Opened 16 years ago

Closed 16 years ago

#1128 closed defect (duplicate)

Conditional jump

Reported by: nicholenae@… Owned by: reimar
Priority: normal Component: ao
Version: HEAD Severity: normal
Keywords: Cc: catchconv-bugreports@…
Blocked By: Blocking:
Reproduced by developer: no Analyzed by developer: no

Description

I worked in the lab as part of the SUPERB-TRUST 2008 security project and found these bugs in the file 20-mus2.mp3. The errors are: Conditional jump or move depends on uninitialised value. You can download the file with the following links and run the command below:

wget http://www.cs.berkeley.edu/~nalvarez/20-mus2.mp3
wget http://www.metafuzz.com/testcases/857469-20-2288620779-UninitValue.tgz
tar xzfv 857469-20-2288620779-UninitValue.tgz
valgrind mplayer 20-mus2.mp3

I have this version :

MPlayer dev-SVN-r27139-4.1.2 (C) 2000-2008 MPlayer Team
CPU: Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz (Family: 6, Model: 15, Stepping: 13)
CPUflags: MMX: 1 MMX2: 1 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 1
Compiled for x86 CPU with extensions: MMX MMX2 SSE SSE2

==19194==
==19194== ERROR SUMMARY: 14 errors from 9 contexts (suppressed: 19 from 1)
==19194== malloc/free: in use at exit: 52,428 bytes in 29 blocks.
==19194== malloc/free: 19,253 allocs, 19,224 frees, 12,805,418 bytes allocated.
==19194== For counts of detected errors, rerun with: -v
==19194== searching for pointers to 29 not-freed blocks.
==19194== checked 2,762,672 bytes.
==19194==
==19194== LEAK SUMMARY:
==19194== definitely lost: 0 bytes in 0 blocks.
==19194== possibly lost: 0 bytes in 0 blocks.
==19194== still reachable: 52,428 bytes in 29 blocks.
==19194== suppressed: 0 bytes in 0 blocks.

==19370== Memcheck, a memory error detector.
==19370== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==19370== Using LibVEX rev 1854, a library for dynamic binary translation.
==19370== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==19370== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==19370== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==19370== For more details, rerun with: -v
==19370==
==19370== My PID = 19370, parent PID = 27019. Prog and args are:
==19370== mplayer
==19370== 20-mus2.mp3
==19370==
==19370== Use of uninitialised value of size 4
==19370== Stack hash: 306191668
==19370== at 0x40A8A37: (within /lib/tls/i686/cmov/libc-2.3.6.so)
==19370==
==19370== Conditional jump or move depends on uninitialised value(s)
==19370== Stack hash: 3485767050
==19370== at 0x40A8A65: (within /lib/tls/i686/cmov/libc-2.3.6.so)
==19370==
==19370== Conditional jump or move depends on uninitialised value(s)
==19370== Stack hash: 3174169343
==19370== at 0x40A8A6E: (within /lib/tls/i686/cmov/libc-2.3.6.so)
==19370==
==19370== Conditional jump or move depends on uninitialised value(s)
==19370== Stack hash: 2550973929
==19370== at 0x40A8A80: (within /lib/tls/i686/cmov/libc-2.3.6.so)
==19370==
==19370== Conditional jump or move depends on uninitialised value(s)
==19370== Stack hash: 3567166085
==19370== at 0x40A8A8C: (within /lib/tls/i686/cmov/libc-2.3.6.so)
==19370==

I uploaded this mp3 file to metafuzz.com in a Debian VM using the psi-cluster command. After sending it to metafuzz, I tested the file using the valgrind command and these bugs were found.
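The Valgrind messages quoted above, as an added illustration that is not MPlayer's code and not taken from the ticket's test file: a minimal C model of the bug class being reported. A header parser copies "whatever bytes are available" into a stack struct and then branches on fields that were never written when the input is truncated or fuzzed, which is exactly what produces "Conditional jump or move depends on uninitialised value(s)". The hardened form beside it checks the length before reading and zero-initialises the struct. The struct, its field names and the sample byte strings are hypothetical and constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical 4-byte frame header; field names are illustrative only. */
struct frame_hdr {
    uint8_t  sync;           /* expected 0xFF */
    uint8_t  layer;
    uint16_t bitrate_index;  /* host-endian copy of bytes 2..3 */
};
#define HDR_LEN 4

/* Buggy parser: copies what is there, then branches on fields that were never
 * written when len < HDR_LEN. On a truncated input Valgrind reports
 * "Conditional jump or move depends on uninitialised value(s)" at the
 * bitrate_index test. Build with -O0 -g so the read is not optimised away. */
int parse_frame_buggy(const uint8_t *buf, size_t len)
{
    struct frame_hdr h;                              /* deliberately not zeroed */
    memcpy(&h, buf, len < HDR_LEN ? len : HDR_LEN);
    if (h.sync != 0xFF)
        return -1;                                   /* bad sync byte */
    if (h.bitrate_index == 0)                        /* uninitialised if len < 4 */
        return -2;                                   /* free-format, unsupported */
    return h.layer;
}

/* Hardened parser: reject short input before touching the bytes, and zero the
 * struct so every field has a defined value even if the parser grows later. */
int parse_frame_fixed(const uint8_t *buf, size_t len)
{
    struct frame_hdr h = {0};
    if (len < HDR_LEN)
        return -3;                                   /* truncated header */
    memcpy(&h, buf, HDR_LEN);
    if (h.sync != 0xFF)
        return -1;
    if (h.bitrate_index == 0)
        return -2;
    return h.layer;
}

/* Constructed inputs: a complete header and a truncated one such as a fuzzer
 * or a cut-off download might produce. Not derived from the ticket's file. */
static const uint8_t full_hdr[HDR_LEN] = {0xFF, 0xFB, 0x90, 0x00};
static const uint8_t short_hdr[2]      = {0xFF, 0xFB};

int main(void)
{
    printf("fixed, full : %d\n", parse_frame_fixed(full_hdr, sizeof full_hdr));
    printf("fixed, short: %d\n", parse_frame_fixed(short_hdr, sizeof short_hdr));
    printf("buggy, full : %d\n", parse_frame_buggy(full_hdr, sizeof full_hdr));
    /* The reproducer: run the binary under `valgrind ./a.out` to see the
     * uninitialised-value report. The return value here is undefined. */
    printf("buggy, short: %d\n", parse_frame_buggy(short_hdr, sizeof short_hdr));
    return 0;
}
```

Two practitioner notes. First, Valgrind reports the use site, not the origin: the ticket's stack frames point into libc because that is where the branch executed, not where the uninitialised data came from; Valgrind 3.4.0 and later accept --track-origins=yes to name the allocation or stack frame the value originated in, which the 3.3.1 used here did not have. Second, a Memcheck report like this one is only a symptom; whether it is exploitable depends on what the branch controls, which is why the triage step is to find the unchecked length or missing initialisation, as in parse_frame_fixed, rather than to suppress the warning.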

Change History (1)

comment:1 by reimar, 16 years ago

Resolution: duplicate
Status: new → closed

* This bug has been marked as a duplicate of bug 1119 *
