Description:
Libav is an open source set of tools for audio and video processing.
Fuzzing with an mp3 file as input discovered a divide-by-zero in sbr_make_f_master.
The complete ASan output:
# avconv -i $FILE -f null -
avconv version 11.7, Copyright (c) 2000-2016 the Libav developers
  built on Aug 16 2016 15:34:42 with clang version 3.8.1 (tags/RELEASE_381/final)
[mpeg @ 0x61a00001f280] Format detected only with low score of 25, misdetection possible!
[aac @ 0x619000000580] Sample rate index in program config element does not match the sample rate index configured by the container.
[aac @ 0x619000000580] SBR was found before the first channel element.
ASAN:DEADLYSIGNAL
=================================================================
==29103==ERROR: AddressSanitizer: FPE on unknown address 0x7fbd80295491 (pc 0x7fbd80295491 bp 0x7ffde63eb2f0 sp 0x7ffde63eafa0 T0)
    #0 0x7fbd80295490 in sbr_make_f_master /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/aacsbr.c:338:57
    #1 0x7fbd80295490 in sbr_reset /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/aacsbr.c:1045
    #2 0x7fbd80295490 in ff_decode_sbr_extension /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/aacsbr.c:1093
    #3 0x7fbd801efe1b in decode_extension_payload /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/aacdec.c:2196:15
    #4 0x7fbd801efe1b in aac_decode_frame_int /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/aacdec.c:2866
    #5 0x7fbd801d3bbb in aac_decode_frame /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/aacdec.c:2959:15
    #6 0x7fbd823ed42a in avcodec_decode_audio4 /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/utils.c:1657:15
    #7 0x7fbd83f00b20 in try_decode_frame /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavformat/utils.c:1914:19
    #8 0x7fbd83ef76e2 in avformat_find_stream_info /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavformat/utils.c:2276:9
    #9 0x50d195 in open_input_file /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/avconv_opt.c:726:11
    #10 0x50b625 in open_files /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/avconv_opt.c:2127:15
    #11 0x50af81 in avconv_parse_options /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/avconv_opt.c:2164:11
    #12 0x541414 in main /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/avconv.c:2630:11
    #13 0x7fbd7e77f61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #14 0x41d098 in _init (/usr/bin/avconv+0x41d098)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/aacsbr.c:338:57 in sbr_make_f_master
==29103==ABORTING
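As an added example, not part of the advisory or of Libav, here is a small Python parser that turns an ASan report of the shape shown above into structured fields a fuzzing triage pipeline can bucket on: the process id, the error kind (here FPE, the SIGFPE that an integer division by zero raises), each stack frame with function, file, line and column, and a top-of-stack signature for deduplicating crashes that reach the same division through the same callers. The embedded sample is the report above; the function and class names (parse_asan_report, crash_signature, first_project_frame, is_deadly_signal, AsanReport, Frame) are my own and not from any tool.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the ASan output from the advisory above, one line per record.
SAMPLE_REPORT = """\
# avconv -i $FILE -f null -
avconv version 11.7, Copyright (c) 2000-2016 the Libav developers
[aac @ 0x619000000580] SBR was found before the first channel element.
ASAN:DEADLYSIGNAL
=================================================================
==29103==ERROR: AddressSanitizer: FPE on unknown address 0x7fbd80295491 (pc 0x7fbd80295491 bp 0x7ffde63eb2f0 sp 0x7ffde63eafa0 T0)
    #0 0x7fbd80295490 in sbr_make_f_master /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/aacsbr.c:338:57
    #1 0x7fbd80295490 in sbr_reset /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/aacsbr.c:1045
    #2 0x7fbd80295490 in ff_decode_sbr_extension /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/aacsbr.c:1093
    #3 0x7fbd801efe1b in decode_extension_payload /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/aacdec.c:2196:15
    #4 0x7fbd801efe1b in aac_decode_frame_int /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/aacdec.c:2866
    #5 0x7fbd801d3bbb in aac_decode_frame /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/aacdec.c:2959:15
    #6 0x7fbd823ed42a in avcodec_decode_audio4 /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/utils.c:1657:15
    #7 0x7fbd83f00b20 in try_decode_frame /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavformat/utils.c:1914:19
    #8 0x7fbd83ef76e2 in avformat_find_stream_info /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavformat/utils.c:2276:9
    #9 0x50d195 in open_input_file /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/avconv_opt.c:726:11
    #10 0x50b625 in open_files /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/avconv_opt.c:2127:15
    #11 0x50af81 in avconv_parse_options /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/avconv_opt.c:2164:11
    #12 0x541414 in main /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/avconv.c:2630:11
    #13 0x7fbd7e77f61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #14 0x41d098 in _init (/usr/bin/avconv+0x41d098)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/aacsbr.c:338:57 in sbr_make_f_master
==29103==ABORTING
"""

HEADER_RE = re.compile(r"^==(\d+)==ERROR: AddressSanitizer: (\S+)\s+(.*)$")
FRAME_RE = re.compile(r"^#(\d+)\s+(0x[0-9a-fA-F]+)\s+in\s+(\S+)\s+(.+?)$")
SUMMARY_RE = re.compile(r"^SUMMARY: AddressSanitizer: (\S+)\s+(.*)$")
LOCATION_RE = re.compile(r"^(.*?):(\d+)(?::(\d+))?$")   # file:line[:column]

# Error kinds ASan reports after ASAN:DEADLYSIGNAL (a crash, not a memory-safety finding).
DEADLY_SIGNALS = {"SEGV", "FPE", "BUS", "ILL"}


@dataclass
class Frame:
    index: int
    address: str
    function: str
    file: str               # source path, or "(binary+offset)" when unsymbolized
    line: Optional[int]
    column: Optional[int]


@dataclass
class AsanReport:
    pid: int
    kind: str               # e.g. "FPE", "SEGV", "heap-buffer-overflow"
    detail: str             # rest of the ERROR line (address, pc, bp, sp, thread)
    frames: List[Frame]
    summary: str


def parse_location(loc: str) -> Tuple[str, Optional[int], Optional[int]]:
    """Split 'path:line:col' / 'path:line'; anything else (e.g. '(bin+0x..)') has no line."""
    m = LOCATION_RE.match(loc)
    if not m:
        return loc, None, None
    return m.group(1), int(m.group(2)), (int(m.group(3)) if m.group(3) else None)


def parse_asan_report(text: str) -> AsanReport:
    pid, kind, detail, summary = None, None, "", ""
    frames: List[Frame] = []
    stack_done = False          # only the first stack trace is collected
    for raw in text.splitlines():
        line = raw.strip()
        h = HEADER_RE.match(line)
        if h and kind is None:
            pid, kind, detail = int(h.group(1)), h.group(2), h.group(3)
            continue
        s = SUMMARY_RE.match(line)
        if s:
            summary = s.group(2)
            continue
        f = FRAME_RE.match(line)
        if f and kind is not None and not stack_done:
            file, ln, col = parse_location(f.group(4))
            frames.append(Frame(int(f.group(1)), f.group(2), f.group(3), file, ln, col))
        elif frames and not stack_done:
            stack_done = True   # first non-frame line after frames ends the stack
    if kind is None:
        raise ValueError("no AddressSanitizer ERROR header found")
    return AsanReport(pid, kind, detail, frames, summary)


def crash_signature(report: AsanReport, depth: int = 3) -> Tuple[str, ...]:
    """Top-of-stack function names; fuzzer crashes with equal signatures share one bucket."""
    return tuple(fr.function for fr in report.frames[:depth])


def first_project_frame(report: AsanReport, project_marker: str) -> Optional[Frame]:
    """Innermost frame whose file path contains project_marker (skips libc/runtime frames)."""
    for fr in report.frames:
        if project_marker in fr.file:
            return fr
    return None


def is_deadly_signal(kind: str) -> bool:
    return kind in DEADLY_SIGNALS


if __name__ == "__main__":
    rep = parse_asan_report(SAMPLE_REPORT)
    top = rep.frames[0]
    print(f"pid={rep.pid} kind={rep.kind} crash={is_deadly_signal(rep.kind)}")
    print(f"top: {top.function} {top.file}:{top.line}:{top.column}")
    print("signature:", crash_signature(rep))
```

Bucketing on the signature rather than on the faulting address matters when a fuzzer produces many inputs for one bug: every mp3 that reaches the division in sbr_make_f_master through sbr_reset and ff_decode_sbr_extension maps to the same key, so the queue of unique crashes stays short and the maintainer gets one report per root cause.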
Affected version:
11.7
Fixed version:
N/A
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
CVE:
CVE-2016-7499
Timeline:
2016-08-15: bug discovered
2016-08-16: bug reported to upstream
2016-09-21: blog post about the issue
2016-09-21: CVE assigned
2016-11-02: upstream released a patch
Note:
This bug was found with American Fuzzy Lop.
Permalink: