Opened 16 years ago

Closed 13 years ago

#1138 closed defect (worksforme)

Valgrind reports InvalidRead in ifilter_bank() (filtbank.c:305)

Reported by: thiennga408@…
Owned by: reimar
Priority: if idle
Component: ad
Version: HEAD
Severity: normal
Keywords:
Cc: catchconv-bugreports@…
Blocked By:
Blocking:
Reproduced by developer: no
Analyzed by developer: no

Description

In the tgz archive which can be downloaded from the URL
http://www.metafuzz.com/testcases/366117-2-1598053829-InvalidRead.tgz, there is
an aac file (2-sample.aac) where Valgrind reports an invalid read of 4 bytes
at an invalid memory location. This bug causes MPlayer to crash.

I confirmed that this bug is reproducible in the latest subversion of MPlayer,
r27242-4.1.2.

My System Information:
OS: Linux Debian x32
kernel: Linux debian 2.6.18-6-486 #1 Fri Jun 6 21:47:01 UTC 2008 i686 GNU/Linux
libc version: libc-2.3.6.so
gcc version 4.1.2 20061115
ld version 2.17

My Hardware Information:
32-bit Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz
Multimedia audio controller: Ensoniq ES1371 [AudioPCI-97] (rev 02)

To reproduce:
wget http://www.metafuzz.com/testcases/366117-2-1598053829-InvalidRead.tgz
tar xzvf 366117-2-1598053829-InvalidRead.tgz
valgrind mplayer 2-sample.aac

The following is the output from Valgrind:

==4929== Memcheck, a memory error detector.
==4929== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==4929== Using LibVEX rev 1854, a library for dynamic binary translation.
==4929== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==4929== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==4929== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==4929== For more details, rerun with: -v
==4929==
MPlayer dev-SVN-r27242-4.1.2 (C) 2000-2008 MPlayer Team
CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz (Family: 6, Model: 15, Stepping: 6)
CPUflags: MMX: 1 MMX2: 1 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 1
Compiled for x86 CPU with extensions: MMX MMX2 SSE SSE2

Playing 366117-2-1598053829-InvalidRead.tgz_FILES/2-sample.aac.
libavformat file format detected.
==4929== Conditional jump or move depends on uninitialised value(s)
==4929== Stack hash: 665612290
==4929== at 0x851A6E1: aac_sync (aac_parser.c:39)
==4929== by 0x851A80D: ff_aac_ac3_parse (aac_ac3_parser.c:46)
==4929== by 0x82EA45B: av_parser_parse (parser.c:155)
==4929== by 0x8262835: av_read_frame_internal (utils.c:829)
==4929== by 0x82635E5: av_find_stream_info (utils.c:1970)
==4929== by 0x81A31DE: demux_open_lavf (demux_lavf.c:466)
==4929== by 0x811E36E: demux_open_stream (demuxer.c:864)
==4929== by 0x811E641: demux_open (demuxer.c:991)
==4929== by 0x807792E: main (mplayer.c:3238)
[lavf] Audio stream found, -aid 0
==========================================================================
Opening audio decoder: [faad] AAC (MPEG2/4 Advanced Audio Coding)

Unsupported LATM configuration: 8 programs/ 64 subframes, 8 layers, allstreams: 1
AUDIO: 16000 Hz, 2 ch, s16le, 156.4 kbit/30.54% (ratio: 19547->64000)
Selected audio codec: [faad] afm: faad (FAAD AAC (MPEG-2/MPEG-4 Audio) decoder)
==========================================================================
AO: [oss] 16000Hz 2ch s16le (2 bytes per sample)
Video: no video
Starting playback...
FAAD: error: Maximum number of scalefactor bands exceeded, trying to resync!
FAAD: error: Maximum number of scalefactor bands exceeded, trying to resync!
FAAD: error: Maximum number of scalefactor bands exceeded, trying to resync!
FAAD: error: Maximum number of scalefactor bands exceeded, trying to resync!
FAAD: error: Scalefactor out of range, trying to resync!
FAAD: error: Gain control not yet implemented, trying to resync!
FAAD: error: Maximum number of scalefactor bands exceeded, trying to resync!
FAAD: error: Maximum number of scalefactor bands exceeded, trying to resync!
FAAD: error: Maximum number of scalefactor bands exceeded, trying to resync!
FAAD: error: Scalefactor out of range, trying to resync!
FAAD: error: Pulse coding not allowed in short blocks, trying to resync!
FAAD: error: Maximum number of scalefactor bands exceeded, trying to resync!
FAAD: error: Gain control not yet implemented, trying to resync!
FAAD: error: Scalefactor out of range, trying to resync!
FAAD: error: Pulse coding not allowed in short blocks, trying to resync!
FAAD: error: Maximum number of scalefactor bands exceeded, trying to resync!
FAAD: error: Unexpected channel configuration change, trying to resync!
FAAD: Failed to decode frame: Unexpected channel configuration change
FAAD: error: Gain control not yet implemented, trying to resync!
==4929==
==4929== Invalid read of size 4
==4929== Stack hash: 1360788677
==4929== at 0x81AC546: ifilter_bank (filtbank.c:305)
==4929== by 0x81C4266: reconstruct_single_channel (specrec.c:928)
==4929== by 0x81CA4E5: decode_sce_lfe (syntax.c:597)
==4929== by 0x81CADB4: raw_data_block (syntax.c:446)
==4929== by 0x81AB779: aac_frame_decode (decoder.c:872)
==4929== by 0x818B472: decode_audio (ad_faad.c:235)
==4929== by 0x80DAA04: decode_audio (dec_audio.c:383)
==4929== by 0x8078479: main (mplayer.c:2044)
==4929== Address 0x0 is not stack'd, malloc'd or (recently) free'd

MPlayer interrupted by signal 11 in module: decode_audio

- MPlayer crashed by bad usage of CPU/FPU/RAM.
  Recompile MPlayer with --enable-debug and make a 'gdb' backtrace and
  disassembly. Details in DOCS/HTML/en/bugreports_what.html#bugreports_crash.
- MPlayer crashed. This shouldn't happen.
  It can be a bug in the MPlayer code _or_ in your drivers _or_ in your
  gcc version. If you think it's MPlayer's fault, please read
  DOCS/HTML/en/bugreports.html and follow the instructions there. We can't and
  won't help unless you provide this information when reporting a possible bug.

==4929==
==4929== ERROR SUMMARY: 3101 errors from 2 contexts (suppressed: 19 from 1)
==4929== malloc/free: in use at exit: 388,702 bytes in 2,233 blocks.
==4929== malloc/free: 2,495 allocs, 262 frees, 1,849,262 bytes allocated.
==4929== For counts of detected errors, rerun with: -v
==4929== searching for pointers to 2,233 not-freed blocks.
==4929== checked 3,152,164 bytes.
==4929==
==4929== LEAK SUMMARY:
==4929== definitely lost: 0 bytes in 0 blocks.
==4929== possibly lost: 0 bytes in 0 blocks.
==4929== still reachable: 388,702 bytes in 2,233 blocks.
==4929== suppressed: 0 bytes in 0 blocks.
==4929== Rerun with --leak-check=full to see details of leaked memory.

The following is the backtrace using gdb:

(gdb) bt
#0 0x081ac546 in ifilter_bank (fb=0x8993488, window_sequence=3 '\003',
    window_shape=1 '\001', window_shape_prev=0 '\0', freq_in=0xbfff7880,
    time_out=0x0, overlap=0x0, object_type=2 '\002', frame_len=1024)
    at libfaad2/filtbank.c:305
#1 0x081c4267 in reconstruct_single_channel (hDecoder=0x8994b18,
    ics=0xbfff88c8, sce=0xbfff88c2, spec_data=0xbfffda6c)
    at libfaad2/specrec.c:928
#2 0x081ca4e6 in decode_sce_lfe (hDecoder=0x8994b18, hInfo=0x870e5a0,
    ld=0xbfffe2f0, id_syn_ele=3 '\003') at libfaad2/syntax.c:597
#3 0x081cadb5 in raw_data_block (hDecoder=0x8994b18, hInfo=0x870e5a0,
    ld=0xbfffe2f0, pce=0x8995189, drc=0x89b1618) at libfaad2/syntax.c:446
#4 0x081ab77a in aac_frame_decode (hDecoder=0x8994b18, hInfo=0x870e5a0,
    buffer=<value optimized out>, buffer_size=2516, sample_buffer2=0x0,
    sample_buffer_size=0) at libfaad2/decoder.c:872
#5 0x0818b473 in decode_audio (sh=0x89b1520, buf=0x89b3650 "",
    minlen=16512, maxlen=114688) at libmpcodecs/ad_faad.c:235
#6 0x080daa05 in decode_audio (sh_audio=0x89b1520, minlen=16384)
    at libmpcodecs/dec_audio.c:383
#7 0x0807847a in main (argc=3, argv=0xbffff6a4) at mplayer.c:2044
(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x81ac526 to 0x81ac566:
0x081ac526 <ifilter_bank+614>: incl 0x8b287edb(%ebp)
0x081ac52c <ifilter_bank+620>: test %edi,0x1baffff(%edi,%ebx,8)
0x081ac533 <ifilter_bank+627>: add %al,(%eax)
0x081ac535 <ifilter_bank+629>: add %cl,0xb48d0148(%ebp)
0x081ac53b <ifilter_bank+635>: add %al,%es:(%eax)
0x081ac53e <ifilter_bank+638>: add %al,(%eax)
0x081ac540 <ifilter_bank+640>: mov 0x20(%ebp),%ebx
0x081ac543 <ifilter_bank+643>: mov 0x1c(%ebp),%esi
0x081ac546 <ifilter_bank+646>: mov 0xfffffffc(%ebx,%edx,4),%eax
0x081ac54a <ifilter_bank+650>: mov %eax,0xfffffffc(%esi,%edx,4)
0x081ac54e <ifilter_bank+654>: inc %edx
0x081ac54f <ifilter_bank+655>: cmp %edx,%ecx
0x081ac551 <ifilter_bank+657>: jne 0x81ac540 <ifilter_bank+640>
0x081ac553 <ifilter_bank+659>: mov 0xffffdfb8(%ebp),%ecx
0x081ac559 <ifilter_bank+665>: test %ecx,%ecx
0x081ac55b <ifilter_bank+667>: jle 0x81ac5b7 <ifilter_bank+759>
0x081ac55d <ifilter_bank+669>: mov 0xffffdfb8(%ebp),%edx
0x081ac563 <ifilter_bank+675>: xor %eax,%eax
0x081ac565 <ifilter_bank+677>: mov $0x1,%ecx
End of assembler dump.
(gdb) info all-registers
eax 0x1c0 448
ecx 0x1c1 449
edx 0x1 1
ebx 0x0 0
esp 0xbfff5760 0xbfff5760
ebp 0xbfff7818 0xbfff7818
esi 0x0 0
edi 0x400 1024
eip 0x81ac546 0x81ac546 <ifilter_bank+646>
eflags 0x210206 [ PF IF RF ID ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x8f 143
gs 0x33 51

This bug was found using the zzuf fuzzer.

This bug was found as part of the SUPERB-TRUST 2008 project; see
http://www.truststc.org/superb/

Please let me know if you need more information.
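A triage helper added by the editor (not from the ticket, MPlayer or libfaad2): it parses Memcheck error blocks like the ones quoted above into records and labels each one, so a fuzzing queue can separate a page-zero read such as this ticket's `Address 0x0` from a read at an arbitrary address. The sample log is constructed from the ticket's own lines; the labels and the 4096-byte page-zero threshold are the editor's assumptions.

```python
import re
# Constructed sample: the Memcheck lines quoted in this ticket, nothing more.
SAMPLE_LOG = """\
==4929== Conditional jump or move depends on uninitialised value(s)
==4929==    at 0x851A6E1: aac_sync (aac_parser.c:39)
==4929==    by 0x851A80D: ff_aac_ac3_parse (aac_ac3_parser.c:46)
==4929==
==4929== Invalid read of size 4
==4929==    at 0x81AC546: ifilter_bank (filtbank.c:305)
==4929==    by 0x81C4266: reconstruct_single_channel (specrec.c:928)
==4929==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==4929==
==4929== ERROR SUMMARY: 3101 errors from 2 contexts (suppressed: 19 from 1)
"""
PREFIX = re.compile(r"^==\d+==(.*)$")
FRAME = re.compile(r"^(?:at|by) 0x([0-9A-Fa-f]+): (\S+) \(([^)]*)\)$")
ADDR = re.compile(r"^Address 0x([0-9A-Fa-f]+) is ")

def parse_memcheck(text):
    """Split Memcheck output into error records: kind, frames, faulting address."""
    errors, cur = [], None
    for raw in text.splitlines():
        m = PREFIX.match(raw)
        if not m:
            continue  # the program's own output, not a Valgrind line
        line = m.group(1).strip()
        if not line or line.startswith("ERROR SUMMARY"):  # end of an error block
            if cur is not None:
                errors.append(cur)
            cur = None
        elif cur is None:  # first line of a block names the error kind
            cur = {"kind": line, "frames": [], "addr": None}
        elif f := FRAME.match(line):
            pc, func, loc = f.groups()
            cur["frames"].append({"pc": int(pc, 16), "func": func, "loc": loc})
        elif a := ADDR.match(line):
            cur["addr"] = int(a.group(1), 16)
    if cur is not None:
        errors.append(cur)
    return errors

def classify(err):
    """Coarse triage label (assumed scheme): page-zero accesses are plain crashes."""
    kind = err["kind"]
    if kind.startswith("Invalid read") or kind.startswith("Invalid write"):
        if err["addr"] is not None and err["addr"] < 4096:
            return "null-deref"
        return "wild-write" if kind.startswith("Invalid write") else "wild-read"
    return "uninit-use" if kind.startswith("Conditional jump") else "other"
```

Lines such as "Stack hash: ..." that Memcheck may print inside a block are skipped, since they carry nothing the triage needs.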

Change History (4)

comment:1 by reimar, 16 years ago

Priority: normal → if idle

Problem is in libfaad2

comment:2 by thiennga408@…, 16 years ago

I have reported this bug to FAAC issue tracker. Here is the link to the report
https://sourceforge.net/tracker/index.php?func=detail&aid=2016415&group_id=704&atid=100704

comment:3 by compn, 13 years ago

Owner: changed from r_togni@… to reimar

comment:4 by reimar, 13 years ago

Resolution: worksforme
Status: new → closed

No longer reproducible (with -ac faad), and ffaac is the default decoder.
Patch to fix one overread with that one set to ffmpeg-devel.
