Opened 11 years ago

Closed 11 years ago

#1154 closed defect (duplicate)

MPlayer [Crash] and Valgrind reports Invalid Write in reset_pred_state (ic_predict.c:186)

Reported by: nstockma@… Owned by: r_togni@…
Priority: normal Component: ad
Version: HEAD Severity: normal
Keywords: Cc: catchconv-bugreports@…
Blocked By: Blocking:
Reproduced by developer: Analyzed by developer:

Description

Here's a .wav file where Valgrind reports an Invalid Write and MPlayer crashes.

The wav file (176-dontgo.wav) can be found inside the .tgz archive at the URL
above. The bug is easily reproducible.

I confirmed that this bug is reproducible on Linux OS, Debian x32 with the
following subversion of MPlayer: dev-SVN-r27249-4.1.2

I used a 32-bit Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz.

To reproduce:
wget http://www.metafuzz.com/testcases/734301-112-3311001071-InvalidWrite.tgz
tar xzfv 734301-112-3311001071-InvalidWrite.tgz
valgrind mplayer 176-dontgo.wav

Here is the output from Valgrind and MPlayer on my machine:

user@debian:~/Desktop$ valgrind mplayer 176-dontgo.wav
==32343== Memcheck, a memory error detector.
==32343== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==32343== Using LibVEX rev 1854, a library for dynamic binary translation.
==32343== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==32343== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==32343== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==32343== For more details, rerun with: -v
==32343==
MPlayer dev-SVN-r27249-4.1.2 (C) 2000-2008 MPlayer Team
CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz (Family: 6, Model: 15, Stepping: 6)
CPUflags: MMX: 1 MMX2: 1 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 1
Compiled for x86 CPU with extensions: MMX MMX2 SSE SSE2

Playing 176-dontgo.wav.
[demux_audio] Bad wav header length: too short (-3312)!!!
Audio file file format detected.
==========================================================================
Opening audio decoder: [faad] AAC (MPEG2/4 Advanced Audio Coding)
FAAD: 8Bit samplesize not supported by FAAD, assuming 16Bit!
AUDIO: 44100 Hz, 2 ch, s16le, 88.2 kbit/6.25% (ratio: 11025->176400)
Selected audio codec: [faad] afm: faad (FAAD AAC (MPEG-2/MPEG-4 Audio) decoder)
==========================================================================
AO: [oss] 44100Hz 2ch s16le (2 bytes per sample)
Video: no video
Starting playback...
FAAD: error: Maximum number of scalefactor bands exceeded, trying to resync!
FAAD: error: Gain control not yet implemented, trying to resync!
FAAD: error: Maximum number of scalefactor bands exceeded, trying to resync!
FAAD: error: Maximum number of scalefactor bands exceeded, trying to resync!
FAAD: error: Gain control not yet implemented, trying to resync!
FAAD: error: Maximum number of scalefactor bands exceeded, trying to resync!
FAAD: error: Maximum number of scalefactor bands exceeded, trying to resync!
FAAD: error: Pulse coding not allowed in short blocks, trying to resync!
FAAD: error: Maximum number of scalefactor bands exceeded, trying to resync!
FAAD: error: Pulse coding not allowed in short blocks, trying to resync!
FAAD: Failed to decode frame: Pulse coding not allowed in short blocks
FAAD: error: Maximum number of scalefactor bands exceeded, trying to resync!
FAAD: error: Gain control not yet implemented, trying to resync!
FAAD: error: Unexpected fill element with SBR data, trying to resync!
FAAD: error: Gain control not yet implemented, trying to resync!
FAAD: error: Pulse coding not allowed in short blocks, trying to resync!
FAAD: error: Gain control not yet implemented, trying to resync!
FAAD: error: Channel coupling not yet implemented, trying to resync!
FAAD: error: Channel coupling not yet implemented, trying to resync!
FAAD: error: Pulse coding not allowed in short blocks, trying to resync!
FAAD: error: Quantised value out of range, trying to resync!
FAAD: Failed to decode frame: Quantised value out of range
FAAD: error: Maximum number of scalefactor bands exceeded, trying to resync!
FAAD: error: Maximum number of scalefactor bands exceeded, trying to resync!
FAAD: error: Maximum number of scalefactor bands exceeded, trying to resync!
FAAD: error: Maximum number of scalefactor bands exceeded, trying to resync!
FAAD: error: Gain control not yet implemented, trying to resync!
FAAD: error: Maximum number of scalefactor bands exceeded, trying to resync!
================================================================================================================
==32343== Invalid write of size 2
==32343== Stack hash: 3750482535
==32343== at 0x81AFB94: reset_pred_state (ic_predict.c:186)
==32343== by 0x81B0062: ic_prediction (ic_predict.c:239)
==32343== by 0x81C4598: reconstruct_single_channel (specrec.c:879)
==32343== by 0x81CA495: decode_sce_lfe (syntax.c:597)
==32343== by 0x81CAD64: raw_data_block (syntax.c:446)
==32343== by 0x81AB729: aac_frame_decode (decoder.c:872)
==32343== by 0x818B422: decode_audio (ad_faad.c:235)
==32343== by 0x80DAA74: decode_audio (dec_audio.c:383)
==32343== by 0x80784E9: main (mplayer.c:2044)
==32343== Address 0x0 is not stack'd, malloc'd or (recently) free'd

MPlayer interrupted by signal 11 in module: decode_audio

  • MPlayer crashed by bad usage of CPU/FPU/RAM. Recompile MPlayer with --enable-debug and make a 'gdb' backtrace and disassembly. Details in DOCS/HTML/en/bugreports_what.html#bugreports_crash.
  • MPlayer crashed. This shouldn't happen. It can be a bug in the MPlayer code _or_ in your drivers _or_ in your gcc version. If you think it's MPlayer's fault, please read DOCS/HTML/en/bugreports.html and follow the instructions there. We can't and won't help unless you provide this information when reporting a possible bug.

==32343==
==32343== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 19 from 1)
==32343== malloc/free: in use at exit: 271,591 bytes in 2,211 blocks.
==32343== malloc/free: 2,372 allocs, 161 frees, 1,562,107 bytes allocated.
==32343== For counts of detected errors, rerun with: -v
==32343== searching for pointers to 2,211 not-freed blocks.
==32343== checked 3,127,720 bytes.
==32343==
==32343== LEAK SUMMARY:
==32343== definitely lost: 0 bytes in 0 blocks.
==32343== possibly lost: 0 bytes in 0 blocks.
==32343== still reachable: 271,591 bytes in 2,211 blocks.
==32343== suppressed: 0 bytes in 0 blocks.
==32343== Rerun with --leak-check=full to see details of leaked memory.

The following is a backtrace using gdb:

(gdb) bt
#0 reset_pred_state (state=0x0) at libfaad2/ic_predict.c:186
#1 0x081b0063 in ic_prediction (ics=0xbffc4de8, spec=0xbffc3da0, state=0x0,
    frame_len=1024, sf_index=4 '\004') at libfaad2/ic_predict.c:239
#2 0x081c4599 in reconstruct_single_channel (hDecoder=0x89c4f18,
    ics=0xbffc4de8, sce=0xbffc4de2, spec_data=0xbffc9f8c)
    at libfaad2/specrec.c:879
#3 0x081ca496 in decode_sce_lfe (hDecoder=0x89c4f18, hInfo=0x8714620,
    ld=0xbffca810, id_syn_ele=3 '\003') at libfaad2/syntax.c:597
#4 0x081cad65 in raw_data_block (hDecoder=0x89c4f18, hInfo=0x8714620,
    ld=0xbffca810, pce=0x89c5589, drc=0x89c5868) at libfaad2/syntax.c:446
#5 0x081ab72a in aac_frame_decode (hDecoder=0x89c4f18, hInfo=0x8714620,
    buffer=<value optimized out>, buffer_size=4608, sample_buffer2=0x0,
    sample_buffer_size=0) at libfaad2/decoder.c:872
#6 0x0818b423 in decode_audio (sh=0x89a7bf0, buf=0x89a8f00 "", minlen=65536,
    maxlen=114688) at libmpcodecs/ad_faad.c:235
#7 0x080daa75 in decode_audio (sh_audio=0x89a7bf0, minlen=65536)
    at libmpcodecs/dec_audio.c:383
#8 0x080784ea in main (argc=4, argv=0xbffcbbc4) at mplayer.c:2044
(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x81afb74 to 0x81afbb4:
0x081afb74 <quant_pred+4>: inc %ebp
0x081afb75 <quant_pred+5>: or %bl,0xffffffc1(%ebp)
0x081afb78 <quant_pred+8>: clc
0x081afb79 <quant_pred+9>: adc %al,%bl
0x081afb7b <quant_pred+11>: nop
0x081afb7c <quant_pred+12>: lea 0x0(%esi),%esi
0x081afb80 <inv_quant_pred+0>: push %ebp
0x081afb81 <inv_quant_pred+1>: mov %esp,%ebp
0x081afb83 <inv_quant_pred+3>: sub $0x10,%esp
0x081afb86 <inv_quant_pred+6>: flds 0xfffffffc(%ebp)
0x081afb89 <inv_quant_pred+9>: leave
0x081afb8a <inv_quant_pred+10>: ret
0x081afb8b <inv_quant_pred+11>: nop
0x081afb8c <inv_quant_pred+12>: lea 0x0(%esi),%esi
0x081afb90 <reset_pred_state+0>: push %ebp
0x081afb91 <reset_pred_state+1>: mov %esp,%ebp
0x081afb93 <reset_pred_state+3>: pop %ebp
0x081afb94 <reset_pred_state+4>: movw $0x0,(%eax)
0x081afb99 <reset_pred_state+9>: movw $0x0,0x2(%eax)
0x081afb9f <reset_pred_state+15>: movw $0x0,0x4(%eax)
0x081afba5 <reset_pred_state+21>: movw $0x0,0x6(%eax)
0x081afbab <reset_pred_state+27>: movw $0x3f80,0x8(%eax)
0x081afbb1 <reset_pred_state+33>: movw $0x3f80,0xa(%eax)
End of assembler dump.
(gdb) info all-registers
eax 0x0 0
ecx 0xbffc4de2 -1073984030
edx 0x0 0
ebx 0x0 0
esp 0xbffc3c98 0xbffc3c98
ebp 0xbffc3ca8 0xbffc3ca8
esi 0x400 1024
edi 0x0 0
eip 0x81afb94 0x81afb94 <reset_pred_state+4>
eflags 0x210246 [ PF ZF IF RF ID ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
st0 0 (raw 0x00000000000000000000)
st1 3.8206760937294577033857253330235981e-05 (raw 0x3ff0a040327a40ef1548)
st2 -3.242161620863569237993573324274621e-05 (raw 0xbff087fc7200cfd80000)
st3 -3.5093056605778235592860148095439854e-05 (raw 0xbff09330e1f2b44c6000)
st4 0.00189805845730006694793701171875 (raw 0x3ff5f8c8460000000000)
st5 0 (raw 0x00000000000000000000)
st6 2.98023223876953125e-08 (raw 0x3fe68000000000000000)
st7 0 (raw 0x00000000000000000000)
fctrl 0x37f 895
fstat 0x20 32
ftag 0xffff 65535
fiseg 0x73 115
fioff 0x81c3403 136066051
foseg 0x7b 123
fooff 0x0 0
fop 0x5d8 1496
xmm0 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
    v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
    0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
    uint128 = 0x00000000000000000000000000000000}
xmm1 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
    v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
    0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
    uint128 = 0x00000000000000000000000000000000}
xmm2 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
    v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
    0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
    uint128 = 0x00000000000000000000000000000000}
xmm3 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
    v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
    0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
    uint128 = 0x00000000000000000000000000000000}
xmm4 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
    v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
    0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
    uint128 = 0x00000000000000000000000000000000}
xmm5 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
    v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
    0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
    uint128 = 0x00000000000000000000000000000000}
xmm6 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
    v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
    0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
    uint128 = 0x00000000000000000000000000000000}
xmm7 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
    v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
    0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
    uint128 = 0x00000000000000000000000000000000}
mxcsr 0x1f80 [ IM DM ZM OM UM PM ]
mxcsr 0x1f80 [ IM DM ZM OM UM PM ]
mm0 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0,
    0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm1 {uint64 = 0xa040327a40ef1548, v2_int32 = {0x40ef1548,
    0xa040327a}, v4_int16 = {0x1548, 0x40ef, 0x327a, 0xa040}, v8_int8 = {0x48,
    0x15, 0xef, 0x40, 0x7a, 0x32, 0x40, 0xa0}}
mm2 {uint64 = 0x87fc7200cfd80000, v2_int32 = {0xcfd80000,
    0x87fc7200}, v4_int16 = {0x0, 0xcfd8, 0x7200, 0x87fc}, v8_int8 = {0x0,
    0x0, 0xd8, 0xcf, 0x0, 0x72, 0xfc, 0x87}}
mm3 {uint64 = 0x9330e1f2b44c6000, v2_int32 = {0xb44c6000,
    0x9330e1f2}, v4_int16 = {0x6000, 0xb44c, 0xe1f2, 0x9330}, v8_int8 = {0x0,
    0x60, 0x4c, 0xb4, 0xf2, 0xe1, 0x30, 0x93}}
mm4 {uint64 = 0xf8c8460000000000, v2_int32 = {0x0, 0xf8c84600},
    v4_int16 = {0x0, 0x0, 0x4600, 0xf8c8}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0,
    0x46, 0xc8, 0xf8}}
mm5 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0,
    0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm6 {uint64 = 0x8000000000000000, v2_int32 = {0x0, 0x80000000},
    v4_int16 = {0x0, 0x0, 0x0, 0x8000}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
    0x0, 0x80}}
mm7 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0,
    0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}

This bug was found using the Catchconv fuzzer. It was found as part of the
SUPERB-TRUST 2008 project ( see http://www.truststc.org/superb/ ) and the
metafuzz project ( see http://metafuzz.com/, stack hash 3311001071).

From what I can tell by comparing the stack and backtrace, it is not a duplicate
bug, but if it is, then I would certainly appreciate any other tips you may have
on how to search for and compare it against other bugs, in order not to keep
reporting duplicates.
Thank you!

Please let me know if I can provide more information.
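As an added example (not part of the ticket, MPlayer or FAAD2), here is a small triage script of the kind the reporter's question calls for: it parses a Memcheck error block like the one above, flags the write as going through a null pointer (the gdb frame shows state=0x0), and computes a stack hash over the innermost frames so that near-identical fuzzer crashes can be compared before filing. The regular expressions, the hash depth of 3 and the near-null threshold are assumptions; the sample report is a copied subset of the Valgrind output in this ticket.

```python
import hashlib
import re

# Memcheck error block copied from the ticket above (a constructed subset of
# the full report; the parser ignores the amount of leading whitespace).
VALGRIND_REPORT = """\
==32343== Invalid write of size 2
==32343== at 0x81AFB94: reset_pred_state (ic_predict.c:186)
==32343== by 0x81B0062: ic_prediction (ic_predict.c:239)
==32343== by 0x81C4598: reconstruct_single_channel (specrec.c:879)
==32343== by 0x81CA495: decode_sce_lfe (syntax.c:597)
==32343== Address 0x0 is not stack'd, malloc'd or (recently) free'd
"""

ERROR_RE = re.compile(r"^==\d+==\s+Invalid (read|write) of size (\d+)")
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by)\s+0x[0-9A-Fa-f]+:\s+(\S+)\s+\(([^)]*)\)")
ADDR_RE = re.compile(r"^==\d+==\s+Address 0x([0-9A-Fa-f]+)")


def parse_report(text):
    """Return (kind, size, frames, address) for the first Memcheck error;
    frames is a list of (function, file:line) tuples, innermost first."""
    kind, size, address, frames = None, None, None, []
    for line in text.splitlines():
        if m := ERROR_RE.match(line):
            kind, size = m.group(1), int(m.group(2))
        elif m := FRAME_RE.match(line):
            frames.append((m.group(1), m.group(2)))
        elif m := ADDR_RE.match(line):
            address = int(m.group(1), 16)
    return kind, size, frames, address


def stack_hash(frames, depth=3):
    """Hash the function names of the innermost `depth` frames (depth is an
    assumed choice). Addresses and line numbers are left out on purpose, so
    the same crash from a different build lands in the same bucket."""
    key = "|".join(function for function, _ in frames[:depth])
    return hashlib.sha1(key.encode()).hexdigest()[:10]


def classify(kind, address):
    """Label the fault: a write to (or just above) address 0 is a dereference
    of a pointer nobody checked, which is what the gdb frame state=0x0 shows."""
    if address is None:
        return f"invalid {kind}, address unknown"
    if address < 4096:
        return f"invalid {kind} through null pointer"
    return f"invalid {kind} at 0x{address:x}"
```

Two reports that share the same innermost functions but differ in code addresses or line numbers hash identically, which is the comparison the reporter asks about.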

Change History (1)

comment:1 Changed 11 years ago by reimar

  • Resolution set to duplicate
  • Status changed from new to closed

* This bug has been marked as a duplicate of bug 1141 *
