Opened 11 years ago

Closed 8 years ago

Last modified 8 years ago

#1116 closed defect (duplicate)

Valgrind reports Invalid Read in vorbis_parse_setup_hdr_codebooks (bitstream.h:659)

Reported by: nstockma@… Owned by: reimar
Priority: normal Component: ad
Version: HEAD Severity: normal
Keywords: Cc: catchconv-bugreports@…
Blocked By: Blocking:
Reproduced by developer: Analyzed by developer:

Description

Here's an ogg file where Valgrind reports an invalid read of size 4. The ogg file (41-snippet3.ogg) can be found inside the .tgz archive at the URL above. The bug is easily reproducible. Note that it does not cause MPlayer to crash.

Also, I noticed there is another reported bug (#1107 found here: http://bugzilla.mplayerhq.hu/show_bug.cgi?id=1107) that occurs at "bitstream.h:659". However, the stacks are different so this may be a different bug or perhaps may just provide more insight when compared with bug 1107.

I confirmed that this bug is reproducible on Linux OS, Debian x32 with the
latest subversion of MPlayer, dev-SVN-r27139-4.1.2

I used a 32-bit Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz.

To reproduce:

wget http://www.metafuzz.com/testcases/325305-41-2014726817-InvalidRead.tgz
tar xzfv 325305-41-2014726817-InvalidRead?.tgz
valgrind mplayer 41-snippet3.ogg

Here is the output from valgrind and mplayer on my machine:

user@debian:~/Desktop$ valgrind mplayer 41-snippet3.ogg
==4683== Memcheck, a memory error detector.
==4683== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==4683== Using LibVEX rev 1854, a library for dynamic binary translation.
==4683== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks? LLP.
==4683== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==4683== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==4683== For more details, rerun with: -v
==4683==
MPlayer dev-SVN-r27139-4.1.2 (C) 2000-2008 MPlayer Team
CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz (Family: 6, Model: 15, Stepping: 6)
CPUflags: MMX: 1 MMX2: 1 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 1
Compiled for x86 CPU with extensions: MMX MMX2 SSE SSE2

Playing 41-snippet3.ogg.
libavformat file format detected.
[ogg @ 0x8633bb0]-90 bytes of comment header remain
[ogg @ 0x8633bb0]truncated comment header, 3 comments not found
=====================================================================================
==4683== Invalid read of size 4
==4683== Stack hash: 1170997395
==4683== at 0x84F3A4A: vorbis_parse_setup_hdr_codebooks (bitstream.h:659)
==4683== by 0x84F49C7: vorbis_decode_init (vorbis_dec.c:816)
==4683== by 0x82ED86D: avcodec_open (utils.c:830)
==4683== by 0x82642BA: av_find_stream_info (utils.c:1760)
==4683== by 0x81A314E: demux_open_lavf (demux_lavf.c:466)
==4683== by 0x811E2DE: demux_open_stream (demuxer.c:864)
==4683== by 0x811E5B1: demux_open (demuxer.c:991)
==4683== by 0x80777AE: main (mplayer.c:3238)
==4683== Address 0x4327d87 is 3,575 bytes inside a block of size 3,578 alloc'd
==4683== Stack hash: 4139107295
==4683== at 0x401D96E: realloc (vg_replace_malloc.c:429)
==4683== by 0x82A6E1F: vorbis_header (oggparsevorbis.c:149)
==4683== by 0x82A58FF: ogg_packet (oggdec.c:369)
==4683== by 0x82A5A61: ogg_read_header (oggdec.c:408)
==4683== by 0x82618E8: av_open_input_stream (utils.c:397)
==4683== by 0x81A312D: demux_open_lavf (demux_lavf.c:459)
==4683== by 0x811E2DE: demux_open_stream (demuxer.c:864)
==4683== by 0x811E5B1: demux_open (demuxer.c:991)
==4683== by 0x80777AE: main (mplayer.c:3238)
==4683==
==4683== Conditional jump or move depends on uninitialised value(s)
==4683== Stack hash: 3235180863
==4683== at 0x84F3AA6: vorbis_parse_setup_hdr_codebooks (vorbis_dec.c:333)
==4683== by 0x84F49C7: vorbis_decode_init (vorbis_dec.c:816)
==4683== by 0x82ED86D: avcodec_open (utils.c:830)
==4683== by 0x82642BA: av_find_stream_info (utils.c:1760)
==4683== by 0x81A314E: demux_open_lavf (demux_lavf.c:466)
==4683== by 0x811E2DE: demux_open_stream (demuxer.c:864)
==4683== by 0x811E5B1: demux_open (demuxer.c:991)
==4683== by 0x80777AE: main (mplayer.c:3238)
==4683==
==4683== Conditional jump or move depends on uninitialised value(s)
==4683== Stack hash: 1595793293
==4683== at 0x84F3AAC: vorbis_parse_setup_hdr_codebooks (vorbis_dec.c:393)
==4683== by 0x84F49C7: vorbis_decode_init (vorbis_dec.c:816)
==4683== by 0x82ED86D: avcodec_open (utils.c:830)
==4683== by 0x82642BA: av_find_stream_info (utils.c:1760)
==4683== by 0x81A314E: demux_open_lavf (demux_lavf.c:466)
==4683== by 0x811E2DE: demux_open_stream (demuxer.c:864)
==4683== by 0x811E5B1: demux_open (demuxer.c:991)
==4683== by 0x80777AE: main (mplayer.c:3238)
[vorbis @ 0x8649d50] Invalid code lengths while generating vlcs.
[vorbis @ 0x8649d50] Vorbis setup header packet corrupt (codebooks).
[vorbis @ 0x8649d50]Setup header corrupt.
[vorbis @ 0x8649d50]Codebook lookup type not supported.

