Opened 16 years ago
Last modified 16 years ago
#1142 new defect
InvalidRead
| Reported by: | Owned by: | reimar | |
|---|---|---|---|
| Priority: | if idle | Component: | ao |
| Version: | HEAD | Severity: | normal |
| Keywords: | Cc: | catchconv-bugreports@… | |
| Blocked By: | Blocking: | ||
| Reproduced by developer: | no | Analyzed by developer: | no |
Description
I worked in the lab as part of the SUPERB-TRUST 2008 for the security project
and found these bugs in the file 67-13.mp4. The errors is Crash and 4 Invalid
Read in ifilter_bank (filtbank.c:273). You can download the file with the following links and can run the command below:
www.metafuzz.com
wget http://www.metafuzz.com/testcases/600740-46-2760444434-SyscallParam.tgz
tar xzfv 600740-46-2760444434-SyscallParam.tgz
valgrind mplayer 67-13.mp4
http://www.cs.berkeley.edu/~nalvarez/67-13.mp4
I have this version:
MPlayer dev-SVN-r27243-4.1.2 (C) 2000-2008 MPlayer Team
CPU: Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz (Family: 6, Model: 15, Stepping: 13)
CPUflags: MMX: 1 MMX2: 1 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 1
Compiled for x86 CPU with extensions: MMX MMX2 SSE SSE2
MPlayer interrupted by signal 11 in module: decode_audio
- MPlayer crashed by bad usage of CPU/FPU/RAM. Recompile MPlayer with --enable-debug and make a 'gdb' backtrace and disassembly. Details in DOCS/HTML/en/bugreports_what.html#bugreports_crash.
- MPlayer crashed. This shouldn't happen. It can be a bug in the MPlayer code _or_ in your drivers _or_ in your gcc version. If you think it's MPlayer's fault, please read DOCS/HTML/en/bugreports.html and follow the instructions there. We can't and won't help unless you provide this information when reporting a possible bug.
==21988== Memcheck, a memory error detector.
==21988== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==21988== Using LibVEX rev 1854, a library for dynamic binary translation.
==21988== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==21988== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==21988== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==21988== For more details, rerun with: -v
==21988==
==21988== My PID = 21988, parent PID = 20486. Prog and args are:
==21988== mplayer
==21988== 46-13.mp4
==21988==
==21988== Invalid read of size 4
==21988== Stack hash: 2600776672
==21988== at 0x81AC9A6: ifilter_bank (filtbank.c:273)
==21988== by 0x81C41B6: reconstruct_single_channel (specrec.c:928)
==21988== by 0x81CA435: decode_sce_lfe (syntax.c:597)
==21988== by 0x81CAC68: raw_data_block (syntax.c:434)
==21988== by 0x81AB6C9: aac_frame_decode (decoder.c:872)
==21988== by 0x818B4A1: decode_audio (ad_faad.c:269)
==21988== by 0x80DAA04: decode_audio (dec_audio.c:383)
==21988== by 0x8078479: main (mplayer.c:2044)
==21988== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==21988==
==21988== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 19 from 1)
==21988== malloc/free: in use at exit: 586,164 bytes in 2,220 blocks.
==21988== malloc/free: 2,422 allocs, 202 frees, 7,928,058 bytes allocated.
==21988== For counts of detected errors, rerun with: -v
==21988== searching for pointers to 2,220 not-freed blocks.
==21988== checked 3,351,752 bytes.
==21988==
==21988== LEAK SUMMARY:
==21988== definitely lost: 0 bytes in 0 blocks.
==21988== possibly lost: 0 bytes in 0 blocks.
==21988== still reachable: 586,164 bytes in 2,220 blocks.
==21988== suppressed: 0 bytes in 0 blocks.
==21988== Rerun with --leak-check=full to see details of leaked memory.
I tried same input file with version MPlayer dev-SVN-r27249-4.1.2 still crashes. Here is Gdb outputs:
user@debian:~$ gdb mplayer
GNU gdb 6.4.90-debian
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
(gdb) run -v 46-13.mp4
Starting program: /usr/local/bin/mplayer -v 46-13.mp4
Failed to read a valid object file image from memory.
