Opened 11 years ago

Closed 11 years ago

Last modified 11 years ago

#1152 closed defect (invalid)

Invalid read at bitstream.h:658

Reported by: zlai88@… Owned by: r_togni@…
Priority: normal Component: ad
Version: HEAD Severity: normal
Keywords: Cc: jaypd@…, nicholenae@…, catchconv-bugreports@…
Blocked By: Blocking:
Reproduced by developer: Analyzed by developer:

Description

Valgrind reports invalid read of size 4 at bitstream.h:658 when the fuzzed file 1659-m_cut.3.mp4 is fed into valgrind and mplayer. The test file can be found in the archive at the URL above.

This is reproducible on Linux Debian Etch, with the latest Subversion head
mplayer (r27249). The machine used is VMWare Player.

Reproduce as follows:
wget http://www.eecs.berkeley.edu/~zhl210/443098-6-4265251481-UninitCondition.tgz
tar xzf 545634-1659-52280140-InvalidRead?.tgz
Valgrind mplayer 1659-m_cut.3.mp4

Here is the report by Valgrind:

==22438== Memcheck, a memory error detector.
==22438== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==22438== Using LibVEX rev 1854, a library for dynamic binary translation.
==22438== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks? LLP.
==22438== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==22438== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==22438== For more details, rerun with: -v
==22438==
MPlayer dev-SVN-r27249-4.1.2 (C) 2000-2008 MPlayer Team
CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz (Family: 6, Model: 15, Stepping: 6)
CPUflags: MMX: 1 MMX2: 1 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 1
Compiled for x86 CPU with extensions: MMX MMX2 SSE SSE2

Playing 1659-m_cut.3.mp4.
libavformat file format detected.
==22438== Invalid read of size 4
==22438== Stack hash: 3778319955
==22438== at 0x847A4AC: mp_decode_frame (bitstream.h:658)
==22438== by 0x847AEAD: decode_frame (mpegaudiodec.c:2401)
==22438== by 0x82ED45A: avcodec_decode_audio2 (utils.c:928)
==22438== by 0x8263F19: av_find_stream_info (utils.c:1776)
==22438== by 0x81A318E: demux_open_lavf (demux_lavf.c:466)
==22438== by 0x811E32E: demux_open_stream (demuxer.c:864)
==22438== by 0x811E601: demux_open (demuxer.c:991)
==22438== by 0x807799E: main (mplayer.c:3238)
==22438== Address 0x4332b06 is 422 bytes inside a block of size 425 alloc'd
==22438== Stack hash: 1358697221
==22438== at 0x401C882: memalign (vg_replace_malloc.c:460)
==22438== by 0x8548F24: av_malloc (mem.c:61)
==22438== by 0x8260184: av_dup_packet (utils.c:247)
==22438== by 0x82635BC: av_find_stream_info (utils.c:1988)
==22438== by 0x81A318E: demux_open_lavf (demux_lavf.c:466)
==22438== by 0x811E32E: demux_open_stream (demuxer.c:864)
==22438== by 0x811E601: demux_open (demuxer.c:991)
==22438== by 0x807799E: main (mplayer.c:3238)
==22438==
==22438== Invalid read of size 4
==22438== Stack hash: 2651521171
==22438== at 0x847A7EC: mp_decode_frame (bitstream.h:658)
==22438== by 0x847AEAD: decode_frame (mpegaudiodec.c:2401)
==22438== by 0x82ED45A: avcodec_decode_audio2 (utils.c:928)
==22438== by 0x8263F19: av_find_stream_info (utils.c:1776)
==22438== by 0x81A318E: demux_open_lavf (demux_lavf.c:466)
==22438== by 0x811E32E: demux_open_stream (demuxer.c:864)
==22438== by 0x811E601: demux_open (demuxer.c:991)
==22438== by 0x807799E: main (mplayer.c:3238)
==22438== Address 0x4332b0c is 3 bytes after a block of size 425 alloc'd
==22438== Stack hash: 1358697221
==22438== at 0x401C882: memalign (vg_replace_malloc.c:460)
==22438== by 0x8548F24: av_malloc (mem.c:61)
==22438== by 0x8260184: av_dup_packet (utils.c:247)
==22438== by 0x82635BC: av_find_stream_info (utils.c:1988)
==22438== by 0x81A318E: demux_open_lavf (demux_lavf.c:466)
==22438== by 0x811E32E: demux_open_stream (demuxer.c:864)
==22438== by 0x811E601: demux_open (demuxer.c:991)
==22438== by 0x807799E: main (mplayer.c:3238)
[lavf] Audio stream found, -aid 0
==========================================================================
Opening audio decoder: [mp3lib] MPEG layer-2, layer-3
AUDIO: 11025 Hz, 2 ch, s16le, 32.0 kbit/9.07% (ratio: 4000->44100)
Selected audio codec: [mp3] afm: mp3lib (mp3lib MPEG layer-2, layer-3)
==========================================================================
AO: [oss] 11025Hz 2ch s16le (2 bytes per sample)
Video: no video
Starting playback...
A: 0.1 (00.0) of 20.2 (20.2) ??,?%

Exiting... (End of file)
==22438==
==22438== ERROR SUMMARY: 128 errors from 2 contexts (suppressed: 21 from 1)
==22438== malloc/free: in use at exit: 52,428 bytes in 29 blocks.
==22438== malloc/free: 2,826 allocs, 2,797 frees, 2,130,976 bytes allocated.
==22438== For counts of detected errors, rerun with: -v
==22438== searching for pointers to 29 not-freed blocks.
==22438== checked 2,877,800 bytes.
==22438==
==22438== LEAK SUMMARY:
==22438== definitely lost: 0 bytes in 0 blocks.
==22438== possibly lost: 0 bytes in 0 blocks.
==22438== still reachable: 52,428 bytes in 29 blocks.
==22438== suppressed: 0 bytes in 0 blocks.
==22438== Rerun with --leak-check=full to see details of leaked memory.

This bug was found as part of the SUPERB-TRUST 2008 project.

Change History (5)

comment:1 Changed 11 years ago by reimar

  • Cc nicholenae@… added

* Bug 1190 has been marked as a duplicate of this bug. *

comment:2 Changed 11 years ago by reimar

  • Resolution set to invalid
  • Status changed from new to closed

Bug in libavcodec, reproducible with ffplay -> report to FFmpeg.

comment:3 Changed 11 years ago by reimar

  • Cc jaypd@… added

* Bug 1192 has been marked as a duplicate of this bug. *

comment:4 Changed 11 years ago by zlai88@…

I have redirected the bug to FFmpeg, issue #538: https://roundup.mplayerhq.hu/roundup/ffmpeg/issue538.

Thank you.

comment:5 Changed 11 years ago by zlai88@…

I realized that I put different links in the URL field and the Description field. The correct URL should be:

http://www.eecs.berkeley.edu/~zhl210/545634-1659-52280140-InvalidRead.tgz

Sorry about that!

Note: See TracTickets for help on using tickets.