1769287 – Divide-by-zero crash in libmp4v2

Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1769287 - Divide-by-zero crash in libmp4v2

Summary: Divide-by-zero crash in libmp4v2

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	libmp4v2
Sub Component:
Version:	31
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	David King
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2019-11-06 10:33 UTC by ryan@testtoast.com
Modified:	2019-11-25 00:40 UTC (History)
CC List:	5 users (show)
Fixed In Version:	libmp4v2-2.1.0-0.19.trunkREV507.fc31 libmp4v2-2.1.0-0.19.trunkREV507.fc30 libmp4v2-2.1.0-0.19.trunkREV507.fc29 libmp4v2-2.1.0-0.19.trunkREV507.el7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-11-08 08:52:06 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description ryan@testtoast.com 2019-11-06 10:33:29 UTC

Description of problem:
Crash using cmus to play MP4 files using fedora-testing libmp4v2 package


Version-Release number of selected component (if applicable):
0.18.trunkREV507.fc31 (regression from 0.17)

How reproducible:
100%

Steps to Reproduce:
1. Play music in MP4 container with cmus

Actual results:
Divide-by-zero error in libmp4v2.

Expected results:
Playback.

Additional info:

LLDB backtrace:

(lldb) bt
* thread #1, name = 'cmus', stop reason = signal SIGFPE: integer divide by zero
  * frame #0: 0x00007f2e5cabb8fc libmp4v2.so.2`___lldb_unnamed_symbol1567$$libmp4v2.so.2 + 44
    frame #1: 0x00007f2e5cab6def libmp4v2.so.2`___lldb_unnamed_symbol1512$$libmp4v2.so.2 + 143
    frame #2: 0x00007f2e5ca85832 libmp4v2.so.2`___lldb_unnamed_symbol974$$libmp4v2.so.2 + 7602
    frame #3: 0x00007f2e5ca9b5db libmp4v2.so.2`___lldb_unnamed_symbol1136$$libmp4v2.so.2 + 235
    frame #4: 0x00007f2e5ca9cc93 libmp4v2.so.2`___lldb_unnamed_symbol1137$$libmp4v2.so.2 + 35
    frame #5: 0x00007f2e5ca9d3e6 libmp4v2.so.2`___lldb_unnamed_symbol1145$$libmp4v2.so.2 + 326
    frame #6: 0x00007f2e5ca9d84f libmp4v2.so.2`___lldb_unnamed_symbol1146$$libmp4v2.so.2 + 239
    frame #7: 0x00007f2e5ca9ea88 libmp4v2.so.2`___lldb_unnamed_symbol1150$$libmp4v2.so.2 + 88
    frame #8: 0x00007f2e5ca9d47e libmp4v2.so.2`___lldb_unnamed_symbol1145$$libmp4v2.so.2 + 478
    frame #9: 0x00007f2e5ca9d84f libmp4v2.so.2`___lldb_unnamed_symbol1146$$libmp4v2.so.2 + 239
    frame #10: 0x00007f2e5ca9ea88 libmp4v2.so.2`___lldb_unnamed_symbol1150$$libmp4v2.so.2 + 88
