Opened 16 years ago

Closed 13 years ago

Last modified 13 years ago

#1107 closed defect (invalid)

Valgrind reports InvalidRead in vorbis_parse_setup_hdr_codebooks() bitstream.h:659

Reported by: daw-bugzilla@… Owned by: reimar
Priority: normal Component: ad
Version: HEAD Severity: normal
Keywords: Cc: dmolnar@…, nstockma@…, catchconv-bugreports@…, sckhan@…
Blocked By: Blocking:
Reproduced by developer: no Analyzed by developer: no

Description

I have an .ogg file where Valgrind reports an invalid read (memory access). Valgrind seems to be reporting that vorbis_parse_setup_hdr_codebooks() has read two bytes past the end of a buffer.

I haven't tried to determine whether this has any security consequences, but InvalidRead errors can sometimes be a security risk. This is reproducible on Linux Fedora 9, with the latest Subversion head mplayer (r27133). I'm on a 32-bit (i686, dual-CPU, AMD Athlon MP2800+) machine.

Reproduce as follows:

wget http://www.metafuzz.com/testcases/325305-464-3685913543-InvalidRead.tgz
tar xzvf 325305-464-3685913543-InvalidRead.tgz
valgrind mplayer 464-snippet3.ogg

Here is the output from Valgrind:

==28558== Memcheck, a memory error detector.
==28558== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==28558== Using LibVEX rev 1804, a library for dynamic binary translation.
==28558== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==28558== Using valgrind-3.3.0, a dynamic binary instrumentation framework.
==28558== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==28558== For more details, rerun with: -v
==28558==
MPlayer dev-SVN-r27133-4.3.0 (C) 2000-2008 MPlayer Team
CPU: Intel Celeron 2/Pentium III Tualatin (Family: 6, Model: 11, Stepping: 1)
CPUflags: MMX: 1 MMX2: 1 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 0
Compiled for x86 CPU with extensions: MMX MMX2 3DNow 3DNowEx SSE

Playing 464-snippet3.ogg.
libavformat file format detected.
[ogg @ 0x869e0b4]-130 bytes of comment header remain
[ogg @ 0x869e0b4]truncated comment header, 4 comments not found
[ogg @ 0x869e0b4]Could not find codec parameters (Invalid Codec type -1)
[ogg @ 0x869e0b4]Could not find codec parameters (Invalid Codec type -1)
[lavf] Audio stream found, -aid 0
Clip info:

author: Rotersand
genre: laswic

==========================================================================
Opening audio decoder: [ffmpeg] FFmpeg/libavcodec audio decoders
==28558== Invalid read of size 4
==28558== at 0x85535F0: vorbis_parse_setup_hdr_codebooks (bitstream.h:659)
==28558== by 0x8554469: vorbis_decode_init (vorbis_dec.c:816)
==28558== by 0x8319F4B: avcodec_open (utils.c:830)
==28558== by 0x81BAE09: init (ad_ffmpeg.c:90)
==28558== by 0x80E516D: init_audio (dec_audio.c:95)
==28558== by 0x80E54F5: init_best_audio_codec (dec_audio.c:270)
==28558== by 0x8079D35: reinit_audio_chain (mplayer.c:1585)
==28558== by 0x807B665: main (mplayer.c:3583)
==28558== Address 0x460eda0 is 384 bytes inside a block of size 387 alloc'd
==28558== at 0x4004A0A: memalign (vg_replace_malloc.c:460)
==28558== by 0x85A3057: av_malloc (mem.c:61)
==28558== by 0x85A30D6: av_mallocz (mem.c:134)
==28558== by 0x81BAF15: init (ad_ffmpeg.c:74)
==28558== by 0x80E516D: init_audio (dec_audio.c:95)
==28558== by 0x80E54F5: init_best_audio_codec (dec_audio.c:270)
==28558== by 0x8079D35: reinit_audio_chain (mplayer.c:1585)
==28558== by 0x807B665: main (mplayer.c:3583)
==28558==
==28558== Invalid read of size 4
==28558== at 0x8553625: vorbis_parse_setup_hdr_codebooks (bitstream.h:659)
==28558== by 0x8554469: vorbis_decode_init (vorbis_dec.c:816)
==28558== by 0x8319F4B: avcodec_open (utils.c:830)
==28558== by 0x81BAE09: init (ad_ffmpeg.c:90)
==28558== by 0x80E516D: init_audio (dec_audio.c:95)
==28558== by 0x80E54F5: init_best_audio_codec (dec_audio.c:270)
==28558== by 0x8079D35: reinit_audio_chain (mplayer.c:1585)
==28558== by 0x807B665: main (mplayer.c:3583)
==28558== Address 0x460eda5 is 2 bytes after a block of size 387 alloc'd
==28558== at 0x4004A0A: memalign (vg_replace_malloc.c:460)
==28558== by 0x85A3057: av_malloc (mem.c:61)
==28558== by 0x85A30D6: av_mallocz (mem.c:134)
==28558== by 0x81BAF15: init (ad_ffmpeg.c:74)
==28558== by 0x80E516D: init_audio (dec_audio.c:95)
==28558== by 0x80E54F5: init_best_audio_codec (dec_audio.c:270)
==28558== by 0x8079D35: reinit_audio_chain (mplayer.c:1585)
==28558== by 0x807B665: main (mplayer.c:3583)
[vorbis @ 0x86b44b0] Invalid code lengths while generating vlcs.
[vorbis @ 0x86b44b0] Vorbis setup header packet corrupt (codebooks).
[vorbis @ 0x86b44b0]Setup header corrupt.
Could not open codec.
ADecoder init failed :(
ADecoder init failed :(
Opening audio decoder: [libvorbis] Ogg/Vorbis audio decoder
OggVorbis: header n. 1 broken! len=238
ADecoder init failed :(
ADecoder init failed :(
Cannot find codec for audio format 0x566F.
Read DOCS/HTML/en/codecs.html!
Audio: no sound
Video: no video

Exiting... (End of file)
==28558==
==28558== ERROR SUMMARY: 10 errors from 2 contexts (suppressed: 31 from 1)
==28558== malloc/free: in use at exit: 71,998 bytes in 33 blocks.
==28558== malloc/free: 2,914 allocs, 2,881 frees, 3,555,125 bytes allocated.
==28558== For counts of detected errors, rerun with: -v
==28558== searching for pointers to 33 not-freed blocks.
==28558== checked 2,852,508 bytes.
==28558==
==28558== LEAK SUMMARY:
==28558== definitely lost: 1,599 bytes in 5 blocks.
==28558== possibly lost: 0 bytes in 0 blocks.
==28558== still reachable: 70,399 bytes in 28 blocks.
==28558== suppressed: 0 bytes in 0 blocks.
==28558== Rerun with --leak-check=full to see details of leaked memory.

This bug was found using the zzuf fuzzer. This bug was found as part of the metafuzz project; see http://metafuzz.com/, stack hash 3685913543.
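The two Valgrind reports above describe a 4-byte read starting at byte 384 of a 387-byte block and a second one starting 2 bytes past its end, both from the bit reader (bitstream.h) while the Vorbis codebooks are being parsed. The following is an added example, not code from this ticket, MPlayer or FFmpeg. It assumes, as an inference from the trace rather than anything the page states, that the reader loads a whole 32-bit word at the current byte position and that the 387-byte block is the codec's setup data with no trailing padding. It shows the two standard mitigations side by side: a reader that checks the remaining length before every read (so a truncated or corrupt header fails cleanly instead of over-reading), and padding the input allocation so a word-sized load near the end stays inside the block. The codebook prefix layout (24-bit sync pattern, 16-bit dimensions, 24-bit entry count, LSB-first packing) is taken from the Vorbis I specification, not from the page; `INPUT_PADDING`, all function names and the sample bytes are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Trailing padding appended to decoder input so that a word-sized load near
 * the end of the real data stays inside the allocation.  The value is an
 * assumption for this example, not a constant taken from the page. */
#define INPUT_PADDING 64

typedef struct {
    const uint8_t *buf;
    size_t size;   /* bytes of real data */
    size_t pos;    /* current bit position; Vorbis packs bits LSB-first */
} BitReader;

/* Bytes a 4-byte word load at the byte containing bit `pos` would touch
 * beyond a `size`-byte buffer; 0 when the load stays inside.  With the
 * ticket's numbers (387-byte block, cursor at byte 384) this is 1. */
size_t word_load_overrun(size_t size, size_t pos)
{
    size_t end = (pos >> 3) + 4;   /* one past the last byte the load touches */
    return end > size ? end - size : 0;
}

/* Read n (1..32) bits LSB-first one bit at a time, so no byte past `size`
 * is ever touched.  Returns 0 and stores the value, or -1 without advancing
 * when fewer than n bits remain. */
int get_bits_checked(BitReader *br, unsigned n, uint32_t *out)
{
    uint32_t v = 0;
    if (n == 0 || n > 32 || br->pos + n > br->size * 8)
        return -1;
    for (unsigned i = 0; i < n; i++, br->pos++)
        v |= (uint32_t)((br->buf[br->pos >> 3] >> (br->pos & 7)) & 1) << i;
    *out = v;
    return 0;
}

typedef struct { uint32_t dimensions, entries; } CodebookHdr;

/* Parse the fixed prefix of one codebook: 24-bit sync pattern 0x564342
 * ("BCV"), 16-bit dimensions, 24-bit entry count (layout per Vorbis I spec).
 * Returns 0 on success, -1 on a bad sync pattern or if the data ends first. */
int parse_codebook_prefix(BitReader *br, CodebookHdr *h)
{
    uint32_t sync;
    if (get_bits_checked(br, 24, &sync) || sync != 0x564342)
        return -1;
    if (get_bits_checked(br, 16, &h->dimensions))
        return -1;
    if (get_bits_checked(br, 24, &h->entries))
        return -1;
    return 0;
}

/* Copy n bytes into a zero-filled buffer of n + INPUT_PADDING bytes, the
 * other mitigation: a word load at the last real byte now reads zeros that
 * belong to the allocation.  Caller frees; NULL on allocation failure. */
uint8_t *padded_copy(const uint8_t *src, size_t n)
{
    uint8_t *dst = calloc(n + INPUT_PADDING, 1);
    if (dst)
        memcpy(dst, src, n);
    return dst;
}

/* Constructed sample codebook prefix: sync "BCV", dimensions 2, entries 16. */
static const uint8_t sample_codebook[8] = {
    0x42, 0x43, 0x56, 0x02, 0x00, 0x10, 0x00, 0x00
};

int main(void)
{
    BitReader br = { sample_codebook, sizeof sample_codebook, 0 };
    CodebookHdr h = { 0, 0 };
    int rc = parse_codebook_prefix(&br, &h);
    printf("full prefix: rc=%d dims=%u entries=%u\n", rc, h.dimensions, h.entries);

    BitReader trunc = { sample_codebook, 6, 0 };   /* data ends inside 'entries' */
    rc = parse_codebook_prefix(&trunc, &h);
    printf("truncated: rc=%d, reader stopped at bit %zu\n", rc, trunc.pos);

    printf("word load at byte 384 of 387 overruns by %zu byte(s); "
           "with padding: %zu\n",
           word_load_overrun(387, 384 * 8),
           word_load_overrun(387 + INPUT_PADDING, 384 * 8));
    return 0;
}
```

The checked reader is the version to reach for in a parser that runs on untrusted files: the truncated case returns an error with the cursor left at the last successfully parsed field, which is exactly the point where the "Setup header corrupt" message in the log should be raised. Padding alone only makes the over-read harmless; it does not make the parse correct.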

Change History (5)

comment:1 by daw-bugzilla@…, 16 years ago

Cc: catchconv-bugreports@… added

comment:2 by compn, 13 years ago

Owner: changed from r_togni@… to reimar

comment:3 by reimar, 13 years ago

Resolution: invalid
Status: new → closed

No more issues in SVN, almost certainly one of the many vorbis decoder issues that were fixed as part of Chrome bug reports.
INVALID because I expect it to have been an FFmpeg bug in the first place.

comment:4 by reimar, 13 years ago

Cc: sckhan@… added

comment:5 by reimar, 13 years ago

Cc: nstockma@… added