Opened 11 years ago

Closed 9 years ago

#1151 closed defect (duplicate)

Error in Audio Decoding: Invalid Read and Conditional jump or move depends on uninitialised value(s)

Reported by: sckhan@…
Owned by: reimar
Priority: normal
Component: ad
Version: HEAD
Severity: normal
Keywords:
Cc: catchconv-bugreports@…
Blocked By:
Blocking:
Reproduced by developer:
Analyzed by developer:

Description

The following report is for the SUPERB-TRUST 2008, the cyber security project.

#Error found with a test case .ogg file for mplayer version (dev-SVN-r27249-4.1.2); valgrind reports a memory reallocation error.

#The test case is "47-chesh.ogg" and can be found at the URL

*http://www.cs.berkeley.edu/~sckhan/47-chesh.ogg

#Reproducible with the following command

*valgrind mplayer 47-chesh.ogg

Can also be run as:

*valgrind --log-file=log2 mplayer 47-chesh.ogg

#OS: Debian Etch Linux

#Valgrind output:

==25920== Memcheck, a memory error detector.
==25920== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==25920== Using LibVEX rev 1854, a library for dynamic binary translation.
==25920== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks? LLP.
==25920== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==25920== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==25920== For more details, rerun with: -v
==25920==
==25920== My PID = 25920, parent PID = 2880. Prog and args are:
==25920== mplayer
==25920== 47-chesh.ogg
==25920==
==25920== Invalid read of size 1
==25920== Stack hash: 2560829294
==25920== at 0x84FDA41: vorbis_parse_setup_hdr_codebooks (bitstream.h:691)
==25920== by 0x84FE677: vorbis_decode_init (vorbis_dec.c:816)
==25920== by 0x82EDFAD: avcodec_open (utils.c:831)
==25920== by 0x826450A: av_find_stream_info (utils.c:1760)
==25920== by 0x81A318E: demux_open_lavf (demux_lavf.c:466)
==25920== by 0x811E32E: demux_open_stream (demuxer.c:864)
==25920== by 0x811E601: demux_open (demuxer.c:991)
==25920== by 0x807799E: main (mplayer.c:3238)
==25920== Address 0x43354f8 is 0 bytes after a block of size 1,608 alloc'd
==25920== Stack hash: 2071595589
==25920== at 0x401D96E: realloc (vg_replace_malloc.c:429)
==25920== by 0x82A73EF: vorbis_header (oggparsevorbis.c:149)
==25920== by 0x82A5ECF: ogg_packet (oggdec.c:369)
==25920== by 0x82A6031: ogg_read_header (oggdec.c:408)
==25920== by 0x8261B2E: av_open_input_stream (utils.c:398)
==25920== by 0x81A316D: demux_open_lavf (demux_lavf.c:459)
==25920== by 0x811E32E: demux_open_stream (demuxer.c:864)
==25920== by 0x811E601: demux_open (demuxer.c:991)
==25920== by 0x807799E: main (mplayer.c:3238)
==25920==
==25920== Invalid read of size 4
==25920== Stack hash: 3527421571
==25920== at 0x84FDA6A: vorbis_parse_setup_hdr_codebooks (bitstream.h:659)
==25920== by 0x84FE677: vorbis_decode_init (vorbis_dec.c:816)
==25920== by 0x82EDFAD: avcodec_open (utils.c:831)
==25920== by 0x826450A: av_find_stream_info (utils.c:1760)
==25920== by 0x81A318E: demux_open_lavf (demux_lavf.c:466)
==25920== by 0x811E32E: demux_open_stream (demuxer.c:864)
==25920== by 0x811E601: demux_open (demuxer.c:991)
==25920== by 0x807799E: main (mplayer.c:3238)
==25920== Address 0x4335564 is not stack'd, malloc'd or (recently) free'd
==25920==
==25920== Invalid read of size 4
==25920== Stack hash: 2260638457
==25920== at 0x84FD738: vorbis_parse_setup_hdr_codebooks (bitstream.h:659)
==25920== by 0x84FE677: vorbis_decode_init (vorbis_dec.c:816)
==25920== by 0x82EDFAD: avcodec_open (utils.c:831)
==25920== by 0x826450A: av_find_stream_info (utils.c:1760)
==25920== by 0x81A318E: demux_open_lavf (demux_lavf.c:466)
==25920== by 0x811E32E: demux_open_stream (demuxer.c:864)
==25920== by 0x811E601: demux_open (demuxer.c:991)
==25920== by 0x807799E: main (mplayer.c:3238)
==25920== Address 0x433579b is 27 bytes inside a block of size 65,307 free'd
==25920== Stack hash: 3194140528
==25920== at 0x401D43C: free (vg_replace_malloc.c:323)
==25920== by 0x82A627C: ogg_read_header (oggdec.c:94)
==25920== by 0x8261B2E: av_open_input_stream (utils.c:398)
==25920== by 0x81A316D: demux_open_lavf (demux_lavf.c:459)
==25920== by 0x811E32E: demux_open_stream (demuxer.c:864)
==25920== by 0x811E601: demux_open (demuxer.c:991)
==25920== by 0x807799E: main (mplayer.c:3238)
==25920==
==25920== Conditional jump or move depends on uninitialised value(s)
==25920== Stack hash: 3708020364
==25920== at 0x84FDA57: vorbis_parse_setup_hdr_codebooks (vorbis_dec.c:285)
==25920== by 0x84FE677: vorbis_decode_init (vorbis_dec.c:816)
==25920== by 0x82EDFAD: avcodec_open (utils.c:831)
==25920== by 0x826450A: av_find_stream_info (utils.c:1760)
==25920== by 0x81A318E: demux_open_lavf (demux_lavf.c:466)
==25920== by 0x811E32E: demux_open_stream (demuxer.c:864)
==25920== by 0x811E601: demux_open (demuxer.c:991)
==25920== by 0x807799E: main (mplayer.c:3238)
==25920==
==25920== Conditional jump or move depends on uninitialised value(s)
==25920== Stack hash: 2653635199
==25920== at 0x84FD756: vorbis_parse_setup_hdr_codebooks (vorbis_dec.c:333)
==25920== by 0x84FE677: vorbis_decode_init (vorbis_dec.c:816)
==25920== by 0x82EDFAD: avcodec_open (utils.c:831)
==25920== by 0x826450A: av_find_stream_info (utils.c:1760)
==25920== by 0x81A318E: demux_open_lavf (demux_lavf.c:466)
==25920== by 0x811E32E: demux_open_stream (demuxer.c:864)
==25920== by 0x811E601: demux_open (demuxer.c:991)
==25920== by 0x807799E: main (mplayer.c:3238)
==25920==
==25920== Conditional jump or move depends on uninitialised value(s)
==25920== Stack hash: 1014247629
==25920== at 0x84FD75C: vorbis_parse_setup_hdr_codebooks (vorbis_dec.c:393)
==25920== by 0x84FE677: vorbis_decode_init (vorbis_dec.c:816)
==25920== by 0x82EDFAD: avcodec_open (utils.c:831)
==25920== by 0x826450A: av_find_stream_info (utils.c:1760)
==25920== by 0x81A318E: demux_open_lavf (demux_lavf.c:466)
==25920== by 0x811E32E: demux_open_stream (demuxer.c:864)
==25920== by 0x811E601: demux_open (demuxer.c:991)
==25920== by 0x807799E: main (mplayer.c:3238)
==25920==
==25920== Invalid read of size 4
==25920== Stack hash: 2624427606
==25920== at 0x84FDAC9: vorbis_parse_setup_hdr_codebooks (bitstream.h:659)
==25920== by 0x84FE677: vorbis_decode_init (vorbis_dec.c:816)
==25920== by 0x82EDFAD: avcodec_open (utils.c:831)
==25920== by 0x826450A: av_find_stream_info (utils.c:1760)
==25920== by 0x81A318E: demux_open_lavf (demux_lavf.c:466)
==25920== by 0x811E32E: demux_open_stream (demuxer.c:864)
==25920== by 0x811E601: demux_open (demuxer.c:991)
==25920== by 0x807799E: main (mplayer.c:3238)
==25920== Address 0x4335846 is 710 bytes inside a block of size 1,024 free'd
==25920== Stack hash: 4115591075
==25920== at 0x401D96E: realloc (vg_replace_malloc.c:429)
==25920== by 0x853D760: build_table (bitstream.c:132)
==25920== by 0x853DA76: build_table (bitstream.c:231)
==25920== by 0x853DB40: init_vlc_sparse (bitstream.c:302)
==25920== by 0x84FD856: vorbis_parse_setup_hdr_codebooks (vorbis_dec.c:412)
==25920== by 0x84FE677: vorbis_decode_init (vorbis_dec.c:816)
==25920== by 0x82EDFAD: avcodec_open (utils.c:831)
==25920== by 0x826450A: av_find_stream_info (utils.c:1760)
==25920== by 0x81A318E: demux_open_lavf (demux_lavf.c:466)
==25920== by 0x811E32E: demux_open_stream (demuxer.c:864)
==25920== by 0x811E601: demux_open (demuxer.c:991)
==25920== by 0x807799E: main (mplayer.c:3238)
==25920==
==25920== Invalid read of size 4
==25920== Stack hash: 361844622
==25920== at 0x84FDAE1: vorbis_parse_setup_hdr_codebooks (bitstream.h:659)
==25920== by 0x84FE677: vorbis_decode_init (vorbis_dec.c:816)
==25920== by 0x82EDFAD: avcodec_open (utils.c:831)
==25920== by 0x826450A: av_find_stream_info (utils.c:1760)
==25920== by 0x81A318E: demux_open_lavf (demux_lavf.c:466)
==25920== by 0x811E32E: demux_open_stream (demuxer.c:864)
==25920== by 0x811E601: demux_open (demuxer.c:991)
==25920== by 0x807799E: main (mplayer.c:3238)
==25920== Address 0x4335848 is 712 bytes inside a block of size 1,024 free'd
==25920== Stack hash: 4115591075
==25920== at 0x401D96E: realloc (vg_replace_malloc.c:429)
==25920== by 0x853D760: build_table (bitstream.c:132)
==25920== by 0x853DA76: build_table (bitstream.c:231)
==25920== by 0x853DB40: init_vlc_sparse (bitstream.c:302)
==25920== by 0x84FD856: vorbis_parse_setup_hdr_codebooks (vorbis_dec.c:412)
==25920== by 0x84FE677: vorbis_decode_init (vorbis_dec.c:816)
==25920== by 0x82EDFAD: avcodec_open (utils.c:831)
==25920== by 0x826450A: av_find_stream_info (utils.c:1760)
==25920== by 0x81A318E: demux_open_lavf (demux_lavf.c:466)
==25920== by 0x811E32E: demux_open_stream (demuxer.c:864)
==25920== by 0x811E601: demux_open (demuxer.c:991)
==25920== by 0x807799E: main (mplayer.c:3238)
==25920==
==25920== Invalid read of size 4
==25920== Stack hash: 1016839192
==25920== at 0x84FDB13: vorbis_parse_setup_hdr_codebooks (bitstream.h:659)
==25920== by 0x84FE677: vorbis_decode_init (vorbis_dec.c:816)
==25920== by 0x82EDFAD: avcodec_open (utils.c:831)
==25920== by 0x826450A: av_find_stream_info (utils.c:1760)
==25920== by 0x81A318E: demux_open_lavf (demux_lavf.c:466)
==25920== by 0x811E32E: demux_open_stream (demuxer.c:864)
==25920== by 0x811E601: demux_open (demuxer.c:991)
==25920== by 0x807799E: main (mplayer.c:3238)
==25920== Address 0x433584a is 714 bytes inside a block of size 1,024 free'd
==25920== Stack hash: 4115591075
==25920== at 0x401D96E: realloc (vg_replace_malloc.c:429)
==25920== by 0x853D760: build_table (bitstream.c:132)
==25920== by 0x853DA76: build_table (bitstream.c:231)
==25920== by 0x853DB40: init_vlc_sparse (bitstream.c:302)
==25920== by 0x84FD856: vorbis_parse_setup_hdr_codebooks (vorbis_dec.c:412)
==25920== by 0x84FE677: vorbis_decode_init (vorbis_dec.c:816)
==25920== by 0x82EDFAD: avcodec_open (utils.c:831)
==25920== by 0x826450A: av_find_stream_info (utils.c:1760)
==25920== by 0x81A318E: demux_open_lavf (demux_lavf.c:466)
==25920== by 0x811E32E: demux_open_stream (demuxer.c:864)
==25920== by 0x811E601: demux_open (demuxer.c:991)
==25920== by 0x807799E: main (mplayer.c:3238)
==25920==
==25920== Invalid read of size 4
==25920== Stack hash: 3049223504
==25920== at 0x84FDB2B: vorbis_parse_setup_hdr_codebooks (bitstream.h:659)
==25920== by 0x84FE677: vorbis_decode_init (vorbis_dec.c:816)
==25920== by 0x82EDFAD: avcodec_open (utils.c:831)
==25920== by 0x826450A: av_find_stream_info (utils.c:1760)
==25920== by 0x81A318E: demux_open_lavf (demux_lavf.c:466)
==25920== by 0x811E32E: demux_open_stream (demuxer.c:864)
==25920== by 0x811E601: demux_open (demuxer.c:991)
==25920== by 0x807799E: main (mplayer.c:3238)
==25920== Address 0x433584c is 716 bytes inside a block of size 1,024 free'd
==25920== Stack hash: 4115591075
==25920== at 0x401D96E: realloc (vg_replace_malloc.c:429)
==25920== by 0x853D760: build_table (bitstream.c:132)
==25920== by 0x853DA76: build_table (bitstream.c:231)
==25920== by 0x853DB40: init_vlc_sparse (bitstream.c:302)
==25920== by 0x84FD856: vorbis_parse_setup_hdr_codebooks (vorbis_dec.c:412)
==25920== by 0x84FE677: vorbis_decode_init (vorbis_dec.c:816)
==25920== by 0x82EDFAD: avcodec_open (utils.c:831)
==25920== by 0x826450A: av_find_stream_info (utils.c:1760)
==25920== by 0x81A318E: demux_open_lavf (demux_lavf.c:466)
==25920== by 0x811E32E: demux_open_stream (demuxer.c:864)
==25920== by 0x811E601: demux_open (demuxer.c:991)
==25920== by 0x807799E: main (mplayer.c:3238)
==25920==
==25920== Invalid read of size 4
==25920== Stack hash: 1622233883
==25920== at 0x84FDB62: vorbis_parse_setup_hdr_codebooks (bitstream.h:658)
==25920== by 0x84FE677: vorbis_decode_init (vorbis_dec.c:816)
==25920== by 0x82EDFAD: avcodec_open (utils.c:831)
==25920== by 0x826450A: av_find_stream_info (utils.c:1760)
==25920== by 0x81A318E: demux_open_lavf (demux_lavf.c:466)
==25920== by 0x811E32E: demux_open_stream (demuxer.c:864)
==25920== by 0x811E601: demux_open (demuxer.c:991)
==25920== by 0x807799E: main (mplayer.c:3238)
==25920== Address 0x433584e is 718 bytes inside a block of size 1,024 free'd
==25920== Stack hash: 4115591075
==25920== at 0x401D96E: realloc (vg_replace_malloc.c:429)
==25920== by 0x853D760: build_table (bitstream.c:132)
==25920== by 0x853DA76: build_table (bitstream.c:231)
==25920== by 0x853DB40: init_vlc_sparse (bitstream.c:302)
==25920== by 0x84FD856: vorbis_parse_setup_hdr_codebooks (vorbis_dec.c:412)
==25920== by 0x84FE677: vorbis_decode_init (vorbis_dec.c:816)
==25920== by 0x82EDFAD: avcodec_open (utils.c:831)
==25920== by 0x826450A: av_find_stream_info (utils.c:1760)
==25920== by 0x81A318E: demux_open_lavf (demux_lavf.c:466)
==25920== by 0x811E32E: demux_open_stream (demuxer.c:864)
==25920== by 0x811E601: demux_open (demuxer.c:991)
==25920== by 0x807799E: main (mplayer.c:3238)
==25920==
==25920== Invalid read of size 1
==25920== Stack hash: 4097214816
==25920== at 0x84FDB7B: vorbis_parse_setup_hdr_codebooks (bitstream.h:691)
==25920== by 0x84FE677: vorbis_decode_init (vorbis_dec.c:816)
==25920== by 0x82EDFAD: avcodec_open (utils.c:831)
==25920== by 0x826450A: av_find_stream_info (utils.c:1760)
==25920== by 0x81A318E: demux_open_lavf (demux_lavf.c:466)
==25920== by 0x811E32E: demux_open_stream (demuxer.c:864)
==25920== by 0x811E601: demux_open (demuxer.c:991)
==25920== by 0x807799E: main (mplayer.c:3238)
==25920== Address 0x433584f is 719 bytes inside a block of size 1,024 free'd
==25920== Stack hash: 4115591075
==25920== at 0x401D96E: realloc (vg_replace_malloc.c:429)
==25920== by 0x853D760: build_table (bitstream.c:132)
==25920== by 0x853DA76: build_table (bitstream.c:231)
==25920== by 0x853DB40: init_vlc_sparse (bitstream.c:302)
==25920== by 0x84FD856: vorbis_parse_setup_hdr_codebooks (vorbis_dec.c:412)
==25920== by 0x84FE677: vorbis_decode_init (vorbis_dec.c:816)
==25920== by 0x82EDFAD: avcodec_open (utils.c:831)
==25920== by 0x826450A: av_find_stream_info (utils.c:1760)
==25920== by 0x81A318E: demux_open_lavf (demux_lavf.c:466)
==25920== by 0x811E32E: demux_open_stream (demuxer.c:864)
==25920== by 0x811E601: demux_open (demuxer.c:991)
==25920== by 0x807799E: main (mplayer.c:3238)
==25920==
==25920== Invalid read of size 4
==25920== Stack hash: 1866430988
==25920== at 0x84FDBD7: vorbis_parse_setup_hdr_codebooks (bitstream.h:659)
==25920== by 0x84FE677: vorbis_decode_init (vorbis_dec.c:816)
==25920== by 0x82EDFAD: avcodec_open (utils.c:831)
==25920== by 0x826450A: av_find_stream_info (utils.c:1760)
==25920== by 0x81A318E: demux_open_lavf (demux_lavf.c:466)
==25920== by 0x811E32E: demux_open_stream (demuxer.c:864)
==25920== by 0x811E601: demux_open (demuxer.c:991)
==25920== by 0x807799E: main (mplayer.c:3238)
==25920== Address 0x433584f is 719 bytes inside a block of size 1,024 free'd
==25920== Stack hash: 4115591075
==25920== at 0x401D96E: realloc (vg_replace_malloc.c:429)
==25920== by 0x853D760: build_table (bitstream.c:132)
==25920== by 0x853DA76: build_table (bitstream.c:231)
==25920== by 0x853DB40: init_vlc_sparse (bitstream.c:302)
==25920== by 0x84FD856: vorbis_parse_setup_hdr_codebooks (vorbis_dec.c:412)
==25920== by 0x84FE677: vorbis_decode_init (vorbis_dec.c:816)
==25920== by 0x82EDFAD: avcodec_open (utils.c:831)
==25920== by 0x826450A: av_find_stream_info (utils.c:1760)
==25920== by 0x81A318E: demux_open_lavf (demux_lavf.c:466)
==25920== by 0x811E32E: demux_open_stream (demuxer.c:864)
==25920== by 0x811E601: demux_open (demuxer.c:991)
==25920== by 0x807799E: main (mplayer.c:3238)
==25920==
==25920== ERROR SUMMARY: 3637853 errors from 13 contexts (suppressed: 19 from 1)
==25920== malloc/free: in use at exit: 34,505 bytes in 14 blocks.
==25920== malloc/free: 60,314 allocs, 60,300 frees, 380,445,581 bytes allocated.
==25920== For counts of detected errors, rerun with: -v
==25920== searching for pointers to 14 not-freed blocks.
==25920== checked 2,861,720 bytes.
==25920==
==25920== LEAK SUMMARY:
==25920== definitely lost: 1,605 bytes in 3 blocks.
==25920== possibly lost: 0 bytes in 0 blocks.
==25920== still reachable: 32,900 bytes in 11 blocks.
==25920== suppressed: 0 bytes in 0 blocks.
==25920== Rerun with --leak-check=full to see details of leaked memory.

#The above valgrind output is saved as a log file (log2) and can be found at the URL:

*http://www.eecs.berkeley.edu/~sckhan/log2

#One of the bugs my colleague reported is in relation to realloc (vg_replace_malloc.c:429); however, in back-tracing the stack, the steps for finding the error are different. The main reason for the crash in this report is the error in the audio decoder.

The bug was found while making a comparison of fuzzing tools and is part of the metafuzz project.

*URL at: metafuzz.com
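A log like the one above is long because memcheck reports every access separately, even when hundreds of them hit the same instruction. The script below is an added triage example, not part of the ticket or of MPlayer; it parses memcheck's "==PID==" lines into records, tags each report with a rough defect class (heap over-read past an alloc'd block, read from a free'd block, read of an address with no known block, use of an uninitialised value) and collapses the reports by the frame where the access happened, so that the distinct sites and their allocation or free stacks stand out. The embedded log excerpt is constructed for this example and modelled on the ticket's output; it is not the ticket's log.

```python
"""Triage helper for Valgrind memcheck output (added example, not MPlayer code)."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed excerpt modelled on the ticket's valgrind output (PID and hashes invented).
SAMPLE_LOG = """\
==4242== Memcheck, a memory error detector.
==4242==
==4242== Invalid read of size 1
==4242== Stack hash: 1111111111
==4242==    at 0x84FDA41: vorbis_parse_setup_hdr_codebooks (bitstream.h:691)
==4242==    by 0x84FE677: vorbis_decode_init (vorbis_dec.c:816)
==4242==    by 0x807799E: main (mplayer.c:3238)
==4242==  Address 0x43354f8 is 0 bytes after a block of size 1,608 alloc'd
==4242==    at 0x401D96E: realloc (vg_replace_malloc.c:429)
==4242==    by 0x82A73EF: vorbis_header (oggparsevorbis.c:149)
==4242==
==4242== Invalid read of size 4
==4242==    at 0x84FDA6A: vorbis_parse_setup_hdr_codebooks (bitstream.h:659)
==4242==    by 0x84FE677: vorbis_decode_init (vorbis_dec.c:816)
==4242==  Address 0x4335564 is not stack'd, malloc'd or (recently) free'd
==4242==
==4242== Conditional jump or move depends on uninitialised value(s)
==4242==    at 0x84FDA57: vorbis_parse_setup_hdr_codebooks (vorbis_dec.c:285)
==4242==    by 0x84FE677: vorbis_decode_init (vorbis_dec.c:816)
==4242==
==4242== Invalid read of size 4
==4242==    at 0x84FDAC9: vorbis_parse_setup_hdr_codebooks (bitstream.h:659)
==4242==    by 0x84FE677: vorbis_decode_init (vorbis_dec.c:816)
==4242==  Address 0x4335846 is 710 bytes inside a block of size 1,024 free'd
==4242==    at 0x401D96E: realloc (vg_replace_malloc.c:429)
==4242==    by 0x853D760: build_table (bitstream.c:132)
==4242==
==4242== Invalid read of size 4
==4242==    at 0x84FDAE1: vorbis_parse_setup_hdr_codebooks (bitstream.h:659)
==4242==    by 0x84FE677: vorbis_decode_init (vorbis_dec.c:816)
==4242==  Address 0x4335848 is 712 bytes inside a block of size 1,024 free'd
==4242==    at 0x401D96E: realloc (vg_replace_malloc.c:429)
==4242==    by 0x853D760: build_table (bitstream.c:132)
==4242==
==4242== ERROR SUMMARY: 5 errors from 5 contexts (suppressed: 0 from 0)
"""

PREFIX = re.compile(r"^==\d+==\s?(.*)$")
FRAME = re.compile(r"^(at|by) 0x[0-9A-Fa-f]+: (\S+) \(([^)]*)\)$")
ADDR = re.compile(r"^Address 0x[0-9a-f]+ is (\d+) bytes (after|inside|before) "
                  r"a block of size ([\d,]+) (alloc'd|free'd)$")
WILD = re.compile(r"^Address 0x[0-9a-f]+ is not stack'd, malloc'd or \(recently\) free'd$")
ERROR_KINDS = ("Invalid read of size", "Invalid write of size",
               "Conditional jump or move depends on uninitialised value(s)",
               "Use of uninitialised value")


@dataclass
class MemcheckError:
    kind: str
    frames: List[Tuple[str, str]] = field(default_factory=list)       # access stack
    site_frames: List[Tuple[str, str]] = field(default_factory=list)  # alloc/free stack
    block_state: Optional[str] = None   # "alloc'd", "free'd" or "wild"
    where: Optional[str] = None         # "after", "inside", "before"
    offset: Optional[int] = None
    size: Optional[int] = None

    @property
    def top(self) -> Tuple[str, str]:
        return self.frames[0] if self.frames else ("?", "?")

    def defect_class(self) -> str:
        if self.kind.startswith(("Conditional jump", "Use of uninit")):
            return "uninitialised-value"
        if self.block_state == "free'd":
            return "use-after-free"
        if self.block_state == "alloc'd" and self.where == "after":
            return "heap-overread"
        if self.block_state == "alloc'd" and self.where == "before":
            return "heap-underread"
        if self.block_state == "wild":
            return "wild-read"
        return "unknown"


def parse_memcheck(text: str) -> List[MemcheckError]:
    """Turn memcheck's prefixed lines into MemcheckError records."""
    errors: List[MemcheckError] = []
    cur: Optional[MemcheckError] = None
    in_site = False  # frames after an "Address ..." line describe the alloc/free site
    for raw in text.splitlines():
        m = PREFIX.match(raw)
        if not m:
            continue
        line = m.group(1).strip()
        if not line:                      # blank "==PID==" line ends a report
            cur, in_site = None, False
            continue
        if line.startswith(ERROR_KINDS):
            cur, in_site = MemcheckError(kind=line), False
            errors.append(cur)
            continue
        if cur is None:                   # banner, ERROR SUMMARY, leak summary
            continue
        fm = FRAME.match(line)
        if fm:
            (cur.site_frames if in_site else cur.frames).append((fm.group(2), fm.group(3)))
            continue
        am = ADDR.match(line)
        if am:
            cur.offset, cur.where = int(am.group(1)), am.group(2)
            cur.size, cur.block_state = int(am.group(3).replace(",", "")), am.group(4)
            in_site = True
        elif WILD.match(line):
            cur.block_state, in_site = "wild", True
        # "Stack hash:" and other annotations are ignored
    return errors


def summarize(errors: List[MemcheckError]) -> Counter:
    """Collapse reports to (defect class, access site) -> count."""
    counts: Counter = Counter()
    for e in errors:
        func, loc = e.top
        counts[(e.defect_class(), f"{func} ({loc})")] += 1
    return counts


if __name__ == "__main__":
    for (cls, site), n in summarize(parse_memcheck(SAMPLE_LOG)).most_common():
        print(f"{n:4d}  {cls:20s} {site}")
```

Run against a real log with `parse_memcheck(open("log2").read())`; the grouped view makes it easy to see that the ticket's reports come from a handful of sites in vorbis_parse_setup_hdr_codebooks, and which of them read from a block realloc had already released.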

Change History (3)

comment:1 Changed 11 years ago by sckhan@…

  • Summary changed from Error in Audio Decoding to Error in Audio Decoding: Invalid Read and Conditional jump or move depends on uninitialised value(s)

Made the Summary field more specific.

comment:2 Changed 9 years ago by compn

  • Owner changed from r_togni@… to reimar

comment:3 Changed 9 years ago by reimar

  • Resolution set to duplicate
  • Status changed from new to closed

This should be the same bug in principle.
