Opened 11 years ago

Closed 11 years ago

#1147 closed defect (wontfix)

Mplayer crashes on MP4 file and Valgrind reports invalid write of size 1 and uninitialized values

Reported by: quach@… Owned by: r_togni@…
Priority: important Component: demuxer
Version: HEAD Severity: major
Keywords: Cc: zlai88@…, catchconv-bugreports@…
Blocked By: Blocking:
Reproduced by developer: Analyzed by developer:

Description

* Overview: Found a test case .mp4 file for mplayer where mplayer crashes and valgrind 3.3.1
reports invalid write of size 1 and uninitialized values.

The test case is "82-tennis_kid.mp4" available at the URL
http://www.metafuzz.com/testcases/791243-82-3960551551-UninitCondition.tgz

* mplayer version

dev-SVN-r27245-4.1.2

* To reproduce:

1) Play 82-tennis_kid.mp4 using mplayer under Valgrind 3.3.1

* My OS:

Debian Etch Linux, Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz

uname -a:

Linux debian 2.6.18-6-486 #1 Fri Jun 6 21:47:01 UTC 2008 i686 GNU/Linux

gdb backtrace

#0 0xb7e9eb3c in memcpy () from /lib/tls/i686/cmov/libc.so.6
#1 0x0811ccbe in ds_read_packet (ds=0x89a7a50, stream=0x89a68a8, len=<value optimized out>, pts=4.6545138359069824, pos=2176, flags=0) at ./stream/stream.h:218
#2 0x08139f2a in demux_mov_fill_buffer (demuxer=0x89a7160, ds=0x89a7a50) at libmpdemux/demux_mov.c:2173
#3 0x0811ea75 in ds_fill_buffer (ds=0x89a7a50) at libmpdemux/demuxer.c:498
#4 0x0811f118 in ds_get_packet_pts (ds=0x89a7a50, start=0xbf830564, pts=0xbf830558) at libmpdemux/demuxer.c:619
#5 0x0818b4f0 in decode_audio (sh=0x89adf88, buf=0x89bd500 "", minlen=65536, maxlen=114688) at libmpcodecs/ad_faad.c:263
#6 0x080daa75 in decode_audio (sh_audio=0x89adf88, minlen=65536) at libmpcodecs/dec_audio.c:383
#7 0x080784ea in main (argc=2, argv=0xbf831884) at mplayer.c:2044

Disassembly at point of crash

Dump of assembler code from 0xb7ec0b1c to 0xb7ec0b5c:
0xb7ec0b1c <memcpy_chk+12>: pop %es
0xb7ec0b1d <memcpy_chk+13>: add %cl,0x244c8bf6(%ecx)
0xb7ec0b23 <memcpy+3>: or $0x89,%al
0xb7ec0b25 <memcpy+5>: clc
0xb7ec0b26 <memcpy+6>: mov 0x4(%esp),%edi
0xb7ec0b2a <memcpy+10>: mov %esi,%edx
0xb7ec0b2c <memcpy+12>: mov 0x8(%esp),%esi
0xb7ec0b30 <memcpy+16>: cld
0xb7ec0b31 <memcpy+17>: shr %ecx
0xb7ec0b33 <memcpy+19>: jae 0xb7ec0b36 <memcpy+22>
0xb7ec0b35 <memcpy+21>: movsb %ds:(%esi),%es:(%edi)
0xb7ec0b36 <memcpy+22>: shr %ecx
0xb7ec0b38 <memcpy+24>: jae 0xb7ec0b3c <memcpy+28>
0xb7ec0b3a <memcpy+26>: movsw %ds:(%esi),%es:(%edi)
0xb7ec0b3c <memcpy+28>: rep movsl %ds:(%esi),%es:(%edi)
0xb7ec0b3e <memcpy+30>: mov %eax,%edi
0xb7ec0b40 <memcpy+32>: mov %edx,%esi
0xb7ec0b42 <memcpy+34>: mov 0x4(%esp),%eax
0xb7ec0b46 <memcpy+38>: ret
0xb7ec0b47 <memcpy+39>: nop
0xb7ec0b48 <memcpy+40>: nop
0xb7ec0b49 <memcpy+41>: nop
0xb7ec0b4a <memcpy+42>: nop
0xb7ec0b4b <memcpy+43>: nop
0xb7ec0b4c <memcpy+44>: nop
0xb7ec0b4d <memcpy+45>: nop
0xb7ec0b4e <memcpy+46>: nop
0xb7ec0b4f <memcpy+47>: nop
0xb7ec0b50 <memcpy+48>: push %ebp
0xb7ec0b51 <memcpy+49>: mov %esp,%ebp
0xb7ec0b53 <memcpy+51>: sub $0xc,%esp
0xb7ec0b56 <memcpy+54>: mov %esi,0x4(%esp)
0xb7ec0b5a <memcpy+58>: mov 0x10(%ebp),%esi
End of assembler dump.

