Opened 11 years ago

Last modified 8 years ago

#1174 new defect

Error in Audio Decoding: Invalid Read and Conditional jump or move depends on uninitialised value(s)

Reported by: sckhan@…
Owned by: reimar
Priority: normal
Component: ad
Version: HEAD
Severity: normal
Keywords:
Cc: catchconv-bugreports@…
Blocked By:
Blocking:
Reproduced by developer:
Analyzed by developer:

Description

The following report is for the SUPERB-TRUST 2008, the cyber security project.

#Error found at test case .mp3 file for mplayer version (dev-SVN-r27249-4.1.2):
valgrind reports the Invalid Read.

#The test case "48-memories.mp3" can be found at the URL

*http://www.eecs.berkeley.edu/~sckhan/48-memories.mp3

#Reproducible with the following command

*valgrind mplayer 48-memories.mp3

Can also be run as:

*valgrind --log-file=log10 mplayer 48-memories.mp3

#OS: Debian Etch Linux

#Valgrind output:

==9826== Memcheck, a memory error detector.
==9826== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==9826== Using LibVEX rev 1854, a library for dynamic binary translation.
==9826== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==9826== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==9826== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==9826== For more details, rerun with: -v
==9826==
==9826== My PID = 9826, parent PID = 26719. Prog and args are:
==9826== mplayer
==9826== 48-memories.mp3
==9826==
==9826== Use of uninitialised value of size 4
==9826== Stack hash: 284591249
==9826== at 0x8476DEB: huffman_decode (mpegaudiodec.c:219)
==9826== by 0x847774E: mp_decode_layer3 (mpegaudiodec.c:2249)
==9826== by 0x8479169: mp_decode_frame (mpegaudiodec.c:2305)
==9826== by 0x847B00D: decode_frame (mpegaudiodec.c:2401)
==9826== by 0x82ED47A: avcodec_decode_audio2 (utils.c:928)
==9826== by 0x8263F19: av_find_stream_info (utils.c:1776)
==9826== by 0x81A318E: demux_open_lavf (demux_lavf.c:466)
==9826== by 0x811E32E: demux_open_stream (demuxer.c:864)
==9826== by 0x811E601: demux_open (demuxer.c:991)
==9826== by 0x807799E: main (mplayer.c:3238)
==9826==
==9826== Use of uninitialised value of size 4
==9826== Stack hash: 2555289140
==9826== at 0x8476DF2: huffman_decode (mpegaudiodec.c:220)
==9826== by 0x847774E: mp_decode_layer3 (mpegaudiodec.c:2249)
==9826== by 0x8479169: mp_decode_frame (mpegaudiodec.c:2305)
==9826== by 0x847B00D: decode_frame (mpegaudiodec.c:2401)
==9826== by 0x82ED47A: avcodec_decode_audio2 (utils.c:928)
==9826== by 0x8263F19: av_find_stream_info (utils.c:1776)
==9826== by 0x81A318E: demux_open_lavf (demux_lavf.c:466)
==9826== by 0x811E32E: demux_open_stream (demuxer.c:864)
==9826== by 0x811E601: demux_open (demuxer.c:991)
==9826== by 0x807799E: main (mplayer.c:3238)
==9826==
==9826== Conditional jump or move depends on uninitialised value(s)
==9826== Stack hash: 3126103039
==9826== at 0x8476E01: huffman_decode (mpegaudiodec.c:223)
==9826== by 0x847774E: mp_decode_layer3 (mpegaudiodec.c:2249)
==9826== by 0x8479169: mp_decode_frame (mpegaudiodec.c:2305)
==9826== by 0x847B00D: decode_frame (mpegaudiodec.c:2401)
==9826== by 0x82ED47A: avcodec_decode_audio2 (utils.c:928)
==9826== by 0x8263F19: av_find_stream_info (utils.c:1776)
==9826== by 0x81A318E: demux_open_lavf (demux_lavf.c:466)
==9826== by 0x811E32E: demux_open_stream (demuxer.c:864)
==9826== by 0x811E601: demux_open (demuxer.c:991)
==9826== by 0x807799E: main (mplayer.c:3238)
==9826==
==9826== Use of uninitialised value of size 4
==9826== Stack hash: 1154675151
==9826== at 0x8476D91: huffman_decode (mpegaudiodec.c:219)