    frame #11: 0x00007f2e5ca9d47e libmp4v2.so.2`___lldb_unnamed_symbol1145$$libmp4v2.so.2 + 478
    frame #12: 0x00007f2e5ca9d84f libmp4v2.so.2`___lldb_unnamed_symbol1146$$libmp4v2.so.2 + 239
    frame #13: 0x00007f2e5ca9ea88 libmp4v2.so.2`___lldb_unnamed_symbol1150$$libmp4v2.so.2 + 88
    frame #14: 0x00007f2e5ca9d47e libmp4v2.so.2`___lldb_unnamed_symbol1145$$libmp4v2.so.2 + 478
    frame #15: 0x00007f2e5ca9d84f libmp4v2.so.2`___lldb_unnamed_symbol1146$$libmp4v2.so.2 + 239
    frame #16: 0x00007f2e5ca9ea88 libmp4v2.so.2`___lldb_unnamed_symbol1150$$libmp4v2.so.2 + 88
    frame #17: 0x00007f2e5ca9d47e libmp4v2.so.2`___lldb_unnamed_symbol1145$$libmp4v2.so.2 + 478
    frame #18: 0x00007f2e5ca9d84f libmp4v2.so.2`___lldb_unnamed_symbol1146$$libmp4v2.so.2 + 239
    frame #19: 0x00007f2e5ca9ea88 libmp4v2.so.2`___lldb_unnamed_symbol1150$$libmp4v2.so.2 + 88
    frame #20: 0x00007f2e5ca9d47e libmp4v2.so.2`___lldb_unnamed_symbol1145$$libmp4v2.so.2 + 478
    frame #21: 0x00007f2e5ca9d84f libmp4v2.so.2`___lldb_unnamed_symbol1146$$libmp4v2.so.2 + 239
    frame #22: 0x00007f2e5ca9ea88 libmp4v2.so.2`___lldb_unnamed_symbol1150$$libmp4v2.so.2 + 88
    frame #23: 0x00007f2e5caaa708 libmp4v2.so.2`___lldb_unnamed_symbol1362$$libmp4v2.so.2 + 104
    frame #24: 0x00007f2e5caada2d libmp4v2.so.2`___lldb_unnamed_symbol1388$$libmp4v2.so.2 + 29
    frame #25: 0x00007f2e5ca96ebe libmp4v2.so.2`MP4Read + 46
    frame #26: 0x00007f2e5d45aa4b mp4.so`mp4_open(ip_data=0x0000000002a0a3a8) at mp4.c:177:21
    frame #27: 0x0000000000421af4 cmus`ip_open at input.c:463:8
    frame #28: 0x0000000000421a0a cmus`ip_open at input.c:481
    frame #29: 0x0000000000421a00 cmus`ip_open(ip=0x0000000002a0a3a0) at input.c:599
    frame #30: 0x000000000042b45c cmus`_producer_play at player.c:660:8
    frame #31: 0x000000000042c9da cmus`player_set_file(ti=0x00000000023598f0) at player.c:1164:3
    frame #32: 0x000000000043c6b9 cmus`mpris_next(m=0x0000000002a34270, _userdata=<unavailable>, _ret_error=<unavailable>) at mpris.c:118:2
    frame #33: 0x00007f2e5d21ed1b libsystemd.so.0`___lldb_unnamed_symbol760$$libsystemd.so.0 + 971
    frame #34: 0x00007f2e5d20768a libsystemd.so.0`___lldb_unnamed_symbol657$$libsystemd.so.0 + 4410
    frame #35: 0x000000000043cd56 cmus`mpris_process at mpris.c:522:10
    frame #36: 0x000000000040d6b5 cmus`main at ui_curses.c:2275:4
    frame #37: 0x00007f2e5d00a1a3 libc.so.6`__libc_start_main + 243
    frame #38: 0x000000000040daee cmus`_start + 46

