Opened 12 years ago

Closed 12 years ago

Last modified 12 years ago

#1133 closed defect (fixed)

Invalid Read of size 4

Reported by: ethiodad@… Owned by: reimar
Priority: normal Component: core
Version: HEAD Severity: normal
Keywords: Cc: dmolnar@…, catchconv-bugreports@…
Blocked By: Blocking:
Reproduced by developer: Analyzed by developer:

Description

Here's a .wma file where Valgrind reports an invalid read of 4 bytes.

http://www.cs.berkeley.edu/~ethiodad/tamriyalesh-2.wma

I confirmed that this bug is present in mplayer SVN-r27240. Valgrind report is shown below.

==16281== Memcheck, a memory error detector.
==16281== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==16281== Using LibVEX rev 1854, a library for dynamic binary translation.
==16281== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks? LLP.
==16281== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==16281== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==16281== For more details, rerun with: -v
==16281==
MPlayer dev-SVN-r27240-4.1.2 (C) 2000-2008 MPlayer Team
CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz (Family: 6, Model: 15, Stepping: 6)
CPUflags: MMX: 1 MMX2: 1 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 1
Compiled for x86 CPU with extensions: MMX MMX2 SSE SSE2

Playing tamriyalesh-2.wma.1.
ASF file format detected.
[asfheader] Audio stream found, -aid 1
==16281== Invalid read of size 4
==16281== Stack hash: 3729392900
==16281== at 0x81161DF: read_asf_header (asfheader.c:608)
==16281== by 0x8121967: demux_open_asf (demux_asf.c:621)
==16281== by 0x811E22F: demux_open_stream (demuxer.c:811)
==16281== by 0x811E621: demux_open (demuxer.c:991)
==16281== by 0x807790E: main (mplayer.c:3238)
==16281== Address 0x42f4611 is 0 bytes after a block of size 5,409 alloc'd
==16281== Stack hash: 1289225747
==16281== at 0x401D898: malloc (vg_replace_malloc.c:207)
==16281== by 0x8114DE6: read_asf_header (asfheader.c:383)
==16281== by 0x8121967: demux_open_asf (demux_asf.c:621)
==16281== by 0x811E22F: demux_open_stream (demuxer.c:811)
==16281== by 0x811E621: demux_open (demuxer.c:991)
==16281== by 0x807790E: main (mplayer.c:3238)
Invalid length in ASF header!
libavformat file format detected.
Seek failed
LAVF_header: av_open_input_stream() failed

Exiting... (End of file)
==16281==
==16281== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 19 from 1)
==16281== malloc/free: in use at exit: 38,876 bytes in 12 blocks.
==16281== malloc/free: 2,405 allocs, 2,393 frees, 1,502,770 bytes allocated.
==16281== For counts of detected errors, rerun with: -v
==16281== searching for pointers to 12 not-freed blocks.
==16281== checked 2,763,444 bytes.
==16281==
==16281== LEAK SUMMARY:
==16281== definitely lost: 5,976 bytes in 1 blocks.
==16281== possibly lost: 0 bytes in 0 blocks.
==16281== still reachable: 32,900 bytes in 11 blocks.
==16281== suppressed: 0 bytes in 0 blocks.
==16281== Rerun with --leak-check=full to see details of leaked memory.

This bug was found doing a research for SUPERB-TRUST 2008.

Change History (3)

comment:1 Changed 12 years ago by reimar

  • Resolution set to fixed
  • Status changed from new to closed

Not particularly relevant, but the code was quite stupid and over-complicated, so fixed in SVN r27243

comment:2 Changed 12 years ago by daw-bugzilla@…

  • Cc catchconv-bugreports@… added

comment:3 Changed 12 years ago by ethiodad@…

(In reply to comment #1)

Not particularly relevant, but the code was quite stupid and over-complicated,
so fixed in SVN r27243

Thank You for replying. But I checked the file in the latest version of mplayer SVN r27249 and it seems that valgrind catched so many bugs with the same .mp3 file. And here is the report that I got from Valgrind.

user@debian:~/mplayer/valgrind-3.3.1-stackhash$ valgrind mplayer tamriyalesh-2.wma.1
==1409== Memcheck, a memory error detector.
==1409== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==1409== Using LibVEX rev 1854, a library for dynamic binary translation.
==1409== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks? LLP.
==1409== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==1409== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==1409== For more details, rerun with: -v
==1409==
MPlayer dev-SVN-r27249-4.1.2 (C) 2000-2008 MPlayer Team
CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz (Family: 6, Model: 15, Stepping: 6)
CPUflags: MMX: 1 MMX2: 1 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 1
Compiled for x86 CPU with extensions: MMX MMX2 SSE SSE2

