Opened 16 years ago

Closed 16 years ago

#1143 closed defect (duplicate)

Mplayer [Crash] and Valgrind reports Invalid Write in lschunks_intrak (demux_mov.c:1797)

Reported by: nstockma@… Owned by: r_togni@…
Priority: normal Component: demuxer
Version: HEAD Severity: normal
Keywords: Cc: catchconv-bugreports@…
Blocked By: Blocking:
Reproduced by developer: no Analyzed by developer: no

Description

Here's an mp4 file where Valgrind reports an Invalid Write and Mplayer crashes.

The mp4 file (3-salma.mp4) can be found inside the .tgz archive at the URL
above. The bug is easily reproducible.

I confirmed that this bug is reproducible on Linux OS, Debian x32 with the
following subversion of MPlayer: dev-SVN-r27243-4.1.2

I used a 32-bit Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz.

To reproduce:

wget http://www.metafuzz.com/testcases/441923-3-1696562928-InvalidWrite.tgz
tar xzfv 441923-3-1696562928-InvalidWrite.tgz
valgrind mplayer 3-salma.mp4

Here is the output from Valgrind and Mplayer on my machine:

user@debian:~/Desktop$ valgrind mplayer 3-salma.mp4
==6025== Memcheck, a memory error detector.
==6025== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==6025== Using LibVEX rev 1854, a library for dynamic binary translation.
==6025== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==6025== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==6025== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==6025== For more details, rerun with: -v
==6025==
MPlayer dev-SVN-r27243-4.1.2 (C) 2000-2008 MPlayer Team
CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz (Family: 6, Model: 15, Stepping: 6)
CPUflags: MMX: 1 MMX2: 1 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 1
Compiled for x86 CPU with extensions: MMX MMX2 SSE SSE2

Playing 3-salma.mp4.
libavformat file format detected.
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x863c670]error reading header: -1
LAVF_header: av_open_input_stream() failed
Quicktime/MOV file format detected.
Warning! pts=-1669225600 length=8496000
=======================================================================================
==6025== Invalid write of size 4
==6025== Stack hash: 2541841697
==6025== at 0x813D95D: lschunks_intrak (demux_mov.c:1797)
==6025== by 0x813A3B0: lschunks (demux_mov.c:1283)
==6025== by 0x813C892: lschunks_intrak (demux_mov.c:1874)
==6025== by 0x813A3B0: lschunks (demux_mov.c:1283)
==6025== by 0x813C892: lschunks_intrak (demux_mov.c:1874)
==6025== by 0x813A3B0: lschunks (demux_mov.c:1283)
==6025== by 0x813C892: lschunks_intrak (demux_mov.c:1874)
==6025== by 0x813A3B0: lschunks (demux_mov.c:1283)
==6025== by 0x813AA2E: lschunks (demux_mov.c:1311)
==6025== by 0x813C305: mov_read_header (demux_mov.c:1931)
==6025== by 0x811E2BE: demux_open_stream (demuxer.c:864)
==6025== by 0x811E591: demux_open (demuxer.c:991)
==6025== Address 0x4 is not stack'd, malloc'd or (recently) free'd

MPlayer interrupted by signal 11 in module: demux_open

  • MPlayer crashed by bad usage of CPU/FPU/RAM. Recompile MPlayer with --enable-debug and make a 'gdb' backtrace and disassembly. Details in DOCS/HTML/en/bugreports_what.html#bugreports_crash.
  • MPlayer crashed. This shouldn't happen. It can be a bug in the MPlayer code _or_ in your drivers _or_ in your gcc version. If you think it's MPlayer's fault, please read DOCS/HTML/en/bugreports.html and follow the instructions there. We can't and won't help unless you provide this information when reporting a possible bug.

==6025==
==6025== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 19 from 1)
==6025== malloc/free: in use at exit: 100,655 bytes in 2,189 blocks.
==6025== malloc/free: 2,326 allocs, 137 frees, 1,258,596 bytes allocated.
==6025== For counts of detected errors, rerun with: -v
==6025== searching for pointers to 2,189 not-freed blocks.
==6025== checked 2,832,392 bytes.
==6025==
==6025== LEAK SUMMARY:
==6025== definitely lost: 1,664 bytes in 5 blocks.
==6025== possibly lost: 0 bytes in 0 blocks.
==6025== still reachable: 98,991 bytes in 2,184 blocks.
==6025== suppressed: 0 bytes in 0 blocks.
==6025== Rerun with --leak-check=full to see details of leaked memory.

The following is a backtrace using gdb:

(gdb) bt
#0 lschunks_intrak (demuxer=0x898d800, level=4, id=1937011578, pos=6207686, len=9452, trak=0x898f3f8) at libmpdemux/demux_mov.c:1797
#1 0x0813a3b1 in lschunks (demuxer=0x898d800, level=4, endpos=6226594, trak=0x898f3f8) at libmpdemux/demux_mov.c:1283
#2 0x0813c893 in lschunks_intrak (demuxer=0x898d800, level=3, id=1937007212, pos=6206642, len=6226594, trak=0x898f3f8) at libmpdemux/demux_mov.c:1874
#3 0x0813a3b1 in lschunks (demuxer=0x898d800, level=3, endpos=6226594, trak=0x898f3f8) at libmpdemux/demux_mov.c:1283
#4 0x0813c893 in lschunks_intrak (demuxer=0x898d800, level=2, id=1835626086, pos=6206578, len=6226594, trak=0x898f3f8) at libmpdemux/demux_mov.c:1874
#5 0x0813a3b1 in lschunks (demuxer=0x898d800, level=2, endpos=6226594, trak=0x898f3f8) at libmpdemux/demux_mov.c:1283
#6 0x0813c893 in lschunks_intrak (demuxer=0x898d800, level=1, id=1835297121, pos=6206493, len=6226594, trak=0x898f3f8) at libmpdemux/demux_mov.c:1874
#7 0x0813a3b1 in lschunks (demuxer=0x898d800, level=1, endpos=6226594, trak=0x898f3f8) at libmpdemux/demux_mov.c:1283
#8 0x0813aa2f in lschunks (demuxer=0x898d800, level=0, endpos=140542966, trak=0x0) at libmpdemux/demux_mov.c:1311
#9 0x0813c306 in mov_read_header (demuxer=0x898d800) at libmpdemux/demux_mov.c:1931
#10 0x0811e2bf in demux_open_stream (stream=0x898e188, file_format=<value optimized out>, force=0, audio_id=-1, video_id=-1, dvdsub_id=-2, filename=0x89843f0 "../Desktop/3-salma.mp4") at libmpdemux/demuxer.c:864
#11 0x0811e592 in demux_open (vs=0x898e188, file_format=0, audio_id=-1, video_id=-1, dvdsub_id=-2, filename=0x89843f0 "../Desktop/3-salma.mp4") at libmpdemux/demuxer.c:991
#12 0x0807792f in main (argc=4, argv=0xbfd42444) at mplayer.c:3238
(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x813d93d to 0x813d97d:
0x0813d93d <lschunks_intrak+4861>: xor %esi,%esi
0x0813d93f <lschunks_intrak+4863>: mov 0x18(%ebp),%ecx
0x0813d942 <lschunks_intrak+4866>: mov %esi,%ebx
0x0813d944 <lschunks_intrak+4868>: inc %esi
0x0813d945 <lschunks_intrak+4869>: mov 0xfffffedc(%ebp),%edx
0x0813d94b <lschunks_intrak+4875>: shl $0x4,%ebx
0x0813d94e <lschunks_intrak+4878>: mov 0x58(%ecx),%eax
0x0813d951 <lschunks_intrak+4881>: add %eax,%ebx
0x0813d953 <lschunks_intrak+4883>: mov 0x1c(%edx),%eax
0x0813d956 <lschunks_intrak+4886>: call 0x8139890 <stream_read_dword>
0x0813d95b <lschunks_intrak+4891>: cmp %esi,%edi
0x0813d95d <lschunks_intrak+4893>: mov %eax,0x4(%ebx)
0x0813d960 <lschunks_intrak+4896>: jne 0x813d93f <lschunks_intrak+4863>
0x0813d962 <lschunks_intrak+4898>: xor %eax,%eax
0x0813d964 <lschunks_intrak+4900>: jmp 0x813c895 <lschunks_intrak+597>
0x0813d969 <lschunks_intrak+4905>: mov 0xfffffedc(%ebp),%edx
0x0813d96f <lschunks_intrak+4911>: mov $0x85ebbb0,%edi
0x0813d974 <lschunks_intrak+4916>: mov 0x1c(%edx),%eax
0x0813d977 <lschunks_intrak+4919>: call 0x8139890 <stream_read_dword>
0x0813d97c <lschunks_intrak+4924>: mov 0xfffffedc(%ebp),%ecx
End of assembler dump.
(gdb) info all-registers
eax 0x197b 6523
ecx 0x898f3f8 144241656
edx 0x197b 6523
ebx 0x0 0
esp 0xbfd40370 0xbfd40370
ebp 0xbfd404d8 0xbfd404d8
esi 0x1 1
edi 0x20000938 536873272
eip 0x813d95d 0x813d95d <lschunks_intrak+4893>
eflags 0x210202 [ IF RF ID ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51

This bug was found using the Zzuf fuzzer. It was found as part of the
SUPERB-TRUST 2008 project ( see http://www.truststc.org/superb/ ) and the
metafuzz project ( see http://metafuzz.com/, stack hash 1696562928).

From what I can tell by comparing the stack and backtrace, it is not a duplicate bug, but if it is, then I would certainly appreciate any other tips you may have on how to search for and compare it to other bugs in order not to keep reporting duplicates.
Thank you!

Please let me know if I can provide more information.
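The faulting instruction in the disassembly above is the store `mov %eax,0x4(%ebx)` with %ebx = 0, inside a loop that walks a table in 16-byte strides (`shl $0x4,%ebx`) up to the count held in %edi (0x20000938), and the id in frame #0 (1937011578 = 0x7374737A) is the 'stsz' atom; reading that as a table pointer that was never successfully allocated for a fuzzed entry count is an inference from the dump, not something the ticket states. The following is an added example, not MPlayer's code, of how a demuxer bounds such a count against the atom it came from before allocating; the atom layout and struct are constructed stand-ins.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed stand-in for the sample-size table of a MOV 'stsz' atom: a
 * 32-bit big-endian entry count followed by one dword per sample, parsed
 * into 16-byte in-memory entries (the stride the disassembly above uses;
 * the struct layout itself is an assumption, not MPlayer's mov_sample_t). */
struct sample { uint32_t size; uint32_t flags; uint64_t pos; };

#define MAX_SAMPLES (16u * 1024u * 1024u)   /* sanity cap, an assumption */

enum { TBL_OK = 0, TBL_SHORT = -1, TBL_COUNT = -2, TBL_NOMEM = -3 };

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Hardened parse. The count is untrusted file data, so it is bounded by the
 * bytes actually present in the atom and by a sanity cap before anything is
 * allocated, and the allocation is checked before the first store. The
 * crash above is what the fill loop does when the table pointer is NULL. */
static int parse_sample_sizes(const uint8_t *atom, size_t atom_len,
                              struct sample **out, uint32_t *out_count) {
    *out = NULL;
    *out_count = 0;
    if (atom_len < 4)
        return TBL_SHORT;
    uint32_t count = be32(atom);
    /* Divide rather than multiply so a huge count cannot wrap the check
     * (on 32-bit, 0x20000938 * 16 wraps to a small number). */
    if (count > (atom_len - 4) / 4 || count > MAX_SAMPLES)
        return TBL_COUNT;
    struct sample *tbl = calloc(count ? count : 1, sizeof *tbl);
    if (tbl == NULL)
        return TBL_NOMEM;
    for (uint32_t i = 0; i < count; i++)
        tbl[i].size = be32(atom + 4 + i * 4);
    *out = tbl;
    *out_count = count;
    return TBL_OK;
}

/* Constructed inputs: a 2-sample table, and a header carrying the fuzzed
 * count 0x20000938 seen in %edi above with no entries behind it. */
static const uint8_t good_atom[12] = { 0,0,0,2,  0,0,0,100,  0,0,0,250 };
static const uint8_t fuzzed_atom[4] = { 0x20, 0x00, 0x09, 0x38 };
```

The fuzzed header is rejected by the length bound before any allocation, so neither a NULL table nor a wrapped-size heap buffer is ever written to.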

Change History (1)

comment:1 by reimar, 16 years ago

Resolution: duplicate
Status: new → closed

While it is a different part of the code, the basic situation is the same as for bug 1113.

* This bug has been marked as a duplicate of bug 1113 *
