Opened 11 years ago

Closed 11 years ago

#1149 closed defect (duplicate)

Mplayer crashed by conditional jump and invalid write at 0x818B4D9 and 0x401FB4A

Reported by: zlai88@… Owned by: r_togni@…
Priority: normal Component: ad
Version: HEAD Severity: normal
Keywords: Cc: catchconv-bugreports@…
Blocked By: Blocking:
Reproduced by developer: Analyzed by developer:

Description

The fuzzed file 82-tennis_kid.mp4 (in the archive at the URL above) caused MPlayer to crash by bad usage of CPU/FPU/RAM. Valgrind reports conditional jump or move at multiple places and invalid write at 0x401FB4A.

This is reproducible on Linux Debian Etch, with the latest Subversion head mplayer (r27249). The machine used is VMWare Player.

Reproduce as follows:
wget http://www.eecs.berkeley.edu/~zhl210/443098-82-2346858623-UninitCondition.tgz
tar xzf 443098-82-2346858623-UninitCondition.tgz
valgrind mplayer 82-tennis_kid.mp4

Here is the output by Valgrind:

==19658== Memcheck, a memory error detector.
==19658== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==19658== Using LibVEX rev 1854, a library for dynamic binary translation.
==19658== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==19658== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==19658== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==19658== For more details, rerun with: -v
==19658==
MPlayer dev-SVN-r27249-4.1.2 (C) 2000-2008 MPlayer Team
CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz (Family: 6, Model: 15, Stepping: 6)
CPUflags: MMX: 1 MMX2: 1 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 1
Compiled for x86 CPU with extensions: MMX MMX2 SSE SSE2

Playing 82-tennis_kid.mp4.
libavformat file format detected.
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x863daf0]stream 1, missing mandatory atoms, broken header
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x863daf0]Could not find codec parameters (Data: 0x0000)
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x863daf0]Could not find codec parameters (Audio: mp4a / 0x6134706D, 24000 Hz, stereo)
LAVF_header: av_find_stream_info() failed
ISO: Unknown File Type Major Brand: MSNV
Quicktime/MOV file format detected.
* constant samplesize & variable duration not yet supported! *
Contact the author if you have such sample file!
MOV: durmap and chunkmap sample count differ (0 vs 1423)
[mov] Audio stream found, -aid 1
==========================================================================
Opening audio decoder: [faad] AAC (MPEG2/4 Advanced Audio Coding)
AUDIO: 48000 Hz, 2 ch, s16le, 524.3 kbit/34.13% (ratio: 65536->192000)
Selected audio codec: [faad] afm: faad (FAAD AAC (MPEG-2/MPEG-4 Audio) decoder)
==========================================================================
AO: [oss] 48000Hz 2ch s16le (2 bytes per sample)
Video: no video
Starting playback...
==19658== Conditional jump or move depends on uninitialised value(s)
==19658== Stack hash: 1276892818
==19658== at 0x811EBD3: ds_fill_buffer (demuxer.c:467)
==19658== by 0x811F117: ds_get_packet_pts (demuxer.c:619)
==19658== by 0x818B4BF: decode_audio (ad_faad.c:263)
==19658== by 0x80DAA74: decode_audio (dec_audio.c:383)
==19658== by 0x80784E9: main (mplayer.c:2044)
==19658==
==19658== Conditional jump or move depends on uninitialised value(s)
==19658== Stack hash: 1280641140
==19658== at 0x811EBD5: ds_fill_buffer (demuxer.c:467)
==19658== by 0x811F117: ds_get_packet_pts (demuxer.c:619)
==19658== by 0x818B4BF: decode_audio (ad_faad.c:263)
==19658== by 0x80DAA74: decode_audio (dec_audio.c:383)
==19658== by 0x80784E9: main (mplayer.c:2044)
==19658==
==19658== Conditional jump or move depends on uninitialised value(s)
==19658== Stack hash: 2116035592
==19658== at 0x818B4D3: decode_audio (ad_faad.c:265)
==19658== by 0x80DAA74: decode_audio (dec_audio.c:383)
==19658== by 0x80784E9: main (mplayer.c:2044)
==19658==
==19658== Conditional jump or move depends on uninitialised value(s)
==19658== Stack hash: 2116043806
==19658== at 0x818B4D9: decode_audio (ad_faad.c:265)
==19658== by 0x80DAA74: decode_audio (dec_audio.c:383)
==19658== by 0x80784E9: main (mplayer.c:2044)
FAAD: Failed to decode frame: Scalefactor out of range
==19658==
==19658== Invalid write of size 1
==19658== Stack hash: 1868544119
==19658== at 0x401FB4A: memcpy (mc_replace_strmem.c:402)
==19658== by 0x811CCBD: ds_read_packet (stream.h:218)
==19658== by 0x8139EF9: demux_mov_fill_buffer (demux_mov.c:2173)
==19658== by 0x811EA74: ds_fill_buffer (demuxer.c:498)
==19658== by 0x811F117: ds_get_packet_pts (demuxer.c:619)
==19658== by 0x818B4BF: decode_audio (ad_faad.c:263)
==19658== by 0x80DAA74: decode_audio (dec_audio.c:383)
==19658== by 0x80784E9: main (mplayer.c:2044)
==19658== Address 0x0 is not stack'd, malloc'd or (recently) free'd

MPlayer interrupted by signal 11 in module: decode_audio

  • MPlayer crashed by bad usage of CPU/FPU/RAM. Recompile MPlayer with --enable-debug and make a 'gdb' backtrace and disassembly. Details in DOCS/HTML/en/bugreports_what.html#bugreports_crash.
  • MPlayer crashed. This shouldn't happen. It can be a bug in the MPlayer code _or_ in your drivers _or_ in your gcc version. If you think it's MPlayer's fault, please read DOCS/HTML/en/bugreports.html and follow the instructions there. We can't and won't help unless you provide this information when reporting a possible bug.

==19658==
==19658== ERROR SUMMARY: 17 errors from 5 contexts (suppressed: 21 from 1)
==19658== malloc/free: in use at exit: 419,472 bytes in 2,251 blocks.
==19658== malloc/free: 2,422 allocs, 170 frees, 1,700,223 bytes allocated.
==19658== For counts of detected errors, rerun with: -v
==19658== searching for pointers to 2,251 not-freed blocks.
==19658== checked 3,220,020 bytes.
==19658==
==19658== LEAK SUMMARY:
==19658== definitely lost: 17,088 bytes in 3 blocks.
==19658== possibly lost: 0 bytes in 0 blocks.
==19658== still reachable: 402,384 bytes in 2,248 blocks.
==19658== suppressed: 0 bytes in 0 blocks.
==19658== Rerun with --leak-check=full to see details of leaked memory.

Here is the backtrace using gdb:

MPlayer dev-SVN-r27249-4.1.2 (C) 2000-2008 MPlayer Team
CPU: Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz (Family: 6, Model: 15, Stepping: 13)
CPUflags: MMX: 1 MMX2: 1 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 1
Compiled for x86 CPU with extensions: MMX MMX2 SSE SSE2
get_path('codecs.conf') -> '/home/user/.mplayer/codecs.conf'
Reading /home/user/.mplayer/codecs.conf: Can't open '/home/user/.mplayer/codecs.conf': No such file or directory
Reading /usr/local/etc/mplayer/codecs.conf: Can't open '/usr/local/etc/mplayer/codecs.conf': No such file or directory
Using built-in default codecs.conf.
Configuration: --enable-debug=3
CommandLine: '-v' '82-tennis_kid.mp4'
get_path('font/font.desc') -> '/home/user/.mplayer/font/font.desc'
font: can't open file: /home/user/.mplayer/font/font.desc
font: can't open file: /usr/local/share/mplayer/font/font.desc
Using MMX (with tiny bit MMX2) Optimized OnScreenDisplay
Using nanosleep() timing
get_path('input.conf') -> '/home/user/.mplayer/input.conf'
Can't open input config file /home/user/.mplayer/input.conf: No such file or directory
Can't open input config file /usr/local/etc/mplayer/input.conf: No such file or directory
Falling back on default (hardcoded) input config
get_path('82-tennis_kid.mp4.conf') -> '/home/user/.mplayer/82-tennis_kid.mp4.conf'

Playing 82-tennis_kid.mp4.
get_path('sub/') -> '/home/user/.mplayer/sub/'

[file] File size is 4847495 bytes
STREAM: [file] 82-tennis_kid.mp4
STREAM: Description: File
STREAM: Author: Albeu
STREAM: Comment: based on the code from ??? (probably Arpi)
LAVF_check: QuickTime/MPEG-4/Motion JPEG 2000 format
libavformat file format detected.
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x863daf0]stream 1, missing mandatory atoms, broken header
stream_seek: WARNING! Can't seek to 0x49F787 !
stream_seek: WARNING! Can't seek to 0x49F79B !
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x863daf0]Could not find codec parameters (Data: 0x0000)
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x863daf0]Could not find codec parameters (Audio: mp4a / 0x6134706D, 24000 Hz, stereo)
LAVF_header: av_find_stream_info() failed
Checking for YUV4MPEG2
ASF_check: not ASF guid!
Checking for NuppelVideo
Checking for REAL
Checking for SMJPEG
Checking for Nullsoft Streaming Video
Checking for MOV
ISO: Unknown File Type Major Brand: MSNV
ISO: File Type Minor Version: 512
ISO: File Type Compatible Brand #0: MSNV
MOV: unknown chunk: uuid 148
MOV: Movie DATA found!
MOV: Movie header found!
MOV: unknown chunk: 4812533
stream_seek: WARNING! Can't seek to 0x93657C !
Quicktime/MOV file format detected.
MOV: unknown chunk: mwhd 100


MOV: Track #0:
MOV: unknown chunk: tkhf 84
MOV: Edit atom!
MOV: Edit list table (1 entries) (ver:0,flags:0)
MOV: entry#0: duration: 5447442 start time: 0 speed: 1.0x
MOV: Media stream!
MOV: Media header!
MOV: unknown chunk: $<F1> 3080248
MOV: unknown chunk: uuid 44
MOV track #0: 0 chunks, 0 samples
pts=5447442 scale=90000 time=60.527
* constant samplesize & variable duration not yet supported! *
Contact the author if you have such sample file!
Unknown track type found (type: 0)


MOV: Track #1:
MOV: Track header!
tkhd len=84 ver=0 flags=0x0 id=2 dur=5464320 lay=0 vol=256
MOV: unknown chunk: edt<F3> 28
MOV: Media stream!
MOV: Media header!
MOV: Handler header: /souo () SoundHandler
MOV: unknown handler class: 0x0 ()
MOV: Media info!
MOV: Sound header!
MOV: unknown chunk: dinf 28
MOV: Sample info!
MOV: Description list! (cnt:1)
MOV: desc #0: mp4a (59 bytes)
MOV: unknown chunk: stvs 16
MOV: Sample->Chunk mapping table! (1 blocks) (ver:0,flags:0)
MOV: Sample size table! (entries=1423 ss=0) (ver:0,flags:0)
MOV: Chunk offset table! (1423 chunks)
MOV: unknown chunk: uuid 44
MOV track #1: 1423 chunks, 1423 samples
pts=1457152 scale=536894912 time=0.003
MOV: durmap and chunkmap sample count differ (0 vs 1423)
==> Found audio stream: 1
[mov] Audio stream found, -aid 1
Audio bits: 16 chans: 2 rate: 24000
MOV: Found MPEG4 audio Elementary Stream Descriptor atom (39)!
ESDS MPEG4 version: 0 flags: 0x000000
ESDS MPEG4 ES Descriptor (25Bytes):

