
#1168 closed defect (fixed)

Valgrind reports invalid write of size 1 followed by mplayer crashing from segmentation fault

Reported by: quach@… Owned by: r_togni@…
Priority: very important Component: demuxer
Version: HEAD Severity: critical
Keywords: Cc: catchconv-bugreports@…, sckhan@…
Blocked By: Blocking:
Reproduced by developer: Analyzed by developer:

Description

* Overview: Found a test-case .mp4 file for mplayer on which mplayer crashes with a segmentation fault and valgrind 3.3.1 reports an invalid write of size 1

The test case is "35-Glenquagmire.mp4" available at the URL
http://www.cs.berkeley.edu/~quach/35-Glenquagmire.mp4

* mplayer version

dev-SVN-r27254-4.1.2

* To reproduce:

1) Play 35-Glenquagmire.mp4 using mplayer under Valgrind 3.3.1

* My OS:

Debian Etch Linux, Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz

uname -a:

Linux debian 2.6.18-6-486 #1 Fri Jun 6 21:47:01 UTC 2008 i686 GNU/Linux

gdb backtrace
#0 0xb7e416b7 in memset () from /lib/tls/i686/cmov/libc.so.6
#1 0x00000000 in ?? ()

Disassembly at point of crash
Dump of assembler code from 0xb7e41697 to 0xb7e416d7:
0xb7e41697 <memset+23>: adc %edi,0x4(%ebx)
0xb7e4169a <memset+26>: stos %al,%es:(%edi)
0xb7e4169b <memset+27>: dec %ecx
0xb7e4169c <memset+28>: je 0xb7e416bd <memset+61>
0xb7e4169e <memset+30>: stos %al,%es:(%edi)
0xb7e4169f <memset+31>: dec %ecx
0xb7e416a0 <memset+32>: je 0xb7e416bd <memset+61>
0xb7e416a2 <memset+34>: xor $0x3,%edx
0xb7e416a5 <memset+37>: je 0xb7e416a9 <memset+41>
0xb7e416a7 <memset+39>: stos %al,%es:(%edi)
0xb7e416a8 <memset+40>: dec %ecx
0xb7e416a9 <memset+41>: mov %ecx,%edx
0xb7e416ab <memset+43>: shr $0x2,%ecx
0xb7e416ae <memset+46>: and $0x3,%edx
0xb7e416b1 <memset+49>: imul $0x1010101,%eax,%eax
0xb7e416b7 <memset+55>: rep stos %eax,%es:(%edi)
0xb7e416b9 <memset+57>: mov %edx,%ecx
0xb7e416bb <memset+59>: rep stos %al,%es:(%edi)
0xb7e416bd <memset+61>: mov 0x8(%esp),%eax
0xb7e416c1 <memset+65>: pop %edi
0xb7e416c2 <memset+66>: ret
0xb7e416c3 <memset+67>: nop
0xb7e416c4 <memset+68>: nop
0xb7e416c5 <memset+69>: nop
0xb7e416c6 <memset+70>: nop
0xb7e416c7 <memset+71>: nop
0xb7e416c8 <memset+72>: nop
0xb7e416c9 <memset+73>: nop
0xb7e416ca <memset+74>: nop
0xb7e416cb <memset+75>: nop
0xb7e416cc <memset+76>: nop
0xb7e416cd <memset+77>: nop
0xb7e416ce <memset+78>: nop
0xb7e416cf <memset+79>: nop
0xb7e416d0 <mempcpy_chk+0>: mov 0xc(%esp),%eax
0xb7e416d4 <mempcpy_chk+4>: cmp %eax,0x10(%esp)
End of assembler dump.

Contents of registers at point of crash (edi, the rep stos destination, is 0x0 and ecx, the remaining dword count, is 0x264, so memset was entered with a NULL destination pointer and a non-zero length)
eax 0x0 0
ecx 0x264 612
edx 0x0 0
ebx 0x20000027 536870951
esp 0xbfc6ed88 0xbfc6ed88
ebp 0xbfc6eda8 0xbfc6eda8
esi 0x89a9128 144347432
edi 0x0 0
eip 0xb7e416b7 0xb7e416b7 <memset+55>
eflags 0x210246 [ PF ZF IF RF ID ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
st0 0 (raw 0x00000000000000000000)
st1 0 (raw 0x00000000000000000000)
st2 0 (raw 0x00000000000000000000)
st3 0 (raw 0x00000000000000000000)
st4 0 (raw 0x00000000000000000000)
st5 90000 (raw 0x400fafc8000000000000)
st6 44100 (raw 0x400eac44000000000000)
st7 229.92399092970521223833202384412289 (raw 0x4006e5ec8aab68e27000)
fctrl 0x37f 895
fstat 0x20 32
ftag 0xffff 65535
fiseg 0x73 115
fioff 0xb7e15326 -1209969882
foseg 0x7b 123
fooff 0xbfc6cd38 -1077490376
fop 0x55c 1372
xmm0 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},

v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,

0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},

uint128 = 0x00000000000000000000000000000000}

xmm1 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},

v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,

0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},

uint128 = 0x00000000000000000000000000000000}

xmm2 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},

v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,

0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},

uint128 = 0x00000000000000000000000000000000}

xmm3 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},

v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,

0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},

uint128 = 0x00000000000000000000000000000000}

xmm4 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},

v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,

0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},

uint128 = 0x00000000000000000000000000000000}

xmm5 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},

v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,

0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},

uint128 = 0x00000000000000000000000000000000}

xmm6 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},

v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,

0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},

uint128 = 0x00000000000000000000000000000000}

xmm7 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},

v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,

0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},

uint128 = 0x00000000000000000000000000000000}

mxcsr 0x1f80 [ IM DM ZM OM UM PM ]
mm0 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0,