[Thread debugging using libthread_db enabled]
[New Thread -1209935648 (LWP 12295)]
MPlayer dev-SVN-r27249-4.1.2 (C) 2000-2008 MPlayer Team
CPU: Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz (Family: 6, Model: 15, Stepping: 13)
CPUflags: MMX: 1 MMX2: 1 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 1
Compiled for x86 CPU with extensions: MMX MMX2 SSE SSE2
get_path('codecs.conf') -> '/home/user/.mplayer/codecs.conf'
Reading /home/user/.mplayer/codecs.conf: Can't open '/home/user/.mplayer/codecs.conf': No such file or directory
Reading /usr/local/etc/mplayer/codecs.conf: Can't open '/usr/local/etc/mplayer/codecs.conf': No such file or directory
Using built-in default codecs.conf.
Configuration: --enable-debug=3
CommandLine: '-v' '46-13.mp4'
get_path('font/font.desc') -> '/home/user/.mplayer/font/font.desc'
font: can't open file: /home/user/.mplayer/font/font.desc
font: can't open file: /usr/local/share/mplayer/font/font.desc
Using MMX (with tiny bit MMX2) Optimized OnScreenDisplay
Using nanosleep() timing
get_path('input.conf') -> '/home/user/.mplayer/input.conf'
Can't open input config file /home/user/.mplayer/input.conf: No such file or directory
Can't open input config file /usr/local/etc/mplayer/input.conf: No such file or directory
Falling back on default (hardcoded) input config
get_path('46-13.mp4.conf') -> '/home/user/.mplayer/46-13.mp4.conf'
Playing 46-13.mp4.
get_path('sub/') -> '/home/user/.mplayer/sub/'
[file] File size is 5068944 bytes
STREAM: [file] 46-13.mp4
STREAM: Description: File
STREAM: Author: Albeu
STREAM: Comment: based on the code from ??? (probably Arpi)
LAVF_check: QuickTime/MPEG-4/Motion JPEG 2000 format
libavformat file format detected.
stream_seek: WARNING! Can't seek to 0x4D589D !
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x863daf0]Could not find codec parameters (Data: 0x0000)
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x863daf0]Could not find codec parameters (Audio: mp4a / 0x6134706D, 44100 Hz, stereo)
LAVF_header: av_find_stream_info() failed
Checking for YUV4MPEG2
ASF_check: not ASF guid!
Checking for NuppelVideo
Checking for REAL
Checking for SMJPEG
Checking for Nullsoft Streaming Video
Checking for MOV
ISO: File Type Major Brand: ISO Base Media
ISO: File Type Minor Version: 1
ISO: File Type Compatible Brand #0: isom
MOV: Movie DATA found!
MOV: Movie header found!
Quicktime/MOV file format detected.
MOV: Movie header (100 bytes): tscale=600 dur=55197
MOV: unknown chunk: iod� 13
MOV: Track #0:
MOV: Track header!
tkhd len=84 ver=0 flags=0x0 id=1 dur=55197 lay=0 vol=0
MOV: unknown chunk: meia 12817
MOV track #0: 0 chunks, 0 samples
pts=0 scale=0 time= nan
* constant samplesize & variable duration not yet supported! *
Contact the author if you have such sample file!
Unknown track type found (type: 0)
MOV: Track #1:
MOV: Track header!
tkhd len=84 ver=0 flags=0x0 id=10 dur=55059 lay=0 vol=256
MOV: Media stream!
MOV: Media header!
MOV: Handler header: /soun () PAC ISO Audio Handler
MOV: unknown handler class: 0x0 ()
MOV: Media info!
MOV: Sound header!
MOV: unknown chunk: dinf 28
MOV: Sample info!
MOV: Description list! (cnt:1)
MOV: desc #0: mp4a (59 bytes)
MOV: Sample duration table! (1 blocks)
Warning! pts=4046848 length=4046856
MOV: Sample->Chunk mapping table! (2 blocks) (ver:0,flags:0)
MOV: Sample size table! (entries=3952 ss=4096) (ver:0,flags:0)
MOV: Chunk offset table! (396 chunks)
MOV track #1: 396 chunks, 0 samples
pts=4046856 scale=44100 time=91.765
==> Found audio stream: 1
[mov] Audio stream found, -aid 1
Audio bits: 16 chans: 2 rate: 44100
MOV: Found MPEG4 audio Elementary Stream Descriptor atom (39)!
