libav: divide-by-zero in sbr_make_f_master (aacsbr.c)

Description:
Libav is an open source set of tools for audio and video processing.

A fuzzing with an mp3 file as input discovered a divide-by-zero in sbr_make_f_master.

The complete ASan output:

# avconv -i $FILE -f null -
avconv version 11.7, Copyright (c) 2000-2016 the Libav developers
  built on Aug 16 2016 15:34:42 with clang version 3.8.1 (tags/RELEASE_381/final)
[mpeg @ 0x61a00001f280] Format detected only with low score of 25, misdetection possible!
[aac @ 0x619000000580] Sample rate index in program config element does not match the sample rate index configured by the container.
[aac @ 0x619000000580] SBR was found before the first channel element.
ASAN:DEADLYSIGNAL
=================================================================
==29103==ERROR: AddressSanitizer: FPE on unknown address 0x7fbd80295491 (pc 0x7fbd80295491 bp 0x7ffde63eb2f0 sp 0x7ffde63eafa0 T0)
    #0 0x7fbd80295490 in sbr_make_f_master /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/aacsbr.c:338:57
    #1 0x7fbd80295490 in sbr_reset /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/aacsbr.c:1045
    #2 0x7fbd80295490 in ff_decode_sbr_extension /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/aacsbr.c:1093
    #3 0x7fbd801efe1b in decode_extension_payload /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/aacdec.c:2196:15
    #4 0x7fbd801efe1b in aac_decode_frame_int /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/aacdec.c:2866
    #5 0x7fbd801d3bbb in aac_decode_frame /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/aacdec.c:2959:15
    #6 0x7fbd823ed42a in avcodec_decode_audio4 /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/utils.c:1657:15
    #7 0x7fbd83f00b20 in try_decode_frame /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavformat/utils.c:1914:19
    #8 0x7fbd83ef76e2 in avformat_find_stream_info /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavformat/utils.c:2276:9
    #9 0x50d195 in open_input_file /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/avconv_opt.c:726:11
    #10 0x50b625 in open_files /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/avconv_opt.c:2127:15
    #11 0x50af81 in avconv_parse_options /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/avconv_opt.c:2164:11
    #12 0x541414 in main /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/avconv.c:2630:11
    #13 0x7fbd7e77f61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #14 0x41d098 in _init (/usr/bin/avconv+0x41d098)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/aacsbr.c:338:57 in sbr_make_f_master
==29103==ABORTING

Affected version:
11.7

Fixed version:
N/A

Commit fix:
https://git.libav.org/?p=libav.git;a=blobdiff;f=libavcodec/aacsbr.c;h=7d156e525b40b197c38db17acf16730845b91e56;hp=dbfb1677813ce6c531e4362d0be7ccf9fdfdd28e;hb=a50a5ff29ec5a8243499769e2bb9b5509ce9fd52;hpb=f55e3ff5891daf3d538b4d9176371960200d68fa

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2016-7499

Timeline:
2016-08-15: bug discovered
2016-08-16: bug reported to upstream
2016-09-21: blog post about the issue
2016-09-21: CVE assigned
2016-11-02: upstream released a patch

Note:
This bug was found with American Fuzzy Lop.

Permalink:

libav: divide-by-zero in sbr_make_f_master (aacsbr.c)

This entry was posted in advisories, security. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.