Divide-by-zero in AC3Codec::decodeDtsHdFrame #428

Closed
cemonatk opened this issue May 24, 2021 · 0 comments
Labels
bug Something isn't working

cemonatk commented May 24, 2021

Hi, please see the ASAN output and PoC file below.

Found by Cem Onat Karagun of Diesec.

System info:

Ubuntu 21.04
tsMuxeR version git-f6ab2a2

To run PoC after unzip:

$ ./tsmuxer decoder_poc

decoder_poc.zip

References:

https://cwe.mitre.org/data/definitions/369.html

ASAN output:

tsMuxeR version git-f6ab2a2. github.com/justdan96/tsMuxer
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2890753==ERROR: AddressSanitizer: FPE on unknown address 0x000000444db8 (pc 0x000000444db8 bp 0x7ffd085984a0 sp 0x7ffd085983a0 T0)
    #0 0x444db8 in AC3Codec::decodeDtsHdFrame(unsigned char*, unsigned char*) /src/build/../tsMuxer/ac3Codec.cpp:377:65
    #1 0x4478d9 in AC3Codec::decodeFrame(unsigned char*, unsigned char*, int&) /src/build/../tsMuxer/ac3Codec.cpp:428:34
    #2 0x7c61df in SimplePacketizerReader::checkStream(unsigned char*, int, AbstractStreamReader::ContainerType, int, int) /src/build/../tsMuxer/simplePacketizerReader.cpp:257:13
    #3 0x6cf93a in METADemuxer::detectTrackReader(unsigned char*, int, AbstractStreamReader::ContainerType, int, int) /src/build/../tsMuxer/metaDemuxer.cpp:755:20
    #4 0x6c7255 in METADemuxer::DetectStreamReader(BufferedReaderManager&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool) /src/build/../tsMuxer/metaDemuxer.cpp:684:35
    #5 0x5df87e in detectStreamReader(char const*, MPLSParser*, bool) /src/build/../tsMuxer/main.cpp:120:34
    #6 0x5efd05 in main /src/build/../tsMuxer/main.cpp:698:17
    #7 0x7f2c99a1a564 in __libc_start_main csu/../csu/libc-start.c:332:16
    #8 0x2ebded in _start (/home/Fuzzer_Instance_29/txmux/tsMuxer/bin/tsMuxeR+0x2ebded)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /src/build/../tsMuxer/ac3Codec.cpp:377:65 in AC3Codec::decodeDtsHdFrame(unsigned char*, unsigned char*)
==2890753==ABORTING
@cemonatk cemonatk changed the title from "Denial of Service in AC3Codec::decodeDtsHdFrame" to "Divide-by-zero in AC3Codec::decodeDtsHdFrame" May 24, 2021
xavery pushed a commit that referenced this issue Jun 9, 2021
Early return when mh.group1_samplerate (Sample rate of first substream) is 0, to avoid division by 0 error.

Solves #417 and #428.
@xavery xavery closed this as completed Jun 9, 2021
@jcdr428 jcdr428 added the bug Something isn't working label Jun 23, 2022
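
The early-return guard described in the commit message above, shown beside the unguarded division as an added example (not tsMuxer's code and not the referenced commit). Only the field name `group1_samplerate` comes from this page; `HeaderInfo`, `frame_samples`, `decodeRateCode`, its rate table and the 90 kHz timebase are assumptions made for illustration.

```cpp
#include <cstdint>
#include <cstdio>

// Hypothetical stand-in for a parsed header. Only the field name
// group1_samplerate comes from the commit message; the rest is assumed.
struct HeaderInfo {
    uint32_t group1_samplerate;  // Hz, derived from untrusted input, may be 0
    uint32_t frame_samples;      // samples per frame (assumed field)
};

const int64_t kTicksPerSecond = 90000;  // assumed 90 kHz timebase

// Hypothetical 4-bit rate code: reserved values decode to 0, which is how
// a crafted file can place 0 in the divisor.
uint32_t decodeRateCode(uint8_t code) {
    static const uint32_t kRates[4] = {48000, 96000, 192000, 44100};
    return code < 4 ? kRates[code] : 0;
}

// Unguarded form: integer division by zero is undefined behaviour and
// raises SIGFPE on x86 (reported by ASAN as "FPE") when the rate is 0.
int64_t frameDurationUnchecked(const HeaderInfo& mh) {
    return kTicksPerSecond * mh.frame_samples / mh.group1_samplerate;
}

// Guarded form: return early before the division and let the caller
// treat the frame as undecodable.
bool frameDurationChecked(const HeaderInfo& mh, int64_t& ticks) {
    if (mh.group1_samplerate == 0) return false;
    ticks = kTicksPerSecond * mh.frame_samples / mh.group1_samplerate;
    return true;
}

// Decode path from raw header bits to a duration, using the guarded form.
bool decodeFrameDuration(uint8_t rateCode, uint32_t frameSamples, int64_t& ticks) {
    HeaderInfo mh = {decodeRateCode(rateCode & 0x0F), frameSamples};
    return frameDurationChecked(mh, ticks);
}

int main() {
    int64_t ticks = 0;
    // Constructed inputs: a valid rate code and a reserved one.
    if (decodeFrameDuration(0, 40, ticks)) std::printf("ok: %lld ticks\n", (long long)ticks);
    if (!decodeFrameDuration(0x0F, 40, ticks)) std::printf("rejected: sample rate is 0\n");
    return 0;
}
```

The guarded function leaves the output untouched on rejection, so a caller cannot mistake a stale value for a decoded duration.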