divide-by-zero crash #41

Closed
summershrimp opened this issue Oct 9, 2018 · 1 comment
Comments

summershrimp commented Oct 9, 2018

Caused by GPMF_parser.c:1023:27:

complextype[0] = type;
inputtypesize = GPMF_SizeofType(type);
inputtypeelements = 1;
elements = sample_size / inputtypesize;

If the type is not in GPMF_SampleType, GPMF_SizeofType will return 0.

Workaround:

diff --git a/GPMF_parser.c b/GPMF_parser.c
index 511ec5b..7529723 100644
--- a/GPMF_parser.c
+++ b/GPMF_parser.c
@@ -1019,6 +1019,8 @@ GPMF_ERR GPMF_ScaledData(GPMF_stream *ms, void *buffer, uint32_t buffersize, uin
                {
                        complextype[0] = type;
                        inputtypesize = GPMF_SizeofType(type);
+                       if(inputtypesize == 0)
+                               return GPMF_ERROR_MEMORY;
                        inputtypeelements = 1;
                        elements = sample_size / inputtypesize;
                }
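Review bot: GPMF_ERROR_MEMORY is the wrong code to return at the new `if(inputtypesize == 0)` check: a zero result from GPMF_SizeofType means the type byte in the input is not a recognised sample type, which is a malformed-input condition, not an allocation or buffer-size failure, so a caller that treats GPMF_ERROR_MEMORY as "buffer too small" will misdiagnose a corrupt file. Return the library's error for an unsupported or unknown type if it defines one. The guard also only covers this branch of GPMF_ScaledData; any other place in the function that divides by a value derived from GPMF_SizeofType needs the same zero check, since the same type byte reaches those paths too.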

UBSan Report:

UndefinedBehaviorSanitizer:DEADLYSIGNAL
==239233==ERROR: UndefinedBehaviorSanitizer: FPE on unknown address 0x000000453702 (pc 0x000000453702 bp 0x7ffee0a33780 sp 0x7ffee0a31f20 T239233)
    #0 0x453701 in GPMF_ScaledData /home/xm1994/dive-test/sources/gpmf-parser/fuzz/../GPMF_parser.c:1025:27
    #1 0x44d2fd in LLVMFuzzerTestOneInput /home/xm1994/dive-test/sources/gpmf-parser/fuzz/fuzzer.c:22:25
    #2 0x416a2c in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /local/mnt/workspace/clang_nightly/plain/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:515:13

Base64 encoded payload:

REVWQwAC//tBQ0NM/w==


Fuzzer sourcecode:

#include <stdlib.h>
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include "../GPMF_parser.h"

int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
{
    char tmpbuf[4096];      /* 4096 bytes of output space (was `char * tmpbuf[4096]`, an array of 4096 pointers) */
    GPMF_stream gs_stream;

    /* GPMF_Init takes a non-const uint32_t buffer and the size in bytes */
    if (GPMF_OK == GPMF_Init(&gs_stream, (uint32_t *)Data, Size))
    {
        uint32_t samples;
        do
        {
            switch (GPMF_Key(&gs_stream))
            {
            case STR2FOURCC("ACCL"):
                // Found accelerometer
                samples = GPMF_Repeat(&gs_stream);
                if (GPMF_OK == GPMF_ScaledData(&gs_stream, tmpbuf, 4096, 0, samples, GPMF_TYPE_FLOAT))
                { /* Process scaled values */ }
                break;

            case STR2FOURCC("cust"):
                // Found my custom data
                samples = GPMF_Repeat(&gs_stream);
                if (GPMF_OK == GPMF_FormattedData(&gs_stream, tmpbuf, 4096, 0, samples))
                { /* Process raw formatted data -- unscaled */ }
                break;

            default: // if you don't know the Key you can skip to the next
                break;
            }
        } while (GPMF_OK == GPMF_Next(&gs_stream, GPMF_RECURSE_LEVELS)); // Scan through all GPMF data
    }
    return 0;
}
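As an added illustration (not part of the issue above and not gpmf-parser code), the following stand-alone C program decodes the posted base64 payload into its GPMF headers (4-byte key, 1-byte type, 1-byte structure size, 2-byte big-endian repeat), walks them, and shows the failure mode the reporter describes: a type byte with no entry in the sample-type table yields a size of 0, and the `elements = sample_size / size` step must be guarded before it divides. The type table is a subset of the public GPMF type characters written for this example, and the function names (`sizeof_sample_type`, `elements_per_sample`, `walk`), the `EX_*` result codes and the two extra inputs (one with a complete header carrying an invalid type, one valid) are this example's own constructions, not the library's API or error codes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result codes of this example; these are not the library's GPMF_ERR values. */
enum { EX_OK = 0, EX_ERR_TRUNCATED = -1, EX_ERR_BAD_TYPE = -2 };

/* Constructed input 1: the issue's base64 payload "REVWQwAC//tBQ0NM/w==" decoded by hand. */
static const uint8_t kIssuePayload[] = {
    'D','E','V','C', 0x00, 0x02, 0xff, 0xfb,   /* DEVC: type 0 = nested container, size 2, repeat 0xfffb */
    'A','C','C','L', 0xff                      /* ACCL: type byte 0xff, header cut off after 5 bytes   */
};

/* Constructed input 2 (assumption, not from the issue): a complete ACCL header with the same invalid
 * type byte plus one 4-byte sample, so the walk reaches the type lookup instead of the bounds check. */
static const uint8_t kBadTypePayload[] = {
    'D','E','V','C', 0x00, 0x04, 0x00, 0x03,   /* DEVC nest: size 4 x repeat 3 = 12 bytes of children */
    'A','C','C','L', 0xff, 0x04, 0x00, 0x01,   /* ACCL: invalid type 0xff, size 4, repeat 1           */
    0x00, 0x00, 0x00, 0x00
};

/* Constructed input 3 (assumption): a well-formed ACCL of three int16 values, padded to 32 bits. */
static const uint8_t kGoodPayload[] = {
    'D','E','V','C', 0x00, 0x04, 0x00, 0x04,   /* DEVC nest: 16 bytes of children                     */
    'A','C','C','L', 's',  0x06, 0x00, 0x01,   /* ACCL: type 's' (int16), size 6, repeat 1            */
    0x00, 0x01, 0x00, 0x02, 0x00, 0x03, 0x00, 0x00
};

/* Byte size of one element of a GPMF sample type (subset of the public type characters).
 * Like GPMF_SizeofType it returns 0 for anything it does not know: nested (0), complex ('?'),
 * and arbitrary garbage bytes such as 0xff. That 0 is what reaches the division in the issue. */
static uint32_t sizeof_sample_type(uint8_t type)
{
    switch (type) {
    case 'b': case 'B': case 'c':                     return 1;
    case 's': case 'S':                               return 2;
    case 'f': case 'F': case 'l': case 'L': case 'q': return 4;
    case 'd': case 'j': case 'J': case 'Q':           return 8;
    case 'G': case 'U':                               return 16;
    default:                                          return 0;
    }
}

/* The computation from the issue with the missing guard: reject a zero type size before
 * dividing, instead of letting `sample_size / 0` raise SIGFPE as in the UBSan trace. */
static int elements_per_sample(uint8_t type, uint32_t sample_size, uint32_t *elements)
{
    uint32_t type_size = sizeof_sample_type(type);
    if (type_size == 0)
        return EX_ERR_BAD_TYPE;
    *elements = sample_size / type_size;
    return EX_OK;
}

struct gpmf_hdr { char key[5]; uint8_t type; uint8_t size; uint16_t repeat; };

/* Read one 8-byte header at `off`; fail if the buffer ends before the header does. */
static int read_header(const uint8_t *buf, size_t len, size_t off, struct gpmf_hdr *h)
{
    if (off > len || len - off < 8)
        return EX_ERR_TRUNCATED;
    memcpy(h->key, buf + off, 4);
    h->key[4]  = '\0';
    h->type    = buf[off + 4];
    h->size    = buf[off + 5];
    h->repeat  = (uint16_t)((buf[off + 6] << 8) | buf[off + 7]);
    return EX_OK;
}

/* Flat walk over every header (a nested container's children are visited as the following
 * headers). Bounds are checked before the type size, and the type size before any division.
 * On error, *bad_off is the offset of the offending header. */
static int walk(const uint8_t *buf, size_t len, size_t *bad_off)
{
    size_t off = 0;
    while (off < len) {
        struct gpmf_hdr h;
        uint32_t elements;
        int rc = read_header(buf, len, off, &h);
        if (rc != EX_OK) { *bad_off = off; return rc; }
        if (h.type == 0) { off += 8; continue; }          /* nested: children follow the header */
        rc = elements_per_sample(h.type, h.size, &elements);
        if (rc != EX_OK) { *bad_off = off; return rc; }
        size_t payload = (size_t)h.size * h.repeat;
        if (len - off - 8 < payload) { *bad_off = off; return EX_ERR_TRUNCATED; }
        off += 8 + ((payload + 3) & ~(size_t)3);          /* payloads are padded to 32-bit words */
    }
    return EX_OK;
}

int main(void)
{
    const struct { const char *name; const uint8_t *buf; size_t len; } inputs[] = {
        { "issue payload",    kIssuePayload,   sizeof kIssuePayload   },
        { "bad-type payload", kBadTypePayload, sizeof kBadTypePayload },
        { "good payload",     kGoodPayload,    sizeof kGoodPayload    },
    };
    for (size_t i = 0; i < 3; i++) {
        size_t off = 0;
        int rc = walk(inputs[i].buf, inputs[i].len, &off);
        printf("%-16s -> rc=%d (header at offset %zu)\n", inputs[i].name, rc, off);
    }
    return 0;
}
```

The decoded issue payload is 13 bytes, so this walker stops at the ACCL header with a truncation error before it ever looks at the type byte; the second input is there to show what happens once a complete header with an unrecognised type gets through the bounds check, which is the path the guard in the reporter's patch protects.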
dnewman-gpsw (Collaborator) commented

Thank you. I have added this fix.