Comment 1 Sergio Basto 2019-11-06 17:05:55 UTC

thanks for the report , can you use gdb ? I don't know what lldb ? 

I need to know the name of the function, MP4Read  ?

Comment 2 ryan@testtoast.com 2019-11-06 17:25:04 UTC

Sorry, my mistake, forgot the -debuginfo package.

Try now:

(lldb) bt
* thread #1, name = 'cmus', stop reason = signal SIGFPE: integer divide by zero
  * frame #0: 0x00007f39aa4c48fc libmp4v2.so.2`mp4v2::impl::MP4Integer32Property::SetCount(unsigned int) + 44
    frame #1: 0x00007f39aa4bfdef libmp4v2.so.2`mp4v2::impl::MP4TableProperty::AddProperty(mp4v2::impl::MP4Property*) + 143
    frame #2: 0x00007f39aa48e832 libmp4v2.so.2`mp4v2::impl::MP4StandardAtom::MP4StandardAtom(mp4v2::impl::MP4File&, char const*) + 7602
    frame #3: 0x00007f39aa4a45db libmp4v2.so.2`mp4v2::impl::MP4Atom::factory(mp4v2::impl::MP4File&, mp4v2::impl::MP4Atom*, char const*) + 235
    frame #4: 0x00007f39aa4a5c93 libmp4v2.so.2`mp4v2::impl::MP4Atom::CreateAtom(mp4v2::impl::MP4File&, mp4v2::impl::MP4Atom*, char const*) + 35
    frame #5: 0x00007f39aa4a63e6 libmp4v2.so.2`mp4v2::impl::MP4Atom::ReadAtom(mp4v2::impl::MP4File&, mp4v2::impl::MP4Atom*) + 326
    frame #6: 0x00007f39aa4a684f libmp4v2.so.2`mp4v2::impl::MP4Atom::ReadChildAtoms() + 239
    frame #7: 0x00007f39aa4a7a88 libmp4v2.so.2`mp4v2::impl::MP4Atom::Read() + 88
    frame #8: 0x00007f39aa4a647e libmp4v2.so.2`mp4v2::impl::MP4Atom::ReadAtom(mp4v2::impl::MP4File&, mp4v2::impl::MP4Atom*) + 478
    frame #9: 0x00007f39aa4a684f libmp4v2.so.2`mp4v2::impl::MP4Atom::ReadChildAtoms() + 239
    frame #10: 0x00007f39aa4a7a88 libmp4v2.so.2`mp4v2::impl::MP4Atom::Read() + 88
    frame #11: 0x00007f39aa4a647e libmp4v2.so.2`mp4v2::impl::MP4Atom::ReadAtom(mp4v2::impl::MP4File&, mp4v2::impl::MP4Atom*) + 478
    frame #12: 0x00007f39aa4a684f libmp4v2.so.2`mp4v2::impl::MP4Atom::ReadChildAtoms() + 239
    frame #13: 0x00007f39aa4a7a88 libmp4v2.so.2`mp4v2::impl::MP4Atom::Read() + 88
    frame #14: 0x00007f39aa4a647e libmp4v2.so.2`mp4v2::impl::MP4Atom::ReadAtom(mp4v2::impl::MP4File&, mp4v2::impl::MP4Atom*) + 478
    frame #15: 0x00007f39aa4a684f libmp4v2.so.2`mp4v2::impl::MP4Atom::ReadChildAtoms() + 239
    frame #16: 0x00007f39aa4a7a88 libmp4v2.so.2`mp4v2::impl::MP4Atom::Read() + 88
    frame #17: 0x00007f39aa4a647e libmp4v2.so.2`mp4v2::impl::MP4Atom::ReadAtom(mp4v2::impl::MP4File&, mp4v2::impl::MP4Atom*) + 478
    frame #18: 0x00007f39aa4a684f libmp4v2.so.2`mp4v2::impl::MP4Atom::ReadChildAtoms() + 239
    frame #19: 0x00007f39aa4a7a88 libmp4v2.so.2`mp4v2::impl::MP4Atom::Read() + 88
    frame #20: 0x00007f39aa4a647e libmp4v2.so.2`mp4v2::impl::MP4Atom::ReadAtom(mp4v2::impl::MP4File&, mp4v2::impl::MP4Atom*) + 478
    frame #21: 0x00007f39aa4a684f libmp4v2.so.2`mp4v2::impl::MP4Atom::ReadChildAtoms() + 239
    frame #22: 0x00007f39aa4a7a88 libmp4v2.so.2`mp4v2::impl::MP4Atom::Read() + 88
    frame #23: 0x00007f39aa4b3708 libmp4v2.so.2`mp4v2::impl::MP4File::ReadFromFile() + 104
    frame #24: 0x00007f39aa4b6a2d libmp4v2.so.2`mp4v2::impl::MP4File::Read(char const*, MP4FileProvider_s const*) + 29
    frame #25: 0x00007f39aa49febe libmp4v2.so.2`MP4Read + 46
    frame #26: 0x00007f39aae63a4b mp4.so`mp4_open(ip_data=0x00000000021bf2b8) at mp4.c:177:21
    frame #27: 0x0000000000421af4 cmus`ip_open at input.c:463:8
    frame #28: 0x0000000000421a0a cmus`ip_open at input.c:481
    frame #29: 0x0000000000421a00 cmus`ip_open(ip=0x00000000021bf2b0) at input.c:599
    frame #30: 0x000000000042b45c cmus`_producer_play at player.c:660:8
    frame #31: 0x000000000042c9da cmus`player_set_file(ti=0x000000000178fb30) at player.c:1164:3
    frame #32: 0x000000000043c6b9 cmus`mpris_next(m=0x00000000021cef10, _userdata=<unavailable>, _ret_error=<unavailable>) at mpris.c:118:2
    frame #33: 0x00007f39aac27d1b libsystemd.so.0`___lldb_unnamed_symbol760$$libsystemd.so.0 + 971
    frame #34: 0x00007f39aac1068a libsystemd.so.0`___lldb_unnamed_symbol657$$libsystemd.so.0 + 4410
    frame #35: 0x000000000043cd56 cmus`mpris_process at mpris.c:522:10
    frame #36: 0x000000000040d6b5 cmus`main at ui_curses.c:2275:4
    frame #37: 0x00007f39aaa131a3 libc.so.6`__libc_start_main + 243
    frame #38: 0x000000000040daee cmus`_start + 46

