{"id":314,"date":"2015-07-16T11:57:59","date_gmt":"2015-07-16T09:57:59","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=314"},"modified":"2016-09-07T14:37:33","modified_gmt":"2016-09-07T12:37:33","slug":"libav-divide-by-zero-in-ff_h263_decode_mba","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2015\/07\/16\/libav-divide-by-zero-in-ff_h263_decode_mba\/","title":{"rendered":"libav: divide-by-zero in ff_h263_decode_mba()"},"content":{"rendered":"<p><strong>Description<\/strong>:<br \/>\n<a href=\"https:\/\/libav.org\/\">Libav<\/a> is an open source set of tools for audio and video processing.<\/p>\n<p>After talking with <a href=\"mailto:lu_zero@gentoo.org\">Luca Barbato<\/a>, who is both a Gentoo and a Libav developer, I spent a bit of my time fuzzing libav; in particular I fuzzed libavcodec through avplay.<br \/>\nI hit a crash, and after I reported it upstream they confirmed the issue as a divide-by-zero. The backtrace below shows the SIGFPE raised at libavcodec\/ituh263dec.c:142 in ff_h263_decode_mba(), reached from ff_h263_decode_picture_header() while avformat_find_stream_info() is still probing the input, so a crafted file triggers it during stream detection.<\/p>\n<p>The complete gdb output:<\/p>\n<pre><font size=\"2\">ago@willoughby $ gdb --args \/usr\/bin\/avplay avplay.crash \r\nGNU gdb (Gentoo 7.7.1 p1) 7.7.1\r\nCopyright (C) 2014 Free Software Foundation, Inc.\r\nLicense GPLv3+: GNU GPL version 3 or later \r\nThis is free software: you are free to change and redistribute it.\r\nThere is NO WARRANTY, to the extent permitted by law.  
Type \"show copying\"\r\nand \"show warranty\" for details.\r\nThis GDB was configured as \"x86_64-pc-linux-gnu\".\r\nType \"show configuration\" for configuration details.\r\nFor bug reporting instructions, please see:\r\n.\r\nFind the GDB manual and other documentation resources online at:\r\n.\r\nFor help, type \"help\".\r\nType \"apropos word\" to search for commands related to \"word\"...\r\nReading symbols from \/usr\/bin\/avplay...Reading symbols from \/usr\/lib64\/debug\/\/usr\/bin\/avplay.debug...done.\r\ndone.\r\n(gdb) run\r\nStarting program: \/usr\/bin\/avplay avplay.crash\r\nwarning: Could not load shared library symbols for linux-vdso.so.1.\r\nDo you need \"set solib-search-path\" or \"set sysroot\"?\r\n[Thread debugging using libthread_db enabled]\r\nUsing host libthread_db library \"\/lib64\/libthread_db.so.1\".\r\navplay version 11.3, Copyright (c) 2003-2014 the Libav developers\r\n  built on Jun 19 2015 09:50:59 with gcc 4.8.4 (Gentoo 4.8.4 p1.6, pie-0.6.1)\r\n[New Thread 0x7fffec4c7700 (LWP 7016)]\r\n[New Thread 0x7fffeb166700 (LWP 7017)]\r\nINFO: AddressSanitizer ignores mlock\/mlockall\/munlock\/munlockall\r\n[New Thread 0x7fffe9e28700 (LWP 7018)]\r\n[h263 @ 0x60480000f680] Format detected only with low score of 25, misdetection possible!\r\n[h263 @ 0x60440001f980] Syntax-based Arithmetic Coding (SAC) not supported\r\n[h263 @ 0x60440001f980] Reference Picture Selection not supported\r\n[h263 @ 0x60440001f980] Independent Segment Decoding not supported\r\n[h263 @ 0x60440001f980] header damaged\r\n\r\nProgram received signal SIGFPE, Arithmetic exception.\r\n[Switching to Thread 0x7fffe9e28700 (LWP 7018)]\r\n0x00007ffff21e3313 in ff_h263_decode_mba (s=s@entry=0x60720005a100) at \/tmp\/portage\/media-video\/libav-11.3\/work\/libav-11.3\/libavcodec\/ituh263dec.c:142\r\n142     \/tmp\/portage\/media-video\/libav-11.3\/work\/libav-11.3\/libavcodec\/ituh263dec.c: No such file or directory.\r\n(gdb) bt\r\n#0  0x00007ffff21e3313 in ff_h263_decode_mba 
(s=s@entry=0x60720005a100) at \/tmp\/portage\/media-video\/libav-11.3\/work\/libav-11.3\/libavcodec\/ituh263dec.c:142\r\n#1  0x00007ffff21f3c2d in ff_h263_decode_picture_header (s=0x60720005a100) at \/tmp\/portage\/media-video\/libav-11.3\/work\/libav-11.3\/libavcodec\/ituh263dec.c:1112\r\n#2  0x00007ffff1ae16ed in ff_h263_decode_frame (avctx=0x60440001f980, data=0x60380002f480, got_frame=0x7fffe9e272f0, avpkt=) at \/tmp\/portage\/media-video\/libav-11.3\/work\/libav-11.3\/libavcodec\/h263dec.c:444\r\n#3  0x00007ffff2cd963e in avcodec_decode_video2 (avctx=0x60440001f980, picture=0x60380002f480, got_picture_ptr=got_picture_ptr@entry=0x7fffe9e272f0, avpkt=avpkt@entry=0x7fffe9e273b0) at \/tmp\/portage\/media-video\/libav-11.3\/work\/libav-11.3\/libavcodec\/utils.c:1600\r\n#4  0x00007ffff44d4fb4 in try_decode_frame (st=st@entry=0x60340002fb00, avpkt=avpkt@entry=0x601c00037b00, options=) at \/tmp\/portage\/media-video\/libav-11.3\/work\/libav-11.3\/libavformat\/utils.c:1910\r\n#5  0x00007ffff44ebd89 in avformat_find_stream_info (ic=0x60480000f680, options=0x600a00009e80) at \/tmp\/portage\/media-video\/libav-11.3\/work\/libav-11.3\/libavformat\/utils.c:2276\r\n#6  0x0000000000431834 in decode_thread (arg=0x7ffff7e0b800) at \/tmp\/portage\/media-video\/libav-11.3\/work\/libav-11.3\/avplay.c:2268\r\n#7  0x00007ffff0284b08 in ?? () from \/usr\/lib64\/libSDL-1.2.so.0\r\n#8  0x00007ffff02b4be9 in ?? () from \/usr\/lib64\/libSDL-1.2.so.0\r\n#9  0x00007ffff4e65aa8 in ?? 
() from \/usr\/lib\/gcc\/x86_64-pc-linux-gnu\/4.8.4\/libasan.so.0\r\n#10 0x00007ffff0062204 in start_thread () from \/lib64\/libpthread.so.0\r\n#11 0x00007fffefda957d in clone () from \/lib64\/libc.so.6\r\n(gdb)\r\n<\/font><\/pre>\n<p><strong>Affected version:<\/strong><br \/>\n11.3 (and possibly earlier versions)<\/p>\n<p><strong>Fixed version:<\/strong><br \/>\n11.5 and 12.0<\/p>\n<p><strong>Commit fix:<\/strong><br \/>\n<a href=\"https:\/\/git.libav.org\/?p=libav.git;a=commitdiff;h=0a49a62f998747cfa564d98d36a459fe70d3299b;hp=6f4cd33efb5a9ec75db1677d5f7846c60337129f\">https:\/\/git.libav.org\/?p=libav.git;a=commitdiff;h=0a49a62f998747cfa564d98d36a459fe70d3299b;hp=6f4cd33efb5a9ec75db1677d5f7846c60337129f<\/a><\/p>\n<p><strong>Credit:<\/strong><br \/>\nThis bug was discovered by Agostino Sarubbo of Gentoo.<\/p>\n<p><strong>CVE:<\/strong><br \/>\nCVE-2015-5479<\/p>\n<p><strong>Timeline:<\/strong><br \/>\n2015-06-21: bug discovered<br \/>\n2015-06-22: bug reported privately to upstream<br \/>\n2015-06-30: upstream committed the fix<br \/>\n2015-07-14: CVE assigned<br \/>\n2015-07-16: advisory released<\/p>\n<p><strong>Note:<\/strong><br \/>\nThis bug was found with <a href=\"http:\/\/lcamtuf.coredump.cx\/afl\">American Fuzzy Lop<\/a>.<br \/>\nThis bug does not affect <a href=\"http:\/\/ffmpeg.org\/\">ffmpeg<\/a>.<\/p>\n<p><strong>Permalink:<\/strong><br \/>\n<a href=\"http:\/\/blogs.gentoo.org\/ago\/2015\/07\/16\/libav-divide-by-zero-in-ff_h263_decode_mba\">http:\/\/blogs.gentoo.org\/ago\/2015\/07\/16\/libav-divide-by-zero-in-ff_h263_decode_mba<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Description: Libav is an open source set of tools for audio and video processing. 
After talking with Luca Barbato, who is both a Gentoo and a Libav developer, I spent a bit of my time fuzzing libav and in particular I &hellip; <a href=\"https:\/\/blogs.gentoo.org\/ago\/2015\/07\/16\/libav-divide-by-zero-in-ff_h263_decode_mba\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":140,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[12,10],"tags":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p2EaBc-54","_links":{"self":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/314"}],"collection":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/users\/140"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/comments?post=314"}],"version-history":[{"count":15,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/314\/revisions"}],"predecessor-version":[{"id":339,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/314\/revisions\/339"}],"wp:attachment":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/media?parent=314"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/categories?post=314"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/tags?post=314"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
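The backtrace in the advisory ends in ff_h263_decode_mba(), where a macroblock address read from the bitstream is split into a column and a row with a modulo and a division by the picture's macroblock width. If the picture header parsed from the untrusted file yields a zero width, that divisor is zero and the process dies with SIGFPE, which is the crash above. The following is an added illustration of that bug class and its mitigation; it is not code from libav, from the fix commit linked above, or from the advisory's author. The bit reader, the PictureState layout, the helper names and the 16384-pixel limit are assumptions made for this example, the real H.263 picture-header field layout is not modelled, and the example goes slightly beyond the page by also bounding the decoded address against the macroblock count and guarding the bit reader against reading past the end of the buffer.

```c
/*
 * Added illustration, not libav code: a simplified model of the
 * macroblock-address (MBA) decode that the advisory's backtrace lands in,
 * with the header-derived divisor validated before it is ever used.
 * All names and limits here are assumptions for the example.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef struct {
    const uint8_t *buf;   /* MSB-first bitstream (assumed layout) */
    size_t size_bits;
    size_t pos;
} BitReader;

/* Read n bits (0..24). Returns -1 on overrun instead of reading past the
 * buffer, since a fuzzed file will also truncate headers. */
static int get_bits(BitReader *br, int n)
{
    if (n < 0 || n > 24 || br->pos + (size_t)n > br->size_bits)
        return -1;
    unsigned v = 0;
    for (int i = 0; i < n; i++, br->pos++)
        v = (v << 1) | ((br->buf[br->pos >> 3] >> (7 - (br->pos & 7))) & 1);
    return (int)v;
}

typedef struct {
    int mb_width, mb_height, mb_num;   /* derived from the picture header */
    int mb_x, mb_y;                    /* result of the MBA decode */
} PictureState;

/* Turn pixel dimensions taken from the header into macroblock geometry.
 * Returns 0 on success, -1 if the dimensions are unusable. This is the
 * check that has to run before anything divides by mb_width. */
int init_picture_geometry(PictureState *s, int width, int height)
{
    if (width <= 0 || height <= 0 || width > 16384 || height > 16384)
        return -1;                       /* rejects a zero-size header */
    s->mb_width  = (width  + 15) / 16;
    s->mb_height = (height + 15) / 16;
    s->mb_num    = s->mb_width * s->mb_height;   /* cannot overflow: bounded above */
    s->mb_x = s->mb_y = 0;
    return 0;
}

/* Decode a macroblock address and split it into (mb_x, mb_y).
 * Returns the address, or -1 on a corrupt header or truncated stream.
 * Without the first guard, mb_width == 0 turns "mb_pos % mb_width" into
 * the SIGFPE the advisory reports at ituh263dec.c:142. */
int decode_mba_checked(PictureState *s, BitReader *br)
{
    if (s->mb_width <= 0 || s->mb_height <= 0 ||
        s->mb_num != s->mb_width * s->mb_height)
        return -1;
    int len = 0;                         /* bits needed to address mb_num MBs */
    while (len < 24 && (1 << len) < s->mb_num)
        len++;
    int mb_pos = get_bits(br, len);
    if (mb_pos < 0 || mb_pos >= s->mb_num)
        return -1;                       /* address outside the picture */
    s->mb_x = mb_pos % s->mb_width;      /* divisor is now known to be > 0 */
    s->mb_y = mb_pos / s->mb_width;
    return mb_pos;
}

/* Constructed sample: a 64x48 picture (4x3 macroblocks) followed by the
 * 4-bit MBA 1010b = 10, i.e. macroblock (2, 2). Returns 10. */
int demo_valid_header(void)
{
    static const uint8_t stream[] = { 0xA0 };
    BitReader br = { stream, sizeof stream * 8, 0 };
    PictureState s;
    if (init_picture_geometry(&s, 64, 48) < 0)
        return -1;
    return decode_mba_checked(&s, &br);
}

/* Constructed sample: a header whose width is zero. Unchecked, mb_width
 * would be 0 and the modulo above would fault; here the geometry check
 * refuses the header, the state stays zeroed and the decode returns -1. */
int demo_zero_width(void)
{
    PictureState s = { 0, 0, 0, 0, 0 };
    if (init_picture_geometry(&s, 0, 48) == 0)
        return 1;                        /* must never be accepted */
    static const uint8_t stream[] = { 0xA0 };
    BitReader br = { stream, sizeof stream * 8, 0 };
    return decode_mba_checked(&s, &br);
}

int main(void)
{
    printf("valid header -> mb_pos %d\n", demo_valid_header());
    printf("zero width   -> %d (rejected before any division)\n", demo_zero_width());
    return 0;
}
```

The point to take from the example is where the check lives: a dimension that comes off the wire has to be validated when the header is parsed, not trusted by every later consumer, because the divide in the MBA decode is only one of the places that assume a non-zero width. The same input should be run under a sanitizer build (the advisory's avplay was built with AddressSanitizer) and, for integer faults like this one, with `-fsanitize=integer-divide-by-zero` so the fuzzer reports the fault with a location rather than a bare SIGFPE.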