Valgrind reports invalid write of size 1 followed by mplayer crashing from segmentation fault at 0x8137976: gen_sh_video (demux_mov.c:1120)

[quach@…]

* Overview: Found a test case .mp4 file for mplayer where mplayer crashes on segmentation fault and valgrind 3.3.1 reports invalid writes of size 1

The test case is "40-Glenquagmire.mp4" available at the URL
​http://www.cs.berkeley.edu/~quach/518643-40-result256.tgz

* mplayer version

dev-SVN-r27254-4.1.2

* To reproduce:

1) Play 40-Glenquagmire.mp4 using mplayer under Valgrind 3.3.1

* My OS:

Debian Etch Linux, Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz

uname -a:

Linux debian 2.6.18-6-486 #1 Fri Jun 6 21:47:01 UTC 2008 i686 GNU/Linux

gdb backtrace
#0 0x08137976 in gen_sh_video (sh=0x89a8580, trak=0x89a8458,

timescale=<value optimized out>) at libmpdemux/demux_mov.c:1120

#1 0x0813b905 in lschunks (demuxer=0x89a7158, level=0, endpos=8700025,

trak=0xf0) at libmpdemux/demux_mov.c:1323

#2 0x0813c316 in mov_read_header (demuxer=0x89a7158)

at libmpdemux/demux_mov.c:1931

#3 0x0811e32f in demux_open_stream (stream=0x89a67c0,

file_format=<value optimized out>, force=0, audio_id=-1, video_id=-1,
dvdsub_id=-2, filename=0x899d470 "40-Glenquagmire.mp4")
at libmpdemux/demuxer.c:864

#4 0x0811e602 in demux_open (vs=0x89a67c0, file_format=0, audio_id=-1,

video_id=-1, dvdsub_id=-2, filename=0x899d470 "40-Glenquagmire.mp4")
at libmpdemux/demuxer.c:991

#5 0x0807799f in main (argc=3, argv=0xbffe8f34) at mplayer.c:3238

Disassembly at point of crash
Dump of assembler code from 0x8137956 to 0x8137996:
0x08137956 <gen_sh_video+742>: mov $0x43,%dh
0x08137958 <gen_sh_video+744>: sbb (%edi),%cl
0x0813795a <gen_sh_video+746>: mov $0x53,%dh
0x0813795c <gen_sh_video+748>: sbb %ecx,%eax
0x0813795e <gen_sh_video+750>: loopne 0x8137968 <gen_sh_video+760>
0x08137960 <gen_sh_video+752>: or %eax,%edx
0x08137962 <gen_sh_video+754>: test %esi,%esi
0x08137964 <gen_sh_video+756>: mov %edx,0xfc(%ecx)
0x0813796a <gen_sh_video+762>: je 0x8137b60 <gen_sh_video+1264>
0x08137970 <gen_sh_video+768>: mov 0xffffff8c(%ebp),%eax
0x08137973 <gen_sh_video+771>: mov 0x40(%eax),%ecx
0x08137976 <gen_sh_video+774>: movzbl 0x4c(%ecx),%eax
0x0813797a <gen_sh_video+778>: movzbl 0x4d(%ecx),%edx
0x0813797e <gen_sh_video+782>: shl $0x8,%eax
0x08137981 <gen_sh_video+785>: or %eax,%edx
0x08137983 <gen_sh_video+787>: cmp %edx,%esi
0x08137985 <gen_sh_video+789>: je 0x81379b5 <gen_sh_video+837>
0x08137987 <gen_sh_video+791>: push %edx
0x08137988 <gen_sh_video+792>: fildl (%esp)
0x0813798b <gen_sh_video+795>: mov 0xffffff90(%ebp),%edx
0x0813798e <gen_sh_video+798>: fsts 0xec(%edx)
0x08137994 <gen_sh_video+804>: movzbl 0x50(%ecx),%eax
End of assembler dump.

Contents of registers at point of crash
eax 0x89a8458 144344152
ecx 0x0 0
edx 0xf0 240
ebx 0x89a84e8 144344296
esp 0xbffe7970 0xbffe7970
ebp 0xbffe7a18 0xbffe7a18
esi 0x140 320
edi 0x0 0
eip 0x8137976 0x8137976 <gen_sh_video+774>
eflags 0x210202 [ IF RF ID ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
st0 0 (raw 0x00000000000000000000)
st1 0 (raw 0x00000000000000000000)
st2 0 (raw 0x00000000000000000000)
st3 0 (raw 0x00000000000000000000)
st4 0 (raw 0x00000000000000000000)
st5 90000 (raw 0x400fafc8000000000000)
st6 90000 (raw 0x400fafc8000000000000)
st7 1.1111111111111111110870530225397911e-05 (raw 0x3feeba69dbdd3ac13d7c)
fctrl 0x37f 895
fstat 0x220 544
ftag 0xffff 65535
fiseg 0x73 115
fioff 0x813793c 135493948
foseg 0x7b 123
fooff 0x89a8668 144344680
fop 0x199 409
xmm0 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},

