Opened 11 years ago

Last modified 9 years ago

#1145 new defect

Valgrind reports invalid read of 4 [vorbis_decode_init (bitstream.h:659)]

Reported by: aslani@… Owned by: reimar
Priority: normal Component: demuxer
Version: HEAD Severity: normal
Keywords: Cc: catchconv-bugreports@…
Blocked By: Blocking:
Reproduced by developer: Analyzed by developer:

Description

For this .ogg file, Valgrind reports an invalid read of 4 byte in the latest subversion of Mplayer ,SVN-r27245-4.1.2

System Info:
OS: Debian Etch Linux, Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz

uname -a: Linux debian 2.6.18-4-486 #1 Mon Mar 26 16:39:10 UTC 2007 i686 GNU/Linux

to reproduce:

wget http://www.metafuzz.com/testcases/273958-3-2907588837-InvalidRead.tgz
tar xzf 273958-3-2907588837-InvalidRead?.tgz
valgrind mplayer 3-Mehmoonie.ogg

Result from Valgrind ::::

==32493== Invalid read of size 4 <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
==32493== Stack hash: 1036641884
==32493== at 0x84FFC4A: vorbis_decode_init (bitstream.h:659)
==32493== by 0x82EDFDD: avcodec_open (utils.c:831)
==32493== by 0x826453A: av_find_stream_info (utils.c:1760)
==32493== by 0x81A31BE: demux_open_lavf (demux_lavf.c:466)
==32493== by 0x811E32E: demux_open_stream (demuxer.c:864)
==32493== by 0x811E601: demux_open (demuxer.c:991)
==32493== by 0x807799E: main (mplayer.c:3238)
==32493== Address 0x43292b6 is 4,054 bytes inside a block of size 4,056 alloc'd==32493== Stack hash: 3863113973
==32493== at 0x401D96E: realloc (vg_replace_malloc.c:429)
==32493== by 0x82A741F: vorbis_header (oggparsevorbis.c:149)
==32493== by 0x82A5EFF: ogg_packet (oggdec.c:369)
==32493== by 0x82A6061: ogg_read_header (oggdec.c:408)
==32493== by 0x8261B5E: av_open_input_stream (utils.c:398)
==32493== by 0x81A319D: demux_open_lavf (demux_lavf.c:459)
==32493== by 0x811E32E: demux_open_stream (demuxer.c:864)
==32493== by 0x811E601: demux_open (demuxer.c:991)
==32493== by 0x807799E: main (mplayer.c:3238)
==32493==
==32493== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 19 from 1)
==32493== malloc/free: in use at exit: 36,961 bytes in 15 blocks.
==32493== malloc/free: 4,806 allocs, 4,791 frees, 4,347,890 bytes allocated.
==32493== For counts of detected errors, rerun with: -v
==32493== searching for pointers to 15 not-freed blocks.
==32493== checked 2,861,856 bytes.
==32493==
==32493== LEAK SUMMARY:
==32493== definitely lost: 4,053 bytes in 3 blocks.
==32493== possibly lost: 0 bytes in 0 blocks.
==32493== still reachable: 32,908 bytes in 12 blocks.
==32493== suppressed: 0 bytes in 0 blocks.

This bug was found as part of the SUPERB-TRUST 2008 / metafuzz project;

See : http://metafuzz.com/ http://www.truststc.org/superb/

Change History (2)

comment:1 Changed 11 years ago by aslani@…


reproduced in MPlayer dev-SVN-r27262-4.1.2 similar to [ bug #1178 ],except that in 1178, MPlayer crashes.
Backtrace::

$valgrind --leak-check=full --show-reachable=yes mplayer 3-Mehmoonie.ogg

==14735== Memcheck, a memory error detector.
==14735== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==14735== Using LibVEX rev 1854, a library for dynamic binary translation.
==14735== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks? LLP.
==14735== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==14735== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==14735== For more details, rerun with: -v
==14735==
Playing 3-Mehmoonie.ogg.
libavformat file format detected.
==14735== Invalid read of size 4
==14735== Stack hash: 3937173639
==14735== at 0x84FFC4A: vorbis_decode_init (bitstream.h:659)
==14735== by 0x82EDE9D: avcodec_open (utils.c:831)
==14735== by 0x82643DA: av_find_stream_info (utils.c:1760)
==14735== by 0x81A3045: demux_open_lavf (demux_lavf.c:466)
==14735== by 0x811E20E: demux_open_stream (demuxer.c:864)
==14735== by 0x811E4E1: demux_open (demuxer.c:991)
==14735== by 0x807799E: main (mplayer.c:3238)
==14735== Address 0x43292b6 is 4,054 bytes inside a block of size 4,056 alloc'd==14735== Stack hash: 2176887360
==14735== at 0x401D96E: realloc (vg_replace_malloc.c:429)
==14735== by 0x82A72BF: vorbis_header (oggparsevorbis.c:149)
==14735== by 0x82A5D9F: ogg_packet (oggdec.c:369)
==14735== by 0x82A5F01: ogg_read_header (oggdec.c:408)
==14735== by 0x82619FE: av_open_input_stream (utils.c:398)
==14735== by 0x81A3024: demux_open_lavf (demux_lavf.c:459)
==14735== by 0x811E20E: demux_open_stream (demuxer.c:864)
==14735== by 0x811E4E1: demux_open (demuxer.c:991)
==14735== by 0x807799E: main (mplayer.c:3238)
[lavf] Audio stream found, -aid 0
Clip info:

name: 07_ Mehmoonie
author: Noosh Afarin (www.Sarzamin.org
album: Koocheye Rangi

==========================================================================
Opening audio decoder: [ffmpeg] FFmpeg/libavcodec audio decoders
AUDIO: 44100 Hz, 2 ch, s16le, 112.0 kbit/7.94% (ratio: 14000->176400)
Selected audio codec: [ffvorbis] afm: ffmpeg (FFmpeg Vorbis decoder)
==========================================================================
AO: [oss] 44100Hz 2ch s16le (2 bytes per sample)
Video: no video
Starting playback...
A: 6.0 (06.0) of 6.3 (06.3) 40.9%

