Opened 11 years ago

Closed 11 years ago

#1153 closed defect (wontfix)

Invalid write at demux_mov.c:174 followed by crash

Reported by: zlai88@…
Owned by: r_togni@…
Priority: normal
Component: streaming
Version: HEAD
Severity: normal
Keywords:
Cc: quach@…, catchconv-bugreports@…
Blocked By:
Blocking:
Reproduced by developer:
Analyzed by developer:

Description

The fuzzed file 140-the-mummy3-trailer.mp4 (in the archive at the URL above) caused MPlayer to crash by bad usage of CPU/FPU/RAM. Valgrind reports invalid write at mov_build_index (demux_mov.c:174) and at malloc (vg_replace_malloc.c:207).

This is reproducible on Linux Debian Etch, with the latest Subversion head mplayer (r27249). The machine used is VMWare Player.

Reproduce as follows:
wget http://www.eecs.berkeley.edu/~zhl210/7074-140-3716932317-Leak_DefinitelyLost.tgz
tar xzf 7074-140-3716932317-Leak_DefinitelyLost.tgz
valgrind mplayer 140-the-mummy3-trailer.mp4

Here is the report by Valgrind:

==23196== Memcheck, a memory error detector.
==23196== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==23196== Using LibVEX rev 1854, a library for dynamic binary translation.
==23196== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==23196== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==23196== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==23196== For more details, rerun with: -v
==23196==
MPlayer dev-SVN-r27249-4.1.2 (C) 2000-2008 MPlayer Team
CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz (Family: 6, Model: 15, Stepping: 6)
CPUflags: MMX: 1 MMX2: 1 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 1
Compiled for x86 CPU with extensions: MMX MMX2 SSE SSE2

Playing 140-the-mummy3-trailer.mp4.
libavformat file format detected.
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x863daf0]stream 0, missing mandatory atoms, broken header
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x863daf0]Could not find codec parameters (Video: mpeg4, 368x208)
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x863daf0]Could not find codec parameters (Data: 0x0000)
LAVF_header: av_find_stream_info() failed
Quicktime/MOV file format detected.
==23196== Invalid write of size 4
==23196== Stack hash: 17180893
==23196== at 0x8139351: mov_build_index (demux_mov.c:174)
==23196== by 0x813AA86: lschunks (demux_mov.c:1312)
==23196== by 0x813C345: mov_read_header (demux_mov.c:1931)
==23196== by 0x811E32E: demux_open_stream (demuxer.c:864)
==23196== by 0x811E601: demux_open (demuxer.c:991)
==23196== by 0x807799E: main (mplayer.c:3238)
==23196== Address 0x433b058 is 8 bytes after a block of size 50,440 alloc'd
==23196== Stack hash: 2232650400
==23196== at 0x401D898: malloc (vg_replace_malloc.c:207)
==23196== by 0x401D9DC: realloc (vg_replace_malloc.c:429)
==23196== by 0x813E077: lschunks_intrak (demuxer.h:305)
==23196== by 0x813A3F0: lschunks (demux_mov.c:1283)
==23196== by 0x813C8D2: lschunks_intrak (demux_mov.c:1874)
==23196== by 0x813A3F0: lschunks (demux_mov.c:1283)
==23196== by 0x813C8D2: lschunks_intrak (demux_mov.c:1874)
==23196== by 0x813A3F0: lschunks (demux_mov.c:1283)
==23196== by 0x813C8D2: lschunks_intrak (demux_mov.c:1874)
==23196== by 0x813A3F0: lschunks (demux_mov.c:1283)
==23196== by 0x813AA6E: lschunks (demux_mov.c:1311)
==23196== by 0x813C345: mov_read_header (demux_mov.c:1931)
==23196==
==23196== Invalid write of size 4
==23196== Stack hash: 155868807
==23196== at 0x8139353: mov_build_index (demux_mov.c:175)
==23196== by 0x813AA86: lschunks (demux_mov.c:1312)
==23196== by 0x813C345: mov_read_header (demux_mov.c:1931)
==23196== by 0x811E32E: demux_open_stream (demuxer.c:864)
==23196== by 0x811E601: demux_open (demuxer.c:991)
==23196== by 0x807799E: main (mplayer.c:3238)
==23196== Address 0x433b054 is 4 bytes after a block of size 50,440 alloc'd
==23196== Stack hash: 2232650400
==23196== at 0x401D898: malloc (vg_replace_malloc.c:207)
==23196== by 0x401D9DC: realloc (vg_replace_malloc.c:429)
==23196== by 0x813E077: lschunks_intrak (demuxer.h:305)
==23196== by 0x813A3F0: lschunks (demux_mov.c:1283)
==23196== by 0x813C8D2: lschunks_intrak (demux_mov.c:1874)
==23196== by 0x813A3F0: lschunks (demux_mov.c:1283)
==23196== by 0x813C8D2: lschunks_intrak (demux_mov.c:1874)
==23196== by 0x813A3F0: lschunks (demux_mov.c:1283)
==23196== by 0x813C8D2: lschunks_intrak (demux_mov.c:1874)
==23196== by 0x813A3F0: lschunks (demux_mov.c:1283)
==23196== by 0x813AA6E: lschunks (demux_mov.c:1311)
==23196== by 0x813C345: mov_read_header (demux_mov.c:1931)

MPlayer interrupted by signal 11 in module: demux_open

  • MPlayer crashed by bad usage of CPU/FPU/RAM. Recompile MPlayer with --enable-debug and make a 'gdb' backtrace and disassembly. Details in DOCS/HTML/en/bugreports_what.html#bugreports_crash.
  • MPlayer crashed. This shouldn't happen. It can be a bug in the MPlayer code _or_ in your drivers _or_ in your gcc version. If you think it's MPlayer's fault, please read DOCS/HTML/en/bugreports.html and follow the instructions there. We can't and won't help unless you provide this information when reporting a possible bug.

==23196==
==23196== ERROR SUMMARY: 256812 errors from 2 contexts (suppressed: 21 from 1)
==23196== malloc/free: in use at exit: 221,128 bytes in 2,189 blocks.
==23196== malloc/free: 2,334 allocs, 145 frees, 1,506,442 bytes allocated.
==23196== For counts of detected errors, rerun with: -v
==23196== searching for pointers to 2,189 not-freed blocks.
==23196== checked 2,980,684 bytes.
==23196==
==23196== LEAK SUMMARY:
==23196== definitely lost: 31,192 bytes in 4 blocks.
==23196== possibly lost: 0 bytes in 0 blocks.
==23196== still reachable: 189,936 bytes in 2,185 blocks.
==23196== suppressed: 0 bytes in 0 blocks.
==23196== Rerun with --leak-check=full to see details of leaked memory.

Here is the backtrace using gdb:

[Thread debugging using libthread_db enabled]
[New Thread -1209677152 (LWP 23583)]
MPlayer dev-SVN-r27249-4.1.2 (C) 2000-2008 MPlayer Team
CPU: Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz (Family: 6, Model: 15, Stepping: 13)
CPUflags: MMX: 1 MMX2: 1 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 1
Compiled for x86 CPU with extensions: MMX MMX2 SSE SSE2
get_path('codecs.conf') -> '/home/user/.mplayer/codecs.conf'
Reading /home/user/.mplayer/codecs.conf: Can't open '/home/user/.mplayer/codecs.conf': No such file or directory
Reading /usr/local/etc/mplayer/codecs.conf: Can't open '/usr/local/etc/mplayer/codecs.conf': No such file or directory
Using built-in default codecs.conf.
Configuration: --enable-debug=3
CommandLine: '-v' '140-the-mummy3-trailer.mp4'
get_path('font/font.desc') -> '/home/user/.mplayer/font/font.desc'
font: can't open file: /home/user/.mplayer/font/font.desc
font: can't open file: /usr/local/share/mplayer/font/font.desc
Using MMX (with tiny bit MMX2) Optimized OnScreenDisplay
Using nanosleep() timing
get_path('input.conf') -> '/home/user/.mplayer/input.conf'
Can't open input config file /home/user/.mplayer/input.conf: No such file or directory
Can't open input config file /usr/local/etc/mplayer/input.conf: No such file or directory
Falling back on default (hardcoded) input config
get_path('140-the-mummy3-trailer.mp4.conf') -> '/home/user/.mplayer/140-the-mummy3-trailer.mp4.conf'

Playing 140-the-mummy3-trailer.mp4.
get_path('sub/') -> '/home/user/.mplayer/sub/'
[file] File size is 6472527 bytes
STREAM: [file] 140-the-mummy3-trailer.mp4
STREAM: Description: File
STREAM: Author: Albeu
STREAM: Comment: based on the code from ??? (probably Arpi)
LAVF_check: QuickTime/MPEG-4/Motion JPEG 2000 format
libavformat file format detected.
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x863daf0]stream 0, missing mandatory atoms, broken header
stream_seek: WARNING! Can't seek to 0x62C35B !
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x863daf0]Could not find codec parameters (Video: mpeg4, 368x208)
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x863daf0]Could not find codec parameters (Data: 0x0000)
LAVF_header: av_find_stream_info() failed
Checking for YUV4MPEG2
ASF_check: not ASF guid!
Checking for NuppelVideo
Checking for REAL
Checking for SMJPEG
Checking for Nullsoft Streaming Video
Checking for MOV
ISO: File Type Major Brand: ISO Base Media
ISO: File Type Minor Version: 512
ISO: File Type Compatible Brand #0: mp41
MOV: Movie DATA found!
MOV: Movie header found!
Quicktime/MOV file format detected.
MOV: Movie header (100 bytes): tscale=90000 dur=9079200
MOV: Track #0:
MOV: Track header!
tkhd len=84 ver=0 flags=0x0 id=1 dur=9079200 lay=0 vol=0
MOV: Media stream!
MOV: unknown chunk: mdHd 24
MOV: unknown chunk: helr 37
MOV: Media info!
MOV: unknown chunk: vmid 12
MOV: unknown chunk: �inf 28
MOV: Sample info!
MOV: Description list! (cnt:1)
MOV: desc #0: mp4v (136 bytes)
MOV: unknown chunk: �tts 16
MOV: Syncing samples (keyframes) table! (229 entries) (ver:0,flags:0)
MOV: Sample->Chunk mapping table! (1 blocks) (ver:0,flags:0)
MOV: Sample size table! (entries=2522 ss=0) (ver:0,flags:0)
MOV: Chunk offset table! (2522 chunks)
MOV track #0: 2522 chunks, 2522 samples
pts=0 scale=0 time= nan

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1209677152 (LWP 23583)]
mov_build_index (trak=0x89a8498, timescale=90000) at libmpdemux/demux_mov.c:174
174 trak->chunks[j].desc=trak->chunkmap[i].sdid;
(gdb) bt
#0  mov_build_index (trak=0x89a8498, timescale=90000)
    at libmpdemux/demux_mov.c:174
#1  0x0813aa87 in lschunks (demuxer=0x89a67b0, level=0, endpos=6472527,
    trak=0x0) at libmpdemux/demux_mov.c:1312
#2  0x0813c346 in mov_read_header (demuxer=0x89a67b0)
    at libmpdemux/demux_mov.c:1931
#3  0x0811e32f in demux_open_stream (stream=0x89a7138,
    file_format=<value optimized out>, force=0, audio_id=-1, video_id=-1,
    dvdsub_id=-2, filename=0x899d3f0 "140-the-mummy3-trailer.mp4")
    at libmpdemux/demuxer.c:864
#4  0x0811e602 in demux_open (vs=0x89a7138, file_format=0, audio_id=-1,
    video_id=-1, dvdsub_id=-2, filename=0x899d3f0 "140-the-mummy3-trailer.mp4")
    at libmpdemux/demuxer.c:991
#5  0x0807799f in main (argc=3, argv=0xbffff724) at mplayer.c:3238
(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x8139331 to 0x8139371:
0x08139331 <mov_build_index+193>: add $0xbf,%al
0x08139333 <mov_build_index+195>: mov 0x8(%edx),%esi
0x08139336 <mov_build_index+198>: shl $0x2,%eax
0x08139339 <mov_build_index+201>: mov 0x4(%edx),%ebx
0x0813933c <mov_build_index+204>: mov 0x60(%ecx),%edx
0x0813933f <mov_build_index+207>: mov 0xffffffb8(%ebp),%ecx
0x08139342 <mov_build_index+210>: add %edx,%eax
0x08139344 <mov_build_index+212>: xor %edx,%edx
0x08139346 <mov_build_index+214>: add $0x8,%eax
0x08139349 <mov_build_index+217>: sub %edi,%ecx
0x0813934b <mov_build_index+219>: nop
0x0813934c <mov_build_index+220>: lea 0x0(%esi),%esi
0x08139350 <mov_build_index+224>: inc %edx
0x08139351 <mov_build_index+225>: mov %esi,(%eax)
0x08139353 <mov_build_index+227>: mov %ebx,0xfffffffc(%eax)
0x08139356 <mov_build_index+230>: add $0x14,%eax
0x08139359 <mov_build_index+233>: cmp %edx,%ecx
0x0813935b <mov_build_index+235>: jne 0x8139350 <mov_build_index+224>
0x0813935d <mov_build_index+237>: mov 0xffffffec(%ebp),%esi
0x08139360 <mov_build_index+240>: mov 0x8(%ebp),%ebx
0x08139363 <mov_build_index+243>: subl $0xc,0xffffffd4(%ebp)
0x08139367 <mov_build_index+247>: test %esi,%esi
0x08139369 <mov_build_index+249>: mov 0x5c(%ebx),%edx
0x0813936c <mov_build_index+252>: je 0x813937e <mov_build_index+270>
0x0813936e <mov_build_index+254>: cmp %edx,%edi
0x08139370 <mov_build_index+256>: cmovbe %edi,%edx
End of assembler dump.
(gdb) info all-registers
eax 0x89da000 144547840
ecx 0x800009da -2147481126
edx 0x121f 4639
ebx 0x1 1
esp 0xbfffe160 0xbfffe160
ebp 0xbfffe208 0xbfffe208
esi 0x1 1
edi 0x80000000 -2147483648
eip 0x8139351 0x8139351 <mov_build_index+225>
eflags 0x210202 [ IF RF ID ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
st0 0 (raw 0x00000000000000000000)
st1 0 (raw 0x00000000000000000000)
st2 0 (raw 0x00000000000000000000)
st3 0 (raw 0x00000000000000000000)
st4 0 (raw 0x00000000000000000000)
st5 1 (raw 0x3fff8000000000000000)
st6 0 (raw 0x00000000000000000000)

This bug was found as part of the SUPERB-TRUST 2008 project.
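To make the crash concrete: the faulting statement at demux_mov.c:174 copies the sample description id from a sample-to-chunk (stsc) entry into chunks[j], where j starts at that entry's first chunk index; with first = 0x80000000 (edi in the register dump) and 2522 chunks (a 20-byte stride, so the 50,440-byte block), the loop runs 0x800009da iterations and writes past the allocation. The following is an added example, not MPlayer's code; the struct layouts and function names are assumed simplifications. It shows the same index-building loop with the range check that would reject such an entry.

```c
#include <limits.h>

/* Simplified stand-ins for the demuxer's per-track tables. Layouts are assumed
 * for this example; they are not MPlayer's real mov_chunkmap_t / mov_chunk_t. */
typedef struct { int first; int spc; int sdid; } chunkmap_t; /* one stsc entry */
typedef struct { long pos; int size; int desc; } chunk_t;    /* one chunk index entry */

/* Copy desc/size from the sample-to-chunk map into the chunk index, as the loop
 * around demux_mov.c:174 does, but refuse any map entry whose chunk range does
 * not lie inside the chunks[] array (sized from the stco chunk count).
 * Returns 0 on success, -1 if the map is inconsistent with chunks_size. */
static int build_chunk_index(chunk_t *chunks, int chunks_size,
                             const chunkmap_t *map, int map_size)
{
    for (int i = 0; i < map_size; i++) {
        int first = map[i].first;
        int last  = (i < map_size - 1) ? map[i + 1].first : chunks_size;
        /* Negative, out-of-range or non-monotonic ranges are rejected; this is
         * exactly the case the fuzzed file triggers (first = 0x80000000). */
        if (first < 0 || first > chunks_size || last < first || last > chunks_size)
            return -1;
        for (int j = first; j < last; j++) {
            chunks[j].desc = map[i].sdid;
            chunks[j].size = map[i].spc;
        }
    }
    return 0;
}

/* Constructed well-formed input: 5 chunks, chunks 0-1 use desc 1, chunks 2-4
 * use desc 2. Returns chunks[4].desc (expected 2), or -1 on rejection. */
int demo_valid_map(void)
{
    chunk_t chunks[5] = {0};
    chunkmap_t map[2] = { {0, 10, 1}, {2, 12, 2} };
    if (build_chunk_index(chunks, 5, map, 2) != 0)
        return -1;
    return chunks[4].desc;
}

/* Constructed input shaped like the fuzzed stsc: first chunk index INT_MIN,
 * i.e. 0x80000000 as seen in edi at the crash. Expected result: -1 (rejected). */
int demo_fuzzed_map(void)
{
    chunk_t chunks[5] = {0};
    chunkmap_t map[1] = { {INT_MIN, 1, 1} };
    return build_chunk_index(chunks, 5, map, 1);
}
```

With the check in place the malformed entry is reported as a broken header instead of being written through the end of the chunk table.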

Change History (2)

comment:1 Changed 11 years ago by reimar

  • Cc quach@… added

* Bug 1166 has been marked as a duplicate of this bug. *

comment:2 Changed 11 years ago by compn

  • Resolution set to wontfix
  • Status changed from new to closed

demux_mov is being deprecated, and is no longer the default MOV demuxer. Please try with SVN and make a new report if so.
