Opened 11 years ago

Last modified 9 years ago

#1165 new defect

Error in Audio Decoding: Mplayer Crashed: Invalid Read

Reported by: sckhan@…
Owned by: reimar
Priority: if idle
Component: ad
Version: HEAD
Severity: normal
Keywords:
Cc: catchconv-bugreports@…
Blocked By:
Blocking:
Reproduced by developer:
Analyzed by developer:

Description

The following report is for the SUPERB-TRUST 2008, the cyber security project.

#Error found with a test case .wav file for mplayer version (dev-SVN-r27249-4.1.2);
valgrind reports an Invalid Read.

#The test case "175-dramatic.wav" can be found at the URL

*http://www.eecs.berkeley.edu/~sckhan/175-dramatic.wav

#Reproducible with the following command

*valgrind mplayer 175-dramatic.wav

Can also be run as:

*valgrind --log-file=log9 mplayer 175-dramatic.wav

#OS: Debian Etch Linux

#Valgrind output:

==6643== Memcheck, a memory error detector.
==6643== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==6643== Using LibVEX rev 1854, a library for dynamic binary translation.
==6643== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==6643== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==6643== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==6643== For more details, rerun with: -v
==6643==
==6643== My PID = 6643, parent PID = 26719. Prog and args are:
==6643== mplayer
==6643== 175-dramatic.wav
==6643==
==6643== Invalid read of size 4
==6643== Stack hash: 2606592226
==6643== at 0x81A820B: faad_rewindbits (bits.c:129)
==6643== by 0x81AB22D: NeAACDecInit (decoder.c:250)
==6643== by 0x818B933: init (ad_faad.c:126)
==6643== by 0x80DB112: init_audio (dec_audio.c:95)
==6643== by 0x80DB508: init_best_audio_codec (dec_audio.c:270)
==6643== by 0x8076778: reinit_audio_chain (mplayer.c:1585)
==6643== by 0x8078121: main (mplayer.c:3583)
==6643== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==6643==
==6643== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 19 from 1)
==6643== malloc/free: in use at exit: 217,657 bytes in 2,187 blocks.
==6643== malloc/free: 2,314 allocs, 127 frees, 1,367,643 bytes allocated.
==6643== For counts of detected errors, rerun with: -v
==6643== searching for pointers to 2,187 not-freed blocks.
==6643== checked 3,048,232 bytes.
==6643==
==6643== LEAK SUMMARY:
==6643== definitely lost: 0 bytes in 0 blocks.
==6643== possibly lost: 0 bytes in 0 blocks.
==6643== still reachable: 217,657 bytes in 2,187 blocks.
==6643== suppressed: 0 bytes in 0 blocks.
==6643== Rerun with --leak-check=full to see details of leaked memory.

#The above valgrind output is saved as a log file (log9) and can be found at
URL:

*http://www.eecs.berkeley.edu/~sckhan/log9

#This report is for the error found in the test case 175-dramatic.wav
where the error seems to be in decoding audio at Stack hash: 2606592226 where the error is: faad_rewindbits (bits.c:129).

#The bug was found while making a comparison of fuzzing tools and is part of
the metafuzz project.

*URL at: metafuzz.com
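A triage sketch for Memcheck records like the one in this report, added here as an example and not part of the original ticket, MPlayer or valgrind: it parses the "Invalid read" record, flags a fault address near NULL, and derives a dedup key from the top frames. The function names, the 4 KiB NULL-page threshold and the key format are assumptions, and the key is not the "Stack hash" value printed in the log.

```python
import hashlib
import re

# Constructed sample: the error record from the report above (trimmed to three frames).
SAMPLE_LOG = """\
==6643== Invalid read of size 4
==6643== Stack hash: 2606592226
==6643== at 0x81A820B: faad_rewindbits (bits.c:129)
==6643== by 0x81AB22D: NeAACDecInit (decoder.c:250)
==6643== by 0x818B933: init (ad_faad.c:126)
==6643== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==6643==
"""

PREFIX = re.compile(r"^==\d+==\s?")
KIND = re.compile(r"^Invalid (read|write) of size (\d+)$")
# Frames read "func (file:line)" with debug info, "func (in /path/lib.so)" without.
FRAME = re.compile(r"^(?:at|by) (0x[0-9A-Fa-f]+): (.+) \((?:in |within )?([^()]+?)(?::(\d+))?\)$")
ADDR = re.compile(r"^Address (0x[0-9A-Fa-f]+) is ")
NULL_PAGE = 0x1000  # assumption: faults below 4 KiB are treated as NULL-based accesses


def parse_memcheck(log):
    """Return one dict per 'Invalid read/write' record in a Memcheck log."""
    errors, cur = [], None
    for raw in log.splitlines():
        line = PREFIX.sub("", raw).strip()
        if m := KIND.match(line):
            cur = {"access": m[1], "size": int(m[2]), "frames": [],
                   "addr": None, "null_deref": None}
            errors.append(cur)
        elif cur is None or not line:
            cur = None  # a blank separator ends the current record
        elif m := FRAME.match(line):
            cur["frames"].append((m[2], m[3], int(m[4]) if m[4] else None))
        elif m := ADDR.match(line):
            cur["addr"] = int(m[1], 16)
            cur["null_deref"] = cur["addr"] < NULL_PAGE
            cur = None  # frames after this line would be an allocation stack
    return errors


def bucket(error, depth=3):
    """Dedup key from the top frames (function and file), ignoring load addresses."""
    top = "|".join(f"{fn}@{src}" for fn, src, _ in error["frames"][:depth])
    return hashlib.sha256(top.encode()).hexdigest()[:12]

if __name__ == "__main__":
    print([(e["frames"][0], e["null_deref"], bucket(e)) for e in parse_memcheck(SAMPLE_LOG)])
```

Keying on function and file rather than addresses keeps the same crash in one bucket across rebuilds, which matters when comparing the output of several fuzzers.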

Change History (6)

comment:1 Changed 11 years ago by reimar

  • Priority changed from normal to if idle

Problem is in libfaad2

comment:2 Changed 11 years ago by sckhan@…

  • Summary changed from Error in Audio Decoding: Invalid Read to Error in Audio Decoding: Mplayer Crashed: Invalid Read

Summary has been edited...*Mplayer Crashed*

comment:3 Changed 11 years ago by sckhan@…

*Back-trace log file (crash1) has been added for the report*
The file crash1 can be found at URL:
<http://www.eecs.berkeley.edu/~sckhan/crash1>

comment:4 Changed 11 years ago by sckhan@…

-----------------------------------------------------------------

|This report has been submitted to Upstream (URL: Sourceforge.com)|

-----------------------------------------------------------------

comment:5 Changed 11 years ago by sckhan@…


|This report has been submitted to Upstream (Sourceforge.net)|

------------------------------------------------------------

URL:
<https://sourceforge.net/tracker/?func=detail&atid=100704&aid=2019777&group_id=704>

comment:6 Changed 9 years ago by compn

  • Owner changed from r_togni@… to reimar