ESDS MPEG4 version: 0 flags: 0x000000
ESDS MPEG4 ES Descriptor (25Bytes):
ESDS MPEG4 Decoder Config Descriptor (17Bytes):
ESDS MPEG4 Decoder Specific Descriptor (18Bytes)
Fourcc: mp4a
Quicktime Clip Info:
MOV: longest streams: A: #1 (396 samples) V: #-1 (0 samples)
==========================================================================
Opening audio decoder: [faad] AAC (MPEG2/4 Advanced Audio Coding)
dec_audio: Allocating 4608 bytes for input buffer.
dec_audio: Allocating 49152 + 65536 = 114688 bytes for output buffer.
FAAD: Decoder init done (0Bytes)!
FAAD: Negotiated samplerate: 44100Hz channels: 2
FAAD: got 117kbit/s bitrate from MP4 header!
AUDIO: 44100 Hz, 2 ch, s16le, 117.5 kbit/8.33% (ratio: 14692->176400)
Selected audio codec: [faad] afm: faad (FAAD AAC (MPEG-2/MPEG-4 Audio) decoder)
==========================================================================
Building audio filter chain for 44100Hz/2ch/s16le -> 0Hz/0ch/??...
[libaf] Adding filter dummy
[dummy] Was reinitialized: 44100Hz/2ch/s16le
[dummy] Was reinitialized: 44100Hz/2ch/s16le
Trying every known audio driver...
ao2: 44100 Hz 2 chans s16le
audio_setup: using '/dev/dsp' dsp device
audio_setup: using '/dev/mixer' mixer device
audio_setup: using 'pcm' mixer device
audio_setup: sample format: s16le (requested: s16le)
audio_setup: using 2 channels (requested: 2)
audio_setup: using 44100 Hz samplerate (requested: 44100)
audio_setup: frags: 8/8 (8192 bytes/frag) free: 65536
AO: [oss] 44100Hz 2ch s16le (2 bytes per sample)
AO: Description: OSS/ioctl audio output
AO: Author: A'rpi
Building audio filter chain for 44100Hz/2ch/s16le -> 44100Hz/2ch/s16le...
[dummy] Was reinitialized: 44100Hz/2ch/s16le
[dummy] Was reinitialized: 44100Hz/2ch/s16le
Video: no video
Freeing 0 unused video chunks.
Starting playback...
FAAD: Failed to decode frame: Gain control not yet implemented
FAAD: Failed to decode frame: Channel coupling not yet implemented
FAAD: Failed to decode frame: Gain control not yet implemented
FAAD: Failed to decode frame: Gain control not yet implemented
FAAD: Failed to decode frame: Channel coupling not yet implemented
FAAD: Failed to decode frame: Gain control not yet implemented
FAAD: Failed to decode frame: Maximum number of scalefactor bands exceeded
FAAD: Failed to decode frame: Maximum number of scalefactor bands exceeded
FAAD: Failed to decode frame: Gain control not yet implemented
FAAD: Failed to decode frame: Gain control not yet implemented
FAAD: Failed to decode frame: Maximum number of scalefactor bands exceeded
FAAD: Failed to decode frame: Invalid number of channels
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1209935648 (LWP 12295)]
0x081aca06 in ifilter_bank (fb=0x89c8310, window_sequence=2 '\002',
273 time_out[i] = overlap[i];
(gdb) bt
#0 0x081aca06 in ifilter_bank (fb=0x89c8310, window_sequence=2 '\002',
#1 0x081c4217 in reconstruct_single_channel (hDecoder=0x89aa678,
#2 0x081ca496 in decode_sce_lfe (hDecoder=0x89aa678, hInfo=0x8714620,
#3 0x081cacc9 in raw_data_block (hDecoder=0x89aa678, hInfo=0x8714620,
#4 0x081ab72a in aac_frame_decode (hDecoder=0x89aa678, hInfo=0x8714620,
#5 0x0818b502 in decode_audio (sh=0x89aa578, buf=0x89ac230 "", minlen=65536,