#(Please note that here in my description I am ommitting many repetitions of the 3 lines that come before and after this note.)

[vorbis @ 0x8649d50] Vorbis setup header packet corrupt (codebooks).
[vorbis @ 0x8649d50]Setup header corrupt.
[vorbis @ 0x8649d50]Codebook lookup type not supported.
[vorbis @ 0x8649d50] Vorbis setup header packet corrupt (codebooks).
[vorbis @ 0x8649d50]Setup header corrupt.
==4683==
==4683== Invalid read of size 4
==4683== Stack hash: 2842184121
==4683== at 0x84F3A88: vorbis_parse_setup_hdr_codebooks (bitstream.h:659)
==4683== by 0x84F49C7: vorbis_decode_init (vorbis_dec.c:816)
==4683== by 0x82ED86D: avcodec_open (utils.c:830)
==4683== by 0x82642BA: av_find_stream_info (utils.c:1760)
==4683== by 0x81A314E: demux_open_lavf (demux_lavf.c:466)
==4683== by 0x811E2DE: demux_open_stream (demuxer.c:864)
==4683== by 0x811E5B1: demux_open (demuxer.c:991)
==4683== by 0x80777AE: main (mplayer.c:3238)
==4683== Address 0x43284b4 is 1,652 bytes inside a block of size 65,307 free'd
==4683== Stack hash: 547164708
==4683== at 0x401D43C: free (vg_replace_malloc.c:323)
==4683== by 0x82A5552: ogg_read_page (oggdec.c:189)
==4683== by 0x82A5761: ogg_packet (oggdec.c:319)
==4683== by 0x82A596F: ogg_read_packet (oggdec.c:504)
==4683== by 0x825CCC2: av_read_packet (utils.c:512)
==4683== by 0x826244C: av_read_frame_internal (utils.c:864)
==4683== by 0x8263345: av_find_stream_info (utils.c:1970)
==4683== by 0x81A314E: demux_open_lavf (demux_lavf.c:466)
==4683== by 0x811E2DE: demux_open_stream (demuxer.c:864)
==4683== by 0x811E5B1: demux_open (demuxer.c:991)
==4683== by 0x80777AE: main (mplayer.c:3238)
[vorbis @ 0x8649d50]Codebook lookup type not supported.
[vorbis @ 0x8649d50] Vorbis setup header packet corrupt (codebooks).
[vorbis @ 0x8649d50]Setup header corrupt.
[vorbis @ 0x8649d50]Codebook lookup type not supported.
[vorbis @ 0x8649d50] Vorbis setup header packet corrupt (codebooks).
[vorbis @ 0x8649d50]Setup header corrupt.

#(As before, I am again omitting repetitious lines of output here)

[vorbis @ 0x8649d50] Vorbis setup header packet corrupt (codebooks).
[vorbis @ 0x8649d50]Setup header corrupt.
[vorbis @ 0x8649d50]Codebook lookup type not supported.
[vorbis @ 0x8649d50] Vorbis setup header packet corrupt (codebooks).
[vorbis @ 0x8649d50]Setup header corrupt.
[ogg @ 0x8633bb0]Could not find codec parameters (Audio: vorbis, 67152964 Hz, stereo, 160 kb/s)
[ogg @ 0x8633bb0]Could not find codec parameters (Invalid Codec type -1)
[ogg @ 0x8633bb0]Could not find codec parameters (Invalid Codec type -1)
LAVF_header: av_find_stream_info() failed

Exiting... (End of file)
==4683==
==4683== ERROR SUMMARY: 104286 errors from 4 contexts (suppressed: 19 from 1)
==4683== malloc/free: in use at exit: 36,475 bytes in 14 blocks.
==4683== malloc/free: 5,530 allocs, 5,516 frees, 53,934,865 bytes allocated.
==4683== For counts of detected errors, rerun with: -v
==4683== searching for pointers to 14 not-freed blocks.
==4683== checked 2,747,448 bytes.
==4683==
==4683== LEAK SUMMARY:
==4683== definitely lost: 3,575 bytes in 3 blocks.
==4683== possibly lost: 0 bytes in 0 blocks.
==4683== still reachable: 32,900 bytes in 11 blocks.
==4683== suppressed: 0 bytes in 0 blocks.
==4683== Rerun with --leak-check=full to see details of leaked memory.

I have not attempted to review this bug to determine whether it represents a
security risk or not.

This bug was found using the zzuf fuzzer. It was found as part of the
SUPERB-TRUST 2008 project ( see http://www.truststc.org/superb/ ) and the
metafuzz project ( see http://metafuzz.com/, stack hash 2014726817 ).

Let me know if I can provide more information.

Change History (4)

comment:1 Changed 11 years ago by daw-bugzilla@…

  • Cc catchconv-bugreports@… added

comment:2 Changed 8 years ago by compn

  • Owner changed from r_togni@… to reimar

comment:3 Changed 8 years ago by reimar

  • Resolution set to invalid
  • Status changed from new to closed

This was fixed quite some time ago in FFmpeg (INVALID because I am quite certain this was an issue in FFmpeg and would easily have been reproducible using the ffmpeg binary).

comment:4 Changed 8 years ago by reimar

  • Resolution changed from invalid to duplicate

This actually looks like a duplicate.

Note: See TracTickets for help on using tickets.