Exiting... (End of file)
==14735==
==14735== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 19 from 1)
==14735== malloc/free: in use at exit: 36,961 bytes in 15 blocks.
==14735== malloc/free: 4,800 allocs, 4,785 frees, 4,347,404 bytes allocated.
==14735== For counts of detected errors, rerun with: -v
==14735== searching for pointers to 15 not-freed blocks.
==14735== checked 2,861,824 bytes.
==14735==
==14735==
==14735== 8 bytes in 1 blocks are still reachable in loss record 1 of 6
==14735== Stack hash: 2669096542
==14735== at 0x401D898: malloc (vg_replace_malloc.c:207)
==14735== by 0x8083A24: mp_input_set_section (input.c:1691)
==14735== by 0x8078252: main (mplayer.c:3636)
==14735==
==14735==
==14735== 60 bytes in 8 blocks are still reachable in loss record 2 of 6
==14735== Stack hash: 3830378553
==14735== at 0x401D898: malloc (vg_replace_malloc.c:207)
==14735== by 0x40E817F: strdup (in /lib/tls/i686/cmov/libc-2.3.6.so)
==14735== by 0x80B06E7: copy_str (m_option.c:385)
==14735== by 0x80AFA47: m_config_add_option (m_option.h:490)
==14735== by 0x80AFC18: m_config_register_options (m_config.c:259)
==14735== by 0x8076BA0: main (mplayer.c:2567)
==14735==
==14735==
==14735== 80 bytes in 1 blocks are still reachable in loss record 3 of 6
==14735== Stack hash: 3987117885
==14735== at 0x401D898: malloc (vg_replace_malloc.c:207)
==14735== by 0x40930B9: (within /lib/tls/i686/cmov/libc-2.3.6.so)
==14735== by 0x4092CD3: iconv_open (in /lib/tls/i686/cmov/libc-2.3.6.so)
==14735== by 0x807C7F6: mp_msg (mp_msg.c:197)
==14735== by 0x80755EC: print_version (mplayer.c:2399)
==14735== by 0x8076BD3: main (mplayer.c:2573)
==14735==
==14735==
==14735== 120 bytes in 1 blocks are still reachable in loss record 4 of 6
==14735== Stack hash: 3664937563
==14735== at 0x401D898: malloc (vg_replace_malloc.c:207)
==14735== by 0x409B7B4: (within /lib/tls/i686/cmov/libc-2.3.6.so)
==14735== by 0x4094480: (within /lib/tls/i686/cmov/libc-2.3.6.so)
==14735== by 0x4093063: (within /lib/tls/i686/cmov/libc-2.3.6.so)
==14735== by 0x4092CD3: iconv_open (in /lib/tls/i686/cmov/libc-2.3.6.so)
==14735== by 0x807C7F6: mp_msg (mp_msg.c:197)
==14735== by 0x80755EC: print_version (mplayer.c:2399)
==14735== by 0x8076BD3: main (mplayer.c:2573)
==14735==
==14735==
==14735== 4,053 bytes in 3 blocks are definitely lost in loss record 5 of 6
==14735== Stack hash: 2660950998
==14735== at 0x401C882: memalign (vg_replace_malloc.c:460)
==14735== by 0x8548F54: av_malloc (mem.c:61)
==14735== by 0x8548FD6: av_mallocz (mem.c:134)
==14735== by 0x82A71B7: vorbis_header (oggparsevorbis.c:176)
==14735== by 0x82A5D9F: ogg_packet (oggdec.c:369)
==14735== by 0x82A5F01: ogg_read_header (oggdec.c:408)
==14735== by 0x82619FE: av_open_input_stream (utils.c:398)
==14735== by 0x81A3024: demux_open_lavf (demux_lavf.c:459)
==14735== by 0x811E20E: demux_open_stream (demuxer.c:864)
==14735== by 0x811E4E1: demux_open (demuxer.c:991)
==14735== by 0x807799E: main (mplayer.c:3238)
==14735==
==14735==
==14735== 32,640 bytes in 1 blocks are still reachable in loss record 6 of 6
==14735== Stack hash: 481172370
==14735== at 0x401D898: malloc (vg_replace_malloc.c:207)
==14735== by 0x409325E: (within /lib/tls/i686/cmov/libc-2.3.6.so)
==14735== by 0x4092CD3: iconv_open (in /lib/tls/i686/cmov/libc-2.3.6.so)
==14735== by 0x807C7F6: mp_msg (mp_msg.c:197)
==14735== by 0x80755EC: print_version (mplayer.c:2399)
==14735== by 0x8076BD3: main (mplayer.c:2573)
==14735==
==14735== LEAK SUMMARY:
==14735== definitely lost: 4,053 bytes in 3 blocks.
==14735== possibly lost: 0 bytes in 0 blocks.
==14735== still reachable: 32,908 bytes in 12 blocks.
==14735== suppressed: 0 bytes in 0 blocks.

comment:2 Changed 9 years ago by compn

  • Owner changed from r_togni@… to reimar
Note: See TracTickets for help on using tickets.