==9826== by 0x847774E: mp_decode_layer3 (mpegaudiodec.c:2249)
==9826== by 0x8479169: mp_decode_frame (mpegaudiodec.c:2305)
==9826== by 0x847B00D: decode_frame (mpegaudiodec.c:2401)
==9826== by 0x82ED47A: avcodec_decode_audio2 (utils.c:928)
==9826== by 0x8263F19: av_find_stream_info (utils.c:1776)
==9826== by 0x81A318E: demux_open_lavf (demux_lavf.c:466)
==9826== by 0x811E32E: demux_open_stream (demuxer.c:864)
==9826== by 0x811E601: demux_open (demuxer.c:991)
==9826== by 0x807799E: main (mplayer.c:3238)
==9826==
==9826== Use of uninitialised value of size 4
==9826== Stack hash: 3425373042
==9826== at 0x8476D98: huffman_decode (mpegaudiodec.c:220)
==9826== by 0x847774E: mp_decode_layer3 (mpegaudiodec.c:2249)
==9826== by 0x8479169: mp_decode_frame (mpegaudiodec.c:2305)
==9826== by 0x847B00D: decode_frame (mpegaudiodec.c:2401)
==9826== by 0x82ED47A: avcodec_decode_audio2 (utils.c:928)
==9826== by 0x8263F19: av_find_stream_info (utils.c:1776)
==9826== by 0x81A318E: demux_open_lavf (demux_lavf.c:466)
==9826== by 0x811E32E: demux_open_stream (demuxer.c:864)
==9826== by 0x811E601: demux_open (demuxer.c:991)
==9826== by 0x807799E: main (mplayer.c:3238)
==9826==
==9826== Conditional jump or move depends on uninitialised value(s)
==9826== Stack hash: 674375884
==9826== at 0x8476DAA: huffman_decode (mpegaudiodec.c:223)
==9826== by 0x847774E: mp_decode_layer3 (mpegaudiodec.c:2249)
==9826== by 0x8479169: mp_decode_frame (mpegaudiodec.c:2305)
==9826== by 0x847B00D: decode_frame (mpegaudiodec.c:2401)
==9826== by 0x82ED47A: avcodec_decode_audio2 (utils.c:928)
==9826== by 0x8263F19: av_find_stream_info (utils.c:1776)
==9826== by 0x81A318E: demux_open_lavf (demux_lavf.c:466)
==9826== by 0x811E32E: demux_open_stream (demuxer.c:864)
==9826== by 0x811E601: demux_open (demuxer.c:991)
==9826== by 0x807799E: main (mplayer.c:3238)
==9826==
==9826== Use of uninitialised value of size 4
==9826== Stack hash: 3322300705
==9826== at 0x8476D3B: huffman_decode (mpegaudiodec.c:219)
==9826== by 0x847774E: mp_decode_layer3 (mpegaudiodec.c:2249)
==9826== by 0x8479169: mp_decode_frame (mpegaudiodec.c:2305)
==9826== by 0x847B00D: decode_frame (mpegaudiodec.c:2401)
==9826== by 0x82ED47A: avcodec_decode_audio2 (utils.c:928)
==9826== by 0x8263F19: av_find_stream_info (utils.c:1776)
==9826== by 0x81A318E: demux_open_lavf (demux_lavf.c:466)
==9826== by 0x811E32E: demux_open_stream (demuxer.c:864)
==9826== by 0x811E601: demux_open (demuxer.c:991)
==9826== by 0x807799E: main (mplayer.c:3238)
==9826==
==9826== Use of uninitialised value of size 4
==9826== Stack hash: 1298031300
==9826== at 0x8476D42: huffman_decode (mpegaudiodec.c:220)
==9826== by 0x847774E: mp_decode_layer3 (mpegaudiodec.c:2249)
==9826== by 0x8479169: mp_decode_frame (mpegaudiodec.c:2305)
==9826== by 0x847B00D: decode_frame (mpegaudiodec.c:2401)
==9826== by 0x82ED47A: avcodec_decode_audio2 (utils.c:928)
==9826== by 0x8263F19: av_find_stream_info (utils.c:1776)
==9826== by 0x81A318E: demux_open_lavf (demux_lavf.c:466)
==9826== by 0x811E32E: demux_open_stream (demuxer.c:864)
==9826== by 0x811E601: demux_open (demuxer.c:991)
==9826== by 0x807799E: main (mplayer.c:3238)
==9826==
==9826== Conditional jump or move depends on uninitialised value(s)
==9826== Stack hash: 1544459786
==9826== at 0x8476D50: huffman_decode (mpegaudiodec.c:223)
==9826== by 0x847774E: mp_decode_layer3 (mpegaudiodec.c:2249)
==9826== by 0x8479169: mp_decode_frame (mpegaudiodec.c:2305)
==9826== by 0x847B00D: decode_frame (mpegaudiodec.c:2401)