0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}

mm1 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0,

0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}

mm2 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0,

0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}

mm3 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0,

0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}

mm4 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0,

0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}

mm5 {uint64 = 0xafc8000000000000, v2_int32 = {0x0, 0xafc80000},

v4_int16 = {0x0, 0x0, 0x0, 0xafc8}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,

0xc8, 0xaf}}

mm6 {uint64 = 0xac44000000000000, v2_int32 = {0x0, 0xac440000},

v4_int16 = {0x0, 0x0, 0x0, 0xac44}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,

0x44, 0xac}}

mm7 {uint64 = 0xe5ec8aab68e27000, v2_int32 = {0x68e27000,

0xe5ec8aab}, v4_int16 = {0x7000, 0x68e2, 0x8aab, 0xe5ec}, v8_int8 = {0x0,
0x70, 0xe2, 0x68, 0xab, 0x8a, 0xec, 0xe5}}

Valgrind output, from command
==17886== Memcheck, a memory error detector.
==17886== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==17886== Using LibVEX rev 1854, a library for dynamic binary translation.
==17886== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==17886== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==17886== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==17886== For more details, rerun with: -v
==17886==
MPlayer dev-SVN-r27254-4.1.2 (C) 2000-2008 MPlayer Team
CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz (Family: 6, Model: 15, Stepping: 6)
CPUflags: MMX: 1 MMX2: 1 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 1
Compiled for x86 CPU with extensions: MMX MMX2 SSE SSE2

Playing 35-Glenquagmire.mp4.
libavformat file format detected.
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x863dc50]stream 0, missing mandatory atoms, broken header
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x863dc50]Could not find codec parameters (Video: mpeg4, 320x240)
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x863dc50]Could not find codec parameters (Audio: 0x0000)
LAVF_header: av_find_stream_info() failed
Quicktime/MOV file format detected.
[mov] Video stream found, -vid 0
Warning! pts=10135552 length=10139648
MOV: durmap and chunkmap sample count differ (9898 vs 9902)
[mov] Audio stream found, -aid 1
==17886== Invalid write of size 1
==17886== Stack hash: 2400202423
==17886== at 0x401EB03: memset (mc_replace_strmem.c:493)
==17886== by 0x8172954: new_memory_stream (stream.c:397)
==17886== by 0x816C79A: mp4_parse_esds (parse_mp4.c:41)
==17886== by 0x8138A96: gen_sh_audio (demux_mov.c:780)
==17886== by 0x813B396: lschunks (demux_mov.c:1317)
==17886== by 0x813C315: mov_read_header (demux_mov.c:1931)
==17886== by 0x811E32E: demux_open_stream (demuxer.c:864)
==17886== by 0x811E601: demux_open (demuxer.c:991)
==17886== by 0x807799E: main (mplayer.c:3238)
==17886== Address 0x0 is not stack'd, malloc'd or (recently) free'd

MPlayer interrupted by signal 11 in module: demux_open

  • MPlayer crashed by bad usage of CPU/FPU/RAM. Recompile MPlayer with --enable-debug and make a 'gdb' backtrace and disassembly. Details in DOCS/HTML/en/bugreports_what.html#bugreports_crash.
  • MPlayer crashed. This shouldn't happen. It can be a bug in the MPlayer code _or_ in your drivers _or_ in your gcc version. If you think it's MPlayer's fault, please read DOCS/HTML/en/bugreports.html and follow the instructions there. We can't and won't help unless you provide this information when reporting a possible bug.

==17886==
==17886== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 21 from 1)
==17886== malloc/free: in use at exit: 713,298 bytes in 2,202 blocks.
==17886== malloc/free: 2,351 allocs, 148 frees, 2,263,043 bytes allocated.
==17886== For counts of detected errors, rerun with: -v
==17886== searching for pointers to 2,202 not-freed blocks.
==17886== checked 3,496,464 bytes.
==17886==
==17886== LEAK SUMMARY:
==17886== definitely lost: 48,044 bytes in 4 blocks.
==17886== possibly lost: 0 bytes in 0 blocks.
==17886== still reachable: 665,254 bytes in 2,198 blocks.
==17886== suppressed: 0 bytes in 0 blocks.
==17886== Rerun with --leak-check=full to see details of leaked memory.


This bug was found as part of the SUPERB-TRUST 2008 project
This bug was found as part of the metafuzz project; see http://metafuzz.com/

Change History (3)

comment:1 Changed 12 years ago by quach@…

  • Cc catchconv-bugreports@… added

comment:2 Changed 12 years ago by reimar

  • Resolution set to fixed
  • Status changed from new to closed

Fixed in SVN r27264

comment:3 Changed 12 years ago by reimar

  • Cc sckhan@… added

* Bug 1177 has been marked as a duplicate of this bug. *