And with gdb:

(gdb) bt
#0  mp4v2::impl::MP4Integer32Array::Resize (newSize=0, this=0x226cfd0) at src/mp4array.h:131
#1  mp4v2::impl::MP4Integer32Property::SetCount (this=0x226cfb0, count=0) at src/mp4property.h:205
#2  0x00007fc5bb9afdef in mp4v2::impl::MP4TableProperty::AddProperty (this=this@entry=0x226cf70, pProperty=pProperty@entry=0x226cfb0) at src/mp4property.cpp:694
#3  0x00007fc5bb97e832 in mp4v2::impl::MP4StandardAtom::MP4StandardAtom (this=0x226c670, file=..., type=<optimized out>) at src/mp4property.h:57
#4  0x00007fc5bb9945db in mp4v2::impl::MP4Atom::factory (file=..., parent=<optimized out>, type=0x7ffc56cb89ab "stts") at src/mp4atom.cpp:1020
#5  0x00007fc5bb995c93 in mp4v2::impl::MP4Atom::CreateAtom (file=..., parent=<optimized out>, type=<optimized out>) at src/mp4atom.cpp:78
#6  0x00007fc5bb9963e6 in mp4v2::impl::MP4Atom::ReadAtom (file=..., pParentAtom=0x22a50c0) at src/mp4atom.cpp:174
#7  0x00007fc5bb99684f in mp4v2::impl::MP4Atom::ReadChildAtoms (this=0x22a50c0) at src/mp4atom.cpp:435
#8  0x00007fc5bb997a88 in mp4v2::impl::MP4Atom::Read (this=0x22a50c0) at src/mp4atom.cpp:241
#9  0x00007fc5bb99647e in mp4v2::impl::MP4Atom::ReadAtom (file=..., pParentAtom=0x22a0e00) at src/mp4atom.cpp:201
#10 0x00007fc5bb99684f in mp4v2::impl::MP4Atom::ReadChildAtoms (this=0x22a0e00) at src/mp4atom.cpp:435
#11 0x00007fc5bb997a88 in mp4v2::impl::MP4Atom::Read (this=0x22a0e00) at src/mp4atom.cpp:241
#12 0x00007fc5bb99647e in mp4v2::impl::MP4Atom::ReadAtom (file=..., pParentAtom=0x229fa50) at src/mp4atom.cpp:201
#13 0x00007fc5bb99684f in mp4v2::impl::MP4Atom::ReadChildAtoms (this=0x229fa50) at src/mp4atom.cpp:435
#14 0x00007fc5bb997a88 in mp4v2::impl::MP4Atom::Read (this=0x229fa50) at src/mp4atom.cpp:241
#15 0x00007fc5bb99647e in mp4v2::impl::MP4Atom::ReadAtom (file=..., pParentAtom=0x2395120) at src/mp4atom.cpp:201
#16 0x00007fc5bb99684f in mp4v2::impl::MP4Atom::ReadChildAtoms (this=0x2395120) at src/mp4atom.cpp:435
#17 0x00007fc5bb997a88 in mp4v2::impl::MP4Atom::Read (this=0x2395120) at src/mp4atom.cpp:241
#18 0x00007fc5bb99647e in mp4v2::impl::MP4Atom::ReadAtom (file=..., pParentAtom=0x2394760) at src/mp4atom.cpp:201
#19 0x00007fc5bb99684f in mp4v2::impl::MP4Atom::ReadChildAtoms (this=0x2394760) at src/mp4atom.cpp:435
#20 0x00007fc5bb997a88 in mp4v2::impl::MP4Atom::Read (this=0x2394760) at src/mp4atom.cpp:241
#21 0x00007fc5bb99647e in mp4v2::impl::MP4Atom::ReadAtom (file=..., pParentAtom=0x22aeea0) at src/mp4atom.cpp:201
#22 0x00007fc5bb99684f in mp4v2::impl::MP4Atom::ReadChildAtoms (this=0x22aeea0) at src/mp4atom.cpp:435
#23 0x00007fc5bb997a88 in mp4v2::impl::MP4Atom::Read (this=0x22aeea0) at src/mp4atom.cpp:241
#24 0x00007fc5bb9a3708 in mp4v2::impl::MP4File::ReadFromFile (this=0x22a13c0) at src/mp4file.cpp:430
#25 0x00007fc5bb9a6a2d in mp4v2::impl::MP4File::Read (this=0x22a13c0, name=<optimized out>, provider=<optimized out>) at src/mp4file.cpp:96
#26 0x00007fc5bb98febe in MP4Read () at src/mp4.cpp:102
#27 0x00007fc5bc353a4b in mp4_open (ip_data=0x23ad6f8) at ip/mp4.c:177
#28 0x0000000000421af4 in open_file_locked (ip=0x23ad6f0) at input.c:463
#29 open_file (ip=0x23ad6f0) at input.c:481
#30 ip_open (ip=0x23ad6f0) at input.c:599
#31 0x000000000042b45c in _producer_play () at player.c:660
#32 0x000000000042c8cd in player_pause () at player.c:1127
#33 player_pause () at player.c:1117
#34 0x000000000043c659 in mpris_toggle_pause (m=0x22a0620, _userdata=<optimized out>, _ret_error=<optimized out>) at mpris.c:139
#35 0x00007fc5bc117d1b in object_find_and_run.lto_priv () from /lib64/libsystemd.so.0
#36 0x00007fc5bc10068a in bus_process_internal () from /lib64/libsystemd.so.0
#37 0x000000000043cd56 in mpris_process () at mpris.c:523
#38 0x000000000040d6b5 in main_loop () at ui_curses.c:2275
#39 main (argc=<optimized out>, argv=<optimized out>) at ui_curses.c:2556tlibmp

