Bug#777159: malformed wav causes floating point exception (integer divide by zero)

Brian Carpenter brian.carpenter at gmail.com
Thu Feb 5 18:12:11 UTC 2015 

Package: lame
Version: 3.99.5

This bug was found with american fuzzy lop (http://lcamtuf.coredump.cx/afl/).
I compiled lame as follows:
CC=/path/to/afl-gcc ./configure
AFL_HARDEN=1 make

GDB output:
Program received signal SIGFPE, Arithmetic exception.
[----------------------------------registers-----------------------------------]
RAX: 0x1a68
RBX: 0x816720 --> 0xfbad2498
RCX: 0x1a68
RDX: 0x0
RSI: 0x2b11
RDI: 0x7fd240 --> 0xfff88e3b
RBP: 0x7fd240 --> 0xfff88e3b
RSP: 0x7ffffff31310 --> 0x0
RIP: 0x41df9f (<init_infile+13399>: idiv   r15)
R8 : 0x7ffffff31450 --> 0x7fff00001a68
R9 : 0x7ffff7fde700 (0x00007ffff7fde700)
R10: 0x64000000 ('')
R11: 0x68 ('h')
R12: 0x1a68
R13: 0x2
R14: 0x0
R15: 0x0
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction
overflow)
[-------------------------------------code-------------------------------------]
   0x41df8c <init_infile+13380>: mov    DWORD PTR [rip+0x3af156],0x1
 # 0x7cd0ec <global+12>
   0x41df96 <init_infile+13390>: mov    r13d,0x2
   0x41df9c <init_infile+13396>: movsxd r15,r14d
=> 0x41df9f <init_infile+13399>: idiv   r15
   0x41dfa2 <init_infile+13402>: mov    rsi,rax
   0x41dfa5 <init_infile+13405>: call   0x501b90 <lame_set_num_samples>
   0x41dfaa <init_infile+13410>: mov    DWORD PTR [rip+0x3af12c],0x1
 # 0x7cd0e0 <global>
   0x41dfb4 <init_infile+13420>: jmp    0x41ba8b <init_infile+3907>
[------------------------------------stack-------------------------------------]
0000| 0x7ffffff31310 --> 0x0
0008| 0x7ffffff31318 --> 0xffffffffffffffff
0016| 0x7ffffff31320 --> 0x7ffffff313b0 --> 0x7ffff7393af8 -->
0xc001a00000cbb
0024| 0x7ffffff31328 ("id:00000")
0032| 0x7ffffff31330 --> 0x100000000
0040| 0x7ffffff31338 --> 0x1e
0048| 0x7ffffff31340 --> 0x100000000
0056| 0x7ffffff31348 --> 0x3d2ef35793c76730
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGFPE
0x000000000041df9f in parse_wave_header (sf=0x816720, gfp=0x7fd240) at
get_audio.c:1454
1454        (void) lame_set_num_samples(gfp, data_length / (channels *
((bits_per_sample + 7) / 8)));


Valgrind output:
==15646==
==15646== Process terminating with default action of signal 8 (SIGFPE):
dumping core
==15646==  Integer divide by zero at address 0x40342D82D
==15646==    at 0x41DF8C: init_infile (get_audio.c:1452)
==15646==    by 0x406B0A: lame_main (lame_main.c:151)
==15646==    by 0x402604: main (main.c:470)
Floating point exception

I've attached the test case which causes this crash.

Debian 7, kernel v3.2.63-2+deb7u2 x86_64, libc6 v2.13-38+deb7u7
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/pkg-multimedia-maintainers/attachments/20150205/a14fe496/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: test00.wav
Type: audio/x-wav
Size: 68 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-multimedia-maintainers/attachments/20150205/a14fe496/attachment.wav>

More information about the pkg-multimedia-maintainers mailing list