Description:
Libav is an open source set of tools for audio and video processing.
After talking with Luca Barbato which is both a Gentoo and Libav developer, I spent a bit of my time fuzzing libav and in particular I fuzzed libavcodec though avplay.
I hit a crash and after I reported it to upstream, they confirmed the issue as a divide-by-zero.
The complete gdb output:
ago@willoughby $ gdb --args /usr/bin/avplay avplay.crash GNU gdb (Gentoo 7.7.1 p1) 7.7.1 Copyright (C) 2014 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "x86_64-pc-linux-gnu". Type "show configuration" for configuration details. For bug reporting instructions, please see: . Find the GDB manual and other documentation resources online at: . For help, type "help". Type "apropos word" to search for commands related to "word"... Reading symbols from /usr/bin/avplay...Reading symbols from /usr/lib64/debug//usr/bin/avplay.debug...done. done. (gdb) run Starting program: /usr/bin/avplay avplay.crash warning: Could not load shared library symbols for linux-vdso.so.1. Do you need "set solib-search-path" or "set sysroot"? [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib64/libthread_db.so.1". avplay version 11.3, Copyright (c) 2003-2014 the Libav developers built on Jun 19 2015 09:50:59 with gcc 4.8.4 (Gentoo 4.8.4 p1.6, pie-0.6.1) [New Thread 0x7fffec4c7700 (LWP 7016)] [New Thread 0x7fffeb166700 (LWP 7017)] INFO: AddressSanitizer ignores mlock/mlockall/munlock/munlockall [New Thread 0x7fffe9e28700 (LWP 7018)] [h263 @ 0x60480000f680] Format detected only with low score of 25, misdetection possible! [h263 @ 0x60440001f980] Syntax-based Arithmetic Coding (SAC) not supported [h263 @ 0x60440001f980] Reference Picture Selection not supported [h263 @ 0x60440001f980] Independent Segment Decoding not supported [h263 @ 0x60440001f980] header damaged Program received signal SIGFPE, Arithmetic exception. [Switching to Thread 0x7fffe9e28700 (LWP 7018)] 0x00007ffff21e3313 in ff_h263_decode_mba (s=s@entry=0x60720005a100) at /tmp/portage/media-video/libav-11.3/work/libav-11.3/libavcodec/ituh263dec.c:142 142 /tmp/portage/media-video/libav-11.3/work/libav-11.3/libavcodec/ituh263dec.c: No such file or directory. (gdb) bt #0 0x00007ffff21e3313 in ff_h263_decode_mba (s=s@entry=0x60720005a100) at /tmp/portage/media-video/libav-11.3/work/libav-11.3/libavcodec/ituh263dec.c:142 #1 0x00007ffff21f3c2d in ff_h263_decode_picture_header (s=0x60720005a100) at /tmp/portage/media-video/libav-11.3/work/libav-11.3/libavcodec/ituh263dec.c:1112 #2 0x00007ffff1ae16ed in ff_h263_decode_frame (avctx=0x60440001f980, data=0x60380002f480, got_frame=0x7fffe9e272f0, avpkt=) at /tmp/portage/media-video/libav-11.3/work/libav-11.3/libavcodec/h263dec.c:444 #3 0x00007ffff2cd963e in avcodec_decode_video2 (avctx=0x60440001f980, picture=0x60380002f480, got_picture_ptr=got_picture_ptr@entry=0x7fffe9e272f0, avpkt=avpkt@entry=0x7fffe9e273b0) at /tmp/portage/media-video/libav-11.3/work/libav-11.3/libavcodec/utils.c:1600 #4 0x00007ffff44d4fb4 in try_decode_frame (st=st@entry=0x60340002fb00, avpkt=avpkt@entry=0x601c00037b00, options=) at /tmp/portage/media-video/libav-11.3/work/libav-11.3/libavformat/utils.c:1910 #5 0x00007ffff44ebd89 in avformat_find_stream_info (ic=0x60480000f680, options=0x600a00009e80) at /tmp/portage/media-video/libav-11.3/work/libav-11.3/libavformat/utils.c:2276 #6 0x0000000000431834 in decode_thread (arg=0x7ffff7e0b800) at /tmp/portage/media-video/libav-11.3/work/libav-11.3/avplay.c:2268 #7 0x00007ffff0284b08 in ?? () from /usr/lib64/libSDL-1.2.so.0 #8 0x00007ffff02b4be9 in ?? () from /usr/lib64/libSDL-1.2.so.0 #9 0x00007ffff4e65aa8 in ?? () from /usr/lib/gcc/x86_64-pc-linux-gnu/4.8.4/libasan.so.0 #10 0x00007ffff0062204 in start_thread () from /lib64/libpthread.so.0 #11 0x00007fffefda957d in clone () from /lib64/libc.so.6 (gdb)
Affected version:
11.3 (and maybe past versions)
Fixed version:
11.5 and 12.0
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
CVE:
CVE-2015-5479
Timeline:
2015-06-21: bug discovered
2015-06-22: bug reported privately to upstream
2015-06-30: upstream commit the fix
2015-07-14: CVE assigned
2015-07-16: advisory release
Note:
This bug was found with American Fuzzy Lop.
This bug does not affect ffmpeg.
Permalink:
http://blogs.gentoo.org/ago/2015/07/16/libav-divide-by-zero-in-ff_h263_decode_mba