v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,

0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},

uint128 = 0x00000000000000000000000000000000}

xmm1 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},

v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,

0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},

uint128 = 0x00000000000000000000000000000000}

xmm2 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},

v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,

0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},

uint128 = 0x00000000000000000000000000000000}

xmm3 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},

v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,

0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},

uint128 = 0x00000000000000000000000000000000}

xmm4 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},

v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,

0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},

uint128 = 0x00000000000000000000000000000000}

xmm5 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},

v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,

0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},

uint128 = 0x00000000000000000000000000000000}

xmm6 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},

v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,

0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},

uint128 = 0x00000000000000000000000000000000}

xmm7 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},

v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,

0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},

uint128 = 0x00000000000000000000000000000000}

mxcsr 0x1f80 [ IM DM ZM OM UM PM ]
mm0 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0,

0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}

mm1 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0,

0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}

mm2 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0,

0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}

mm3 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0,

0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}

mm4 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0,

0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}

mm5 {uint64 = 0xafc8000000000000, v2_int32 = {0x0, 0xafc80000},

v4_int16 = {0x0, 0x0, 0x0, 0xafc8}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,

0xc8, 0xaf}}

mm6 {uint64 = 0xafc8000000000000, v2_int32 = {0x0, 0xafc80000},

v4_int16 = {0x0, 0x0, 0x0, 0xafc8}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,

0xc8, 0xaf}}

mm7 {uint64 = 0xba69dbdd3ac13d7c, v2_int32 = {0x3ac13d7c,

0xba69dbdd}, v4_int16 = {0x3d7c, 0x3ac1, 0xdbdd, 0xba69}, v8_int8 = {0x7c,
0x3d, 0xc1, 0x3a, 0xdd, 0xdb, 0x69, 0xba}}

Valgrind output, from command
==18367== Memcheck, a memory error detector.
==18367== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==18367== Using LibVEX rev 1854, a library for dynamic binary translation.
==18367== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==18367== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==18367== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==18367== For more details, rerun with: -v
==18367==
MPlayer dev-SVN-r27254-4.1.2 (C) 2000-2008 MPlayer Team
CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz (Family: 6, Model: 15, Stepping: 6)
CPUflags: MMX: 1 MMX2: 1 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 1
Compiled for x86 CPU with extensions: MMX MMX2 SSE SSE2

Playing 40-Glenquagmire.mp4.
libavformat file format detected.
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x863dc50]Could not find codec parameters (Video: 0x0000)
LAVF_header: av_find_stream_info() failed
Quicktime/MOV file format detected.
* constant samplesize & variable duration not yet supported! *
Contact the author if you have such sample file!
[mov] Video stream found, -vid 0
==18367== Invalid read of size 1
==18367== Stack hash: 3246768852
==18367== at 0x8137976: gen_sh_video (demux_mov.c:1120)
==18367== by 0x813B904: lschunks (demux_mov.c:1323)
==18367== by 0x813C315: mov_read_header (demux_mov.c:1931)
==18367== by 0x811E32E: demux_open_stream (demuxer.c:864)
==18367== by 0x811E601: demux_open (demuxer.c:991)
==18367== by 0x807799E: main (mplayer.c:3238)
==18367== Address 0x4c is not stack'd, malloc'd or (recently) free'd

MPlayer interrupted by signal 11 in module: demux_open

• MPlayer crashed by bad usage of CPU/FPU/RAM. Recompile MPlayer with --enable-debug and make a 'gdb' backtrace and disassembly. Details in DOCS/HTML/en/bugreports_what.html#bugreports_crash.
• MPlayer crashed. This shouldn't happen. It can be a bug in the MPlayer code _or_ in your drivers _or_ in your gcc version. If you think it's MPlayer's fault, please read DOCS/HTML/en/bugreports.html and follow the instructions there. We can't and won't help unless you provide this information when reporting a possible bug.

==18367==
==18367== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 19 from 1)
==18367== malloc/free: in use at exit: 98,628 bytes in 2,184 blocks.
==18367== malloc/free: 2,327 allocs, 143 frees, 1,377,261 bytes allocated.
==18367== For counts of detected errors, rerun with: -v
==18367== searching for pointers to 2,184 not-freed blocks.
==18367== checked 2,929,740 bytes.
==18367==
==18367== LEAK SUMMARY:
==18367== definitely lost: 0 bytes in 0 blocks.
==18367== possibly lost: 0 bytes in 0 blocks.
==18367== still reachable: 98,628 bytes in 2,184 blocks.
==18367== suppressed: 0 bytes in 0 blocks.
==18367== Rerun with --leak-check=full to see details of leaked memory.

This bug was found as part of the SUPERB-TRUST 2008 project
This bug was found as part of the metafuzz project; see ​http://metafuzz.com/

[reimar]

Fixed in SVN r27265
And I am certain this is the duplicate, I just can't find the "original" in all those reports...

[reimar]

* Bug 1179 has been marked as a duplicate of this bug. *