Opened 11 years ago

Closed 11 years ago

#1126 closed defect (duplicate)

mplayer crashed using .m4a format

Reported by: ethiodad@… Owned by: reimar
Priority: normal Component: core
Version: HEAD Severity: normal
Keywords: Cc: catchconv-bugreports@…
Blocked By: Blocking:
Reproduced by developer: Analyzed by developer:

Description

Valgrind reported that MPlayer crashed while playing a fuzzed .m4a file. The .m4a file that crashed MPlayer is shown below

http://www.cs.berkeley.edu/~ethiodad/tile-4.m4a

Here is the Valgrind report:

==3771== Memcheck, a memory error detector.
==3771== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==3771== Using LibVEX rev 1854, a library for dynamic binary translation.
==3771== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==3771== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==3771== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==3771== For more details, rerun with: -v
==3771==
MPlayer dev-SVN-r27185-4.1.2 (C) 2000-2008 MPlayer Team
CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz (Family: 6, Model: 15, Stepping: 6)
CPUflags: MMX: 1 MMX2: 1 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 1
Compiled for x86 CPU with extensions: MMX MMX2 SSE SSE2

Playing tile-4.m4a.
libavformat file format detected.
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x862a5f0]Could not find codec parameters (Audio: 0x0000)
LAVF_header: av_find_stream_info() failed
ISO: File Type Major Brand: Apple iTunes AAC-LC Audio
Quicktime/MOV file format detected.
* constant samplesize & variable duration not yet supported! *
Contact the author if you have such sample file!
[mov] Audio stream found, -aid 0
==3771== Invalid read of size 2
==3771== Stack hash: 3090119355
==3771== at 0x8135F6D: gen_sh_audio (demux_mov.c:660)
==3771== by 0x813AC98: lschunks (demux_mov.c:1313)
==3771== by 0x813B6F5: mov_read_header (demux_mov.c:1927)
==3771== by 0x811BD8E: demux_open_stream (demuxer.c:864)
==3771== by 0x811C061: demux_open (demuxer.c:991)
==3771== by 0x807530E: main (mplayer.c:3238)
==3771== Address 0x8 is not stack'd, malloc'd or (recently) free'd

MPlayer interrupted by signal 11 in module: demux_open

  • MPlayer crashed by bad usage of CPU/FPU/RAM. Recompile MPlayer with --enable-debug and make a 'gdb' backtrace and disassembly. Details in DOCS/HTML/en/bugreports_what.html#bugreports_crash.
  • MPlayer crashed. This shouldn't happen. It can be a bug in the MPlayer code _or_ in your drivers _or_ in your gcc version. If you think it's MPlayer's fault, please read DOCS/HTML/en/bugreports.html and follow the instructions there. We can't and won't help unless you provide this information when reporting a possible bug.
==3771==

==3771== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 17 from 1)
==3771== malloc/free: in use at exit: 98,216 bytes in 2,181 blocks.
==3771== malloc/free: 2,321 allocs, 140 frees, 1,372,942 bytes allocated.
==3771== For counts of detected errors, rerun with: -v
==3771== searching for pointers to 2,181 not-freed blocks.
==3771== checked 2,810,128 bytes.
==3771==
==3771== LEAK SUMMARY:
==3771== definitely lost: 0 bytes in 0 blocks.
==3771== possibly lost: 0 bytes in 0 blocks.
==3771== still reachable: 98,216 bytes in 2,181 blocks.
==3771== suppressed: 0 bytes in 0 blocks.
==3771== Rerun with --leak-check=full to see details of leaked memory.

And I also provided the gdb report below.

Starting program: /home/user/mplayer/mplayer -v tile-4.m4a
Failed to read a valid object file image from memory.
[Thread debugging using libthread_db enabled]
[New Thread -1209932096 (LWP 3051)]
MPlayer dev-SVN-r27185-4.1.2 (C) 2000-2008 MPlayer Team
CPU: Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz (Family: 6, Model: 15, Stepping: 13)
CPUflags: MMX: 1 MMX2: 1 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 1
Compiled for x86 CPU with extensions: MMX MMX2 SSE SSE2
get_path('codecs.conf') -> '/home/user/.mplayer/codecs.conf'
Reading /home/user/.mplayer/codecs.conf: Can't open '/home/user/.mplayer/codecs.conf': No such file or directory
Reading /usr/local/etc/mplayer/codecs.conf: Can't open '/usr/local/etc/mplayer/codecs.conf': No such file or directory
Using built-in default codecs.conf.
Configuration: --enable-debug=3
CommandLine: '-v' 'tile-4.m4a'
get_path('font/font.desc') -> '/home/user/.mplayer/font/font.desc'
font: can't open file: /home/user/.mplayer/font/font.desc
font: can't open file: /usr/local/share/mplayer/font/font.desc
Using MMX (with tiny bit MMX2) Optimized OnScreenDisplay
Using nanosleep() timing
get_path('input.conf') -> '/home/user/.mplayer/input.conf'
Can't open input config file /home/user/.mplayer/input.conf: No such file or directory
Can't open input config file /usr/local/etc/mplayer/input.conf: No such file or directory
Falling back on default (hardcoded) input config
get_path('tile-4.m4a.conf') -> '/home/user/.mplayer/tile-4.m4a.conf'

Playing tile-4.m4a.
get_path('sub/') -> '/home/user/.mplayer/sub/'
[file] File size is 6016390 bytes
STREAM: [file] tile-4.m4a
STREAM: Description: File
STREAM: Author: Albeu
STREAM: Comment: based on the code from ??? (probably Arpi)
LAVF_check: QuickTime/MPEG-4/Motion JPEG 2000 format
libavformat file format detected.
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x862a5f0]Could not find codec parameters (Audio: 0x0000)
LAVF_header: av_find_stream_info() failed
Checking for YUV4MPEG2
ASF_check: not ASF guid!
Checking for NuppelVideo
Checking for REAL
Checking for SMJPEG
Checking for Nullsoft Streaming Video
Checking for MOV
ISO: File Type Major Brand: Apple iTunes AAC-LC Audio
ISO: File Type Minor Version: 0
ISO: File Type Compatible Brand #0: M4A
ISO: File Type Compatible Brand #1: mp42
ISO: File Type Compatible Brand #2: isom
ISO: File Type Compatible Brand #3:
MOV: Movie header found!
MOV: Movie DATA found!
Quicktime/MOV file format detected.
MOV: Movie header (100 bytes): tscale=44100 dur=16579584


MOV: Track #0:
MOV: Track header!
tkhd len=84 ver=0 flags=0x0 id=1 dur=16579584 lay=0 vol=256
MOV: Media stream!
MOV: Media header!
MOV: Handler header: /soun ()
MOV: unknown handler class: 0x0 ()
MOV: Media info!
MOV: Sound header!
MOV: unknown chunk: dinf 1564
MOV: unknown chunk: 105976
MOV track #0: 0 chunks, 0 samples
pts=16579584 scale=44100 time=375.954
* constant samplesize & variable duration not yet supported! *
Contact the author if you have such sample file!
==> Found audio stream: 0
[mov] Audio stream found, -aid 0

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1209932096 (LWP 3051)]
0x08135f6d in gen_sh_audio (sh=0x8978520, trak=0x8978438, timescale=<value optimized out>) at libmpdemux/demux_mov.c:660
660         version=char2short(trak->stdata,8);

This bug was found as part of the SUPERB-TRUST 2008 Research program.
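Added example, not MPlayer's own code: it reproduces the shape of the faulting read at demux_mov.c:660 (a 2-byte big-endian read at offset 8 of trak->stdata, which lands on address 0x8 when stdata is NULL, matching the Valgrind line above) and shows the presence-and-length check a guarded version needs. The track struct, the demo functions and the sample bytes are assumptions constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified stand-in for the per-'trak' state in demux_mov.c (assumed
 * shape, not MPlayer's mov_track_t). stdata holds the raw sample
 * description (stsd) payload once parsed; it stays NULL when the file
 * never supplied one, as the fuzzed "0 chunks, 0 samples" track did. */
typedef struct {
    unsigned char *stdata;
    size_t stdata_len;
} mov_track;

/* Big-endian 16-bit read, the operation char2short() performs at the
 * crash site. With buf == NULL and off == 8 it touches address 0x8. */
static unsigned int char2short(const unsigned char *buf, size_t off)
{
    return ((unsigned int)buf[off] << 8) | buf[off + 1];
}

/* Unguarded form of line 660: faults on a track without stsd data. */
unsigned int version_unchecked(const mov_track *trak)
{
    return char2short(trak->stdata, 8);
}

/* Guarded form: the version field occupies bytes 8..9, so the buffer
 * must exist and be at least 10 bytes long. Returns 0 on success,
 * -1 when the track must be rejected instead of dereferenced. */
int version_checked(const mov_track *trak, unsigned int *version)
{
    if (trak->stdata == NULL || trak->stdata_len < 10)
        return -1;
    *version = char2short(trak->stdata, 8);
    return 0;
}

/* Constructed 16-byte stsd-style entry whose version field is 0x0001. */
static const unsigned char sample_stsd[16] = {
    0x00,0x00,0x00,0x10, 'm','p','4','a', 0x00,0x01, 0x00,0x00,
    0x00,0x00,0x00,0x00
};

int demo_good(unsigned int *version)       /* well-formed track */
{
    mov_track t = { (unsigned char *)sample_stsd, sizeof sample_stsd };
    return version_checked(&t, version);
}

int demo_fuzzed(unsigned int *version)     /* what the crashing file yields */
{
    mov_track t = { NULL, 0 };
    return version_checked(&t, version);
}
```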

Change History (1)

comment:1 Changed 11 years ago by reimar

  • Resolution set to duplicate
  • Status changed from new to closed

These reports would be more helpful if you checked at least the gdb line numbers against other reports; there are few enough developers who will work on this even if it doesn't involve filtering out duplicates.

* This bug has been marked as a duplicate of bug 1125 *