Contents of registers at point of crash
eax 0x3ffffa59 1073740377
ecx 0x1e0 480
edx 0x89a67c8 144336840
ebx 0x780 1920
esp 0xbfcaf71c 0xbfcaf71c
ebp 0xbfcaf778 0xbfcaf778
esi 0x89a68a8 144337064
edi 0x0 0
eip 0xb7ec0b3c 0xb7ec0b3c <memcpy+28>
eflags 0x200202 [ IF ID ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
st0 0 (raw 0x00000000000000000000)
st1 0 (raw 0x00000000000000000000)
st2 0 (raw 0x00000000000000000000)
st3 -32768 (raw 0xc00e8000000000000000)
st4 32767 (raw 0x400dfffe000000000000)
st5 -32768 (raw 0xc00e8000000000000000)
st6 1.571419239044189453125 (raw 0x3fffc924440000000000)
st7 -9223372036854775808 (raw 0xc03e8000000000000000)
fctrl 0x37f 895
fstat 0x20 32
ftag 0xffff 65535
fiseg 0x73 115
fioff 0x811cc29 135384105
foseg 0x7b 123
fooff 0x89b2254 144384596
fop 0x558 1368

Valgrind output, from command
==18611== Memcheck, a memory error detector.
==18611== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==18611== Using LibVEX rev 1854, a library for dynamic binary translation.
==18611== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==18611== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==18611== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==18611== For more details, rerun with: -v
==18611==
MPlayer dev-SVN-r27245-4.1.2 (C) 2000-2008 MPlayer Team
CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz (Family: 6, Model: 15, Stepping: 6)
CPUflags: MMX: 1 MMX2: 1 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 1
Compiled for x86 CPU with extensions: MMX MMX2 SSE SSE2

