Opened 16 years ago

Closed 16 years ago

Last modified 16 years ago

#1125 closed defect (fixed)

Valgrind reports InvalidRead in gen_sh_audio() (demux_mov.c:660)

Reported by: thiennga408@… Owned by: r_togni@…
Priority: normal Component: demuxer
Version: HEAD Severity: normal
Keywords: Cc: ethiodad@…, catchconv-bugreports@…
Blocked By: Blocking:
Reproduced by developer: no Analyzed by developer: no

Description

In the tgz archive which can be downloaded from the URL
http://www.metafuzz.com/testcases/27210-30-569050978-InvalidRead.tgz, there is
an mp4 file (30-quicktime.mp4) where Valgrind reports an invalid read of 2 bytes at an invalid memory location. This bug causes MPlayer to crash.

I confirmed that this bug is reproducible in the latest Subversion revision of MPlayer, r27185-4.1.2.

My System Information:
OS: Linux Debian x32
kernel: Linux debian 2.6.18-6-486 #1 Fri Jun 6 21:47:01 UTC 2008 i686 GNU/Linux
libc version: libc-2.3.6.so
gcc version 4.1.2 20061115
ld version 2.17

My Hardware Information:
32-bit Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz
Multimedia audio controller: Ensoniq ES1371 [AudioPCI-97] (rev 02)

To reproduce:
wget http://www.metafuzz.com/testcases/27210-30-569050978-InvalidRead.tgz
tar xzvf 27210-30-569050978-InvalidRead.tgz
valgrind mplayer 30-quicktime.mp4

The following is the output from Valgrind:

==12615== Memcheck, a memory error detector.
==12615== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==12615== Using LibVEX rev 1854, a library for dynamic binary translation.
==12615== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==12615== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==12615== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==12615== For more details, rerun with: -v
==12615==
MPlayer dev-SVN-r27185-4.1.2 (C) 2000-2008 MPlayer Team
CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz (Family: 6, Model: 15, Stepping: 6)
CPUflags: MMX: 1 MMX2: 1 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 1
Compiled for x86 CPU with extensions: MMX MMX2 SSE SSE2

Playing 27210-30-569050978-InvalidRead.tgz_FILES/30-quicktime.mp4.
libavformat file format detected.
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x8634110]Could not find codec parameters (Audio: 0x0000)
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x8634110]Could not find codec parameters (Data: 0x0000)
LAVF_header: av_find_stream_info() failed
ISO: File Type Major Brand: ISO/IEC 14496-1 (MPEG-4 system) v2
Quicktime/MOV file format detected.
Hmm, strange MOV, parsing mdat in lschunks?
* constant samplesize & variable duration not yet supported! *
Contact the author if you have such sample file!
[mov] Audio stream found, -aid 0
==12615== Invalid read of size 2
==12615== Stack hash: 3274597955
==12615== at 0x813866D: gen_sh_audio (demux_mov.c:660)
==12615== by 0x813B3D0: lschunks (demux_mov.c:1313)
==12615== by 0x813C375: mov_read_header (demux_mov.c:1927)
==12615== by 0x811E33E: demux_open_stream (demuxer.c:864)
==12615== by 0x811E611: demux_open (demuxer.c:991)
==12615== by 0x80778BE: main (mplayer.c:3238)
==12615== Address 0x8 is not stack'd, malloc'd or (recently) free'd

MPlayer interrupted by signal 11 in module: demux_open

  • MPlayer crashed by bad usage of CPU/FPU/RAM. Recompile MPlayer with --enable-debug and make a 'gdb' backtrace and disassembly. Details in DOCS/HTML/en/bugreports_what.html#bugreports_crash.
  • MPlayer crashed. This shouldn't happen. It can be a bug in the MPlayer code _or_ in your drivers _or_ in your gcc version. If you think it's MPlayer's fault, please read DOCS/HTML/en/bugreports.html and follow the instructions there. We can't and won't help unless you provide this information when reporting a possible bug.

==12615==
==12615== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 19 from 1)
==12615== malloc/free: in use at exit: 98,385 bytes in 2,182 blocks.
==12615== malloc/free: 2,324 allocs, 142 frees, 1,375,196 bytes allocated.
==12615== For counts of detected errors, rerun with: -v
==12615== searching for pointers to 2,182 not-freed blocks.
==12615== checked 2,814,780 bytes.
==12615==
==12615== LEAK SUMMARY:
==12615== definitely lost: 0 bytes in 0 blocks.
==12615== possibly lost: 0 bytes in 0 blocks.
==12615== still reachable: 98,385 bytes in 2,182 blocks.
==12615== suppressed: 0 bytes in 0 blocks.
==12615== Rerun with --leak-check=full to see details of leaked memory.

The following is the backtrace using gdb:

(gdb) bt
#0 0x0813866d in gen_sh_audio (sh=0x8982608, trak=0x89824d8, timescale=<value optimized out>) at libmpdemux/demux_mov.c:660
#1 0x0813b3d1 in lschunks (demuxer=0x89811d8, level=0, endpos=3070, trak=0x89824d8) at libmpdemux/demux_mov.c:1313
#2 0x0813c376 in mov_read_header (demuxer=0x89811d8) at libmpdemux/demux_mov.c:1927
#3 0x0811e33f in demux_open_stream (stream=0x89807c0, file_format=<value optimized out>, force=0, audio_id=-1, video_id=-1, dvdsub_id=-2, filename=0x8977470 "27210-30-569050978-InvalidRead.tgz_FILES/30-quicktime.mp4") at libmpdemux/demuxer.c:864
#4 0x0811e612 in demux_open (vs=0x89807c0, file_format=0, audio_id=-1, video_id=-1, dvdsub_id=-2, filename=0x8977470 "27210-30-569050978-InvalidRead.tgz_FILES/30-quicktime.mp4") at libmpdemux/demuxer.c:991
#5 0x080778bf in main (argc=3, argv=0xbffff714) at mplayer.c:3238
(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x813864d to 0x813868d:
0x0813864d <gen_sh_audio+45>: add %cl,0x733d0c47(%ebx)
0x08138653 <gen_sh_audio+51>: popa
0x08138654 <gen_sh_audio+52>: ja 0x81386b8 <gen_sh_audio+152>
0x08138656 <gen_sh_audio+54>: je 0x81387a0 <gen_sh_audio+384>
0x0813865c <gen_sh_audio+60>: cmp $0x726d6173,%eax
0x08138661 <gen_sh_audio+65>: je 0x8138a40 <gen_sh_audio+1056>
0x08138667 <gen_sh_audio+71>: mov 0xffffff94(%ebp),%ecx
0x0813866a <gen_sh_audio+74>: mov 0x48(%ecx),%ebx
0x0813866d <gen_sh_audio+77>: movzwl 0x8(%ebx),%eax
0x08138671 <gen_sh_audio+81>: ror $0x8,%ax
0x08138675 <gen_sh_audio+85>: movzwl %ax,%esi
0x08138678 <gen_sh_audio+88>: cmp $0x1,%esi
0x0813867b <gen_sh_audio+91>: jle 0x81386a5 <gen_sh_audio+133>
0x0813867d <gen_sh_audio+93>: mov $0x85e2dc4,%ecx
0x08138682 <gen_sh_audio+98>: mov $0x2,%edx
0x08138687 <gen_sh_audio+103>: mov %esi,0xc(%esp)
0x0813868b <gen_sh_audio+107>: mov %ecx,0x8(%esp)
End of assembler dump.
(gdb) info all-registers
eax 0x0 0
ecx 0x89824d8 144188632
edx 0x89824d8 144188632
ebx 0x0 0
esp 0xbfffe160 0xbfffe160
ebp 0xbfffe1f8 0xbfffe1f8
esi 0x89824d8 144188632
edi 0x8982608 144188936
eip 0x813866d 0x813866d <gen_sh_audio+77>
eflags 0x210297 [ CF PF AF SF IF RF ID ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
st0 0 (raw 0x00000000000000000000)
st1 0 (raw 0x00000000000000000000)
st2 0 (raw 0x00000000000000000000)
st3 0 (raw 0x00000000000000000000)
st4 0 (raw 0x00000000000000000000)
st5 1 (raw 0x3fff8000000000000000)
st6 32000 (raw 0x400dfa00000000000000)
st7 4.9919999999999999928945726423989981 (raw 0x40019fbe76c8b4395800)
fctrl 0x37f 895
fstat 0x20 32
ftag 0xffff 65535
fiseg 0x73 115
fioff 0xb7e9d326 -1209412826
foseg 0x7b 123
fooff 0xbfffc088 -1073758072
fop 0x55c 1372
xmm0 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm1 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm2 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm3 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm4 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm5 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm6 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm7 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
mxcsr 0x1f80 [ IM DM ZM OM UM PM ]
mm0 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0, 0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm1 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0, 0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm2 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0, 0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm3 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0, 0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm4 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0, 0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm5 {uint64 = 0x8000000000000000, v2_int32 = {0x0, 0x80000000}, v4_int16 = {0x0, 0x0, 0x0, 0x8000}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x80}}
mm6 {uint64 = 0xfa00000000000000, v2_int32 = {0x0, 0xfa000000}, v4_int16 = {0x0, 0x0, 0x0, 0xfa00}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfa}}
mm7 {uint64 = 0x9fbe76c8b4395800, v2_int32 = {0xb4395800, 0x9fbe76c8}, v4_int16 = {0x5800, 0xb439, 0x76c8, 0x9fbe}, v8_int8 = {0x0, 0x58, 0x39, 0xb4, 0xc8, 0x76, 0xbe, 0x9f}}

This bug was found as part of the SUPERB-TRUST 2008 project; see http://www.truststc.org/superb/

Please let me know if you need more information.
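The register dump and disassembly in the report pin the fault down: %ebx is 0 when `movzwl 0x8(%ebx),%eax` executes, so the 2-byte read goes through a NULL pointer that was just loaded from the trak structure (`mov 0x48(%ecx),%ebx`), which is exactly the "Address 0x8" Valgrind prints. The C program below is an added illustration of that failure pattern and of the check that prevents it; it is not MPlayer's code and was not written by the reporter or the project. Atom names and field order follow the ISO base media / QuickTime layout. That `stdata` points at the body of the first `stsd` entry and that offset 8 is the sound description's version field is inferred from the offsets in the disassembly and is an assumption here, as are all function names and the two constructed byte buffers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical track state: stdata is the body of the first sample
 * description entry (after its size + fourcc), or NULL if no 'stsd'
 * atom was found under the 'trak'. Not MPlayer's real structure. */
typedef struct {
    const uint8_t *stdata;
    size_t stdata_len;
} track_t;

/* Big-endian integer reads, the byte order MOV/MP4 fields use. */
static uint32_t be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
static unsigned be16(const uint8_t *p, size_t off) {
    return (unsigned)p[off] << 8 | p[off + 1];
}

/* Walk the atoms in buf[0..len) looking for 'stsd', descending into the
 * containers that lead to it. Every size field is checked against the
 * enclosing buffer so a corrupt length cannot move the cursor out of bounds. */
static void parse_trak(const uint8_t *buf, size_t len, track_t *trak) {
    size_t pos = 0;
    while (pos + 8 <= len) {
        uint32_t size = be32(buf + pos);
        const uint8_t *type = buf + pos + 4;
        if (size < 8 || size > len - pos) return;      /* malformed: stop */
        const uint8_t *body = buf + pos + 8;
        size_t blen = size - 8;
        if (!memcmp(type, "stsd", 4)) {
            /* body: version/flags(4) entry_count(4) then entries: size(4) fourcc(4) data */
            if (blen < 16) return;
            uint32_t count = be32(body + 4);
            uint32_t esize = be32(body + 8);
            if (count == 0 || esize < 8 || esize > blen - 8) return;
            trak->stdata = body + 16;
            trak->stdata_len = esize - 8;
            return;
        }
        if (!memcmp(type, "mdia", 4) || !memcmp(type, "minf", 4) ||
            !memcmp(type, "stbl", 4))
            parse_trak(body, blen, trak);
        pos += size;
    }
}

/* Unchecked reader, mirroring the crash: with stdata == NULL this reads
 * two bytes at NULL + 8, the "Address 0x8" Valgrind reported. */
static int sound_version_unchecked(const track_t *trak) {
    return (int)be16(trak->stdata, 8);
}

/* Hardened reader: reject a track that has no sample description and
 * bounds-check the entry before touching offset 8. Returns -1 on error. */
static int sound_version_checked(const track_t *trak) {
    if (trak->stdata == NULL || trak->stdata_len < 10) return -1;
    return (int)be16(trak->stdata, 8);
}

/* Constructed 'trak' payload: mdia > minf > stbl > stsd with one 'mp4a' entry. */
static const uint8_t TRAK_WITH_STSD[] = {
    0x00,0x00,0x00,0x44, 'm','d','i','a',
    0x00,0x00,0x00,0x3c, 'm','i','n','f',
    0x00,0x00,0x00,0x34, 's','t','b','l',
    0x00,0x00,0x00,0x2c, 's','t','s','d',
    0x00,0x00,0x00,0x00,                  /* version + flags */
    0x00,0x00,0x00,0x01,                  /* entry count */
    0x00,0x00,0x00,0x1c, 'm','p','4','a', /* entry size + fourcc */
    0,0,0,0,0,0,                          /* reserved */
    0x00,0x01,                            /* data reference index */
    0x00,0x01,                            /* version = 1 (the field at offset 8) */
    0x00,0x00,                            /* revision */
    0x00,0x00,0x00,0x00,                  /* vendor */
    0x00,0x02,                            /* channels */
    0x00,0x10,                            /* sample size */
};

/* Constructed 'trak' payload whose stbl carries only an empty 'stts': no stsd. */
static const uint8_t TRAK_NO_STSD[] = {
    0x00,0x00,0x00,0x28, 'm','d','i','a',
    0x00,0x00,0x00,0x20, 'm','i','n','f',
    0x00,0x00,0x00,0x18, 's','t','b','l',
    0x00,0x00,0x00,0x10, 's','t','t','s',
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
};

/* Parse a trak payload and return what the hardened reader sees. */
int probe_track(const uint8_t *buf, size_t len) {
    track_t trak = { NULL, 0 };
    parse_trak(buf, len, &trak);
    return sound_version_checked(&trak);
}

int main(void) {
    track_t good = { NULL, 0 };
    parse_trak(TRAK_WITH_STSD, sizeof TRAK_WITH_STSD, &good);
    printf("with stsd: unchecked=%d checked=%d\n",
           sound_version_unchecked(&good), sound_version_checked(&good));
    /* The unchecked reader is deliberately not called on the second buffer. */
    printf("without stsd: checked=%d (rejected)\n",
           probe_track(TRAK_NO_STSD, sizeof TRAK_NO_STSD));
    return 0;
}
```

The second buffer is the shape of input a fuzzer like the one used here produces: structurally valid atoms, one of them simply absent. The fix is not in the reader alone; the size checks in the walker matter just as much, since a corrupt atom length would otherwise turn the same code into an out-of-bounds read rather than a NULL dereference.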

Change History (2)

comment:1 by reimar, 16 years ago

Resolution: fixed
Status: new → closed

SVN r27194

comment:2 by reimar, 16 years ago

Cc: ethiodad@… added

* Bug 1126 has been marked as a duplicate of this bug. *
