Opened 11 years ago

Closed 11 years ago

#1166 closed defect (duplicate)

Mplayer crashes from segmentation fault

Reported by: quach@…
Owned by: r_togni@…
Priority: very important
Component: demuxer
Version: HEAD
Severity: critical
Keywords:
Cc: catchconv-bugreports@…
Blocked By:
Blocking:
Reproduced by developer:
Analyzed by developer:

Description

* Overview: Found a test case .mp4 file for mplayer where mplayer crashes with a segmentation fault and valgrind 3.3.1 reports invalid writes of size 4

The test case is "1-Glenquagmire.mp4" available at the URL
http://www.cs.berkeley.edu/~quach/1-Glenquagmire.mp4

* mplayer version

dev-SVN-r27254-4.1.2

* To reproduce:

1) Play 1-Glenquagmire.mp4 using mplayer under Valgrind 3.3.1

* My OS:

Debian Etch Linux, Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz

uname -a:

Linux debian 2.6.18-6-486 #1 Fri Jun 6 21:47:01 UTC 2008 i686 GNU/Linux

gdb backtrace
#0  mov_build_index (trak=0x89a8458, timescale=90000) at libmpdemux/demux_mov.c:174
#1  0x0813aa57 in lschunks (demuxer=0x89a7158, level=0, endpos=8700025, trak=0x0) at libmpdemux/demux_mov.c:1312
#2  0x0813c316 in mov_read_header (demuxer=0x89a7158) at libmpdemux/demux_mov.c:1931
#3  0x0811e32f in demux_open_stream (stream=0x89a67c0, file_format=<value optimized out>, force=0, audio_id=-1, video_id=-1, dvdsub_id=-2, filename=0x899d470 "1-Glenquagmire.mp4") at libmpdemux/demuxer.c:864
#4  0x0811e602 in demux_open (vs=0x89a67c0, file_format=0, audio_id=-1, video_id=-1, dvdsub_id=-2, filename=0x899d470 "1-Glenquagmire.mp4") at libmpdemux/demuxer.c:991
#5  0x0807799f in main (argc=3, argv=0xbfaf9a54) at mplayer.c:3238

Disassembly at point of crash
Dump of assembler code from 0x8139301 to 0x8139341:
0x08139301 <mov_build_index+193>: add $0xbf,%al
0x08139303 <mov_build_index+195>: mov 0x8(%edx),%esi
0x08139306 <mov_build_index+198>: shl $0x2,%eax
0x08139309 <mov_build_index+201>: mov 0x4(%edx),%ebx
0x0813930c <mov_build_index+204>: mov 0x60(%ecx),%edx
0x0813930f <mov_build_index+207>: mov 0xffffffb8(%ebp),%ecx
0x08139312 <mov_build_index+210>: add %edx,%eax
0x08139314 <mov_build_index+212>: xor %edx,%edx
0x08139316 <mov_build_index+214>: add $0x8,%eax
0x08139319 <mov_build_index+217>: sub %edi,%ecx
0x0813931b <mov_build_index+219>: nop
0x0813931c <mov_build_index+220>: lea 0x0(%esi),%esi
0x08139320 <mov_build_index+224>: inc %edx
0x08139321 <mov_build_index+225>: mov %esi,(%eax)
0x08139323 <mov_build_index+227>: mov %ebx,0xfffffffc(%eax)
0x08139326 <mov_build_index+230>: add $0x14,%eax
0x08139329 <mov_build_index+233>: cmp %edx,%ecx
0x0813932b <mov_build_index+235>: jne 0x8139320 <mov_build_index+224>
0x0813932d <mov_build_index+237>: mov 0xffffffec(%ebp),%esi
0x08139330 <mov_build_index+240>: mov 0x8(%ebp),%ebx
0x08139333 <mov_build_index+243>: subl $0xc,0xffffffd4(%ebp)
0x08139337 <mov_build_index+247>: test %esi,%esi
0x08139339 <mov_build_index+249>: mov 0x5c(%ebx),%edx
0x0813933c <mov_build_index+252>: je 0x813934e <mov_build_index+270>
0x0813933e <mov_build_index+254>: cmp %edx,%edi
0x08139340 <mov_build_index+256>: cmovbe %edi,%edx
End of assembler dump.

Contents of registers at point of crash
eax 0xb7ce4008 -1211219960
ecx 0x800001ed -2147483155
edx 0x455d 17757
ebx 0x105 261
esp 0xbfaf8490 0xbfaf8490
ebp 0xbfaf8538 0xbfaf8538
esi 0x8000010b -2147483381
edi 0x8000010a -2147483382
eip 0x8139321 0x8139321 <mov_build_index+225>
eflags 0x210202 [ IF RF ID ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
st0 0 (raw 0x00000000000000000000)
st1 0 (raw 0x00000000000000000000)
st2 0 (raw 0x00000000000000000000)
st3 0 (raw 0x00000000000000000000)
st4 0 (raw 0x00000000000000000000)
st5 1 (raw 0x3fff8000000000000000)
st6 -2147439548 (raw 0xc01dfffea77800000000)
st7 -0.0047217385045569626803030338635380758 (raw 0xbff79ab8d03a89fd4800)
fctrl 0x37f 895
fstat 0x20 32
ftag 0xffff 65535
fiseg 0x73 115
fioff 0xb7e4d326 -1209740506
foseg 0x7b 123
fooff 0xbfaf63c8 -1079024696
fop 0x55c 1372
xmm0 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm1 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm2 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm3 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm4 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm5 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm6 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm7 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
mxcsr 0x1f80 [ IM DM ZM OM UM PM ]
mm0 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0, 0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm1 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0, 0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm2 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0, 0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm3 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0, 0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm4 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0, 0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm5 {uint64 = 0x8000000000000000, v2_int32 = {0x0, 0x80000000}, v4_int16 = {0x0, 0x0, 0x0, 0x8000}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x80}}
mm6 {uint64 = 0xfffea77800000000, v2_int32 = {0x0, 0xfffea778}, v4_int16 = {0x0, 0x0, 0xa778, 0xfffe}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x78, 0xa7, 0xfe, 0xff}}
mm7 {uint64 = 0x9ab8d03a89fd4800, v2_int32 = {0x89fd4800, 0x9ab8d03a}, v4_int16 = {0x4800, 0x89fd, 0xd03a, 0x9ab8}, v8_int8 = {0x0, 0x48, 0xfd, 0x89, 0x3a, 0xd0, 0xb8, 0x9a}}

Valgrind output, from command
==17305== Memcheck, a memory error detector.
==17305== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==17305== Using LibVEX rev 1854, a library for dynamic binary translation.
==17305== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==17305== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==17305== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==17305== For more details, rerun with: -v
==17305==
MPlayer dev-SVN-r27254-4.1.2 (C) 2000-2008 MPlayer Team
CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz (Family: 6, Model: 15, Stepping: 6)
CPUflags: MMX: 1 MMX2: 1 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 1
Compiled for x86 CPU with extensions: MMX MMX2 SSE SSE2

Playing 1-Glenquagmire.mp4.
libavformat file format detected.
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x863dc50]Could not find codec parameters (Audio: 0xe130726d, 44100 Hz, stereo)
LAVF_header: av_find_stream_info() failed
Quicktime/MOV file format detected.
==17305== Invalid write of size 4
==17305== Stack hash: 891247181
==17305== at 0x8139321: mov_build_index (demux_mov.c:174)
==17305== by 0x813AA56: lschunks (demux_mov.c:1312)
==17305== by 0x813C315: mov_read_header (demux_mov.c:1931)
==17305== by 0x811E32E: demux_open_stream (demuxer.c:864)
==17305== by 0x811E601: demux_open (demuxer.c:991)
==17305== by 0x807799E: main (mplayer.c:3238)
==17305== Address 0x43731d8 is 8 bytes after a block of size 198,040 alloc'd
==17305== Stack hash: 1977850112
==17305== at 0x401D898: malloc (vg_replace_malloc.c:207)
==17305== by 0x401D9DC: realloc (vg_replace_malloc.c:429)
==17305== by 0x813E047: lschunks_intrak (demuxer.h:305)
==17305== by 0x813A3C0: lschunks (demux_mov.c:1283)
==17305== by 0x813C8A2: lschunks_intrak (demux_mov.c:1874)
==17305== by 0x813A3C0: lschunks (demux_mov.c:1283)
==17305== by 0x813C8A2: lschunks_intrak (demux_mov.c:1874)
==17305== by 0x813A3C0: lschunks (demux_mov.c:1283)
==17305== by 0x813C8A2: lschunks_intrak (demux_mov.c:1874)
==17305== by 0x813A3C0: lschunks (demux_mov.c:1283)
==17305== by 0x813AA3E: lschunks (demux_mov.c:1311)
==17305== by 0x813C315: mov_read_header (demux_mov.c:1931)
==17305==
==17305== Invalid write of size 4
==17305== Stack hash: 1029935095
==17305== at 0x8139323: mov_build_index (demux_mov.c:175)
==17305== by 0x813AA56: lschunks (demux_mov.c:1312)
==17305== by 0x813C315: mov_read_header (demux_mov.c:1931)
==17305== by 0x811E32E: demux_open_stream (demuxer.c:864)
==17305== by 0x811E601: demux_open (demuxer.c:991)
==17305== by 0x807799E: main (mplayer.c:3238)
==17305== Address 0x43731d4 is 4 bytes after a block of size 198,040 alloc'd
==17305== Stack hash: 1977850112
==17305== at 0x401D898: malloc (vg_replace_malloc.c:207)
==17305== by 0x401D9DC: realloc (vg_replace_malloc.c:429)
==17305== by 0x813E047: lschunks_intrak (demuxer.h:305)
==17305== by 0x813A3C0: lschunks (demux_mov.c:1283)
==17305== by 0x813C8A2: lschunks_intrak (demux_mov.c:1874)
==17305== by 0x813A3C0: lschunks (demux_mov.c:1283)
==17305== by 0x813C8A2: lschunks_intrak (demux_mov.c:1874)
==17305== by 0x813A3C0: lschunks (demux_mov.c:1283)
==17305== by 0x813C8A2: lschunks_intrak (demux_mov.c:1874)
==17305== by 0x813A3C0: lschunks (demux_mov.c:1283)
==17305== by 0x813AA3E: lschunks (demux_mov.c:1311)
==17305== by 0x813C315: mov_read_header (demux_mov.c:1931)

MPlayer interrupted by signal 11 in module: demux_open

- MPlayer crashed by bad usage of CPU/FPU/RAM. Recompile MPlayer with --enable-debug and make a 'gdb' backtrace and disassembly. Details in DOCS/HTML/en/bugreports_what.html#bugreports_crash.
- MPlayer crashed. This shouldn't happen. It can be a bug in the MPlayer code _or_ in your drivers _or_ in your gcc version. If you think it's MPlayer's fault, please read DOCS/HTML/en/bugreports.html and follow the instructions there. We can't and won't help unless you provide this information when reporting a possible bug.

==17305==
==17305== ERROR SUMMARY: 234244 errors from 2 contexts (suppressed: 19 from 1)
==17305== malloc/free: in use at exit: 456,143 bytes in 2,185 blocks.
==17305== malloc/free: 2,328 allocs, 143 frees, 1,732,909 bytes allocated.
==17305== For counts of detected errors, rerun with: -v
==17305== searching for pointers to 2,185 not-freed blocks.
==17305== checked 3,127,616 bytes.
==17305==
==17305== LEAK SUMMARY:
==17305== definitely lost: 0 bytes in 0 blocks.
==17305== possibly lost: 0 bytes in 0 blocks.
==17305== still reachable: 456,143 bytes in 2,185 blocks.
==17305== suppressed: 0 bytes in 0 blocks.
==17305== Rerun with --leak-check=full to see details of leaked memory.


This bug was found as part of the SUPERB-TRUST 2008 project
This bug was found as part of the metafuzz project; see http://metafuzz.com/
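The Valgrind report above shows the index loop in mov_build_index storing fixed-size entries 4 and 8 bytes past a 198,040-byte heap block that lschunks_intrak had allocated earlier, i.e. the number of entries the loop writes is derived from a different part of the file than the count used to size the block. The C program below is an added example, not MPlayer's code: it models that pattern with a simplified track whose samples[] array is sized from one table (modelled on the stsz sample count) and filled from another (stts time-to-sample runs), computes how far an unchecked loop would run past the allocation without performing the writes, and shows a bounds check that rejects such a file before the loop starts. Every name in it (track_t, durmap_t, parse_stts, build_index_checked, run_case) and the stts layout it parses are assumptions of the example; which tables the real demuxer reconciles and how its structs look are not established by this ticket.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not MPlayer's demux_mov.c: a constructed model of an MP4
 * index builder that sizes samples[] from one table and fills it from
 * another. All struct and function names are assumptions of this example. */

typedef struct { uint32_t num; uint32_t dur; } durmap_t;  /* one stts run: num samples of dur ticks */
typedef struct { uint32_t pts; uint32_t size; } sample_t; /* one index entry */

typedef struct {
    sample_t *samples;  uint32_t samples_size; /* block sized from the sample count */
    durmap_t *durmap;   uint32_t durmap_size;  /* runs parsed from stts */
} track_t;

static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* stts payload: 4 bytes version/flags, a 4-byte entry count, then big-endian
 * (num, dur) pairs. Rejects a count larger than the bytes actually present. */
static int parse_stts(track_t *t, const uint8_t *buf, size_t len) {
    if (len < 8) return -1;
    uint32_t n = rd32(buf + 4);
    if (n > (len - 8) / 8) return -1;
    t->durmap = calloc(n ? n : 1, sizeof *t->durmap);
    if (!t->durmap) return -1;
    for (uint32_t i = 0; i < n; i++) {
        t->durmap[i].num = rd32(buf + 8 + i * 8);
        t->durmap[i].dur = rd32(buf + 12 + i * 8);
    }
    t->durmap_size = n;
    return 0;
}

/* The heap block the index loop writes into, sized from a sample count the
 * caller obtained from a different table (stsz in a real parser). */
static int alloc_samples(track_t *t, uint32_t sample_count) {
    t->samples = calloc(sample_count ? sample_count : 1, sizeof *t->samples);
    if (!t->samples) return -1;
    t->samples_size = sample_count;
    return 0;
}

/* Entries that an unchecked loop of the form
 *     for each run i: for j < durmap[i].num: samples[s++].pts = pts;
 * would write past samples_size. Computed without writing anything; the
 * 64-bit accumulator keeps a hostile num from wrapping the total. */
static uint64_t index_overrun(const track_t *t) {
    uint64_t total = 0;
    for (uint32_t i = 0; i < t->durmap_size; i++) total += t->durmap[i].num;
    return total > t->samples_size ? total - t->samples_size : 0;
}

/* Hardened build: refuse the file when the runs do not fit the allocation
 * instead of writing off the end of the block as the Valgrind trace shows. */
static int build_index_checked(track_t *t) {
    if (index_overrun(t) != 0) return -1;
    uint32_t s = 0, pts = 0;
    for (uint32_t i = 0; i < t->durmap_size; i++)
        for (uint32_t j = 0; j < t->durmap[i].num; j++) {
            t->samples[s++].pts = pts;
            pts += t->durmap[i].dur;
        }
    return 0;
}

/* Builds a constructed stts payload from (num, dur) pairs, n <= 16. */
static size_t make_stts(uint8_t *out, const uint32_t *pairs, uint32_t n) {
    memset(out, 0, 4);
    wr32(out + 4, n);
    for (uint32_t i = 0; i < n; i++) {
        wr32(out + 8 + i * 8, pairs[2 * i]);
        wr32(out + 12 + i * 8, pairs[2 * i + 1]);
    }
    return 8 + (size_t)n * 8;
}

static void free_track(track_t *t) {
    free(t->samples); free(t->durmap);
    t->samples = NULL; t->durmap = NULL;
}

/* Parses a constructed stts, allocates sample_count entries and runs the
 * checked build. Returns that result; *overrun receives the number of
 * entries the unchecked loop would have written beyond the block. */
int run_case(uint32_t sample_count, const uint32_t *pairs, uint32_t npairs,
             track_t *t, uint64_t *overrun) {
    uint8_t buf[8 + 8 * 16];
    memset(t, 0, sizeof *t);
    *overrun = 0;
    if (npairs > 16) return -1;
    size_t len = make_stts(buf, pairs, npairs);
    if (parse_stts(t, buf, len) != 0 || alloc_samples(t, sample_count) != 0) return -1;
    *overrun = index_overrun(t);
    return build_index_checked(t);
}

int main(void) {
    static const uint32_t good[] = {3, 100, 1, 200}; /* 3 + 1 samples: fits 4 */
    static const uint32_t bad[]  = {3, 100, 5, 200}; /* 3 + 5 = 8 claimed for a 4-entry block */
    const uint32_t *cases[] = {good, bad};
    for (int c = 0; c < 2; c++) {
        track_t t; uint64_t over;
        int rc = run_case(4, cases[c], 2, &t, &over);
        printf("case %d: build=%d, entries past allocation=%llu\n",
               c, rc, (unsigned long long)over);
        free_track(&t);
    }
    return 0;
}
```

The check lives in index_overrun rather than inside the loop so that the rejection happens before any entry is written; the same total is what a fuzzer-found file like the one here inflates, and a 32-bit sum of the run counts could be wrapped back into range by a crafted table, which is why the accumulator is 64-bit.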

Change History (2)

comment:1 Changed 11 years ago by quach@…

  • Cc catchconv-bugreports@… added

comment:2 Changed 11 years ago by reimar

  • Resolution set to duplicate
  • Status changed from new to closed

* This bug has been marked as a duplicate of bug 1153 *
