Divide By Zero FPE in gpac/gpac

Valid

Reported on

May 18th 2023

Environment

Distributor ID: Debian
Description:    Debian GNU/Linux bookworm/sid
Release:    n/a
Codename:   bookworm

Version

I checked against the latest release as of 05/18/23 the current master branch at commit a6ae93532ea5615c876c81a6580badbfa01d4383 .

Description

This AddressSanitizer output indicates that a floating point exception occurred in the function dasher_mark_segment_start at line 7588 of dasher.c. The error is an integer divide by zero: ds->timescale is not checked before it is used as a divisor and can be zero for the provided testcase, which raises the FPE.

//ds->timescale is zero here with the provided testcase
ds->last_min_segment_start_time /= ds->timescale;
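The guard that the report says is missing, as an added illustration that is not GPAC's code and not the fix in the referenced commit. The DashStream struct, the DsErr enum and the function names are hypothetical stand-ins for the dasher's real stream state; the unchecked function mirrors the pattern at the crashing line, and the checked one rejects a zero timescale before dividing, with a second check at the point where the timescale is configured so that downstream divisions never see zero:

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, minimal stand-in for the dasher stream state (not GPAC's real struct). */
typedef struct {
    uint32_t timescale;                   /* ticks per second of the source PID */
    uint64_t last_min_segment_start_time; /* in timescale units before normalisation */
} DashStream;

typedef enum { DS_OK = 0, DS_BAD_PARAM = -1 } DsErr;

/* Unchecked form: same shape as the crashing line; a timescale of 0 raises SIGFPE here.
   Only ever called with a non-zero timescale in this example. */
static uint64_t normalise_unchecked(const DashStream *ds) {
    return ds->last_min_segment_start_time / ds->timescale;
}

/* Hardened form: refuse to divide by a zero timescale.
   Returns DS_BAD_PARAM and leaves the stored value untouched in that case. */
static DsErr normalise_checked(DashStream *ds) {
    if (ds->timescale == 0) {
        fprintf(stderr, "[Dasher] zero timescale on stream, cannot normalise segment start\n");
        return DS_BAD_PARAM;
    }
    ds->last_min_segment_start_time /= ds->timescale;
    return DS_OK;
}

/* Validate at configuration time as well: rejecting a zero timescale when the stream is
   set up means later divisions cannot reach the bad value in the first place. */
static DsErr ds_set_timescale(DashStream *ds, uint32_t timescale) {
    if (timescale == 0) return DS_BAD_PARAM;
    ds->timescale = timescale;
    return DS_OK;
}

int main(void) {
    /* Constructed sample: timescale 0, as in the crashing testcase. */
    DashStream ds = { .timescale = 0, .last_min_segment_start_time = 90000 };
    if (normalise_checked(&ds) != DS_OK) puts("rejected zero timescale");

    /* After a valid timescale is configured the division proceeds normally. */
    if (ds_set_timescale(&ds, 1000) == DS_OK && normalise_checked(&ds) == DS_OK)
        printf("normalised start: %llu\n", (unsigned long long)ds.last_min_segment_start_time);

    DashStream ok = { .timescale = 1000, .last_min_segment_start_time = 5000 };
    printf("unchecked with valid timescale: %llu\n", (unsigned long long)normalise_unchecked(&ok));
    return 0;
}
```

The error-return style matters as much as the check itself: the caller must be able to stop processing the stream instead of continuing with an unnormalised value, which is why the checked function returns a status rather than silently substituting a default.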

POC

AFL_MAP_SIZE=260000 ./MP4Box -dash 1000 ./crash_file1

POC File

ASAN

[avc-h264] Unknown aspect_ratio_idc: your video may have a wrong aspect ratio. Contact the GPAC team!
[avc-h264] Unknown aspect_ratio_idc: your video may have a wrong aspect ratio. Contact the GPAC team!
[AVC|H264] Error parsing NAL unit type 7
[AVC|H264] Error parsing Sequence Param Set
[AVC|H264] Possible Variable Frame Rate: VUI "fixed_frame_rate_flag" absent
[avc-h264] Unknown aspect_ratio_idc: your video may have a wrong aspect ratio. Contact the GPAC team!
[avc-h264] Unknown aspect_ratio_idc: your video may have a wrong aspect ratio. Contact the GPAC team!
[avc-h264] Unknown aspect_ratio_idc: your video may have a wrong aspect ratio. Contact the GPAC team!
[avc-h264] Unknown aspect_ratio_idc: your video may have a wrong aspect ratio. Contact the GPAC team!
[avc-h264] Unknown aspect_ratio_idc: your video may have a wrong aspect ratio. Contact the GPAC team!
[avc-h264] Unknown aspect_ratio_idc: your video may have a wrong aspect ratio. Contact the GPAC team!
[avc-h264] Unknown aspect_ratio_idc: your video may have a wrong aspect ratio. Contact the GPAC team!
[avc-h264] Unknown aspect_ratio_idc: your video may have a wrong aspect ratio. Contact the GPAC team!
[avc-h264] Unknown aspect_ratio_idc: your video may have a wrong aspect ratio. Contact the GPAC team!
[avc-h264] Unknown aspect_ratio_idc: your video may have a wrong aspect ratio. Contact the GPAC team!
[avc-h264] Unknown aspect_ratio_idc: your video may have a wrong aspect ratio. Contact the GPAC team!
[avc-h264] Unknown aspect_ratio_idc: your video may have a wrong aspect ratio. Contact the GPAC team!
[avc-h264] Unknown aspect_ratio_idc: your video may have a wrong aspect ratio. Contact the GPAC team!
[avc-h264] SEI user message type 2035 size error (1658 but 16 remain), keeping full SEI untouched
[avc-h264] Unknown aspect_ratio_idc: your video may have a wrong aspect ratio. Contact the GPAC team!
[AVC|H264] Possible Variable Frame Rate: VUI "fixed_frame_rate_flag" absent
[AVC|H264] Possible Variable Frame Rate: VUI "fixed_frame_rate_flag" absent
[Dasher] No template assigned, using $File$_dash$FS$$Number$
[Dasher] No bitrate property assigned to PID crash_file1, computing from bitstream
[avc-h264] Unknown aspect_ratio_idc: your video may have a wrong aspect ratio. Contact the GPAC team!
[avc-h264] Unknown aspect_ratio_idc: your video may have a wrong aspect ratio. Contact the GPAC team!
[AVC|H264] Possible Variable Frame Rate: VUI "fixed_frame_rate_flag" absent
[AVC|H264] xPS changed but could not flush frames before signaling state change !
[AVC|H264] Possible Variable Frame Rate: VUI "fixed_frame_rate_flag" absent
[AVC|H264] xPS changed but could not flush frames before signaling state change !
[avc-h264] Unknown aspect_ratio_idc: your video may have a wrong aspect ratio. Contact the GPAC team!
[AVC|H264] Possible Variable Frame Rate: VUI "fixed_frame_rate_flag" absent
[AVC|H264] xPS changed but could not flush frames before signaling state change !
[AVC|H264] Possible Variable Frame Rate: VUI "fixed_frame_rate_flag" absent
[AVC|H264] xPS changed but could not flush frames before signaling state change !
[avc-h264] Unknown aspect_ratio_idc: your video may have a wrong aspect ratio. Contact the GPAC team!
[AVC|H264] Possible Variable Frame Rate: VUI "fixed_frame_rate_flag" absent
[AVC|H264] xPS changed but could not flush frames before signaling state change !
[AVC|H264] Possible Variable Frame Rate: VUI "fixed_frame_rate_flag" absent
[AVC|H264] xPS changed but could not flush frames before signaling state change !
[avc-h264] Unknown aspect_ratio_idc: your video may have a wrong aspect ratio. Contact the GPAC team!
[AVC|H264] Possible Variable Frame Rate: VUI "fixed_frame_rate_flag" absent
[AVC|H264] xPS changed but could not flush frames before signaling state change !
[avc-h264] Unknown aspect_ratio_idc: your video may have a wrong aspect ratio. Contact the GPAC team!
[AVC|H264] Possible Variable Frame Rate: VUI "fixed_frame_rate_flag" absent
[AVC|H264] xPS changed but could not flush frames before signaling state change !
[avc-h264] Unknown aspect_ratio_idc: your video may have a wrong aspect ratio. Contact the GPAC team!
[AVC|H264] Possible Variable Frame Rate: VUI "fixed_frame_rate_flag" absent
[AVC|H264] xPS changed but could not flush frames before signaling state change !
[AVC|H264] Possible Variable Frame Rate: VUI "fixed_frame_rate_flag" absent
[AVC|H264] xPS changed but could not flush frames before signaling state change !
[avc-h264] Unknown aspect_ratio_idc: your video may have a wrong aspect ratio. Contact the GPAC team!
[AVC|H264] Possible Variable Frame Rate: VUI "fixed_frame_rate_flag" absent
[AVC|H264] xPS changed but could not flush frames before signaling state change !
[AVC|H264] Possible Variable Frame Rate: VUI "fixed_frame_rate_flag" absent
[AVC|H264] xPS changed but could not flush frames before signaling state change !
[avc-h264] Unknown aspect_ratio_idc: your video may have a wrong aspect ratio. Contact the GPAC team!
[AVC|H264] Possible Variable Frame Rate: VUI "fixed_frame_rate_flag" absent
[AVC|H264] xPS changed but could not flush frames before signaling state change !
[avc-h264] Unknown aspect_ratio_idc: your video may have a wrong aspect ratio. Contact the GPAC team!
[AVC|H264] Possible Variable Frame Rate: VUI "fixed_frame_rate_flag" absent
[AVC|H264] xPS changed but could not flush frames before signaling state change !
[AVC|H264] Possible Variable Frame Rate: VUI "fixed_frame_rate_flag" absent
[AVC|H264] xPS changed but could not flush frames before signaling state change !
[avc-h264] Unknown aspect_ratio_idc: your video may have a wrong aspect ratio. Contact the GPAC team!
[AVC|H264] Possible Variable Frame Rate: VUI "fixed_frame_rate_flag" absent
[AVC|H264] xPS changed but could not flush frames before signaling state change !
[AVC|H264] Possible Variable Frame Rate: VUI "fixed_frame_rate_flag" absent
[AVC|H264] xPS changed but could not flush frames before signaling state change !
[AVC|H264] Incomplete last NAL and eos, discarding
[Dasher] No bitrate property assigned to PID crash_file1, computing from bitstream
[avc-h264] Unknown aspect_ratio_idc: your video may have a wrong aspect ratio. Contact the GPAC team!
[MP4Mux] No timescale specified, guessing from media: 892678964
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2982015==ERROR: AddressSanitizer: FPE on unknown address 0x7ffff6e0e1ab (pc 0x7ffff6e0e1ab bp 0x7fffffff5bb0 sp 0x7fffffff26e0 T0)
    #0 0x7ffff6e0e1ab in dasher_mark_segment_start /path/to/gpac/src/filters/dasher.c:7588:34
    #1 0x7ffff6dd2223 in dasher_process /path/to/gpac/src/filters/dasher.c:9266:5
    #2 0x7ffff6d74d05 in gf_filter_process_task /path/to/gpac/src/filter_core/filter.c:2894:7
    #3 0x7ffff6d4153c in gf_fs_thread_proc /path/to/gpac/src/filter_core/filter_session.c:1962:3
    #4 0x7ffff6d3fd2f in gf_fs_run /path/to/gpac/src/filter_core/filter_session.c:2264:3
    #5 0x7ffff660245a in gf_dasher_process /path/to/gpac/src/media_tools/dash_segmenter.c:1236:6
    #6 0x5555556c15fc in do_dash /path/to/gpac/applications/mp4box/mp4box.c:4825:15
    #7 0x5555556b2a8e in mp4box_main /path/to/gpac/applications/mp4box/mp4box.c:6236:7
    #8 0x7ffff5846189 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #9 0x7ffff5846244 in __libc_start_main csu/../csu/libc-start.c:381:3
    #10 0x5555555dad30 in _start (/path/to/gpac/new_pull_2_build/bin/gcc/MP4Box+0x86d30) (BuildId: 764c86f2d59b4db3d4590a720eca33bd143620a7)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /path/to/gpac/src/filters/dasher.c:7588:34 in dasher_mark_segment_start
==2982015==ABORTING

Impact

A divide by zero crashes the process, which affects the availability of the system or of the application.

We are processing your report and will contact the gpac team within 24 hours. 8 days ago
coolkingcole (Researcher), 7 days ago:

Had help from @revpwn. If it's verified can they be put in the report too?

We have contacted a member of the gpac team and are waiting to hear back 7 days ago
gpac/gpac maintainer (Maintainer), 6 days ago:

https://github.com/gpac/gpac/issues/2476

gpac/gpac maintainer validated this vulnerability 3 days ago
coolkingcole has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
gpac/gpac maintainer marked this as fixed in 2.2.2 with commit 047f96 3 days ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
gpac/gpac maintainer published this vulnerability 3 days ago