<div dir="ltr">Package: lame<div>Version: 3.99.5</div><div><br></div>
<div>This bug was found with american fuzzy lop (<a href="http://lcamtuf.coredump.cx/afl/">http://lcamtuf.coredump.cx/afl/</a>). I compiled lame as follows:</div>
<div>CC=/path/to/afl-gcc ./configure</div>
<div>AFL_HARDEN=1 make<br><br>GDB output:<br>
<div><div>Program received signal SIGFPE, Arithmetic exception.</div>
<div>[----------------------------------registers-----------------------------------]</div>
<div>RAX: 0x1a68 </div>
<div>RBX: 0x816720 --> 0xfbad2498 </div>
<div>RCX: 0x1a68 </div>
<div>RDX: 0x0 </div>
<div>RSI: 0x2b11 </div>
<div>RDI: 0x7fd240 --> 0xfff88e3b </div>
<div>RBP: 0x7fd240 --> 0xfff88e3b </div>
<div>RSP: 0x7ffffff31310 --> 0x0 </div>
<div>RIP: 0x41df9f (<init_infile+13399>:<span class="" style="white-space:pre">       </span>idiv   r15)</div>
<div>R8 : 0x7ffffff31450 --> 0x7fff00001a68 </div>
<div>R9 : 0x7ffff7fde700 (0x00007ffff7fde700)</div>
<div>R10: 0x64000000 ('')</div>
<div>R11: 0x68 ('h')</div>
<div>R12: 0x1a68 </div>
<div>R13: 0x2 </div>
<div>R14: 0x0 </div>
<div>R15: 0x0</div>
<div>EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)</div>
<div>[-------------------------------------code-------------------------------------]</div>
<div>   0x41df8c <init_infile+13380>:<span class="" style="white-space:pre">        </span>mov    DWORD PTR [rip+0x3af156],0x1        # 0x7cd0ec <global+12></div>
<div>   0x41df96 <init_infile+13390>:<span class="" style="white-space:pre">      </span>mov    r13d,0x2</div>
<div>   0x41df9c <init_infile+13396>:<span class="" style="white-space:pre">      </span>movsxd r15,r14d</div>
<div>=> 0x41df9f <init_infile+13399>:<span class="" style="white-space:pre">   </span>idiv   r15</div>
<div>   0x41dfa2 <init_infile+13402>:<span class="" style="white-space:pre">   </span>mov    rsi,rax</div>
<div>   0x41dfa5 <init_infile+13405>:<span class="" style="white-space:pre">       </span>call   0x501b90 <lame_set_num_samples></div>
<div>   0x41dfaa <init_infile+13410>:<span class="" style="white-space:pre"> </span>mov    DWORD PTR [rip+0x3af12c],0x1        # 0x7cd0e0 <global></div>
<div>   0x41dfb4 <init_infile+13420>:<span class="" style="white-space:pre"> </span>jmp    0x41ba8b <init_infile+3907></div>
<div>[------------------------------------stack-------------------------------------]</div>
<div>0000| 0x7ffffff31310 --> 0x0 </div>
<div>0008| 0x7ffffff31318 --> 0xffffffffffffffff </div>
<div>0016| 0x7ffffff31320 --> 0x7ffffff313b0 --> 0x7ffff7393af8 --> 0xc001a00000cbb </div>
<div>0024| 0x7ffffff31328 ("id:00000")</div>
<div>0032| 0x7ffffff31330 --> 0x100000000 </div>
<div>0040| 0x7ffffff31338 --> 0x1e </div>
<div>0048| 0x7ffffff31340 --> 0x100000000 </div>
<div>0056| 0x7ffffff31348 --> 0x3d2ef35793c76730 </div>
<div>[------------------------------------------------------------------------------]</div>
<div>Legend: code, data, rodata, value</div>
<div>Stopped reason: SIGFPE</div>
<div>0x000000000041df9f in parse_wave_header (sf=0x816720, gfp=0x7fd240) at get_audio.c:1454</div>
<div>1454<span class="" style="white-space:pre">    </span>        (void) lame_set_num_samples(gfp, data_length / (channels * ((bits_per_sample + 7) / 8)));</div></div>
<div><br></div><br>Valgrind output: </div>
<div><div>==15646== </div>
<div>==15646== Process terminating with default action of signal 8 (SIGFPE): dumping core</div>
<div>==15646==  Integer divide by zero at address 0x40342D82D</div>
<div>==15646==    at 0x41DF8C: init_infile (get_audio.c:1452)</div>
<div>==15646==    by 0x406B0A: lame_main (lame_main.c:151)</div>
<div>==15646==    by 0x402604: main (main.c:470)</div>
<div>Floating point exception<br><br>I've attached the test case which causes this crash.</div></div>
<div><br>Debian 7, kernel v3.2.63-2+deb7u2 x86_64, libc6 v2.13-38+deb7u7</div></div>
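The crash line quoted above, data_length / (channels * ((bits_per_sample + 7) / 8)), divides by a value taken straight from the WAVE "fmt " chunk; the register dump shows the dividend in RAX (0x1a68, i.e. 6760 bytes) and a zero divisor in R15, which is what makes idiv raise SIGFPE. The following is an added example, not code from lame or from this report: it parses the standard 16-byte PCM "fmt " body, keeps the page's expression in an unguarded helper for comparison, and shows the field validation that makes a header with channels == 0 or bits_per_sample == 0 fail cleanly instead of trapping. The struct, function names and the sanity bounds (at least one channel, 1 to 32 bits per sample) are this example's own assumptions, not lame's.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not lame's code. Models get_audio.c:1454 from the report
 * and adds the validation that prevents the divide-by-zero. The 16-byte
 * PCM "fmt " layout is the standard WAVE one; the bounds are assumptions. */

struct wave_fmt {
    uint16_t format_tag;
    uint16_t channels;
    uint32_t sample_rate;
    uint32_t byte_rate;
    uint16_t block_align;
    uint16_t bits_per_sample;
};

/* Little-endian field readers so the example is host-endian independent. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decode the PCM "fmt " body. Returns 0 on success, -1 if it is too short. */
int parse_fmt_chunk(const uint8_t *buf, size_t len, struct wave_fmt *out) {
    if (buf == NULL || out == NULL || len < 16) return -1;
    out->format_tag      = rd16(buf + 0);
    out->channels        = rd16(buf + 2);
    out->sample_rate     = rd32(buf + 4);
    out->byte_rate       = rd32(buf + 8);
    out->block_align     = rd16(buf + 12);
    out->bits_per_sample = rd16(buf + 14);
    return 0;
}

/* The expression exactly as on the page, deliberately unguarded: with
 * channels == 0 or bits_per_sample == 0 the divisor is 0 and idiv traps.
 * Only ever call it with fields that have already been validated. */
unsigned long num_samples_unchecked(uint32_t data_length,
                                    unsigned channels, unsigned bits_per_sample) {
    return data_length / (channels * ((bits_per_sample + 7) / 8));
}

/* Hardened form: validate the header fields first, then divide.
 * Returns 0 and writes *out on success, -1 when the header is rejected. */
int num_samples_checked(uint32_t data_length, unsigned channels,
                        unsigned bits_per_sample, unsigned long *out) {
    if (out == NULL) return -1;
    /* Assumed sanity bounds: >= 1 channel, 1..32 bits per sample. */
    if (channels == 0 || bits_per_sample == 0 || bits_per_sample > 32) return -1;
    unsigned bytes_per_sample = (bits_per_sample + 7) / 8;
    unsigned long frame_bytes = (unsigned long)channels * bytes_per_sample;
    if (frame_bytes == 0) return -1;   /* unreachable after the checks; kept explicit */
    *out = data_length / frame_bytes;
    return 0;
}

/* Raw "fmt " bytes plus the data chunk length -> sample count, or -1. */
int wave_num_samples(const uint8_t *fmt, size_t fmt_len,
                     uint32_t data_length, unsigned long *out) {
    struct wave_fmt f;
    if (parse_fmt_chunk(fmt, fmt_len, &f) != 0) return -1;
    return num_samples_checked(data_length, f.channels, f.bits_per_sample, out);
}

/* Constructed "fmt " bodies: 16-bit stereo at 44100 Hz, and a fuzzer-style
 * one with channels == 0 (the condition behind R15 == 0 in the dump). */
static const uint8_t fmt_good[16] = { 1,0, 2,0, 0x44,0xac,0,0, 0x10,0xb1,2,0, 4,0, 16,0 };
static const uint8_t fmt_zero_channels[16] = { 1,0, 0,0, 0x44,0xac,0,0, 0,0,0,0, 0,0, 16,0 };

/* Sample count for the good header with the 6760-byte data length from RAX. */
unsigned long demo_good_samples(void) {
    unsigned long n = 0;
    return wave_num_samples(fmt_good, sizeof fmt_good, 6760, &n) == 0 ? n : 0;
}

/* Status for the zero-channel header: -1 means rejected, no division done. */
int demo_bad_status(void) {
    unsigned long n = 0;
    return wave_num_samples(fmt_zero_channels, sizeof fmt_zero_channels, 6760, &n);
}

int main(void) {
    printf("good header: %lu samples\n", demo_good_samples());
    printf("zero-channel header: status %d (rejected, no SIGFPE)\n", demo_bad_status());
    return 0;
}
```

The check has to run before the expression is evaluated, not after: once the divisor is zero the trap is raised inside the instruction itself, so no later test on the result can catch it. A harness built with AFL_HARDEN=1 as in the report would treat the unchecked path as a crash and the checked path as a normal error return.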