Bug 1769287
| Summary: | Divide-by-zero crash in libmp4v2 | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | ryan <ryan> |
| Component: | libmp4v2 | Assignee: | David King <amigadave> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 31 | CC: | amigadave, dominik, matthias, moez.roy, sergio |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | libmp4v2-2.1.0-0.19.trunkREV507.fc31 libmp4v2-2.1.0-0.19.trunkREV507.fc30 libmp4v2-2.1.0-0.19.trunkREV507.fc29 libmp4v2-2.1.0-0.19.trunkREV507.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-11-08 08:52:06 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
thanks for the report , can you use gdb ? I don't know what lldb ? I need to know the name of the function, MP4Read ? Sorry, my mistake, forgot the -debuginfo package.
Try now:
(lldb) bt
* thread #1, name = 'cmus', stop reason = signal SIGFPE: integer divide by zero
* frame #0: 0x00007f39aa4c48fc libmp4v2.so.2`mp4v2::impl::MP4Integer32Property::SetCount(unsigned int) + 44
frame #1: 0x00007f39aa4bfdef libmp4v2.so.2`mp4v2::impl::MP4TableProperty::AddProperty(mp4v2::impl::MP4Property*) + 143
frame #2: 0x00007f39aa48e832 libmp4v2.so.2`mp4v2::impl::MP4StandardAtom::MP4StandardAtom(mp4v2::impl::MP4File&, char const*) + 7602
frame #3: 0x00007f39aa4a45db libmp4v2.so.2`mp4v2::impl::MP4Atom::factory(mp4v2::impl::MP4File&, mp4v2::impl::MP4Atom*, char const*) + 235
frame #4: 0x00007f39aa4a5c93 libmp4v2.so.2`mp4v2::impl::MP4Atom::CreateAtom(mp4v2::impl::MP4File&, mp4v2::impl::MP4Atom*, char const*) + 35
frame #5: 0x00007f39aa4a63e6 libmp4v2.so.2`mp4v2::impl::MP4Atom::ReadAtom(mp4v2::impl::MP4File&, mp4v2::impl::MP4Atom*) + 326
frame #6: 0x00007f39aa4a684f libmp4v2.so.2`mp4v2::impl::MP4Atom::ReadChildAtoms() + 239
frame #7: 0x00007f39aa4a7a88 libmp4v2.so.2`mp4v2::impl::MP4Atom::Read() + 88
frame #8: 0x00007f39aa4a647e libmp4v2.so.2`mp4v2::impl::MP4Atom::ReadAtom(mp4v2::impl::MP4File&, mp4v2::impl::MP4Atom*) + 478
frame #9: 0x00007f39aa4a684f libmp4v2.so.2`mp4v2::impl::MP4Atom::ReadChildAtoms() + 239
frame #10: 0x00007f39aa4a7a88 libmp4v2.so.2`mp4v2::impl::MP4Atom::Read() + 88
frame #11: 0x00007f39aa4a647e libmp4v2.so.2`mp4v2::impl::MP4Atom::ReadAtom(mp4v2::impl::MP4File&, mp4v2::impl::MP4Atom*) + 478
frame #12: 0x00007f39aa4a684f libmp4v2.so.2`mp4v2::impl::MP4Atom::ReadChildAtoms() + 239
frame #13: 0x00007f39aa4a7a88 libmp4v2.so.2`mp4v2::impl::MP4Atom::Read() + 88
frame #14: 0x00007f39aa4a647e libmp4v2.so.2`mp4v2::impl::MP4Atom::ReadAtom(mp4v2::impl::MP4File&, mp4v2::impl::MP4Atom*) + 478
frame #15: 0x00007f39aa4a684f libmp4v2.so.2`mp4v2::impl::MP4Atom::ReadChildAtoms() + 239
frame #16: 0x00007f39aa4a7a88 libmp4v2.so.2`mp4v2::impl::MP4Atom::Read() + 88
frame #17: 0x00007f39aa4a647e libmp4v2.so.2`mp4v2::impl::MP4Atom::ReadAtom(mp4v2::impl::MP4File&, mp4v2::impl::MP4Atom*) + 478
