Opened 12 years ago

Closed 12 years ago

#1135 closed defect (fixed)

InvalidRead

Reported by: nicholenae@… Owned by: reimar
Priority: important Component: ao
Version: HEAD Severity: normal
Keywords: Cc: catchconv-bugreports@…
Blocked By: Blocking:
Reproduced by developer: Analyzed by developer:

Description

I worked in the lab as part of the SUPERB-TRUST 2008 for the security project
and found these bugs in the file 15-5.wav. The errors is Invalid
Read. You can download the file with the following links and can run the
command below:

You can find this bug in:

www.metafuzz.com
http://www.metafuzz.com/testcases/147782-15-2018353836-InvalidRead.tgz
tar xzfv 147782-15-2018353836-InvalidRead?.tgz
valgrind mplayer 15-5.wav

I have this version :

MPlayer dev-SVN-r27185-4.1.2 (C) 2000-2008 MPlayer Team
CPU: Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz (Family: 6, Model: 15,
Stepping: 13)
CPUflags: MMX: 1 MMX2: 1 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 1
Compiled for x86 CPU with extensions: MMX MMX2 SSE SSE2

==4533== Invalid read of size 1
==4533== Stack hash: 3454925888
==4533== at 0x401FAC0: memcpy (mc_replace_strmem.c:402)
==4533== by 0x8198D05: init (ad_ffmpeg.c:76)
==4533== by 0x80DB072: init_audio (dec_audio.c:95)
==4533== by 0x80DB468: init_best_audio_codec (dec_audio.c:270)
==4533== by 0x8076698: reinit_audio_chain (mplayer.c:1585)
==4533== by 0x8078041: main (mplayer.c:3583)
==4533== Address 0x42faf2d is 685 bytes inside a block of size 70,144 free'd
==4533== Stack hash: 71787532
==4533== at 0x401D43C: free (vg_replace_malloc.c:323)
==4533== by 0x80DACFA: uninit_audio (dec_audio.c:310)
==4533== by 0x80DB229: init_audio (dec_audio.c:97)
==4533== by 0x80DB468: init_best_audio_codec (dec_audio.c:270)
==4533== by 0x8076698: reinit_audio_chain (mplayer.c:1585)
==4533== by 0x8078041: main (mplayer.c:3583)
==4533==
==4533== Invalid read of size 1
==4533== Stack hash: 4009677544
==4533== at 0x401FAC8: memcpy (mc_replace_strmem.c:402)
==4533== by 0x8198D05: init (ad_ffmpeg.c:76)
==4533== by 0x80DB072: init_audio (dec_audio.c:95)
==4533== by 0x80DB468: init_best_audio_codec (dec_audio.c:270)
==4533== by 0x8076698: reinit_audio_chain (mplayer.c:1585)
==4533== by 0x8078041: main (mplayer.c:3583)
==4533== Address 0x42faf2c is 684 bytes inside a block of size 70,144 free'd
==4533== Stack hash: 71787532
==4533== at 0x401D43C: free (vg_replace_malloc.c:323)
==4533== by 0x80DACFA: uninit_audio (dec_audio.c:310)
==4533== by 0x80DB229: init_audio (dec_audio.c:97)
==4533== by 0x80DB468: init_best_audio_codec (dec_audio.c:270)
==4533== by 0x8076698: reinit_audio_chain (mplayer.c:1585)
==4533== by 0x8078041: main (mplayer.c:3583)
==4533==
==4533== Invalid read of size 1
==4533== Stack hash: 200117947
==4533== at 0x401FACF: memcpy (mc_replace_strmem.c:402)
==4533== by 0x8198D05: init (ad_ffmpeg.c:76)
==4533== by 0x80DB072: init_audio (dec_audio.c:95)
==4533== by 0x80DB468: init_best_audio_codec (dec_audio.c:270)
==4533== by 0x8076698: reinit_audio_chain (mplayer.c:1585)
==4533== by 0x8078041: main (mplayer.c:3583)
==4533== Address 0x42faf2b is 683 bytes inside a block of size 70,144 free'd
==4533== Stack hash: 71787532
==4533== at 0x401D43C: free (vg_replace_malloc.c:323)
==4533== by 0x80DACFA: uninit_audio (dec_audio.c:310)
==4533== by 0x80DB229: init_audio (dec_audio.c:97)
==4533== by 0x80DB468: init_best_audio_codec (dec_audio.c:270)
==4533== by 0x8076698: reinit_audio_chain (mplayer.c:1585)
==4533== by 0x8078041: main (mplayer.c:3583)
==4533==
==4533== Invalid read of size 1
==4533== Stack hash: 685525646
==4533== at 0x401FAD6: memcpy (mc_replace_strmem.c:402)
==4533== by 0x8198D05: init (ad_ffmpeg.c:76)
==4533== by 0x80DB072: init_audio (dec_audio.c:95)
==4533== by 0x80DB468: init_best_audio_codec (dec_audio.c:270)
==4533== by 0x8076698: reinit_audio_chain (mplayer.c:1585)
==4533== by 0x8078041: main (mplayer.c:3583)
==4533== Address 0x42faf2a is 682 bytes inside a block of size 70,144 free'd
==4533== Stack hash: 71787532
==4533== at 0x401D43C: free (vg_replace_malloc.c:323)
==4533== by 0x80DACFA: uninit_audio (dec_audio.c:310)
==4533== by 0x80DB229: init_audio (dec_audio.c:97)
==4533== by 0x80DB468: init_best_audio_codec (dec_audio.c:270)
==4533== by 0x8076698: reinit_audio_chain (mplayer.c:1585)
==4533== by 0x8078041: main (mplayer.c:3583)
AUDIO: 11025 Hz, 1 ch, s16le, 20.0 kbit/11.34% (ratio: 2500->22050)

==4566== ERROR SUMMARY: 1002 errors from 4 contexts (suppressed: 19 from 1)
==4566== malloc/free: in use at exit: 52,428 bytes in 29 blocks.
==4566== malloc/free: 2,373 allocs, 2,344 frees, 1,640,739 bytes allocated.
==4566== For counts of detected errors, rerun with: -v
==4566== searching for pointers to 29 not-freed blocks.
==4566== checked 2,762,688 bytes.
==4566==
==4566== LEAK SUMMARY:
==4566== definitely lost: 0 bytes in 0 blocks.
==4566== possibly lost: 0 bytes in 0 blocks.
==4566== still reachable: 52,428 bytes in 29 blocks.
==4566== suppressed: 0 bytes in 0 blocks.
==4566== Rerun with --leak-check=full to see details of leaked memory.

Change History (1)

comment:1 Changed 12 years ago by reimar

  • Resolution set to fixed
  • Status changed from new to closed

Fixed in SVN r27246

Note: See TracTickets for help on using tickets.