Looks like SetCount(0) is then passed to Resize(), with a division by newSize without a check for zero here:

https://github.com/sergiomb2/libmp4v2/blob/84edb32a783383b70b6ef9364bbc710fa0c92e32/src/mp4array.h#L106

Comment 3 Sergio Basto 2019-11-06 18:09:38 UTC

(In reply to ryan from comment #2)


> #0  mp4v2::impl::MP4Integer32Array::Resize (newSize=0, this=0x226cfd0) at src/mp4array.h:131
> #1  mp4v2::impl::MP4Integer32Property::SetCount (this=0x226cfb0, count=0) at src/mp4property.h:205

> Looks like SetCount(0) is then passed to Resize(), with a division by
> newSize without a check for zero here:
> 
> https://github.com/sergiomb2/libmp4v2/blob/
> 84edb32a783383b70b6ef9364bbc710fa0c92e32/src/mp4array.h#L106

yeah thanks I choose this patch [1] in favor of another, I will fix it 

[1]
https://github.com/sergiomb2/libmp4v2/commit/f5f814801ecd312a1418e2226dadfea72badec49

Comment 4 Fedora Update System 2019-11-08 03:14:04 UTC

FEDORA-2019-d53d4a79ac has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-d53d4a79ac

Comment 5 Fedora Update System 2019-11-08 03:14:19 UTC

FEDORA-2019-1030f4816a has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-1030f4816a

Comment 6 Fedora Update System 2019-11-08 03:14:38 UTC

FEDORA-2019-6469ad8129 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-6469ad8129

Comment 7 Fedora Update System 2019-11-08 03:14:56 UTC

FEDORA-EPEL-2019-25eb663796 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-25eb663796

Comment 8 ryan@testtoast.com 2019-11-08 08:52:06 UTC

Fixed in F31 by https://bodhi.fedoraproject.org/updates/FEDORA-2019-d53d4a79ac, thanks!

Comment 9 Fedora Update System 2019-11-09 23:20:41 UTC

libmp4v2-2.1.0-0.19.trunkREV507.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-d53d4a79ac

Comment 10 Fedora Update System 2019-11-10 00:39:32 UTC

libmp4v2-2.1.0-0.19.trunkREV507.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-1030f4816a

Comment 11 Fedora Update System 2019-11-10 01:16:32 UTC

libmp4v2-2.1.0-0.19.trunkREV507.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-25eb663796

Comment 12 Fedora Update System 2019-11-10 04:35:38 UTC

libmp4v2-2.1.0-0.19.trunkREV507.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-6469ad8129

Comment 13 Fedora Update System 2019-11-17 01:30:19 UTC

libmp4v2-2.1.0-0.19.trunkREV507.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2019-11-18 01:17:53 UTC

libmp4v2-2.1.0-0.19.trunkREV507.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2019-11-18 01:51:50 UTC

libmp4v2-2.1.0-0.19.trunkREV507.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2019-11-25 00:40:49 UTC

libmp4v2-2.1.0-0.19.trunkREV507.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.