Playing tamriyalesh-2.wma.1.
ASF file format detected.
[asfheader] Audio stream found, -aid 1
==========================================================================
Opening audio decoder: [imaadpcm] IMA ADPCM audio decoder
AUDIO: 44100 Hz, 2 ch, s16le, 176.6 kbit/12.52% (ratio: 22079->176400)
Selected audio codec: [dk4adpcm] afm: imaadpcm (Duck DK4 ADPCM (rogue format number))
==========================================================================
AO: [oss] 44100Hz 2ch s16le (2 bytes per sample)
Video: no video
Starting playback...
==1409== Use of uninitialised value of size 4
==1409== Stack hash: 4202424218
==1409== at 0x80D9827: decode_nibbles (ad_imaadpcm.c:139)
==1409== by 0x80D9B5B: dk4_ima_adpcm_decode_block (ad_imaadpcm.c:303)
==1409== by 0x80D9BFF: decode_audio (ad_imaadpcm.c:325)
==1409== by 0x80DAA74: decode_audio (dec_audio.c:383)
==1409== by 0x80784E9: main (mplayer.c:2044)
==1409==
==1409== Use of uninitialised value of size 4
==1409== Stack hash: 4228662472
==1409== at 0x80D9835: decode_nibbles (ad_imaadpcm.c:140)
==1409== by 0x80D9B5B: dk4_ima_adpcm_decode_block (ad_imaadpcm.c:303)
==1409== by 0x80D9BFF: decode_audio (ad_imaadpcm.c:325)
==1409== by 0x80DAA74: decode_audio (dec_audio.c:383)
==1409== by 0x80784E9: main (mplayer.c:2044)
==1409==
==1409== Use of uninitialised value of size 4
==1409== Stack hash: 94873022
==1409== at 0x80D988B: decode_nibbles (ad_imaadpcm.c:148)
==1409== by 0x80D9B5B: dk4_ima_adpcm_decode_block (ad_imaadpcm.c:303)
==1409== by 0x80D9BFF: decode_audio (ad_imaadpcm.c:325)
==1409== by 0x80DAA74: decode_audio (dec_audio.c:383)
==1409== by 0x80784E9: main (mplayer.c:2044)
==1409==
==1409== Conditional jump or move depends on uninitialised value(s)
==1409== Stack hash: 257925029
==1409== at 0x80D98E2: decode_nibbles (common.h:224)
==1409== by 0x80D9B5B: dk4_ima_adpcm_decode_block (ad_imaadpcm.c:303)
==1409== by 0x80D9BFF: decode_audio (ad_imaadpcm.c:325)
==1409== by 0x80DAA74: decode_audio (dec_audio.c:383)
==1409== by 0x80784E9: main (mplayer.c:2044)
==1409==
==1409== Use of uninitialised value of size 4
==1409== Stack hash: 319772342
==1409== at 0x80D9903: decode_nibbles (ad_imaadpcm.c:158)
==1409== by 0x80D9B5B: dk4_ima_adpcm_decode_block (ad_imaadpcm.c:303)
==1409== by 0x80D9BFF: decode_audio (ad_imaadpcm.c:325)
==1409== by 0x80DAA74: decode_audio (dec_audio.c:383)
==1409== by 0x80784E9: main (mplayer.c:2044)
==1409==
==1409== Syscall param write(buf) points to uninitialised byte(s)
==1409== Stack hash: 2550802113
==1409== at 0x4000792: (within /lib/ld-2.3.6.so)
==1409== Address 0x4313fb8 is 0 bytes inside a block of size 65,536 alloc'd
==1409== Stack hash: 2167162419
==1409== at 0x401D898: malloc (vg_replace_malloc.c:207)
==1409== by 0x401D9DC: realloc (vg_replace_malloc.c:429)
==1409== by 0x80DAB5E: decode_audio (dec_audio.c:401)
==1409== by 0x80784E9: main (mplayer.c:2044)
==1409== (02:08.7) of 294.0 (04:54.0) 43.9%
==1409== More than 10000000 total errors detected. I'm not reporting any more.
==1409== Final error counts will be inaccurate. Go fix your program!
==1409== Rerun with --error-limit=no to disable this cutoff. Note
==1409== that errors may occur in your program without prior warning from
==1409== Valgrind, because errors are no longer being displayed.
==1409==
A: 294.3 (04:54.2) of 294.0 (04:54.0) 32.3%

Exiting... (End of file)
==1409==
==1409== ERROR SUMMARY: 10000000 errors from 6 contexts (suppressed: 19 from 1)
==1409== malloc/free: in use at exit: 38,884 bytes in 13 blocks.
==1409== malloc/free: 6,058 allocs, 6,045 frees, 9,222,147 bytes allocated.
==1409== For counts of detected errors, rerun with: -v
==1409== searching for pointers to 13 not-freed blocks.
==1409== checked 2,861,904 bytes.
==1409==
==1409== LEAK SUMMARY:
==1409== definitely lost: 5,976 bytes in 1 blocks.
==1409== possibly lost: 0 bytes in 0 blocks.
==1409== still reachable: 32,908 bytes in 12 blocks.
==1409== suppressed: 0 bytes in 0 blocks.
==1409== Rerun with --leak-check=full to see details of leaked memory.

Would you please check it again. Thank You.

Note: See TracTickets for help on using tickets.