[Crash] Valgrind reports InvalidRead in init() (ad_pcm.c:24)

[thiennga408@…]

In the tgz archive which can be downloaded from the URL
​http://www.metafuzz.com/testcases/139106-65-2611758756-UninitCondition.tgz, there is an avi file (65-dog.avi) where Valgrind reports an invalid read of 4 byte at an invalid memory location. This bug causes MPlayer to crash.

I confirmed that this bug is reproducible in the latest subversion of MPlayer,
r27249-4.1.2.

My System Information:
OS: Linux Debian x32
kernel: Linux debian 2.6.18-6-486 #1 Fri Jun 6 21:47:01 UTC 2008 i686 GNU/Linux
libc version: libc-2.3.6.so
gcc version 4.1.2 20061115
ld version 2.17

My Hardware Information:
32-bit Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz
Multimedia audio controller: Ensoniq ES1371 [AudioPCI-97] (rev 02)

To reproduce:
wget ​http://www.metafuzz.com/testcases/139106-65-2611758756-UninitCondition.tgz
tar xzvf 139106-65-2611758756-UninitCondition.tgz
valgrind mplayer 65-dog.avi

The following is the output from Valgrind:

==16691== Memcheck, a memory error detector.
==16691== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==16691== Using LibVEX rev 1854, a library for dynamic binary translation.
==16691== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==16691== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==16691== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==16691== For more details, rerun with: -v
==16691==
MPlayer dev-SVN-r27249-4.1.2 (C) 2000-2008 MPlayer Team
CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz (Family: 6, Model: 15, Stepping: 6)
CPUflags: MMX: 1 MMX2: 1 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 1
Compiled for x86 CPU with extensions: MMX MMX2 SSE SSE2