frame #18: 0x00007f39aa4a684f libmp4v2.so.2`mp4v2::impl::MP4Atom::ReadChildAtoms() + 239
frame #19: 0x00007f39aa4a7a88 libmp4v2.so.2`mp4v2::impl::MP4Atom::Read() + 88
frame #20: 0x00007f39aa4a647e libmp4v2.so.2`mp4v2::impl::MP4Atom::ReadAtom(mp4v2::impl::MP4File&, mp4v2::impl::MP4Atom*) + 478
frame #21: 0x00007f39aa4a684f libmp4v2.so.2`mp4v2::impl::MP4Atom::ReadChildAtoms() + 239
frame #22: 0x00007f39aa4a7a88 libmp4v2.so.2`mp4v2::impl::MP4Atom::Read() + 88
frame #23: 0x00007f39aa4b3708 libmp4v2.so.2`mp4v2::impl::MP4File::ReadFromFile() + 104
frame #24: 0x00007f39aa4b6a2d libmp4v2.so.2`mp4v2::impl::MP4File::Read(char const*, MP4FileProvider_s const*) + 29
frame #25: 0x00007f39aa49febe libmp4v2.so.2`MP4Read + 46
frame #26: 0x00007f39aae63a4b mp4.so`mp4_open(ip_data=0x00000000021bf2b8) at mp4.c:177:21
frame #27: 0x0000000000421af4 cmus`ip_open at input.c:463:8
frame #28: 0x0000000000421a0a cmus`ip_open at input.c:481
frame #29: 0x0000000000421a00 cmus`ip_open(ip=0x00000000021bf2b0) at input.c:599
frame #30: 0x000000000042b45c cmus`_producer_play at player.c:660:8
frame #31: 0x000000000042c9da cmus`player_set_file(ti=0x000000000178fb30) at player.c:1164:3
frame #32: 0x000000000043c6b9 cmus`mpris_next(m=0x00000000021cef10, _userdata=<unavailable>, _ret_error=<unavailable>) at mpris.c:118:2
frame #33: 0x00007f39aac27d1b libsystemd.so.0`___lldb_unnamed_symbol760$$libsystemd.so.0 + 971
frame #34: 0x00007f39aac1068a libsystemd.so.0`___lldb_unnamed_symbol657$$libsystemd.so.0 + 4410
frame #35: 0x000000000043cd56 cmus`mpris_process at mpris.c:522:10
frame #36: 0x000000000040d6b5 cmus`main at ui_curses.c:2275:4
frame #37: 0x00007f39aaa131a3 libc.so.6`__libc_start_main + 243
frame #38: 0x000000000040daee cmus`_start + 46
And with gdb:
(gdb) bt
#0 mp4v2::impl::MP4Integer32Array::Resize (newSize=0, this=0x226cfd0) at src/mp4array.h:131
#1 mp4v2::impl::MP4Integer32Property::SetCount (this=0x226cfb0, count=0) at src/mp4property.h:205
#2 0x00007fc5bb9afdef in mp4v2::impl::MP4TableProperty::AddProperty (this=this@entry=0x226cf70, pProperty=pProperty@entry=0x226cfb0) at src/mp4property.cpp:694
#3 0x00007fc5bb97e832 in mp4v2::impl::MP4StandardAtom::MP4StandardAtom (this=0x226c670, file=..., type=<optimized out>) at src/mp4property.h:57
#4 0x00007fc5bb9945db in mp4v2::impl::MP4Atom::factory (file=..., parent=<optimized out>, type=0x7ffc56cb89ab "stts") at src/mp4atom.cpp:1020
#5 0x00007fc5bb995c93 in mp4v2::impl::MP4Atom::CreateAtom (file=..., parent=<optimized out>, type=<optimized out>) at src/mp4atom.cpp:78
#6 0x00007fc5bb9963e6 in mp4v2::impl::MP4Atom::ReadAtom (file=..., pParentAtom=0x22a50c0) at src/mp4atom.cpp:174
#7 0x00007fc5bb99684f in mp4v2::impl::MP4Atom::ReadChildAtoms (this=0x22a50c0) at src/mp4atom.cpp:435
#8 0x00007fc5bb997a88 in mp4v2::impl::MP4Atom::Read (this=0x22a50c0) at src/mp4atom.cpp:241
