Opened 16 years ago

Last modified 13 years ago

#1169 new defect

Invalid read of size 4 in mov_read_packet followed by crash

Reported by: zlai88@… Owned by: reimar
Priority: normal Component: streaming
Version: HEAD Severity: normal
Keywords: Cc: catchconv-bugreports@…
Blocked By: Blocking:
Reproduced by developer: no Analyzed by developer: no

Description

The fuzzed file 58-the-mummy3-trailer.mp4 (in the archive at the URL above) caused MPlayer to crash in module demux_open. Valgrind reports an invalid read of size 4 in mov_read_packet (mov.c:1769).

This is reproducible on Linux Debian Etch, with the latest Subversion head mplayer (r27255). The machine used is VMWare Player.

Reproduce as follows:
wget http://www.eecs.berkeley.edu/~zhl210/7074-58-1338391578-Leak_DefinitelyLost.tgz
tar xzf 7074-58-1338391578-Leak_DefinitelyLost.tgz
valgrind mplayer 58-the-mummy3-trailer.mp4


Here is the report by Valgrind:

demux_open

==3069== Memcheck, a memory error detector.
==3069== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==3069== Using LibVEX rev 1854, a library for dynamic binary translation.
==3069== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==3069== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==3069== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==3069== For more details, rerun with: -v
==3069==
MPlayer dev-SVN-r27255-4.1.2 (C) 2000-2008 MPlayer Team
CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz (Family: 6, Model: 15, Stepping: 6)
CPUflags: MMX: 1 MMX2: 1 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 1
Compiled for x86 CPU with extensions: MMX MMX2 SSE SSE2

Playing 58-the-mummy3-trailer.mp4.
libavformat file format detected.
==3069== Invalid read of size 4
==3069== Stack hash: 34083339
==3069== at 0x8292D21: mov_read_packet (mov.c:1769)
==3069== by 0x825CD72: av_read_packet (utils.c:514)
==3069== by 0x826268C: av_read_frame_internal (utils.c:864)
==3069== by 0x8263585: av_find_stream_info (utils.c:1970)
==3069== by 0x81A3165: demux_open_lavf (demux_lavf.c:466)
==3069== by 0x811E20F: demux_open_stream (demuxer.c:811)
==3069== by 0x811E601: demux_open (demuxer.c:991)
==3069== by 0x807799E: main (mplayer.c:3238)
==3069== Address 0xc is not stack'd, malloc'd or (recently) free'd

MPlayer interrupted by signal 11 in module: demux_open

  • MPlayer crashed by bad usage of CPU/FPU/RAM. Recompile MPlayer with --enable-debug and make a 'gdb' backtrace and disassembly. Details in DOCS/HTML/en/bugreports_what.html#bugreports_crash.
  • MPlayer crashed. This shouldn't happen. It can be a bug in the MPlayer code _or_ in your drivers _or_ in your gcc version. If you think it's MPlayer's fault, please read DOCS/HTML/en/bugreports.html and follow the instructions there. We can't and won't help unless you provide this information when reporting a possible bug.

==3069==
==3069== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 19 from 1)
==3069== malloc/free: in use at exit: 305,277 bytes in 2,189 blocks.
==3069== malloc/free: 2,259 allocs, 70 frees, 1,384,271 bytes allocated.
==3069== For counts of detected errors, rerun with: -v
==3069== searching for pointers to 2,189 not-freed blocks.
==3069== checked 3,137,092 bytes.
==3069==
==3069== LEAK SUMMARY:
==3069== definitely lost: 396 bytes in 1 blocks.
==3069== possibly lost: 0 bytes in 0 blocks.
==3069== still reachable: 304,881 bytes in 2,188 blocks.
==3069== suppressed: 0 bytes in 0 blocks.
==3069== Rerun with --leak-check=full to see details of leaked memory.


Here is the backtrace by gdb:

[Thread debugging using libthread_db enabled]
[New Thread -1209677152 (LWP 3607)]
MPlayer dev-SVN-r27255-4.1.2 (C) 2000-2008 MPlayer Team
CPU: Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz (Family: 6, Model: 15, Stepping: 13)
CPUflags: MMX: 1 MMX2: 1 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 1
Compiled for x86 CPU with extensions: MMX MMX2 SSE SSE2
get_path('codecs.conf') -> '/home/user/.mplayer/codecs.conf'
Reading /home/user/.mplayer/codecs.conf: Can't open '/home/user/.mplayer/codecs.conf': No such file or directory
Reading /usr/local/etc/mplayer/codecs.conf: Can't open '/usr/local/etc/mplayer/codecs.conf': No such file or directory
Using built-in default codecs.conf.
Configuration: --enable-debug=3
CommandLine: '-v' '58-the-mummy3-trailer.mp4'
get_path('font/font.desc') -> '/home/user/.mplayer/font/font.desc'
font: can't open file: /home/user/.mplayer/font/font.desc
font: can't open file: /usr/local/share/mplayer/font/font.desc
Using MMX (with tiny bit MMX2) Optimized OnScreenDisplay
Using nanosleep() timing
get_path('input.conf') -> '/home/user/.mplayer/input.conf'
Can't open input config file /home/user/.mplayer/input.conf: No such file or directory
Can't open input config file /usr/local/etc/mplayer/input.conf: No such file or directory
Falling back on default (hardcoded) input config
get_path('58-the-mummy3-trailer.mp4.conf') -> '/home/user/.mplayer/58-the-mummy3-trailer.mp4.conf'

Playing 58-the-mummy3-trailer.mp4.
get_path('sub/') -> '/home/user/.mplayer/sub/'
[file] File size is 6472527 bytes
STREAM: [file] 58-the-mummy3-trailer.mp4
STREAM: Description: File
STREAM: Author: Albeu
STREAM: Comment: based on the code from ??? (probably Arpi)
LAVF_check: QuickTime/MPEG-4/Motion JPEG 2000 format
libavformat file format detected.
stream_seek: WARNING! Can't seek to 0x62C34F !
stream_seek: WARNING! Can't seek to 0x62C4CB !
stream_seek: WARNING! Can't seek to 0x62C357 !

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1209677152 (LWP 3607)]
0x08292d21 in mov_read_packet (s=0x89b0460, pkt=0x89b1328) at mov.c:1769
1769 AV_TIME_BASE, msc->time_scale);
(gdb) bt
#0 0x08292d21 in mov_read_packet (s=0x89b0460, pkt=0x89b1328) at mov.c:1769
#1 0x0825cd73 in av_read_packet (s=0x89b0460, pkt=0x89b1328) at utils.c:514
#2 0x0826268d in av_read_frame_internal (s=0x89b0460, pkt=0xbfffe1c0) at utils.c:864
#3 0x08263586 in av_find_stream_info (ic=0x89b0460) at utils.c:1970
#4 0x081a3166 in demux_open_lavf (demuxer=0x89a67b0) at libmpdemux/demux_lavf.c:466
#5 0x0811e210 in demux_open_stream (stream=0x89a7138, file_format=<value optimized out>, force=0, audio_id=-1, video_id=-1, dvdsub_id=-2, filename=0x899d3f0 "58-the-mummy3-trailer.mp4") at libmpdemux/demuxer.c:811
#6 0x0811e602 in demux_open (vs=0x89a7138, file_format=0, audio_id=-1, video_id=-1, dvdsub_id=-2, filename=0x899d3f0 "58-the-mummy3-trailer.mp4") at libmpdemux/demuxer.c:991
#7 0x0807799f in main (argc=3, argv=0xbffff714) at mplayer.c:3238
(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x8292d01 to 0x8292d41:
0x08292d01 <mov_read_packet+145>: add %eax,%edi
0x08292d03 <mov_read_packet+147>: mov 0x4c(%esi),%eax
0x08292d06 <mov_read_packet+150>: mov %eax,0x10(%esp)
0x08292d0a <mov_read_packet+154>: cltd
0x08292d0b <mov_read_packet+155>: mov $0xf4240,%eax
0x08292d10 <mov_read_packet+160>: mov %eax,0x8(%esp)
0x08292d14 <mov_read_packet+164>: xor %eax,%eax
0x08292d16 <mov_read_packet+166>: mov %edx,0x14(%esp)
0x08292d1a <mov_read_packet+170>: mov %eax,0xc(%esp)
0x08292d1e <mov_read_packet+174>: mov 0x50(%esi),%eax
0x08292d21 <mov_read_packet+177>: mov 0xc(%edi),%edx
0x08292d24 <mov_read_packet+180>: mov %eax,%ecx
0x08292d26 <mov_read_packet+182>: sar $0x1f,%ecx
0x08292d29 <mov_read_packet+185>: mov %ecx,0xffffff8c(%ebp)
0x08292d2c <mov_read_packet+188>: mov %eax,0xffffff88(%ebp)
0x08292d2f <mov_read_packet+191>: mov 0xffffff8c(%ebp),%ecx
0x08292d32 <mov_read_packet+194>: mov 0x8(%edi),%eax
0x08292d35 <mov_read_packet+197>: imul %eax,%ecx
0x08292d38 <mov_read_packet+200>: mov 0xffffff88(%ebp),%eax
0x08292d3b <mov_read_packet+203>: imul %edx,%eax
0x08292d3e <mov_read_packet+206>: add %eax,%ecx
0x08292d40 <mov_read_packet+208>: mov 0xffffff88(%ebp),%eax
End of assembler dump.
(gdb) info all-registers
eax 0xe10 3600
ecx 0x0 0
edx 0x0 0
ebx 0x89b13d0 144380880
esp 0xbfffda60 0xbfffda60
ebp 0xbfffdb08 0xbfffdb08
esi 0x89b1d20 144383264
edi 0x0 0
eip 0x8292d21 0x8292d21 <mov_read_packet+177>
eflags 0x210246 [ PF ZF IF RF ID ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
st0 0 (raw 0x00000000000000000000)
st1 0 (raw 0x00000000000000000000)
st2 0 (raw 0x00000000000000000000)
st3 0 (raw 0x00000000000000000000)
st4 0 (raw 0x00000000000000000000)
st5 1 (raw 0x3fff8000000000000000)
st6 1 (raw 0x3fff8000000000000000)


This bug was found as part of the SUPERB-TRUST 2008 project.
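Added analysis and example, not part of the original report and not MPlayer or FFmpeg code: the register dump shows %edi = 0 and the faulting instruction is `mov 0xc(%edi),%edx`, while the source line is the `msc->time_scale` argument of the av_rescale call, so the invalid read is a NULL pointer dereference of a field at offset 0xc (Valgrind's "Address 0xc is not stack'd, malloc'd or (recently) free'd"). The evidence points to the per-stream MOV context being NULL for one of the tracks in the fuzzed file. A read through NULL crashes the process (a denial of service on a fuzzed input) rather than giving an attacker a controlled write. The C below is a toy rewrite of a demuxer's "pick the stream with the lowest next dts" loop with the two guards a practitioner would want at this point: skip a stream whose context pointer is missing, and skip one whose time_scale is zero, which would otherwise turn the rescale into a division by zero. The structure layouts, names and sample data are assumptions constructed for the example and are not the real libavformat types.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy stand-ins for the libavformat structures involved. Layouts and names
 * are assumptions for illustration, not the real MOVStreamContext/AVStream. */
#define AV_TIME_BASE 1000000

typedef struct {
    int64_t pos;
    int64_t timestamp;   /* in the stream's own time base */
    int     size;
} IndexEntry;

typedef struct {
    int32_t ffindex;
    int32_t next_chunk;
    int32_t chunk_count;
    int32_t time_scale;  /* offsetof == 12 == 0xc in this toy layout */
    int32_t current_sample;
} StreamCtx;

typedef struct {
    StreamCtx  *priv_data;      /* NULL for a track the demuxer never set up */
    IndexEntry *index_entries;
    int         nb_index_entries;
} Stream;

typedef struct {
    Stream **streams;
    int      nb_streams;
} FormatCtx;

/* a * b / c with a 64-bit intermediate; toy version, not overflow-safe. */
static int64_t rescale(int64_t a, int64_t b, int64_t c) { return a * b / c; }

/* Hardened sample picker: returns the index of the stream whose next sample
 * has the lowest dts (in AV_TIME_BASE units), or -1 if no stream has a usable
 * sample. A stream with a NULL context or a zero/negative time_scale is
 * skipped instead of dereferenced or divided by. */
int pick_next_stream(const FormatCtx *s, int64_t *best_dts_out)
{
    int best = -1;
    int64_t best_dts = INT64_MAX;
    for (int i = 0; i < s->nb_streams; i++) {
        const Stream *st = s->streams[i];
        const StreamCtx *msc = st->priv_data;
        if (!msc || msc->time_scale <= 0)           /* the missing guards */
            continue;
        if (msc->current_sample >= st->nb_index_entries)
            continue;
        const IndexEntry *e = &st->index_entries[msc->current_sample];
        int64_t dts = rescale(e->timestamp, AV_TIME_BASE, msc->time_scale);
        if (dts < best_dts) { best_dts = dts; best = i; }
    }
    if (best_dts_out) *best_dts_out = best_dts;
    return best;
}

/* Offset of the field the faulting instruction reads; with a NULL base this
 * is the "Address 0xc" that Valgrind reported. */
size_t time_scale_offset(void) { return offsetof(StreamCtx, time_scale); }

/* Constructed demo: three tracks, one of them with no context at all. */
int demo(void)
{
    IndexEntry a[] = { { 0, 90000, 100 } };      /* 1.0 s at 90 kHz */
    IndexEntry v[] = { { 0, 24000, 100 } };      /* 0.5 s at 48 kHz */
    StreamCtx sa = { 0, 0, 0, 90000, 0 };
    StreamCtx sv = { 0, 0, 0, 48000, 0 };
    Stream audio  = { &sa, a, 1 };
    Stream video  = { &sv, v, 1 };
    Stream broken = { NULL, NULL, 0 };            /* crashes an unchecked loop */
    Stream *list[] = { &audio, &broken, &video };
    FormatCtx s = { list, 3 };
    int64_t dts;
    int idx = pick_next_stream(&s, &dts);        /* picks the video track (2) */
    printf("next stream %d, dts %lld us\n", idx, (long long)dts);
    return idx;
}

int main(void) { return demo() < 0; }
```

The same NULL-context guard is what a demuxer needs on every path that reaches per-stream state from the stream array, not just in this loop; checking once at track setup and refusing the file is the cheaper alternative when a track cannot be completed.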

Change History (1)

comment:1 by compn, 13 years ago

Owner: changed from r_togni@… to reimar