Opened 16 years ago

Last modified 13 years ago

#1118 new defect

Valgrind reports Invalid Read in vorbis_decode_init (bitstream.h:659)

Reported by: nstockma@…
Owned by: reimar
Priority: normal
Component: ad
Version: HEAD
Severity: normal
Keywords:
Cc: catchconv-bugreports@…
Blocked By:
Blocking:
Reproduced by developer: no
Analyzed by developer: no

Description

Here's an ogg file where Valgrind reports an invalid read of size 4. The ogg
file (91-snippet3.ogg) can be found inside the .tgz archive at the URL above.
The bug is easily reproducible. Note that it does not cause MPlayer to crash.

Also, I noticed that bug 1107 and bug 1116 occur at "bitstream.h:659", although their stacks are slightly different from this one's.

I confirmed that this bug is reproducible on Linux OS, Debian x32 with the
latest subversion of MPlayer, dev-SVN-r27184-4.1.2

I used a 32-bit Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz.

To reproduce:

wget http://www.metafuzz.com/testcases/325305-91-35847345-Leak_DefinitelyLost.tgz
tar xzfv 325305-91-35847345-Leak_DefinitelyLost.tgz
valgrind mplayer 91-snippet3.ogg

Here is the output from valgrind and mplayer on my machine:

user@debian:~/Desktop$ valgrind mplayer 91-snippet3.ogg
==10450== Memcheck, a memory error detector.
==10450== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==10450== Using LibVEX rev 1854, a library for dynamic binary translation.
==10450== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==10450== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==10450== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==10450== For more details, rerun with: -v
==10450==
MPlayer dev-SVN-r27184-4.1.2 (C) 2000-2008 MPlayer Team
CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz (Family: 6, Model: 15, Stepping: 6)
CPUflags: MMX: 1 MMX2: 1 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 1
Compiled for x86 CPU with extensions: MMX MMX2 SSE SSE2

Playing 91-snippet3.ogg.
[Ogg] stream 0: audio (Vorbis), -aid 0
[Ogg] stream 0: audio (Vorbis), -aid 0
libavformat file format detected.
[ogg @ 0x8633f90]-74 bytes of comment header remain
[ogg @ 0x8633f90]truncated comment header, 3 comments not found
================================================================================================
==10450== Invalid read of size 4
==10450== Stack hash: 2114588356
==10450== at 0x84F4C62: vorbis_decode_init (bitstream.h:659)
==10450== by 0x82ED97D: avcodec_open (utils.c:831)
==10450== by 0x826437A: av_find_stream_info (utils.c:1760)
==10450== by 0x81A31AE: demux_open_lavf (demux_lavf.c:466)
==10450== by 0x811E33E: demux_open_stream (demuxer.c:864)
==10450== by 0x811E611: demux_open (demuxer.c:991)
==10450== by 0x80778BE: main (mplayer.c:3238)
==10450== Address 0x43550ff is 271 bytes inside a block of size 272 alloc'd
==10450== Stack hash: 4110741887
==10450== at 0x401D96E: realloc (vg_replace_malloc.c:429)
==10450== by 0x82A6F2F: vorbis_header (oggparsevorbis.c:149)
==10450== by 0x82A5A0F: ogg_packet (oggdec.c:369)
==10450== by 0x82A5B71: ogg_read_header (oggdec.c:408)
==10450== by 0x82619A8: av_open_input_stream (utils.c:397)
==10450== by 0x81A318D: demux_open_lavf (demux_lavf.c:459)
==10450== by 0x811E33E: demux_open_stream (demuxer.c:864)
==10450== by 0x811E611: demux_open (demuxer.c:991)
==10450== by 0x80778BE: main (mplayer.c:3238)
[vorbis @ 0x864a130]Third header is not the setup header.
[vorbis @ 0x864a130]Third header is not the setup header.
[vorbis @ 0x864a130]Third header is not the setup header.

#The above line is repeated a large number of times, most of which I omitted.

[vorbis @ 0x864a130]Third header is not the setup header.
[vorbis @ 0x864a130]Third header is not the setup header.
[vorbis @ 0x864a130]Third header is not the setup header.
[ogg @ 0x8633f90]Could not find codec parameters (Audio: vorbis, 44100 Hz, stereo, 160 kb/s)
[ogg @ 0x8633f90]Could not find codec parameters (Invalid Codec type -1)
LAVF_header: av_find_stream_info() failed

Exiting... (End of file)
==10450==
==10450== ERROR SUMMARY: 141 errors from 1 contexts (suppressed: 19 from 1)
==10450== malloc/free: in use at exit: 9,724,945 bytes in 2,270 blocks.
==10450== malloc/free: 5,401 allocs, 3,131 frees, 12,459,740 bytes allocated.
==10450== For counts of detected errors, rerun with: -v
==10450== searching for pointers to 2,270 not-freed blocks.
==10450== checked 2,802,488 bytes.
==10450==
==10450== LEAK SUMMARY:
==10450== definitely lost: 9,603,981 bytes in 2,247 blocks.
==10450== possibly lost: 88,064 bytes in 12 blocks.
==10450== still reachable: 32,900 bytes in 11 blocks.
==10450== suppressed: 0 bytes in 0 blocks.
==10450== Rerun with --leak-check=full to see details of leaked memory.

I have not attempted to review this bug to determine whether it represents a
security risk or not.

This bug was found using the zzuf fuzzer. It was found as part of the
SUPERB-TRUST 2008 project ( see http://www.truststc.org/superb/ ) and the
metafuzz project ( see http://metafuzz.com/, stack hash 35847345).

Let me know if I can provide more information.
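As an added example (not code from this report or from FFmpeg): a memcheck complaint of "invalid read of size 4" at 271 bytes inside a 272-byte block is consistent with a bit reader that loads a whole 32-bit word from its current byte even when fewer than four bytes remain, a position a truncated header makes easy to reach. The bounds-checked reader below, run against a constructed 272-byte block, refuses that read instead of touching memory past the allocation; the BitReader type, br_get_bits and demo_overread_at_end are assumptions of this example, not FFmpeg's get_bits API.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* MSB-first bit reader over a byte buffer. Constructed for this example;
 * it only mimics the shape of a get_bits()-style API. */
typedef struct {
    const uint8_t *buf;
    size_t size_bits;  /* bits actually backed by the allocation */
    size_t pos;        /* current read position in bits */
} BitReader;

static void br_init(BitReader *br, const uint8_t *buf, size_t size_bytes) {
    br->buf = buf;
    br->size_bits = size_bytes * 8;
    br->pos = 0;
}

/* Checked read of n (1..32) bits: returns 0 and stores the value, or -1
 * (position unchanged) when fewer than n bits remain. Bytes are fetched one
 * at a time, so the read never reaches past buf[size_bytes - 1]. */
static int br_get_bits(BitReader *br, unsigned n, uint32_t *out) {
    if (n == 0 || n > 32 || br->pos > br->size_bits ||
        n > br->size_bits - br->pos)
        return -1;
    uint32_t v = 0;
    for (unsigned i = 0; i < n; i++, br->pos++) {
        unsigned bit = (br->buf[br->pos >> 3] >> (7 - (br->pos & 7))) & 1;
        v = (v << 1) | bit;
    }
    *out = v;
    return 0;
}

/* Same shape as the report: the parser sits on the last byte of a 272-byte
 * header block and asks for a 32-bit field. Stores the checked reader's
 * result in *checked_rc (-1: refused) and returns how many bytes an
 * unchecked 4-byte word fetch from that position would reach past the block. */
static size_t demo_overread_at_end(int *checked_rc) {
    uint8_t block[272];              /* constructed stand-in for the header buffer */
    memset(block, 0xAB, sizeof block);
    BitReader br;
    br_init(&br, block, sizeof block);
    br.pos = 271 * 8;                /* "271 bytes inside a block of size 272" */
    uint32_t v;
    *checked_rc = br_get_bits(&br, 32, &v);
    size_t fetch_end = (br.pos >> 3) + 4;   /* last byte + 1 a word fetch spans */
    return fetch_end > sizeof block ? fetch_end - sizeof block : 0;
}
```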

Change History (2)

comment:1 by reimar, 16 years ago

Problem is in FFmpeg/libavcodec. Please try to reproduce with ffmpeg or ffplay and report it to them.

comment:2 by compn, 13 years ago

Owner: changed from r_togni@… to reimar