#6 0x080daa75 in decode_audio (sh_audio=0x89aa578, minlen=65536)
#7 0x080784ea in main (argc=3, argv=0xbff48824) at mplayer.c:2044
(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x81ac9e6 to 0x81aca26:
0x081ac9e6 <ifilter_bank+1910>: incl 0x8b287ef6(%ebp)
0x081ac9ec <ifilter_bank+1916>: popf
0x081ac9ed <ifilter_bank+1917>: mov $0xbaffffdf,%esp
0x081ac9f2 <ifilter_bank+1922>: add %eax,(%eax)
0x081ac9f4 <ifilter_bank+1924>: add %al,(%eax)
0x081ac9f6 <ifilter_bank+1926>: lea 0x1(%ebx),%ecx
0x081ac9f9 <ifilter_bank+1929>: lea 0x0(%esi),%esi
0x081aca00 <ifilter_bank+1936>: mov 0x20(%ebp),%esi
0x081aca03 <ifilter_bank+1939>: mov 0x1c(%ebp),%ebx
0x081aca06 <ifilter_bank+1942>: mov 0xfffffffc(%esi,%edx,4),%eax
0x081aca0a <ifilter_bank+1946>: mov %eax,0xfffffffc(%ebx,%edx,4)
0x081aca0e <ifilter_bank+1950>: inc %edx
0x081aca0f <ifilter_bank+1951>: cmp %ecx,%edx
0x081aca11 <ifilter_bank+1953>: jne 0x81aca00 <ifilter_bank+1936>
0x081aca13 <ifilter_bank+1955>: mov 0xffffdfb8(%ebp),%ebx
0x081aca19 <ifilter_bank+1961>: test %ebx,%ebx
0x081aca1b <ifilter_bank+1963>: jle 0x81aceab <ifilter_bank+3131>
0x081aca21 <ifilter_bank+1969>: mov 0xffffdfb8(%ebp),%eax
End of assembler dump.
(gdb) info all-registers
eax 0x20 32
ecx 0x1c1 449
edx 0x1 1
ebx 0x0 0
esp 0xbff3e8e0 0xbff3e8e0
ebp 0xbff40998 0xbff40998
esi 0x0 0
edi 0x400 1024
eip 0x81aca06 0x81aca06 <ifilter_bank+1942>
eflags 0x10206 [ PF IF RF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
st0 0 (raw 0x00000000000000000000)
st1 0 (raw 0x00000000000000000000)
st2 0 (raw 0x00000000000000000000)
st3 0 (raw 0x00000000000000000000)
st4 0.00189805845730006694793701171875 (raw 0x3ff5f8c8460000000000)
st5 0.0883679687976837158203125 (raw 0x3ffbb4fa440000000000)
---Type <return> to continue, or q <return> to quit---
st6 0 (raw 0x00000000000000000000)
st7 -0 (raw 0x80000000000000000000)
fctrl 0x37f 895
fstat 0x21 33
ftag 0xffff 65535
fiseg 0x73 115
fioff 0x81b0a1b 135989787
foseg 0x7b 123
fooff 0xbff40984 -1074525820
fop 0x159 345
xmm0 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
xmm1 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
xmm2 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
xmm3 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
---Type <return> to continue, or q <return> to quit---
xmm4 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
xmm5 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
xmm6 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
xmm7 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
mxcsr 0x1f80 [ IM DM ZM OM UM PM ]
mm0 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0,
mm1 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0,
---Type <return> to continue, or q <return> to quit---
mm2 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0,
mm3 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0,
mm4 {uint64 = 0xf8c8460000000000, v2_int32 = {0x0, 0xf8c84600},
mm5 {uint64 = 0xb4fa440000000000, v2_int32 = {0x0, 0xb4fa4400},
mm6 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0,
mm7 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0,
(gdb) q
The program is running. Exit anyway? (y or n) y
user@debian:~$