Opened 11 years ago

Closed 9 years ago

Last modified 9 years ago

#1107 closed defect (invalid)

Valgrind reports InvalidRead in vorbis_parse_setup_hdr_codebooks() bitstream.h:659

Reported by: daw-bugzilla@… Owned by: reimar
Priority: normal Component: ad
Version: HEAD Severity: normal
Keywords: Cc: dmolnar@…, nstockma@…, catchconv-bugreports@…, sckhan@…
Blocked By: Blocking:
Reproduced by developer: Analyzed by developer:

Description

I have an .ogg file where Valgrind reports an invalid read (memory access). Valgrind seems to be reporting that vorbis_parse_setup_hdr_codebooks() has read two bytes past the end of a buffer.

I haven't tried to determine whether this has any security consequences, but InvalidRead errors can sometimes be a security risk. This is reproducible on Linux Fedora 9, with the latest Subversion head mplayer (r27133). I'm on a 32-bit (i686, dual-CPU, AMD Athlon MP2800+) machine.

Reproduce as follows:

wget http://www.metafuzz.com/testcases/325305-464-3685913543-InvalidRead.tgz
tar xzvf 325305-464-3685913543-InvalidRead.tgz
valgrind mplayer 464-snippet3.ogg

Here is the output from Valgrind:

==28558== Memcheck, a memory error detector.
==28558== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==28558== Using LibVEX rev 1804, a library for dynamic binary translation.
==28558== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==28558== Using valgrind-3.3.0, a dynamic binary instrumentation framework.
==28558== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==28558== For more details, rerun with: -v
==28558==
MPlayer dev-SVN-r27133-4.3.0 (C) 2000-2008 MPlayer Team
CPU: Intel Celeron 2/Pentium III Tualatin (Family: 6, Model: 11, Stepping: 1)
CPUflags: MMX: 1 MMX2: 1 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 0
Compiled for x86 CPU with extensions: MMX MMX2 3DNow 3DNowEx SSE

Playing 464-snippet3.ogg.
libavformat file format detected.
[ogg @ 0x869e0b4]-130 bytes of comment header remain
[ogg @ 0x869e0b4]truncated comment header, 4 comments not found
[ogg @ 0x869e0b4]Could not find codec parameters (Invalid Codec type -1)
[ogg @ 0x869e0b4]Could not find codec parameters (Invalid Codec type -1)
[lavf] Audio stream found, -aid 0
Clip info:

author: Rotersand
genre: laswic

==========================================================================
Opening audio decoder: [ffmpeg] FFmpeg/libavcodec audio decoders
==28558== Invalid read of size 4
==28558== at 0x85535F0: vorbis_parse_setup_hdr_codebooks (bitstream.h:659)
==28558== by 0x8554469: vorbis_decode_init (vorbis_dec.c:816)
==28558== by 0x8319F4B: avcodec_open (utils.c:830)
==28558== by 0x81BAE09: init (ad_ffmpeg.c:90)
==28558== by 0x80E516D: init_audio (dec_audio.c:95)
==28558== by 0x80E54F5: init_best_audio_codec (dec_audio.c:270)
==28558== by 0x8079D35: reinit_audio_chain (mplayer.c:1585)
==28558== by 0x807B665: main (mplayer.c:3583)
==28558== Address 0x460eda0 is 384 bytes inside a block of size 387 alloc'd
==28558== at 0x4004A0A: memalign (vg_replace_malloc.c:460)
==28558== by 0x85A3057: av_malloc (mem.c:61)
==28558== by 0x85A30D6: av_mallocz (mem.c:134)
==28558== by 0x81BAF15: init (ad_ffmpeg.c:74)
==28558== by 0x80E516D: init_audio (dec_audio.c:95)
==28558== by 0x80E54F5: init_best_audio_codec (dec_audio.c:270)
==28558== by 0x8079D35: reinit_audio_chain (mplayer.c:1585)
==28558== by 0x807B665: main (mplayer.c:3583)
==28558==
==28558== Invalid read of size 4
==28558== at 0x8553625: vorbis_parse_setup_hdr_codebooks (bitstream.h:659)
==28558== by 0x8554469: vorbis_decode_init (vorbis_dec.c:816)
==28558== by 0x8319F4B: avcodec_open (utils.c:830)
==28558== by 0x81BAE09: init (ad_ffmpeg.c:90)
==28558== by 0x80E516D: init_audio (dec_audio.c:95)
==28558== by 0x80E54F5: init_best_audio_codec (dec_audio.c:270)
==28558== by 0x8079D35: reinit_audio_chain (mplayer.c:1585)
==28558== by 0x807B665: main (mplayer.c:3583)
==28558== Address 0x460eda5 is 2 bytes after a block of size 387 alloc'd
==28558== at 0x4004A0A: memalign (vg_replace_malloc.c:460)
==28558== by 0x85A3057: av_malloc (mem.c:61)
==28558== by 0x85A30D6: av_mallocz (mem.c:134)
==28558== by 0x81BAF15: init (ad_ffmpeg.c:74)
==28558== by 0x80E516D: init_audio (dec_audio.c:95)
==28558== by 0x80E54F5: init_best_audio_codec (dec_audio.c:270)
==28558== by 0x8079D35: reinit_audio_chain (mplayer.c:1585)
==28558== by 0x807B665: main (mplayer.c:3583)
[vorbis @ 0x86b44b0] Invalid code lengths while generating vlcs.
[vorbis @ 0x86b44b0] Vorbis setup header packet corrupt (codebooks).
[vorbis @ 0x86b44b0]Setup header corrupt.
Could not open codec.
ADecoder init failed :(
ADecoder init failed :(
Opening audio decoder: [libvorbis] Ogg/Vorbis audio decoder
OggVorbis: header n. 1 broken! len=238
ADecoder init failed :(
ADecoder init failed :(
Cannot find codec for audio format 0x566F.
Read DOCS/HTML/en/codecs.html!
Audio: no sound
Video: no video

Exiting... (End of file)
==28558==
==28558== ERROR SUMMARY: 10 errors from 2 contexts (suppressed: 31 from 1)
==28558== malloc/free: in use at exit: 71,998 bytes in 33 blocks.
==28558== malloc/free: 2,914 allocs, 2,881 frees, 3,555,125 bytes allocated.
==28558== For counts of detected errors, rerun with: -v
==28558== searching for pointers to 33 not-freed blocks.
==28558== checked 2,852,508 bytes.
==28558==
==28558== LEAK SUMMARY:
==28558== definitely lost: 1,599 bytes in 5 blocks.
==28558== possibly lost: 0 bytes in 0 blocks.
==28558== still reachable: 70,399 bytes in 28 blocks.
==28558== suppressed: 0 bytes in 0 blocks.
==28558== Rerun with --leak-check=full to see details of leaked memory.

This bug was found using the zzuf fuzzer. This bug was found as part of the
metafuzz project; see http://metafuzz.com/, stack hash 3685913543.
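Added example, not code from MPlayer, FFmpeg or the reporter: a small bounds-checked bit reader in C that reproduces the arithmetic of the two Valgrind reports above (a 4-byte load starting 384 bytes into a 387-byte block, then one starting 2 bytes past its end) and shows the remaining-bits check that turns such an over-read into a clean "header corrupt" failure instead of an out-of-bounds access. The buffer size, positions and byte values are constructed to match the trace, and the reader's internals are an assumption, not the layout of FFmpeg's get_bits().

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example (not MPlayer/FFmpeg code): bounds-checked MSB-first bit
 * reader, plus a helper measuring an unchecked 32-bit word load's overrun. */
typedef struct {
    const uint8_t *buf;
    size_t size_bytes;
    size_t pos_bits;           /* absolute bit position, MSB-first */
} BitReader;

static void br_init(BitReader *br, const uint8_t *buf, size_t size_bytes) {
    br->buf = buf; br->size_bytes = size_bytes; br->pos_bits = 0;
}

static size_t br_bits_left(const BitReader *br) {
    return br->pos_bits >= br->size_bytes * 8 ? 0 : br->size_bytes * 8 - br->pos_bits;
}

/* Bytes a 4-byte word load at the current byte would touch beyond the end
 * (0 = in bounds). At byte 384 of a 387-byte block this is 1. */
static size_t br_word_load_overrun(const BitReader *br) {
    size_t end = br->pos_bits / 8 + 4;
    return end > br->size_bytes ? end - br->size_bytes : 0;
}

/* Read n (<= 32) bits. Returns 0 on success, -1 if the request would run
 * past the buffer; on failure the reader position is left unchanged. */
static int br_read_bits(BitReader *br, unsigned n, uint32_t *out) {
    uint32_t v = 0;
    if (n > 32 || n > br_bits_left(br))
        return -1;
    for (unsigned i = 0; i < n; i++) {
        size_t p = br->pos_bits + i;
        v = (v << 1) | ((br->buf[p / 8] >> (7 - p % 8)) & 1u);
    }
    br->pos_bits += n;
    *out = v;
    return 0;
}

int main(void) {
    uint8_t buf[387] = {0};        /* constructed: size of the flagged block */
    BitReader br; uint32_t v;
    br_init(&br, buf, sizeof buf);
    br.pos_bits = 384 * 8;         /* where the trace says the reader was */
    printf("overrun=%zu read32=%d\n", br_word_load_overrun(&br), br_read_bits(&br, 32, &v));
    return 0;
}
```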

Change History (5)

comment:1 Changed 11 years ago by daw-bugzilla@…

  • Cc catchconv-bugreports@… added

comment:2 Changed 9 years ago by compn

  • Owner changed from r_togni@… to reimar

comment:3 Changed 9 years ago by reimar

  • Resolution set to invalid
  • Status changed from new to closed

No more issues in SVN, almost certainly one of the many vorbis decoder issues that were fixed as part of Chrome bug reports.
INVALID because I expect it to have been an FFmpeg bug in the first place.

comment:4 Changed 9 years ago by reimar

  • Cc sckhan@… added

comment:5 Changed 9 years ago by reimar

  • Cc nstockma@… added