Playing 139106-65-2611758756-UninitCondition.tgz_FILES/65-dog.avi.
AVI file format detected.
[aviheader] Video stream found, -vid 0
[aviheader] Audio stream found, -aid 1
AVI: No audio stream found -> no sound.
VIDEO: [IV32] 160x8388728 24bpp 32752.012 fps -17179870.0 kbps (-2097152.0 kbyte/s)
Can't open /dev/fb0: No such file or directory
[fbdev2] Can't open /dev/fb0: No such file or directory
vo_cvidix: No vidix driver name provided, probing available ones (-v option for details)!
[cyberblade] Error occurred during pci scan: Operation not permitted
[mach64] Error occurred during pci scan: Operation not permitted
[mga] Error occurred during pci scan: Operation not permitted
[mga] Error occurred during pci scan: Operation not permitted
[nvidia_vid] Error occurred during pci scan: Operation not permitted
[pm3] Error occurred during pci scan: Operation not permitted
[radeon] Error occurred during pci scan: Operation not permitted
[rage128] Error occurred during pci scan: Operation not permitted
[s3_vid] Error occurred during pci scan: Operation not permitted
[SiS] Error occurred during pci scan: Operation not permitted
[unichrome] Error occurred during pci scan: Operation not permitted
[VO_SUB_VIDIX] Couldn't find working VIDIX driver.
==========================================================================
Opening video decoder: [ffmpeg] FFmpeg's libavcodec codec family
[NULL @ 0x8653cf0]picture size invalid (160x8388728)
Could not open codec.
VDecoder init failed :(
Opening video decoder: [vfwex] Win32/VfWex video codecs
Loading codec DLL: 'ir32_32.dll'
Win32 LoadLibrary failed to load: ir32_32.dll, /usr/local/lib/codecs/ir32_32.dll, /usr/lib/win32/ir32_32.dll, /usr/local/lib/win32/ir32_32.dll
Can't open library ir32_32.dll
ICOpen failed! unknown codec / wrong parameters?
VDecoder init failed :(
Opening video decoder: [xanim] XAnim codecs
VDec: vo config request - 160 x 8388728 (preferred colorspace: Planar YV12)
VDec: using Planar YVU9 as output csp (no 0)
Movie-Aspect is undefined - no prescaling applied.
VO: [null] 160x8388728 => 160x8388728 Planar YVU9
==16691== Conditional jump or move depends on uninitialised value(s)
==16691== Stack hash: 2233111609
==16691== at 0x4010C4E: (within /lib/ld-2.3.6.so)
==16691== by 0x4006704: (within /lib/ld-2.3.6.so)
==16691== by 0x417C46F: (within /lib/tls/i686/cmov/libc-2.3.6.so)
==16691== by 0x400B44E: (within /lib/ld-2.3.6.so)
==16691== by 0x417BEDE: _dl_open (in /lib/tls/i686/cmov/libc-2.3.6.so)
==16691== by 0x4052D8D: (within /lib/tls/i686/cmov/libdl-2.3.6.so)
==16691== by 0x400B44E: (within /lib/ld-2.3.6.so)
==16691== by 0x405342C: (within /lib/tls/i686/cmov/libdl-2.3.6.so)
==16691== by 0x4052D20: dlopen (in /lib/tls/i686/cmov/libdl-2.3.6.so)
==16691== by 0x8238B35: init (vd_xanim.c:206)
==16691== by 0x80DBF14: init_video (dec_video.c:264)
==16691== by 0x80DC148: init_best_video_codec (dec_video.c:315)
==16691==
==16691== Conditional jump or move depends on uninitialised value(s)
==16691== Stack hash: 1993291468
==16691== at 0x4010C5D: (within /lib/ld-2.3.6.so)
==16691== by 0x4006704: (within /lib/ld-2.3.6.so)
==16691== by 0x417C46F: (within /lib/tls/i686/cmov/libc-2.3.6.so)
==16691== by 0x400B44E: (within /lib/ld-2.3.6.so)
==16691== by 0x417BEDE: _dl_open (in /lib/tls/i686/cmov/libc-2.3.6.so)
==16691== by 0x4052D8D: (within /lib/tls/i686/cmov/libdl-2.3.6.so)
==16691== by 0x400B44E: (within /lib/ld-2.3.6.so)
==16691== by 0x405342C: (within /lib/tls/i686/cmov/libdl-2.3.6.so)
==16691== by 0x4052D20: dlopen (in /lib/tls/i686/cmov/libdl-2.3.6.so)
==16691== by 0x8238B35: init (vd_xanim.c:206)
==16691== by 0x80DBF14: init_video (dec_video.c:264)
==16691== by 0x80DC148: init_best_video_codec (dec_video.c:315)
==16691==
==16691== Conditional jump or move depends on uninitialised value(s)
==16691== Stack hash: 1753471327
==16691== at 0x4010C6C: (within /lib/ld-2.3.6.so)
==16691== by 0x4006704: (within /lib/ld-2.3.6.so)
==16691== by 0x417C46F: (within /lib/tls/i686/cmov/libc-2.3.6.so)
==16691== by 0x400B44E: (within /lib/ld-2.3.6.so)
==16691== by 0x417BEDE: _dl_open (in /lib/tls/i686/cmov/libc-2.3.6.so)
==16691== by 0x4052D8D: (within /lib/tls/i686/cmov/libdl-2.3.6.so)
==16691== by 0x400B44E: (within /lib/ld-2.3.6.so)
==16691== by 0x405342C: (within /lib/tls/i686/cmov/libdl-2.3.6.so)
==16691== by 0x4052D20: dlopen (in /lib/tls/i686/cmov/libdl-2.3.6.so)
==16691== by 0x8238B35: init (vd_xanim.c:206)
==16691== by 0x80DBF14: init_video (dec_video.c:264)
==16691== by 0x80DC148: init_best_video_codec (dec_video.c:315)
==16691==
==16691== Conditional jump or move depends on uninitialised value(s)
==16691== Stack hash: 1023844623
==16691== at 0x4010DDC: (within /lib/ld-2.3.6.so)
==16691== by 0x4006704: (within /lib/ld-2.3.6.so)
==16691== by 0x417C46F: (within /lib/tls/i686/cmov/libc-2.3.6.so)
==16691== by 0x400B44E: (within /lib/ld-2.3.6.so)
==16691== by 0x417BEDE: _dl_open (in /lib/tls/i686/cmov/libc-2.3.6.so)
==16691== by 0x4052D8D: (within /lib/tls/i686/cmov/libdl-2.3.6.so)
==16691== by 0x400B44E: (within /lib/ld-2.3.6.so)
==16691== by 0x405342C: (within /lib/tls/i686/cmov/libdl-2.3.6.so)
==16691== by 0x4052D20: dlopen (in /lib/tls/i686/cmov/libdl-2.3.6.so)
==16691== by 0x8238B35: init (vd_xanim.c:206)
==16691== by 0x80DBF14: init_video (dec_video.c:264)
==16691== by 0x80DC148: init_best_video_codec (dec_video.c:315)
==16691==
==16691== Conditional jump or move depends on uninitialised value(s)
==16691== Stack hash: 1888142370
==16691== at 0x4010DDC: (within /lib/ld-2.3.6.so)
==16691== by 0x4006DAF: (within /lib/ld-2.3.6.so)
==16691== by 0x417C46F: (within /lib/tls/i686/cmov/libc-2.3.6.so)
==16691== by 0x400B44E: (within /lib/ld-2.3.6.so)
==16691== by 0x417BEDE: _dl_open (in /lib/tls/i686/cmov/libc-2.3.6.so)
==16691== by 0x4052D8D: (within /lib/tls/i686/cmov/libdl-2.3.6.so)
==16691== by 0x400B44E: (within /lib/ld-2.3.6.so)
==16691== by 0x405342C: (within /lib/tls/i686/cmov/libdl-2.3.6.so)
==16691== by 0x4052D20: dlopen (in /lib/tls/i686/cmov/libdl-2.3.6.so)
==16691== by 0x8238B35: init (vd_xanim.c:206)
==16691== by 0x80DBF14: init_video (dec_video.c:264)
==16691== by 0x80DC148: init_best_video_codec (dec_video.c:315)
xacodec: failed to dlopen /usr/local/lib/codecs/vid_iv32.xa while /usr/local/lib/codecs/vid_iv32.xa: cannot open shared object file: No such file or directory
VDecoder init failed :(
Cannot find codec matching selected -vo and video format 0x32335649.
Read DOCS/HTML/en/codecs.html!
==========================================================================
==========================================================================
Opening audio decoder: [pcm] Uncompressed PCM audio decoder
==16691==
==16691== Invalid read of size 4
==16691== Stack hash: 1564492807
==16691== at 0x80DA3FC: init (ad_pcm.c:24)
==16691== by 0x80DB112: init_audio (dec_audio.c:95)
==16691== by 0x80DB508: init_best_audio_codec (dec_audio.c:270)
==16691== by 0x8076778: reinit_audio_chain (mplayer.c:1585)
==16691== by 0x8078121: main (mplayer.c:3583)
==16691== Address 0x8 is not stack'd, malloc'd or (recently) free'd