#9 0x00007fc5bb99647e in mp4v2::impl::MP4Atom::ReadAtom (file=..., pParentAtom=0x22a0e00) at src/mp4atom.cpp:201
#10 0x00007fc5bb99684f in mp4v2::impl::MP4Atom::ReadChildAtoms (this=0x22a0e00) at src/mp4atom.cpp:435
#11 0x00007fc5bb997a88 in mp4v2::impl::MP4Atom::Read (this=0x22a0e00) at src/mp4atom.cpp:241
#12 0x00007fc5bb99647e in mp4v2::impl::MP4Atom::ReadAtom (file=..., pParentAtom=0x229fa50) at src/mp4atom.cpp:201
#13 0x00007fc5bb99684f in mp4v2::impl::MP4Atom::ReadChildAtoms (this=0x229fa50) at src/mp4atom.cpp:435
#14 0x00007fc5bb997a88 in mp4v2::impl::MP4Atom::Read (this=0x229fa50) at src/mp4atom.cpp:241
#15 0x00007fc5bb99647e in mp4v2::impl::MP4Atom::ReadAtom (file=..., pParentAtom=0x2395120) at src/mp4atom.cpp:201
#16 0x00007fc5bb99684f in mp4v2::impl::MP4Atom::ReadChildAtoms (this=0x2395120) at src/mp4atom.cpp:435
#17 0x00007fc5bb997a88 in mp4v2::impl::MP4Atom::Read (this=0x2395120) at src/mp4atom.cpp:241
#18 0x00007fc5bb99647e in mp4v2::impl::MP4Atom::ReadAtom (file=..., pParentAtom=0x2394760) at src/mp4atom.cpp:201
#19 0x00007fc5bb99684f in mp4v2::impl::MP4Atom::ReadChildAtoms (this=0x2394760) at src/mp4atom.cpp:435
#20 0x00007fc5bb997a88 in mp4v2::impl::MP4Atom::Read (this=0x2394760) at src/mp4atom.cpp:241
#21 0x00007fc5bb99647e in mp4v2::impl::MP4Atom::ReadAtom (file=..., pParentAtom=0x22aeea0) at src/mp4atom.cpp:201
#22 0x00007fc5bb99684f in mp4v2::impl::MP4Atom::ReadChildAtoms (this=0x22aeea0) at src/mp4atom.cpp:435
#23 0x00007fc5bb997a88 in mp4v2::impl::MP4Atom::Read (this=0x22aeea0) at src/mp4atom.cpp:241
#24 0x00007fc5bb9a3708 in mp4v2::impl::MP4File::ReadFromFile (this=0x22a13c0) at src/mp4file.cpp:430
#25 0x00007fc5bb9a6a2d in mp4v2::impl::MP4File::Read (this=0x22a13c0, name=<optimized out>, provider=<optimized out>) at src/mp4file.cpp:96
#26 0x00007fc5bb98febe in MP4Read () at src/mp4.cpp:102
#27 0x00007fc5bc353a4b in mp4_open (ip_data=0x23ad6f8) at ip/mp4.c:177
#28 0x0000000000421af4 in open_file_locked (ip=0x23ad6f0) at input.c:463
#29 open_file (ip=0x23ad6f0) at input.c:481
#30 ip_open (ip=0x23ad6f0) at input.c:599
#31 0x000000000042b45c in _producer_play () at player.c:660
#32 0x000000000042c8cd in player_pause () at player.c:1127
#33 player_pause () at player.c:1117
#34 0x000000000043c659 in mpris_toggle_pause (m=0x22a0620, _userdata=<optimized out>, _ret_error=<optimized out>) at mpris.c:139
#35 0x00007fc5bc117d1b in object_find_and_run.lto_priv () from /lib64/libsystemd.so.0
#36 0x00007fc5bc10068a in bus_process_internal () from /lib64/libsystemd.so.0
#37 0x000000000043cd56 in mpris_process () at mpris.c:523
#38 0x000000000040d6b5 in main_loop () at ui_curses.c:2275
#39 main (argc=<optimized out>, argv=<optimized out>) at ui_curses.c:2556tlibmp
Looks like SetCount(0) is then passed to Resize(), with a division by newSize without a check for zero here:
https://github.com/sergiomb2/libmp4v2/blob/84edb32a783383b70b6ef9364bbc710fa0c92e32/src/mp4array.h#L106
