#1152 closed defect (invalid)
Invalid read at bitstream.h:658
| Reported by: | Owned by: | ||
|---|---|---|---|
| Priority: | normal | Component: | ad |
| Version: | HEAD | Severity: | normal |
| Keywords: | Cc: | jaypd@…, nicholenae@…, catchconv-bugreports@… | |
| Blocked By: | Blocking: | ||
| Reproduced by developer: | no | Analyzed by developer: | no |
Description
Valgrind reports invalid read of size 4 at bitstream.h:658 when the fuzzed file 1659-m_cut.3.mp4 is fed into valgrind and mplayer. The test file can be found in the archive at the URL above.
This is reproducible on Linux Debian Etch, with the latest Subversion head
mplayer (r27249). The machine used is VMWare Player.
Reproduce as follows:
wget http://www.eecs.berkeley.edu/~zhl210/443098-6-4265251481-UninitCondition.tgz
tar xzf 545634-1659-52280140-InvalidRead.tgz
Valgrind mplayer 1659-m_cut.3.mp4
Here is the report by Valgrind:
==22438== Memcheck, a memory error detector.
==22438== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==22438== Using LibVEX rev 1854, a library for dynamic binary translation.
==22438== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==22438== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==22438== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==22438== For more details, rerun with: -v
==22438==
MPlayer dev-SVN-r27249-4.1.2 (C) 2000-2008 MPlayer Team
CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz (Family: 6, Model: 15, Stepping: 6)
CPUflags: MMX: 1 MMX2: 1 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 1
Compiled for x86 CPU with extensions: MMX MMX2 SSE SSE2
Playing 1659-m_cut.3.mp4.
libavformat file format detected.
==22438== Invalid read of size 4
==22438== Stack hash: 3778319955
==22438== at 0x847A4AC: mp_decode_frame (bitstream.h:658)
==22438== by 0x847AEAD: decode_frame (mpegaudiodec.c:2401)
==22438== by 0x82ED45A: avcodec_decode_audio2 (utils.c:928)
==22438== by 0x8263F19: av_find_stream_info (utils.c:1776)
==22438== by 0x81A318E: demux_open_lavf (demux_lavf.c:466)
==22438== by 0x811E32E: demux_open_stream (demuxer.c:864)
==22438== by 0x811E601: demux_open (demuxer.c:991)
==22438== by 0x807799E: main (mplayer.c:3238)
==22438== Address 0x4332b06 is 422 bytes inside a block of size 425 alloc'd
==22438== Stack hash: 1358697221
==22438== at 0x401C882: memalign (vg_replace_malloc.c:460)
==22438== by 0x8548F24: av_malloc (mem.c:61)
==22438== by 0x8260184: av_dup_packet (utils.c:247)
==22438== by 0x82635BC: av_find_stream_info (utils.c:1988)
==22438== by 0x81A318E: demux_open_lavf (demux_lavf.c:466)
==22438== by 0x811E32E: demux_open_stream (demuxer.c:864)
==22438== by 0x811E601: demux_open (demuxer.c:991)
==22438== by 0x807799E: main (mplayer.c:3238)
==22438==
==22438== Invalid read of size 4
==22438== Stack hash: 2651521171
==22438== at 0x847A7EC: mp_decode_frame (bitstream.h:658)
==22438== by 0x847AEAD: decode_frame (mpegaudiodec.c:2401)
==22438== by 0x82ED45A: avcodec_decode_audio2 (utils.c:928)
==22438== by 0x8263F19: av_find_stream_info (utils.c:1776)
==22438== by 0x81A318E: demux_open_lavf (demux_lavf.c:466)
==22438== by 0x811E32E: demux_open_stream (demuxer.c:864)
==22438== by 0x811E601: demux_open (demuxer.c:991)
==22438== by 0x807799E: main (mplayer.c:3238)
==22438== Address 0x4332b0c is 3 bytes after a block of size 425 alloc'd
==22438== Stack hash: 1358697221
==22438== at 0x401C882: memalign (vg_replace_malloc.c:460)
==22438== by 0x8548F24: av_malloc (mem.c:61)
==22438== by 0x8260184: av_dup_packet (utils.c:247)
==22438== by 0x82635BC: av_find_stream_info (utils.c:1988)
==22438== by 0x81A318E: demux_open_lavf (demux_lavf.c:466)
==22438== by 0x811E32E: demux_open_stream (demuxer.c:864)
==22438== by 0x811E601: demux_open (demuxer.c:991)
==22438== by 0x807799E: main (mplayer.c:3238)
[lavf] Audio stream found, -aid 0
==========================================================================
Opening audio decoder: [mp3lib] MPEG layer-2, layer-3
AUDIO: 11025 Hz, 2 ch, s16le, 32.0 kbit/9.07% (ratio: 4000->44100)
Selected audio codec: [mp3] afm: mp3lib (mp3lib MPEG layer-2, layer-3)
==========================================================================
AO: [oss] 11025Hz 2ch s16le (2 bytes per sample)
Video: no video
Starting playback...
A: 0.1 (00.0) of 20.2 (20.2) ??,?%
Exiting... (End of file)
==22438==
==22438== ERROR SUMMARY: 128 errors from 2 contexts (suppressed: 21 from 1)
==22438== malloc/free: in use at exit: 52,428 bytes in 29 blocks.
==22438== malloc/free: 2,826 allocs, 2,797 frees, 2,130,976 bytes allocated.
==22438== For counts of detected errors, rerun with: -v
==22438== searching for pointers to 29 not-freed blocks.
==22438== checked 2,877,800 bytes.
==22438==
==22438== LEAK SUMMARY:
==22438== definitely lost: 0 bytes in 0 blocks.
==22438== possibly lost: 0 bytes in 0 blocks.
==22438== still reachable: 52,428 bytes in 29 blocks.
==22438== suppressed: 0 bytes in 0 blocks.
==22438== Rerun with --leak-check=full to see details of leaked memory.
This bug was found as part of the SUPERB-TRUST 2008 project.
Change History (5)
comment:1 by , 16 years ago
| Cc: | added |
|---|
comment:2 by , 16 years ago
| Resolution: | → invalid |
|---|---|
| Status: | new → closed |
Bug in libavcodec, reproducible with ffplay -> report to FFmpeg.
comment:4 by , 16 years ago
I have redirected the bug to FFmpeg, issue #538: https://roundup.mplayerhq.hu/roundup/ffmpeg/issue538.
Thank you.
comment:5 by , 16 years ago
I realized that I put different links in the URL field and the Description field. The correct URL should be:
http://www.eecs.berkeley.edu/~zhl210/545634-1659-52280140-InvalidRead.tgz
Sorry about that!
* Bug 1190 has been marked as a duplicate of this bug. *