-> ESId: 0
-> streamPriority: 64

ESDS MPEG4 Decoder Config Descriptor (17Bytes):

-> objectTypeId: 64
-> streamType: 0x15
-> bufferSizeDB: 0x001800
-> maxBitrate: 0.000kbit/s
-> avgBitrate: 524.288kbit/s

ESDS MPEG4 Decoder Specific Descriptor (2Bytes)
ESDS MPEG4 Sync Layer Config Descriptor (1Bytes)

-> predefined: 2

Fourcc: mp4a


MOV: longest streams: A: #1 (1423 samples) V: #-1 (0 samples)
==========================================================================
Opening audio decoder: [faad] AAC (MPEG2/4 Advanced Audio Coding)
dec_audio: Allocating 4608 bytes for input buffer.
dec_audio: Allocating 49152 + 65536 = 114688 bytes for output buffer.
FAAD: Decoder init done (0Bytes)!
FAAD: Negotiated samplerate: 48000Hz channels: 2
FAAD: got 524kbit/s bitrate from MP4 header!
AUDIO: 48000 Hz, 2 ch, s16le, 524.3 kbit/34.13% (ratio: 65536->192000)
Selected audio codec: [faad] afm: faad (FAAD AAC (MPEG-2/MPEG-4 Audio) decoder)
==========================================================================
Building audio filter chain for 48000Hz/2ch/s16le -> 0Hz/0ch/??...
[libaf] Adding filter dummy
[dummy] Was reinitialized: 48000Hz/2ch/s16le
[dummy] Was reinitialized: 48000Hz/2ch/s16le
Trying every known audio driver...
ao2: 48000 Hz 2 chans s16le
audio_setup: using '/dev/dsp' dsp device
audio_setup: using '/dev/mixer' mixer device
audio_setup: using 'pcm' mixer device
audio_setup: sample format: s16le (requested: s16le)
audio_setup: using 2 channels (requested: 2)
audio_setup: using 48000 Hz samplerate (requested: 48000)
audio_setup: frags: 8/8 (8192 bytes/frag) free: 65536
AO: [oss] 48000Hz 2ch s16le (2 bytes per sample)
AO: Description: OSS/ioctl audio output
AO: Author: A'rpi
Building audio filter chain for 48000Hz/2ch/s16le -> 48000Hz/2ch/s16le...
[dummy] Was reinitialized: 48000Hz/2ch/s16le
[dummy] Was reinitialized: 48000Hz/2ch/s16le
Video: no video
Freeing 0 unused video chunks.
Starting playback...
FAAD: Failed to decode frame: Scalefactor out of range