(In reply to ryan from comment #2) > #0 mp4v2::impl::MP4Integer32Array::Resize (newSize=0, this=0x226cfd0) at src/mp4array.h:131 > #1 mp4v2::impl::MP4Integer32Property::SetCount (this=0x226cfb0, count=0) at src/mp4property.h:205 > Looks like SetCount(0) is then passed to Resize(), with a division by > newSize without a check for zero here: > > https://github.com/sergiomb2/libmp4v2/blob/ > 84edb32a783383b70b6ef9364bbc710fa0c92e32/src/mp4array.h#L106 yeah thanks I choose this patch [1] in favor of another, I will fix it [1] https://github.com/sergiomb2/libmp4v2/commit/f5f814801ecd312a1418e2226dadfea72badec49 FEDORA-2019-d53d4a79ac has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-d53d4a79ac FEDORA-2019-1030f4816a has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-1030f4816a FEDORA-2019-6469ad8129 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-6469ad8129 FEDORA-EPEL-2019-25eb663796 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-25eb663796 Fixed in F31 by https://bodhi.fedoraproject.org/updates/FEDORA-2019-d53d4a79ac, thanks! libmp4v2-2.1.0-0.19.trunkREV507.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-d53d4a79ac libmp4v2-2.1.0-0.19.trunkREV507.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-1030f4816a libmp4v2-2.1.0-0.19.trunkREV507.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-25eb663796 libmp4v2-2.1.0-0.19.trunkREV507.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-6469ad8129 libmp4v2-2.1.0-0.19.trunkREV507.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report. libmp4v2-2.1.0-0.19.trunkREV507.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report. libmp4v2-2.1.0-0.19.trunkREV507.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report. libmp4v2-2.1.0-0.19.trunkREV507.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report. |
Description of problem: Crash using cmus to play MP4 files using fedora-testing libmp4v2 package Version-Release number of selected component (if applicable): 0.18.trunkREV507.fc31 (regression from 0.17) How reproducible: 100% Steps to Reproduce: 1. Play music in MP4 container with cmus Actual results: Divide-by-zero error in libmp4v2. Expected results: Playback. Additional info: LLDB backtrace: (lldb) bt * thread #1, name = 'cmus', stop reason = signal SIGFPE: integer divide by zero * frame #0: 0x00007f2e5cabb8fc libmp4v2.so.2`___lldb_unnamed_symbol1567$$libmp4v2.so.2 + 44 frame #1: 0x00007f2e5cab6def libmp4v2.so.2`___lldb_unnamed_symbol1512$$libmp4v2.so.2 + 143 frame #2: 0x00007f2e5ca85832 libmp4v2.so.2`___lldb_unnamed_symbol974$$libmp4v2.so.2 + 7602 frame #3: 0x00007f2e5ca9b5db libmp4v2.so.2`___lldb_unnamed_symbol1136$$libmp4v2.so.2 + 235 frame #4: 0x00007f2e5ca9cc93 libmp4v2.so.2`___lldb_unnamed_symbol1137$$libmp4v2.so.2 + 35 frame #5: 0x00007f2e5ca9d3e6 