Opened 16 years ago

Last modified 16 years ago

#1129 new defect

InvalidRead

Reported by: nicholenae@…
Owned by: reimar
Priority: if idle
Component: ao
Version: HEAD
Severity: normal
Keywords:
Cc: catchconv-bugreports@…
Blocked By:
Blocking:
Reproduced by developer: no
Analyzed by developer: no

Description

I worked in the lab as part of SUPERB-TRUST 2008 on the security project and found these bugs in the file 17-mus2.mp3. The error is a crash. You can download the file from the following links and run the command below:

http://www.metafuzz.com/testcases/857469-17-1336058427-SyscallParam.tgz
857469-17-1336058427-SyscallParam.tgz
17-mus2.mp3

I have this version :

==21183== My PID = 21183, parent PID = 27019. Prog and args are:
==21183== mplayer
==21183== 17-mus2.mp3
==21183==
==21183== Invalid read of size 4
==21183== Stack hash: 880620957
==21183== at 0x81E7325: do_layer3 (layer3.c:1157)
==21183== by 0x8169144: demux_open_y4m (demux_y4m.c:192)
==21183== Address 0xbf000000 is not stack'd, malloc'd or (recently) free'd
==21183==
==21183== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 19 from 1)
==21183== malloc/free: in use at exit: 232,183 bytes in 2,203 blocks.
==21183== malloc/free: 2,662 allocs, 459 frees, 1,557,847 bytes allocated.
==21183== For counts of detected errors, rerun with: -v
==21183== searching for pointers to 2,203 not-freed blocks.
==21183== checked 2,953,044 bytes.
==21183==
==21183== LEAK SUMMARY:
==21183== definitely lost: 0 bytes in 0 blocks.
==21183== possibly lost: 0 bytes in 0 blocks.
==21183== still reachable: 232,183 bytes in 2,203 blocks.
==21183== suppressed: 0 bytes in 0 blocks.

MPlayer interrupted by signal 11 in module: decode_audio

  • MPlayer crashed by bad usage of CPU/FPU/RAM. Recompile MPlayer with --enable-debug and make a 'gdb' backtrace and disassembly. Details in DOCS/HTML/en/bugreports_what.html#bugreports_crash.
  • MPlayer crashed. This shouldn't happen. It can be a bug in the MPlayer code _or_ in your drivers _or_ in your gcc version. If you think it's MPlayer's fault, please read DOCS/HTML/en/bugreports.html and follow the instructions there. We can't and won't help unless you provide this information when reporting a possible bug

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1209677600 (LWP 22060)]
0x081e7325 in do_layer3 (fr=0x87126a0, single=-1) at mp3lib/layer3.c:1157
1157 register real bu = *--xr2,bd = *xr1;

Change History (3)

comment:1 by nicholenae@…, 16 years ago

(In reply to comment #0)

I worked in the lab as part of SUPERB-TRUST 2008 on the security project
and found these bugs in the file 17-mus2.mp3. The error is a crash. You can
download the file from the following links and run the command below:

http://www.metafuzz.com/testcases/857469-17-1336058427-SyscallParam.tgz
857469-17-1336058427-SyscallParam.tgz
17-mus2.mp3

I have this version :

MPlayer dev-SVN-r27185-4.1.2 (C) 2000-2008 MPlayer Team

CPU: Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz (Family: 6, Model: 15, Stepping: 13)
CPUflags: MMX: 1 MMX2: 1 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 1
Compiled for x86 CPU with extensions: MMX MMX2 SSE SSE2

==21183== My PID = 21183, parent PID = 27019. Prog and args are:
==21183== mplayer
==21183== 17-mus2.mp3
==21183==
==21183== Invalid read of size 4
==21183== Stack hash: 880620957
==21183== at 0x81E7325: do_layer3 (layer3.c:1157)
==21183== by 0x8169144: demux_open_y4m (demux_y4m.c:192)
==21183== Address 0xbf000000 is not stack'd, malloc'd or (recently) free'd
==21183==
==21183== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 19 from 1)
==21183== malloc/free: in use at exit: 232,183 bytes in 2,203 blocks.
==21183== malloc/free: 2,662 allocs, 459 frees, 1,557,847 bytes allocated.
==21183== For counts of detected errors, rerun with: -v
==21183== searching for pointers to 2,203 not-freed blocks.
==21183== checked 2,953,044 bytes.
==21183==
==21183== LEAK SUMMARY:
==21183== definitely lost: 0 bytes in 0 blocks.
==21183== possibly lost: 0 bytes in 0 blocks.
==21183== still reachable: 232,183 bytes in 2,203 blocks.
==21183== suppressed: 0 bytes in 0 blocks.

MPlayer interrupted by signal 11 in module: decode_audio

  • MPlayer crashed by bad usage of CPU/FPU/RAM. Recompile MPlayer with --enable-debug and make a 'gdb' backtrace and disassembly. Details in DOCS/HTML/en/bugreports_what.html#bugreports_crash.
  • MPlayer crashed. This shouldn't happen. It can be a bug in the MPlayer code _or_ in your drivers _or_ in your gcc version. If you think it's MPlayer's fault, please read DOCS/HTML/en/bugreports.html and follow the instructions there. We can't and won't help unless you provide this information when reporting a possible bug

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1209677600 (LWP 22060)]
0x081e7325 in do_layer3 (fr=0x87126a0, single=-1) at mp3lib/layer3.c:1157
1157 register real bu = *--xr2,bd = *xr1;

comment:2 by nicholenae@…, 16 years ago

I tried the same input file with version MPlayer dev-SVN-r27249-4.1.2; it still
crashes. Here is the gdb output:

(gdb) run -v 17-mus2.mp3
Starting program: /usr/local/bin/mplayer -v 17-mus2.mp3
Failed to read a valid object file image from memory.
[Thread debugging using libthread_db enabled]
[New Thread -1209796384 (LWP 13620)]
MPlayer dev-SVN-r27249-4.1.2 (C) 2000-2008 MPlayer Team
CPU: Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz (Family: 6, Model: 15, Stepping: 13)
CPUflags: MMX: 1 MMX2: 1 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 1
Compiled for x86 CPU with extensions: MMX MMX2 SSE SSE2
get_path('codecs.conf') -> '/home/user/.mplayer/codecs.conf'
Reading /home/user/.mplayer/codecs.conf: Can't open '/home/user/.mplayer/codecs.conf': No such file or directory
Reading /usr/local/etc/mplayer/codecs.conf: Can't open '/usr/local/etc/mplayer/codecs.conf': No such file or directory
Using built-in default codecs.conf.
Configuration: --enable-debug=3
CommandLine: '-v' '17-mus2.mp3'
get_path('font/font.desc') -> '/home/user/.mplayer/font/font.desc'
font: can't open file: /home/user/.mplayer/font/font.desc
font: can't open file: /usr/local/share/mplayer/font/font.desc
Using MMX (with tiny bit MMX2) Optimized OnScreenDisplay
Using nanosleep() timing
get_path('input.conf') -> '/home/user/.mplayer/input.conf'
Can't open input config file /home/user/.mplayer/input.conf: No such file or directory
Can't open input config file /usr/local/etc/mplayer/input.conf: No such file or directory
Falling back on default (hardcoded) input config
get_path('17-mus2.mp3.conf') -> '/home/user/.mplayer/17-mus2.mp3.conf'

Playing 17-mus2.mp3.
get_path('sub/') -> '/home/user/.mplayer/sub/'
[file] File size is 3737600 bytes
STREAM: [file] 17-mus2.mp3
STREAM: Description: File
STREAM: Author: Albeu
STREAM: Comment: based on the code from ??? (probably Arpi)
LAVF_check: MPEG audio
Checking for YUV4MPEG2
ASF_check: not ASF guid!
Checking for NuppelVideo
Checking for REAL
Checking for SMJPEG
Searching demuxer type for filename 17-mus2.mp3 ext: .mp3
Trying demuxer 17 based on filename extension
==> Found audio stream: 0
demux_audio: seeking from 0x390800 to start pos 0xCC0
demux_audio: audio data 0xCC0 - 0x390780
Audio file file format detected.
Clip info:

Title: Micro M�tro
Artist: Dj PomX 6514 Oiki
Album:
Year: 2018
Comment: duplate
Genre: Drum & Bass

==========================================================================
Opening audio decoder: [mp3lib] MPEG layer-2, layer-3
dec_audio: Allocating 4608 + 65536 = 70144 bytes for output buffer.
mp3lib: using SSE optimized decore!
MP3lib: init layer2&3 finished, tables done
mpg123: Can't rewind stream by 272 bits!
MPEG 1.0, Layer III, 32000 Hz 192 kbit Joint-Stereo, BPF: 864
Channels: 2, copyright: No, original: No, CRC: Yes, emphasis: 0
AUDIO: 32000 Hz, 2 ch, s16le, 192.0 kbit/18.75% (ratio: 24000->128000)
Selected audio codec: [mp3] afm: mp3lib (mp3lib MPEG layer-2, layer-3)
==========================================================================
Building audio filter chain for 32000Hz/2ch/s16le -> 0Hz/0ch/??...
[libaf] Adding filter dummy
[dummy] Was reinitialized: 32000Hz/2ch/s16le
[dummy] Was reinitialized: 32000Hz/2ch/s16le
Trying every known audio driver...
ao2: 32000 Hz 2 chans s16le
audio_setup: using '/dev/dsp' dsp device
audio_setup: using '/dev/mixer' mixer device
audio_setup: using 'pcm' mixer device
audio_setup: sample format: s16le (requested: s16le)
audio_setup: using 2 channels (requested: 2)
audio_setup: using 32000 Hz samplerate (requested: 32000)
audio_setup: frags: 8/8 (8192 bytes/frag) free: 65536
AO: [oss] 32000Hz 2ch s16le (2 bytes per sample)
AO: Description: OSS/ioctl audio output
AO: Author: A'rpi
Building audio filter chain for 32000Hz/2ch/s16le -> 32000Hz/2ch/s16le...
[dummy] Was reinitialized: 32000Hz/2ch/s16le
[dummy] Was reinitialized: 32000Hz/2ch/s16le
Video: no video
Freeing 0 unused video chunks.
Starting playback...
mpg123: Can't rewind stream by 13 bits!
mpg123: Can't rewind stream by 29 bits!
mpg123: Can't rewind stream by 44 bits!
mpg123: Can't rewind stream by 63 bits!
mpg123: Can't rewind stream by 22 bits!
mpg123: Can't rewind stream by 10 bits!
mpg123: Can't rewind stream by 175 bits!
mpg123: Can't rewind stream by 27 bits!
mpg123: Can't rewind stream by 33 bits!
mpg123: Can't rewind stream by 70 bits!
mpg123: Can't rewind stream by 97 bits!
mpg123: Can't rewind stream by 59 bits!
mpg123: Can't rewind stream by 79 bits!
Increasing filtered audio buffer size from 0 to 65536
mpg123: Can't rewind stream by 292 bits!
mpg123: Can't rewind stream by 38 bits!
mpg123: Can't rewind stream by 33 bits!%
mpg123: Can't rewind stream by 76 bits!
mpg123: Can't rewind stream by 42 bits!
mpg123: Can't rewind stream by 69 bits!
mpg123: Can't rewind stream by 11 bits!
mpg123: Can't rewind stream by 30 bits!
big_values too large!
mpg123: Can't rewind stream by 26 bits!
mpg123: Can't rewind stream by 49 bits!
mpg123: Can't rewind stream by 100 bits!
mpg123: Can't rewind stream by 2 bits!6%
mpg123: Can't rewind stream by 25 bits!%
mpg123: Can't rewind stream by 86 bits!
mpg123: Can't rewind stream by 81 bits!
mpg123: Can't rewind stream by 14 bits!
mpg123: Can't rewind stream by 27 bits!
mpg123: Can't rewind stream by 146 bits!
mpg123: Can't rewind stream by 24 bits!%
mpg123: Can't rewind stream by 100 bits!
mpg123: Can't rewind stream by 98 bits!%
big_values too large!5.0 (02:35.0) 0.5%
big_values too large!
mpg123: Can't rewind stream by 1143 bits!
big_values too large!
mpg123: Can't rewind stream by 282 bits!
mpg123: Can't rewind stream by 16 bits!%
mpg123: Can't rewind stream by 47 bits!%
mpg123: Can't rewind stream by 42 bits!%
mpg123: Can't rewind stream by 21 bits!%
mpg123: Can't rewind stream by 1 bits!5%
mpg123: Can't rewind stream by 44 bits!
mpg123: Can't rewind stream by 25 bits!
mpg123: Can't rewind stream by 7 bits!5%
mpg123: Can't rewind stream by 53 bits!
big_values too large!5.0 (02:35.0) 0.5%

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1209796384 (LWP 13620)]
0x081e7313 in do_layer3 (fr=0x871c7c0, single=-1)
    at mp3lib/layer3.c:1157
1157 register real bu = *--xr2,bd = *xr1;
(gdb) bt
#0 0x081e7313 in do_layer3 (fr=0x871c7c0, single=-1)
    at mp3lib/layer3.c:1157
#1 0x08169136 in demux_open_y4m (demuxer=0x0)
    at libmpdemux/demux_y4m.c:190
Previous frame inner to this frame (corrupt stack?)
(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x81e72f3 to 0x81e7333:
0x081e72f3 <do_layer3+2307>: je 0x81e7606 <do_layer3+3094>
0x081e72f9 <do_layer3+2313>: mov 0xffffd8d8(%ebp),%ebx
0x081e72ff <do_layer3+2319>: mov %eax,%esi
0x081e7301 <do_layer3+2321>: mov %ebx,%ecx
0x081e7303 <do_layer3+2323>: mov %ebx,%edx
0x081e7305 <do_layer3+2325>: xor %eax,%eax
0x081e7307 <do_layer3+2327>: mov %esi,%esi
0x081e7309 <do_layer3+2329>: lea 0x0(%edi),%edi
0x081e7310 <do_layer3+2336>: sub $0x4,%edx
0x081e7313 <do_layer3+2339>: flds (%edx)
0x081e7315 <do_layer3+2341>: flds (%ecx)
0x081e7317 <do_layer3+2343>: flds 0x8726380(,%eax,4)
0x081e731e <do_layer3+2350>: fmul %st(2),%st
0x081e7320 <do_layer3+2352>: flds 0x8726360(,%eax,4)
0x081e7327 <do_layer3+2359>: fmul %st(2),%st
0x081e7329 <do_layer3+2361>: fsubrp %st,%st(1)
0x081e732b <do_layer3+2363>: fstps (%edx)
0x081e732d <do_layer3+2365>: fmuls 0x8726380(,%eax,4)
End of assembler dump.
(gdb) info all-registers
eax 0x0 0
ecx 0xbfcf2010 -1076944880
edx 0xbfcf200c -1076944884
ebx 0xbfcf2010 -1076944880
esp 0xbfceadf0 0xbfceadf0
ebp 0xbfced608 0xbfced608
esi 0xb1b503a1 -1313537119
edi 0x0 0
eip 0x81e7313 0x81e7313 <do_layer3+2339>
eflags 0x10296 [ PF AF SF IF RF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
st0 -nan(0xffba0075ffba0075) (raw 0xffffffba0075ffba0075)
st1 -nan(0x46ff8b0046ff8b) (raw 0xffff0046ff8b0046ff8b)
st2 -nan(0xfffff5ee00004b8a) (raw 0xfffffffff5ee00004b8a)
st3 -nan(0x90a28ffe9e8fc) (raw 0xffff00090a28ffe9e8fc)
st4 -0 (raw 0x80000000000000000000)
st5 0 (raw 0x00000000000000000000)
st6 -0 (raw 0x80000000000000000000)
st7 0 (raw 0x00000000000000000000)
fctrl 0x37f 895
fstat 0x4033 16435
ftag 0xffff 65535
fiseg 0x73 115
fioff 0x81e7340 136213312
foseg 0x7b 123
fooff 0xbfcf1fe4 -1076944924
fop 0x119 281
xmm0 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm1 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm2 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm3 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm4 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm5 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm6 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm7 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
mxcsr 0x1f80 [ IM DM ZM OM UM PM ]
mm0 {uint64 = 0xffba0075ffba0075, v2_int32 = {0xffba0075, 0xffba0075}, v4_int16 = {0x75, 0xffba, 0x75, 0xffba}, v8_int8 = {0x75, 0x0, 0xba, 0xff, 0x75, 0x0, 0xba, 0xff}}
mm1 {uint64 = 0x46ff8b0046ff8b, v2_int32 = {0x46ff8b, 0x46ff8b}, v4_int16 = {0xff8b, 0x46, 0xff8b, 0x46}, v8_int8 = {0x8b, 0xff, 0x46, 0x0, 0x8b, 0xff, 0x46, 0x0}}
mm2 {uint64 = 0xfffff5ee00004b8a, v2_int32 = {0x4b8a, 0xfffff5ee}, v4_int16 = {0x4b8a, 0x0, 0xf5ee, 0xffff}, v8_int8 = {0x8a, 0x4b, 0x0, 0x0, 0xee, 0xf5, 0xff, 0xff}}
mm3 {uint64 = 0x90a28ffe9e8fc, v2_int32 = {0xffe9e8fc, 0x90a28}, v4_int16 = {0xe8fc, 0xffe9, 0xa28, 0x9}, v8_int8 = {0xfc, 0xe8, 0xe9, 0xff, 0x28, 0xa, 0x9, 0x0}}
mm4 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0, 0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm5 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0, 0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm6 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0, 0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm7 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0, 0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
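
Reports like the two above arrive in bulk from a fuzzing campaign, and the first job is to bucket and rank them before anyone reads the pointer arithmetic in do_layer3. The following Python script is an added example, not MPlayer, metafuzz or catchconv code: it parses the valgrind block from the description and the gdb backtrace from comment 2 (both embedded below as constructed samples copied from this ticket, with the wrapped gdb lines joined), extracts the access kind, faulting address, innermost frame and stack hash, puts both reports in the same bucket, and assigns a coarse severity. The dataclass fields, the address classes and the severity levels are assumptions of the example, not anything the ticket or valgrind defines.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the valgrind lines quoted in this ticket, minus the leak summary.
VALGRIND_SAMPLE = """\
==21183== Invalid read of size 4
==21183== Stack hash: 880620957
==21183== at 0x81E7325: do_layer3 (layer3.c:1157)
==21183== by 0x8169144: demux_open_y4m (demux_y4m.c:192)
==21183== Address 0xbf000000 is not stack'd, malloc'd or (recently) free'd
==21183==
==21183== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 19 from 1)
"""

# Constructed sample: the gdb backtrace from comment 2, each frame joined onto one line.
GDB_SAMPLE = """\
Program received signal SIGSEGV, Segmentation fault.
#0 0x081e7313 in do_layer3 (fr=0x871c7c0, single=-1) at mp3lib/layer3.c:1157
#1 0x08169136 in demux_open_y4m (demuxer=0x0) at libmpdemux/demux_y4m.c:190
Previous frame inner to this frame (corrupt stack?)
"""

_VG_PREFIX = re.compile(r"^==\d+==\s*")
_VG_ACCESS = re.compile(r"Invalid (read|write) of size (\d+)")
_VG_HASH = re.compile(r"Stack hash: (\d+)")
_VG_FRAME = re.compile(r"(?:at|by) 0x([0-9A-Fa-f]+): (\S+) \((.*?)\)")
_VG_ADDR = re.compile(r"Address 0x([0-9A-Fa-f]+) is (.*)")
_VG_ERRORS = re.compile(r"ERROR SUMMARY: (\d+) errors")
_GDB_SIGNAL = re.compile(r"Program received signal (\w+)")
_GDB_FRAME = re.compile(r"#(\d+)\s+0x([0-9A-Fa-f]+) in (\S+) \(.*\) at (\S+)")


@dataclass
class Frame:
    addr: int
    func: str
    loc: str            # file:line as printed by the tool


@dataclass
class CrashSummary:
    kind: str                       # "read", "write" or a signal name such as "SIGSEGV"
    size: int = 0                   # access width in bytes (valgrind only)
    address: Optional[int] = None   # faulting address (valgrind only)
    address_class: str = "unknown"  # assumed classes: wild, freed, heap, stack, unknown
    stack_hash: Optional[int] = None
    errors: int = 0
    frames: List[Frame] = field(default_factory=list)
    corrupt_stack: bool = False     # gdb complained that the frame chain is inconsistent


def classify_address(description: str) -> str:
    """Map valgrind's English description of the faulting address to an assumed class."""
    d = description.lower()
    if "not stack'd, malloc'd" in d:
        return "wild"       # valgrind knows nothing about it: unmapped or garbage pointer
    if "free'd" in d:
        return "freed"      # use-after-free
    if "block of size" in d or "bytes after" in d or "bytes before" in d:
        return "heap"       # heap overflow or underflow relative to a live block
    if "stack" in d:
        return "stack"
    return "unknown"


def parse_valgrind(text: str) -> CrashSummary:
    """Extract kind, width, address, frames and error count from a valgrind memcheck block."""
    summary = CrashSummary(kind="unknown")
    for raw in text.splitlines():
        line = _VG_PREFIX.sub("", raw).strip()
        if m := _VG_ACCESS.search(line):
            summary.kind, summary.size = m.group(1), int(m.group(2))
        elif m := _VG_HASH.search(line):
            summary.stack_hash = int(m.group(1))
        elif m := _VG_FRAME.search(line):
            summary.frames.append(Frame(int(m.group(1), 16), m.group(2), m.group(3)))
        elif m := _VG_ADDR.search(line):
            summary.address = int(m.group(1), 16)
            summary.address_class = classify_address(m.group(2))
        elif m := _VG_ERRORS.search(line):
            summary.errors = int(m.group(1))
    return summary


def parse_gdb(text: str) -> CrashSummary:
    """Extract the signal and the 'bt' frames from a gdb session transcript."""
    summary = CrashSummary(kind="unknown")
    for line in text.splitlines():
        if m := _GDB_SIGNAL.search(line):
            summary.kind = m.group(1)
        elif m := _GDB_FRAME.search(line):
            summary.frames.append(Frame(int(m.group(2), 16), m.group(3), m.group(4)))
        elif "corrupt stack?" in line:
            summary.corrupt_stack = True
    return summary


def dedupe_key(s: CrashSummary) -> str:
    """Bucket key for grouping reports from different tools: innermost function and file:line."""
    top = s.frames[0] if s.frames else Frame(0, "?", "?")
    loc = top.loc.rsplit("/", 1)[-1]   # 'mp3lib/layer3.c:1157' and 'layer3.c:1157' bucket together
    return f"{top.func}@{loc}"


def severity(s: CrashSummary) -> str:
    """Coarse assumed ranking: invalid writes outrank reads; a wild read is a crash, nothing more yet."""
    if s.kind == "write":
        return "high"
    if s.kind == "read" and s.address_class in ("heap", "freed"):
        return "medium"   # heap-relative read: possible information leak, needs a closer look
    return "low"          # wild-pointer read or bare SIGSEGV: denial of service until shown otherwise


if __name__ == "__main__":
    for report in (parse_valgrind(VALGRIND_SAMPLE), parse_gdb(GDB_SAMPLE)):
        print(dedupe_key(report), severity(report), report)
```

Both reports land in the bucket `do_layer3@layer3.c:1157`, which is the signal a triager wants: two tool outputs from two builds are one bug, not two. The gdb "corrupt stack?" flag and the valgrind "wild" class are kept as separate fields rather than folded into the severity, because they say different things (the backtrace may be unreliable; the pointer points at nothing valgrind tracks), and each is worth reading on its own when the bucket is finally opened.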

comment:3 by reimar, 16 years ago

Priority: important → if idle

In mp3lib (imported library) -> reduce priority.
I will mention this only once: I'd like to see all these reports fixed, but there are too many and too few working on them, so I will move all invalid reads and memleaks in imported libs to lowest priority (since they are difficult to fix for me, there is often an alternative in FFmpeg and upstream might fix them).
