux/demux_mkv.c:2285 with a fuzzed file. mkv_d->tc_scale gets set to zero at demux_mkv.c:346.

$ gdb --args ~/mpv-build_vanilla_debug/mpv/build/mpv --no-config mpv_fpe.mkv 
GNU gdb (Gentoo 7.7.1 p1) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://bugs.gentoo.org/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ~/mpv-build_vanilla_debug/mpv/build/mpv...done.
(gdb) r
Starting program: ~/mpv-build_vanilla_debug/mpv/build/mpv --no-config mpv_fpe.mkv
warning: Could not load shared library symbols for linux-vdso.so.1.
Do you need "set solib-search-path" or "set sysroot"?
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
[New Thread 0x7fffed4bc700 (LWP 18785)]
[New Thread 0x7fffeccbb700 (LWP 18786)]
Playing: mpv_fpe.mkv
[New Thread 0x7fffe7fff700 (LWP 18787)]
[Thread 0x7fffe7fff700 (LWP 18787) exited]
[New Thread 0x7fffe7fff700 (LWP 18788)]
[mkv] Error parsing element SeekHead
[mkv] Invalid SeekHead entry
[mkv] Invalid EBML length at position 311
[mkv] Invalid EBML length at position 860
[mkv] Error parsing element Info
[mkv] Invalid EBML length at position 1196
[mkv] Invalid EBML length at position 2548
[mkv] Error parsing element Tracks
[Thread 0x7fffe7fff700 (LWP 18788) exited]
[stream] Video (+) --vid=1 (mpeg4)
[New Thread 0x7fffe7fff700 (LWP 18789)]
[New Thread 0x7fffe77fe700 (LWP 18790)]
[New Thread 0x7fffe5413700 (LWP 18791)]
[New Thread 0x7fffe4a0d700 (LWP 18792)]
[New Thread 0x7fffdffff700 (LWP 18793)]
[New Thread 0x7fffdf7fe700 (LWP 18794)]
[New Thread 0x7fffdeffd700 (LWP 18795)]
[New Thread 0x7fffde7fc700 (LWP 18796)]
[New Thread 0x7fffddffb700 (LWP 18797)]
[New Thread 0x7fffdd7fa700 (LWP 18798)]
[New Thread 0x7fffdcff9700 (LWP 18799)]

Program received signal SIGFPE, Arithmetic exception.
[Switching to Thread 0x7fffe7fff700 (LWP 18789)]
0x000000000044de2a in index_block (demuxer=0x7fffe02032b0, block=0x7fffe7ffed90) at ../demux/demux_mkv.c:2284
2284            add_block_position(demuxer, block->track, mkv_d->cluster_start,
(gdb) bt full
#0  0x000000000044de2a in index_block (demuxer=0x7fffe02032b0, block=0x7fffe7ffed90)
    at ../demux/demux_mkv.c:2284
        mkv_d = 0x7fffe02038d0
#1  0x000000000044ee36 in demux_mkv_fill_buffer (demuxer=0x7fffe02032b0) at ../demux/demux_mkv.c:2600
        res = 1
        block = {duration = 0, discardpadding = 0, simple = true, keyframe = true, timecode = 0, 
          track = 0x7fffe0203e20, data = {start = 0x7fffd80008c3 "\200", len = 228}, alloc = 0x7fffd80008c0, 
          filepos = 4101}
#2  0x000000000043ea28 in read_packet (in=0x7fffe0203150) at ../demux/demux.c:394
        active = true
        read_more = true
        packs = 0
        bytes = 0
        demux = 0x7fffe02032b0
        eof = 117
#3  0x000000000043ee49 in demux_thread (pctx=0x7fffe0203150) at ../demux/demux.c:484
        in = 0x7fffe0203150
#4  0x00007ffff62f0023 in start_thread () from /lib64/libpthread.so.0
No symbol table info available.
#5  0x00007ffff1fa970d in clone () from /lib64/libc.so.6
No symbol table info available.

example file https://www.dropbox.com/s/7nl90mc5eb88gvi/mpv_fpe.mkv (is there no easier way to share these?)
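The trap above is a TimecodeScale of zero reaching a division in the indexer. As an added illustration (not mpv's code, and not bytes from the fuzzed file), here is a small C parser for the Matroska TimecodeScale element (ID 0x2AD7B1) that treats a zero value as invalid and falls back to the spec default, plus the guarded nanosecond-to-tick conversion an indexer would perform; the exact shape of that division is an assumption, and the sample elements are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MKV_DEFAULT_TC_SCALE 1000000ULL  /* Matroska default: one tick = 1 ms */

/* EBML variable-size integer: leading zero bits give the width (1..8 bytes).
   Returns bytes consumed, or 0 on a malformed or truncated marker. */
static size_t ebml_read_vint(const uint8_t *p, size_t len, uint64_t *out) {
    if (len == 0) return 0;
    size_t n = 1;
    uint8_t mask = 0x80;
    while (n <= 8 && !(p[0] & mask)) { mask >>= 1; n++; }
    if (n > 8 || n > len) return 0;
    uint64_t v = p[0] & (uint8_t)(mask - 1);
    for (size_t i = 1; i < n; i++) v = (v << 8) | p[i];
    *out = v;
    return n;
}

/* Parse one TimecodeScale element. Returns -1 on a parse error, 0 when the
   value was accepted, 1 when a zero value was replaced by the default. */
int parse_timecode_scale(const uint8_t *buf, size_t len, uint64_t *tc_scale) {
    static const uint8_t id[3] = {0x2A, 0xD7, 0xB1};
    if (len < 3 || memcmp(buf, id, 3) != 0) return -1;
    uint64_t size;
    size_t n = ebml_read_vint(buf + 3, len - 3, &size);
    if (n == 0 || size == 0 || size > 8 || size > len - 3 - n) return -1;
    uint64_t v = 0;
    for (uint64_t i = 0; i < size; i++) v = (v << 8) | buf[3 + n + i];
    *tc_scale = v ? v : MKV_DEFAULT_TC_SCALE;   /* v == 0 is the fuzzed case */
    return v ? 0 : 1;
}

/* Nanosecond timecode back to scaled ticks, as an indexer would (assumed shape
   of the division). The parser already rejects zero; this guards any other path. */
uint64_t ns_to_ticks(uint64_t ns, uint64_t tc_scale) {
    return ns / (tc_scale ? tc_scale : MKV_DEFAULT_TC_SCALE);
}

/* Constructed sample elements: a zero scale and the default 1000000 (0x0F4240). */
static const uint8_t fuzzed_zero[] = {0x2A, 0xD7, 0xB1, 0x81, 0x00};
static const uint8_t valid_1ms[]   = {0x2A, 0xD7, 0xB1, 0x83, 0x0F, 0x42, 0x40};

int main(void) {
    uint64_t scale = 0;
    int rc = parse_timecode_scale(fuzzed_zero, sizeof fuzzed_zero, &scale);
    printf("fuzzed: rc=%d scale=%llu\n", rc, (unsigned long long)scale);
    return 0;
}
```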

ghost commented 9 years ago

Thanks. There are probably dozens of such issues.

(is there no easier way to share these?)

The only thing that I've recently seen that allows sharing arbitrary files without going through typical file hoster stupidity is pomf.se.

mia-0 commented 9 years ago

On Saturday 06 December 2014 04:50:15 wm4 wrote:

Thanks. There are probably dozens of such issues.

(is there no easier way to share these?)

The only thing that I've recently seen that allows sharing arbitrary files without going through typical file hoster stupidity is pomf.se.

There’s http://filehorst.de too.