libmp4v2.so.2`___lldb_unnamed_symbol1145$$libmp4v2.so.2 + 326 frame #6: 0x00007f2e5ca9d84f libmp4v2.so.2`___lldb_unnamed_symbol1146$$libmp4v2.so.2 + 239 frame #7: 0x00007f2e5ca9ea88 libmp4v2.so.2`___lldb_unnamed_symbol1150$$libmp4v2.so.2 + 88 frame #8: 0x00007f2e5ca9d47e libmp4v2.so.2`___lldb_unnamed_symbol1145$$libmp4v2.so.2 + 478 frame #9: 0x00007f2e5ca9d84f libmp4v2.so.2`___lldb_unnamed_symbol1146$$libmp4v2.so.2 + 239 frame #10: 0x00007f2e5ca9ea88 libmp4v2.so.2`___lldb_unnamed_symbol1150$$libmp4v2.so.2 + 88 frame #11: 0x00007f2e5ca9d47e libmp4v2.so.2`___lldb_unnamed_symbol1145$$libmp4v2.so.2 + 478 frame #12: 0x00007f2e5ca9d84f libmp4v2.so.2`___lldb_unnamed_symbol1146$$libmp4v2.so.2 + 239 frame #13: 0x00007f2e5ca9ea88 libmp4v2.so.2`___lldb_unnamed_symbol1150$$libmp4v2.so.2 + 88 frame #14: 0x00007f2e5ca9d47e libmp4v2.so.2`___lldb_unnamed_symbol1145$$libmp4v2.so.2 + 478 frame #15: 0x00007f2e5ca9d84f libmp4v2.so.2`___lldb_unnamed_symbol1146$$libmp4v2.so.2 + 239 frame #16: 0x00007f2e5ca9ea88 libmp4v2.so.2`___lldb_unnamed_symbol1150$$libmp4v2.so.2 + 88 frame #17: 0x00007f2e5ca9d47e libmp4v2.so.2`___lldb_unnamed_symbol1145$$libmp4v2.so.2 + 478 frame #18: 0x00007f2e5ca9d84f libmp4v2.so.2`___lldb_unnamed_symbol1146$$libmp4v2.so.2 + 239 frame #19: 0x00007f2e5ca9ea88 libmp4v2.so.2`___lldb_unnamed_symbol1150$$libmp4v2.so.2 + 88 frame #20: 0x00007f2e5ca9d47e libmp4v2.so.2`___lldb_unnamed_symbol1145$$libmp4v2.so.2 + 478 frame #21: 0x00007f2e5ca9d84f libmp4v2.so.2`___lldb_unnamed_symbol1146$$libmp4v2.so.2 + 239 frame #22: 0x00007f2e5ca9ea88 libmp4v2.so.2`___lldb_unnamed_symbol1150$$libmp4v2.so.2 + 88 frame #23: 0x00007f2e5caaa708 libmp4v2.so.2`___lldb_unnamed_symbol1362$$libmp4v2.so.2 + 104 frame #24: 0x00007f2e5caada2d libmp4v2.so.2`___lldb_unnamed_symbol1388$$libmp4v2.so.2 + 29 frame #25: 0x00007f2e5ca96ebe libmp4v2.so.2`MP4Read + 46 frame #26: 0x00007f2e5d45aa4b mp4.so`mp4_open(ip_data=0x0000000002a0a3a8) at mp4.c:177:21 frame #27: 0x0000000000421af4 cmus`ip_open at input.c:463:8 frame #28: 0x0000000000421a0a cmus`ip_open at input.c:481 frame #29: 0x0000000000421a00 cmus`ip_open(ip=0x0000000002a0a3a0) at input.c:599 frame #30: 0x000000000042b45c cmus`_producer_play at player.c:660:8 frame #31: 0x000000000042c9da cmus`player_set_file(ti=0x00000000023598f0) at player.c:1164:3 frame #32: 0x000000000043c6b9 cmus`mpris_next(m=0x0000000002a34270, _userdata=<unavailable>, _ret_error=<unavailable>) at mpris.c:118:2 frame #33: 0x00007f2e5d21ed1b libsystemd.so.0`___lldb_unnamed_symbol760$$libsystemd.so.0 + 971 frame #34: 0x00007f2e5d20768a libsystemd.so.0`___lldb_unnamed_symbol657$$libsystemd.so.0 + 4410 frame #35: 0x000000000043cd56 cmus`mpris_process at mpris.c:522:10 frame #36: 0x000000000040d6b5 cmus`main at ui_curses.c:2275:4 frame #37: 0x00007f2e5d00a1a3 libc.so.6`__libc_start_main + 243 frame #38: 0x000000000040daee cmus`_start + 46