Bug 777262 – riff-media: floating point exception in gst_riff_create_audio_caps

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 777262 - (CVE-2017-5837) riff-media: floating point exception in gst_riff_create_audio_caps

(CVE-2017-5837)
Summary:	riff-media: floating point exception in gst_riff_create_audio_caps


Status:	RESOLVED FIXED

Product:	GStreamer
Classification:	Platform
Component:	gst-plugins-base
Version:	unspecified
Hardware:	Other Linux

Importance:	Normal normal
Target Milestone:	1.10.3
Assigned To:	GStreamer Maintainers
QA Contact:	GStreamer Maintainers

URL:
Whiteboard:

Depends on:
Blocks:

Reported:	2017-01-15 09:37 UTC by Hanno Böck
Modified:	2017-02-14 06:21 UTC

See Also:
GNOME target:	---
GNOME version:	---

Attachments
fpe poc (352 bytes, video/x-msvideo) 2017-01-15 09:37 UTC, Hanno Böck	Details

Description Hanno Böck 2017-01-15 09:37:52 UTC

Created attachment 343488 [details]
fpe poc

Attached file will crash gstreamer with a floating point exception.

Comment 1 Hanno Böck 2017-01-15 09:41:50 UTC

asan stack trace:

==2291==ERROR: AddressSanitizer: FPE on unknown address 0x7f7aa1563af2 (pc 0x7f7aa1563af2 bp 0x7f7aa154b060 sp 0x7f7aa154aec0 T2)
    #0 0x7f7aa1563af1 in gst_riff_create_audio_caps /f/gstreamer/gst-plugins-base/gst-libs/gst/riff/riff-media.c:1620:30
    #1 0x7f7aa17fceed in gst_avi_demux_parse_stream /f/gstreamer/gst-plugins-good/gst/avi/gstavidemux.c:2334:14
    #2 0x7f7aa17ec818 in gst_avi_demux_stream_header_pull /f/gstreamer/gst-plugins-good/gst/avi/gstavidemux.c:4063:19
    #3 0x7f7aa17e6786 in gst_avi_demux_loop /f/gstreamer/gst-plugins-good/gst/avi/gstavidemux.c:5687:13
    #4 0x7f7aaea938b3 in gst_task_func /f/gstreamer/gstreamer/gst/gsttask.c:334:5
    #5 0x7f7aadc90b2d in g_thread_pool_thread_proxy /var/tmp/portage/dev-libs/glib-2.50.2/work/glib-2.50.2/glib/gthreadpool.c:307
    #6 0x7f7aadc90154 in g_thread_proxy /var/tmp/portage/dev-libs/glib-2.50.2/work/glib-2.50.2/glib/gthread.c:784
    #7 0x7f7aad70e453 in start_thread (/lib64/libpthread.so.0+0x7453)
    #8 0x7f7aad23e5dc in clone (/lib64/libc.so.6+0xe75dc)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /f/gstreamer/gst-plugins-base/gst-libs/gst/riff/riff-media.c:1620:30 in gst_riff_create_audio_caps
Thread T2 (avidemux0:sink) created by T1 (typefind:sink) here:
    #0 0x42df2d in __interceptor_pthread_create (/usr/bin/gst-discoverer-1.0+0x42df2d)
    #1 0x7f7aadcad1bf in g_system_thread_new /var/tmp/portage/dev-libs/glib-2.50.2/work/glib-2.50.2/glib/gthread-posix.c:1170

Thread T1 (typefind:sink) created by T0 here:
    #0 0x42df2d in __interceptor_pthread_create (/usr/bin/gst-discoverer-1.0+0x42df2d)
    #1 0x7f7aadcad1bf in g_system_thread_new /var/tmp/portage/dev-libs/glib-2.50.2/work/glib-2.50.2/glib/gthread-posix.c:1170

==2291==ABORTING

Comment 2 Sebastian Dröge (slomo) 2017-01-15 17:33:07 UTC

commit 81d3ba3fa212bb25fe2ac661993887c4b69af6f1
Author: Sebastian Dröge <sebastian@centricular.com>
Date:   Sun Jan 15 18:31:56 2017 +0100

    riff-media: Check for valid channels/rate before using the values
    
    Otherwise we might divide by zero or otherwise create invalid caps.
    
    https://bugzilla.gnome.org/show_bug.cgi?id=777262

Comment 3 Salvatore Bonaccorso 2017-02-14 06:21:00 UTC

This is CVE-2017-5837