Playing 82-tennis_kid.mp4.
libavformat file format detected.
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x863db30]stream 1, missing mandatory atoms, broken header
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x863db30]Could not find codec parameters (Data: 0x0000)
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x863db30]Could not find codec parameters (Audio: mp4a / 0x6134706D, 24000 Hz, stereo)
LAVF_header: av_find_stream_info() failed
ISO: Unknown File Type Major Brand: MSNV
Quicktime/MOV file format detected.
* constant samplesize & variable duration not yet supported! *
Contact the author if you have such sample file!
MOV: durmap and chunkmap sample count differ (0 vs 1423)
[mov] Audio stream found, -aid 1
==========================================================================
Opening audio decoder: [faad] AAC (MPEG2/4 Advanced Audio Coding)
AUDIO: 48000 Hz, 2 ch, s16le, 524.3 kbit/34.13% (ratio: 65536->192000)
Selected audio codec: [faad] afm: faad (FAAD AAC (MPEG-2/MPEG-4 Audio) decoder)
==========================================================================
AO: [oss] 48000Hz 2ch s16le (2 bytes per sample)
Video: no video
Starting playback...
==18611== Conditional jump or move depends on uninitialised value(s)
==18611== Stack hash: 1276958530
==18611== at 0x811EBD3: ds_fill_buffer (demuxer.c:467)
==18611== by 0x811F117: ds_get_packet_pts (demuxer.c:619)
==18611== by 0x818B4EF: decode_audio (ad_faad.c:263)
==18611== by 0x80DAA74: decode_audio (dec_audio.c:383)
==18611== by 0x80784E9: main (mplayer.c:2044)
==18611==
==18611== Conditional jump or move depends on uninitialised value(s)
==18611== Stack hash: 1280706852
==18611== at 0x811EBD5: ds_fill_buffer (demuxer.c:467)
==18611== by 0x811F117: ds_get_packet_pts (demuxer.c:619)
==18611== by 0x818B4EF: decode_audio (ad_faad.c:263)
==18611== by 0x80DAA74: decode_audio (dec_audio.c:383)
==18611== by 0x80784E9: main (mplayer.c:2044)
==18611==
==18611== Conditional jump or move depends on uninitialised value(s)
==18611== Stack hash: 2116101304
==18611== at 0x818B503: decode_audio (ad_faad.c:265)
==18611== by 0x80DAA74: decode_audio (dec_audio.c:383)
==18611== by 0x80784E9: main (mplayer.c:2044)
==18611==
==18611== Conditional jump or move depends on uninitialised value(s)
==18611== Stack hash: 2116109518
==18611== at 0x818B509: decode_audio (ad_faad.c:265)
==18611== by 0x80DAA74: decode_audio (dec_audio.c:383)
==18611== by 0x80784E9: main (mplayer.c:2044)
FAAD: Failed to decode frame: Scalefactor out of range
==18611==
==18611== Invalid write of size 1
==18611== Stack hash: 902152471
==18611== at 0x401FB4A: memcpy (mc_replace_strmem.c:402)
==18611== by 0x811CCBD: ds_read_packet (stream.h:218)
==18611== by 0x8139F29: demux_mov_fill_buffer (demux_mov.c:2173)
==18611== by 0x811EA74: ds_fill_buffer (demuxer.c:498)
==18611== by 0x811F117: ds_get_packet_pts (demuxer.c:619)
==18611== by 0x818B4EF: decode_audio (ad_faad.c:263)
==18611== by 0x80DAA74: decode_audio (dec_audio.c:383)
==18611== by 0x80784E9: main (mplayer.c:2044)
==18611== Address 0x0 is not stack'd, malloc'd or (recently) free'd

MPlayer interrupted by signal 11 in module: decode_audio

  • MPlayer crashed by bad usage of CPU/FPU/RAM. Recompile MPlayer with --enable-debug and make a 'gdb' backtrace and disassembly. Details in DOCS/HTML/en/bugreports_what.html#bugreports_crash.
  • MPlayer crashed. This shouldn't happen. It can be a bug in the MPlayer code _or_ in your drivers _or_ in your gcc version. If you think it's MPlayer's fault, please read DOCS/HTML/en/bugreports.html and follow the instructions there. We can't and won't help unless you provide this information when reporting a possible bug.

==18611==
==18611== ERROR SUMMARY: 17 errors from 5 contexts (suppressed: 21 from 1)
==18611== malloc/free: in use at exit: 419,472 bytes in 2,251 blocks.
==18611== malloc/free: 2,422 allocs, 170 frees, 1,700,168 bytes allocated.
==18611== For counts of detected errors, rerun with: -v
==18611== searching for pointers to 2,251 not-freed blocks.
==18611== checked 3,220,100 bytes.
==18611==
==18611== LEAK SUMMARY:
==18611== definitely lost: 17,088 bytes in 3 blocks.
==18611== possibly lost: 0 bytes in 0 blocks.
==18611== still reachable: 402,384 bytes in 2,248 blocks.
==18611== suppressed: 0 bytes in 0 blocks.
==18611== Rerun with --leak-check=full to see details of leaked memory.

This bug was found as part of the metafuzz project; see http://metafuzz.com/

Change History (4)

comment:1 Changed 11 years ago by reimar

  • Cc zlai88@… added

Bug 1149 has been marked as a duplicate of this bug.

comment:2 Changed 11 years ago by reimar

Bug 1160 has been marked as a duplicate of this bug.

comment:3 Changed 11 years ago by compn

demuxer_mov is deprecated and no longer the default.
Please test with the latest svn and generate a new report.

comment:4 Changed 11 years ago by compn

  • Resolution set to wontfix
  • Status changed from new to closed