MPlayer interrupted by signal 11 in module: init_audio_codec

• MPlayer crashed by bad usage of CPU/FPU/RAM. Recompile MPlayer with --enable-debug and make a 'gdb' backtrace and disassembly. Details in DOCS/HTML/en/bugreports_what.html#bugreports_crash.
• MPlayer crashed. This shouldn't happen. It can be a bug in the MPlayer code _or_ in your drivers _or_ in your gcc version. If you think it's MPlayer's fault, please read DOCS/HTML/en/bugreports.html and follow the instructions there. We can't and won't help unless you provide this information when reporting a possible bug.

==16691==
==16691== ERROR SUMMARY: 6 errors from 6 contexts (suppressed: 19 from 1)
==16691== malloc/free: in use at exit: 178,559 bytes in 2,199 blocks.
==16691== malloc/free: 2,304 allocs, 105 frees, 1,318,029 bytes allocated.
==16691== For counts of detected errors, rerun with: -v
==16691== searching for pointers to 2,199 not-freed blocks.
==16691== checked 3,013,684 bytes.
==16691==
==16691== LEAK SUMMARY:
==16691== definitely lost: 20 bytes in 2 blocks.
==16691== possibly lost: 0 bytes in 0 blocks.
==16691== still reachable: 178,539 bytes in 2,197 blocks.
==16691== suppressed: 0 bytes in 0 blocks.
==16691== Rerun with --leak-check=full to see details of leaked memory.

The following is the backtrace using gdb:

(gdb) bt
#0 init (sh_audio=0x89a7df0) at libmpcodecs/ad_pcm.c:24
#1 0x080db113 in init_audio (sh_audio=0x89a7df0, codecname=0x0, afm=0x0,

