Opened 11 years ago

Last modified 8 years ago

#1171 new defect

Mplayer Crashed: Error in Audio Decoding: Invalid Read and Syscall param write(buf) points to uninitialised byte(s)

Reported by: sckhan@… Owned by: reimar
Priority: if idle Component: ad
Version: HEAD Severity: normal
Keywords: Cc: catchconv-bugreports@…
Blocked By: Blocking:
Reproduced by developer: Analyzed by developer:

Description

The following report is for the SUPERB-TRUST 2008, the cyber security project.

#Error found with the test case .mp3 file for mplayer version (dev-SVN-r27249-4.1.2);
valgrind reports the Invalid Read.

#The test case "8-onverges13.mp3" can be found at the URL

*http://www.eecs.berkeley.edu/~sckhan/8-onverges13.mp3

#Reproducible with the following command

*valgrind mplayer 8-onverges13.mp3

Can also be run as:

*valgrind --log-file=log5 mplayer 8-onverges13.mp3

#OS: Debian Etch Linux

#Valgrind output:

==7332== Memcheck, a memory error detector.
==7332== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==7332== Using LibVEX rev 1854, a library for dynamic binary translation.
==7332== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==7332== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==7332== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==7332== For more details, rerun with: -v
==7332==
==7332== My PID = 7332, parent PID = 26719. Prog and args are:
==7332== mplayer
==7332== 8-onverges13.mp3
==7332==
==7332== Syscall param write(buf) points to uninitialised byte(s)
==7332== Stack hash: 2550802113
==7332== at 0x4000792: (within /lib/ld-2.3.6.so)
==7332== Address 0x430fafc is 2,172 bytes inside a block of size 65,536 alloc'd
==7332== Stack hash: 2167162419
==7332== at 0x401D898: malloc (vg_replace_malloc.c:207)
==7332== by 0x401D9DC: realloc (vg_replace_malloc.c:429)
==7332== by 0x80DAB5E: decode_audio (dec_audio.c:401)
==7332== by 0x80784E9: main (mplayer.c:2044)
==7332==
==7332== Invalid read of size 4
==7332== Stack hash: 208377022
==7332== at 0x81E317B: dct36 (dct36.c:169)
==7332== by 0x81E76DD: do_layer3 (layer3.c:1212)
==7332== by 0x81E8DC5: MP3_DecodeFrame (sr1.c:539)
==7332== by 0x80DAA74: decode_audio (dec_audio.c:383)
==7332== by 0x80784E9: main (mplayer.c:2044)
==7332== Address 0x3189337c is not stack'd, malloc'd or (recently) free'd
==7332==
==7332== ERROR SUMMARY: 3 errors from 2 contexts (suppressed: 19 from 1)
==7332== malloc/free: in use at exit: 231,926 bytes in 2,203 blocks.
==7332== malloc/free: 23,157 allocs, 20,954 frees, 7,259,917 bytes allocated.
==7332== For counts of detected errors, rerun with: -v
==7332== searching for pointers to 2,203 not-freed blocks.
==7332== checked 3,067,872 bytes.
==7332==
==7332== LEAK SUMMARY:
==7332== definitely lost: 0 bytes in 0 blocks.
==7332== possibly lost: 0 bytes in 0 blocks.
==7332== still reachable: 231,926 bytes in 2,203 blocks.
==7332== suppressed: 0 bytes in 0 blocks.
==7332== Rerun with --leak-check=full to see details of leaked memory.

#The above valgrind output is saved as a log file (log8) and can be found at the
URL:

*http://www.eecs.berkeley.edu/~sckhan/log8

#This report confirms the error using a new test case, 8-onverges13.mp3. The same error was found in the previous test case, t10.mp3, which can be reproduced from <wget http://www.cs.berkeley.edu/~nalvarez/t10.mp3>; that error is the invalid read and use of uninitialised values with Stack hash: 208377022 and error: dct36 (dct36.c:169). With both test cases mplayer crashes.
A new error/bug was found with Stack hash: 2167162419 and error: malloc (vg_replace_malloc.c:207) in the new test case 8-onverges13.mp3.

#The bug was found while comparing fuzzing tools and is part of
the metafuzz project.

*URL at: metafuzz.com
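Added example (not from the ticket, the reporter, or MPlayer): a small Python triage script that splits a Memcheck log like the one above into error contexts, reads the reporter's "Stack hash" lines where present (stock Valgrind prints none, so the parser treats them as optional), classifies each context, and points at the first frame in project code rather than Valgrind's malloc/realloc wrapper. The sample log is a trimmed copy of the output quoted in this ticket; the bug-class labels and function names are the script's own.

```python
import re

# Sample input: a trimmed copy of the Memcheck log quoted in this ticket.
# The "Stack hash" lines come from the reporter's instrumented Valgrind;
# stock Memcheck does not print them, so the parser treats them as optional.
SAMPLE_LOG = """\
==7332== Syscall param write(buf) points to uninitialised byte(s)
==7332== Stack hash: 2550802113
==7332==    at 0x4000792: (within /lib/ld-2.3.6.so)
==7332==  Address 0x430fafc is 2,172 bytes inside a block of size 65,536 alloc'd
==7332== Stack hash: 2167162419
==7332==    at 0x401D898: malloc (vg_replace_malloc.c:207)
==7332==    by 0x401D9DC: realloc (vg_replace_malloc.c:429)
==7332==    by 0x80DAB5E: decode_audio (dec_audio.c:401)
==7332==    by 0x80784E9: main (mplayer.c:2044)
==7332==
==7332== Invalid read of size 4
==7332== Stack hash: 208377022
==7332==    at 0x81E317B: dct36 (dct36.c:169)
==7332==    by 0x81E76DD: do_layer3 (layer3.c:1212)
==7332==    by 0x81E8DC5: MP3_DecodeFrame (sr1.c:539)
==7332==    by 0x80DAA74: decode_audio (dec_audio.c:383)
==7332==    by 0x80784E9: main (mplayer.c:2044)
==7332==  Address 0x3189337c is not stack'd, malloc'd or (recently) free'd
==7332==
==7332== ERROR SUMMARY: 3 errors from 2 contexts (suppressed: 19 from 1)
"""

LINE_RE = re.compile(r"^==(\d+)==\s?(.*)$")
FRAME_RE = re.compile(r"^(at|by) 0x[0-9A-Fa-f]+: (.+?)(?: \((.+)\))?$")
# Message prefixes that open a new error context in Memcheck output.
ERROR_HEADERS = (
    "Invalid read", "Invalid write", "Syscall param", "Conditional jump",
    "Use of uninitialised", "Invalid free", "Mismatched free",
    "Jump to the invalid address", "Process terminating",
)
VALGRIND_WRAPPERS = ("vg_replace_malloc.c",)


def parse_memcheck(text):
    """Split a Memcheck log into error records.

    Each record: kind, stack_hash, frames (faulting stack), address (the
    'Address ... is ...' note), alloc_hash and alloc_frames (the stack
    Memcheck prints after the address note, i.e. where the block came from).
    A blank '==PID==' line closes the record.
    """
    records, cur = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        body = m.group(2).strip()
        if not body:
            if cur:
                records.append(cur)
                cur = None
            continue
        if body.startswith(ERROR_HEADERS):
            if cur:
                records.append(cur)
            cur = {"kind": body, "stack_hash": None, "frames": [],
                   "address": None, "alloc_hash": None, "alloc_frames": []}
            continue
        if cur is None:
            continue  # banner, ERROR SUMMARY, leak summary, etc.
        if body.startswith("Stack hash:"):
            cur["alloc_hash" if cur["address"] else "stack_hash"] = body.split(":", 1)[1].strip()
            continue
        if body.startswith("Address "):
            cur["address"] = body
            continue
        fm = FRAME_RE.match(body)
        if fm:
            frame = (fm.group(2), fm.group(3) or "")
            (cur["alloc_frames"] if cur["address"] else cur["frames"]).append(frame)
    if cur:
        records.append(cur)
    return records


def first_source_frame(frames, skip=VALGRIND_WRAPPERS):
    """First frame carrying a file:line, ignoring Valgrind's own allocator
    wrappers, so the result points at code the project actually owns."""
    for func, loc in frames:
        if loc and not loc.startswith(skip):
            return func, loc
    return None


def classify(record):
    """Map a Memcheck message plus its address note to a coarse bug class."""
    kind, addr = record["kind"], record["address"] or ""
    if kind.startswith(("Invalid read", "Invalid write")):
        access = "read" if kind.startswith("Invalid read") else "write"
        if "not stack'd, malloc'd or (recently) free'd" in addr:
            return "wild pointer " + access  # e.g. an index derived from file data
        if "free'd" in addr:
            return "use after free " + access
        if "bytes after a block" in addr or "bytes before a block" in addr:
            return "heap out-of-bounds " + access
        return "invalid " + access
    if "uninitialised" in kind:
        return "uninitialised data use"
    return "other"


def summarize(text):
    """One triage row per error context: class, stack hash, faulting frame
    and (for heap blocks) the project frame that allocated the buffer."""
    return [{"class": classify(r), "stack_hash": r["stack_hash"],
             "fault": first_source_frame(r["frames"]),
             "alloc": first_source_frame(r["alloc_frames"])}
            for r in parse_memcheck(text)]


def error_counts(text):
    """(errors, contexts) from the ERROR SUMMARY line, or None if absent."""
    m = re.search(r"ERROR SUMMARY: (\d+) errors from (\d+) contexts", text)
    return (int(m.group(1)), int(m.group(2))) if m else None


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
    print("summary:", error_counts(SAMPLE_LOG))
```

On the ticket's log this yields two contexts: the write(buf) report resolves to no project frame on the faulting side (the only frame is inside ld.so) but to decode_audio (dec_audio.c:401) on the allocation side, which is the buffer whose uninitialised bytes reached a syscall; the Invalid read resolves to dct36 (dct36.c:169) with a wild-pointer address, which is the one worth a memory-safety look before the uninitialised-write noise. Grouping by stack hash (or by faulting frame when the hash is absent) is what lets a fuzzing campaign fold many crashing inputs into a few distinct bugs.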

Change History (3)

comment:1 Changed 11 years ago by reimar

  • Priority changed from normal to if idle

in mp3lib, read -> low priority

comment:2 Changed 11 years ago by sckhan@…

  • Summary changed from Error in Audio Decoding: Invalid Read and Syscall param write(buf) points to uninitialised byte(s) to Mplayer Crashed: Error in Audio Decoding: Invalid Read and Syscall param write(buf) points to uninitialised byte(s)

*Summary has been edited*
*Back-trace can be seen in the file (crash2)*
File link is at URL:
<http://www.eecs.berkeley.edu/~sckhan/crash2>

comment:3 Changed 8 years ago by compn

  • Owner changed from r_togni@… to reimar