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1209677152 (LWP 20259)]
0xb7ec9b3c in memcpy () from /lib/tls/i686/cmov/libc.so.6
(gdb) bt
#0 0xb7ec9b3c in memcpy () from /lib/tls/i686/cmov/libc.so.6
#1 0x0811ccbe in ds_read_packet (ds=0x89a7a48, stream=0x89a68a0, len=<value optimized out>, pts=4.6545138359069824, pos=2176, flags=0) at ./stream/stream.h:218
#2 0x08139efa in demux_mov_fill_buffer (demuxer=0x89a7158, ds=0x89a7a48) at libmpdemux/demux_mov.c:2173
#3 0x0811ea75 in ds_fill_buffer (ds=0x89a7a48) at libmpdemux/demuxer.c:498
#4 0x0811f118 in ds_get_packet_pts (ds=0x89a7a48, start=0xbfffe414, pts=0xbfffe408) at libmpdemux/demuxer.c:619
#5 0x0818b4c0 in decode_audio (sh=0x89adf80, buf=0x89bd4e0 "", minlen=65536, maxlen=114688) at libmpcodecs/ad_faad.c:263
#6 0x080daa75 in decode_audio (sh_audio=0x89adf80, minlen=65536) at libmpcodecs/dec_audio.c:383
#7 0x080784ea in main (argc=3, argv=0xbffff734) at mplayer.c:2044
(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0xb7ec9b1c to 0xb7ec9b5c:
0xb7ec9b1c <memcpy_chk+12>: pop %es
0xb7ec9b1d <memcpy_chk+13>: add %cl,0x244c8bf6(%ecx)
0xb7ec9b23 <memcpy+3>: or $0x89,%al
0xb7ec9b25 <memcpy+5>: clc
0xb7ec9b26 <memcpy+6>: mov 0x4(%esp),%edi
0xb7ec9b2a <memcpy+10>: mov %esi,%edx
0xb7ec9b2c <memcpy+12>: mov 0x8(%esp),%esi
0xb7ec9b30 <memcpy+16>: cld
0xb7ec9b31 <memcpy+17>: shr %ecx
0xb7ec9b33 <memcpy+19>: jae 0xb7ec9b36 <memcpy+22>
0xb7ec9b35 <memcpy+21>: movsb %ds:(%esi),%es:(%edi)
0xb7ec9b36 <memcpy+22>: shr %ecx
0xb7ec9b38 <memcpy+24>: jae 0xb7ec9b3c <memcpy+28>
0xb7ec9b3a <memcpy+26>: movsw %ds:(%esi),%es:(%edi)
0xb7ec9b3c <memcpy+28>: rep movsl %ds:(%esi),%es:(%edi)
0xb7ec9b3e <memcpy+30>: mov %eax,%edi
0xb7ec9b40 <memcpy+32>: mov %edx,%esi
0xb7ec9b42 <memcpy+34>: mov 0x4(%esp),%eax
0xb7ec9b46 <memcpy+38>: ret
0xb7ec9b47 <memcpy+39>: nop
0xb7ec9b48 <memcpy+40>: nop
0xb7ec9b49 <memcpy+41>: nop
0xb7ec9b4a <memcpy+42>: nop
0xb7ec9b4b <memcpy+43>: nop
0xb7ec9b4c <memcpy+44>: nop
0xb7ec9b4d <memcpy+45>: nop
0xb7ec9b4e <memcpy+46>: nop
0xb7ec9b4f <memcpy+47>: nop
0xb7ec9b50 <memcpy+48>: push %ebp
0xb7ec9b51 <memcpy+49>: mov %esp,%ebp
0xb7ec9b53 <memcpy+51>: sub $0xc,%esp
0xb7ec9b56 <memcpy+54>: mov %esi,0x4(%esp)
0xb7ec9b5a <memcpy+58>: mov 0x10(%ebp),%esi
End of assembler dump.
(gdb) info all-registers
eax 0x3ffffa59 1073740377
ecx 0x1e0 480
edx 0x89a67c0 144336832
ebx 0x780 1920
esp 0xbfffe28c 0xbfffe28c
ebp 0xbfffe2e8 0xbfffe2e8
esi 0x89a68a0 144337056
edi 0x0 0
eip 0xb7ec9b3c 0xb7ec9b3c <memcpy+28>
eflags 0x210202 [ IF RF ID ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
st0 0 (raw 0x00000000000000000000)
st1 0 (raw 0x00000000000000000000)
st2 0 (raw 0x00000000000000000000)
st3 -32768 (raw 0xc00e8000000000000000)
st4 32767 (raw 0x400dfffe000000000000)
st5 -32768 (raw 0xc00e8000000000000000)
st6 1.571419239044189453125 (raw 0x3fffc924440000000000)

This bug was found as part of the SUPERB-TRUST 2008 project.

Change History (1)

comment:1 Changed 11 years ago by reimar

  • Resolution set to duplicate
  • Status changed from new to closed

* This bug has been marked as a duplicate of bug 1147 *