status=1, selected=0xbfffe3e8) at libmpcodecs/dec_audio.c:95

#2 0x080db509 in init_best_audio_codec (sh_audio=0x89a7df0,

audio_codec_list=0xbfffe3e0, audio_fm_list=0x0)
at libmpcodecs/dec_audio.c:270

#3 0x08076779 in reinit_audio_chain () at mplayer.c:1585
#4 0x08078122 in main (argc=3, argv=0xbffff6a4) at mplayer.c:3583
(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x80da3dc to 0x80da41c:
0x080da3dc <init+124>: inc %ecx
0x080da3dd <init+125>: pop %esp
0x080da3de <init+126>: inc %eax
0x080da3df <init+127>: add %eax,(%eax)
0x080da3e1 <init+129>: add %ch,%bl
0x080da3e3 <init+131>: int $0x90
0x080da3e5 <init+133>: nop
0x080da3e6 <init+134>: nop
0x080da3e7 <init+135>: nop
0x080da3e8 <init+136>: nop
0x080da3e9 <init+137>: nop
0x080da3ea <init+138>: nop
0x080da3eb <init+139>: nop
0x080da3ec <init+140>: nop
0x080da3ed <init+141>: nop
0x080da3ee <init+142>: nop
0x080da3ef <init+143>: nop
0x080da3f0 <init+0>: push %ebp
0x080da3f1 <init+1>: mov %esp,%ebp
0x080da3f3 <init+3>: mov 0x8(%ebp),%ecx
0x080da3f6 <init+6>: mov 0x9c(%ecx),%edx
0x080da3fc <init+12>: mov 0x8(%edx),%eax
---Type <return> to continue, or q <return> to quit---
0x080da3ff <init+15>: mov %eax,0x2c(%ecx)
0x080da402 <init+18>: movzwl 0x2(%edx),%eax
0x080da406 <init+22>: mov %eax,0x24(%ecx)
0x080da409 <init+25>: mov 0x4(%edx),%eax
0x080da40c <init+28>: movl $0x9,0x18(%ecx)
0x080da413 <init+35>: mov %eax,0x1c(%ecx)
0x080da416 <init+38>: movzwl 0xe(%edx),%eax
0x080da41a <init+42>: add $0x7,%eax
End of assembler dump.
(gdb) info all-registers
eax 0x86ed778 141481848
ecx 0x89a7df0 144342512
edx 0x0 0
ebx 0x5 5
esp 0xbfffe348 0xbfffe348
ebp 0xbfffe348 0xbfffe348
esi 0x86ed790 141481872
edi 0x86ed778 141481848
eip 0x80da3fc 0x80da3fc <init+12>
eflags 0x10246 [ PF ZF IF RF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x8f 143
gs 0x33 51
st0 0 (raw 0x00000000000000000000)
st1 0 (raw 0x00000000000000000000)
st2 0 (raw 0x00000000000000000000)
st3 0 (raw 0x00000000000000000000)
st4 0 (raw 0x00000000000000000000)
st5 0 (raw 0x00000000000000000000)
st6 0 (raw 0x00000000000000000000)
---Type <return> to continue, or q <return> to quit---
st7 0 (raw 0x00000000000000000000)
fctrl 0x37f 895
fstat 0x20 32
ftag 0xffff 65535
fiseg 0x73 115
fioff 0x80e50b6 135155894
foseg 0x7b 123
fooff 0x0 0
fop 0x5d8 1496
xmm0 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},

v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,

0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},

uint128 = 0x00000000000000000000000000000000}

xmm1 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},

v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,

0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},

uint128 = 0x00000000000000000000000000000000}

xmm2 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},

v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,

0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},

uint128 = 0x00000000000000000000000000000000}

xmm3 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},

v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,

---Type <return> to continue, or q <return> to quit---

0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},

uint128 = 0x00000000000000000000000000000000}

xmm4 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},

v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,

0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},

uint128 = 0x00000000000000000000000000000000}

xmm5 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},

v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,

0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},

uint128 = 0x00000000000000000000000000000000}

xmm6 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},

v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,

0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},

uint128 = 0x00000000000000000000000000000000}

xmm7 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},

v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,

0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},

uint128 = 0x00000000000000000000000000000000}

mxcsr 0x1f80 [ IM DM ZM OM UM PM ]
mm0 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0,

0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}

mm1 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0,

0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}

---Type <return> to continue, or q <return> to quit---
mm2 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0,

0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}

mm3 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0,

0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}

mm4 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0,

0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}

mm5 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0,

0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}

mm6 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0,

0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}

mm7 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0,

0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}

This bug was found using the zzuf fuzzer.

This bug was found as part of the SUPERB-TRUST 2008 project; see
​http://www.truststc.org/superb/

Please let me know if you need more information.

[reimar]

Crashes no more with SVN r32690, however there are still some invalid reads in the indeo3 decoder, but that concerns FFmpeg.

[reimar]

FFmpeg bug: ​http://roundup.ffmpeg.org/issue2418