==9826== by 0x82ED47A: avcodec_decode_audio2 (utils.c:928)
==9826== by 0x8263F19: av_find_stream_info (utils.c:1776)
==9826== by 0x81A318E: demux_open_lavf (demux_lavf.c:466)
==9826== by 0x811E32E: demux_open_stream (demuxer.c:864)
==9826== by 0x811E601: demux_open (demuxer.c:991)
==9826== by 0x807799E: main (mplayer.c:3238)
==9826==
==9826== Use of uninitialised value of size 4
==9826== Stack hash: 563967236
==9826== at 0x8476A82: huffman_decode (mpegaudiodec.c:1537)
==9826== by 0x847774E: mp_decode_layer3 (mpegaudiodec.c:2249)
==9826== by 0x8479169: mp_decode_frame (mpegaudiodec.c:2305)
==9826== by 0x847B00D: decode_frame (mpegaudiodec.c:2401)
==9826== by 0x82ED47A: avcodec_decode_audio2 (utils.c:928)
==9826== by 0x8263F19: av_find_stream_info (utils.c:1776)
==9826== by 0x81A318E: demux_open_lavf (demux_lavf.c:466)
==9826== by 0x811E32E: demux_open_stream (demuxer.c:864)
==9826== by 0x811E601: demux_open (demuxer.c:991)
==9826== by 0x807799E: main (mplayer.c:3238)
==9826==
==9826== Use of uninitialised value of size 4
==9826== Stack hash: 2082821964
==9826== at 0x8476A2A: huffman_decode (mpegaudiodec.c:1527)
==9826== by 0x847774E: mp_decode_layer3 (mpegaudiodec.c:2249)
==9826== by 0x8479169: mp_decode_frame (mpegaudiodec.c:2305)
==9826== by 0x847B00D: decode_frame (mpegaudiodec.c:2401)
==9826== by 0x82ED47A: avcodec_decode_audio2 (utils.c:928)
==9826== by 0x8263F19: av_find_stream_info (utils.c:1776)
==9826== by 0x81A318E: demux_open_lavf (demux_lavf.c:466)
==9826== by 0x811E32E: demux_open_stream (demuxer.c:864)
==9826== by 0x811E601: demux_open (demuxer.c:991)
==9826== by 0x807799E: main (mplayer.c:3238)
==9826==
==9826== Use of uninitialised value of size 4
==9826== Stack hash: 131288092
==9826== at 0x8476CBA: huffman_decode (mpegaudiodec.c:1550)
==9826== by 0x847774E: mp_decode_layer3 (mpegaudiodec.c:2249)
==9826== by 0x8479169: mp_decode_frame (mpegaudiodec.c:2305)
==9826== by 0x847B00D: decode_frame (mpegaudiodec.c:2401)
==9826== by 0x82ED47A: avcodec_decode_audio2 (utils.c:928)
==9826== by 0x8263F19: av_find_stream_info (utils.c:1776)
==9826== by 0x81A318E: demux_open_lavf (demux_lavf.c:466)
==9826== by 0x811E32E: demux_open_stream (demuxer.c:864)
==9826== by 0x811E601: demux_open (demuxer.c:991)
==9826== by 0x807799E: main (mplayer.c:3238)
==9826==
==9826== Use of uninitialised value of size 4
==9826== Stack hash: 1878792207
==9826== at 0x8476ED1: huffman_decode (mpegaudiodec.c:1600)
==9826== by 0x847774E: mp_decode_layer3 (mpegaudiodec.c:2249)
==9826== by 0x8479169: mp_decode_frame (mpegaudiodec.c:2305)
==9826== by 0x847B00D: decode_frame (mpegaudiodec.c:2401)
==9826== by 0x82ED47A: avcodec_decode_audio2 (utils.c:928)
==9826== by 0x8263F19: av_find_stream_info (utils.c:1776)
==9826== by 0x81A318E: demux_open_lavf (demux_lavf.c:466)
==9826== by 0x811E32E: demux_open_stream (demuxer.c:864)
==9826== by 0x811E601: demux_open (demuxer.c:991)
==9826== by 0x807799E: main (mplayer.c:3238)
==9826==
==9826== Conditional jump or move depends on uninitialised value(s)
==9826== Stack hash: 2089069421
==9826== at 0x84778A1: mp_decode_layer3 (mpegaudiodec.c:1887)
==9826== by 0x8479169: mp_decode_frame (mpegaudiodec.c:2305)
==9826== by 0x847B00D: decode_frame (mpegaudiodec.c:2401)
==9826== by 0x82ED47A: avcodec_decode_audio2 (utils.c:928)
==9826== by 0x8263F19: av_find_stream_info (utils.c:1776)
==9826== by 0x81A318E: demux_open_lavf (demux_lavf.c:466)
==9826== by 0x811E32E: demux_open_stream (demuxer.c:864)
==9826== by 0x811E601: demux_open (demuxer.c:991)
==9826== by 0x807799E: main (mplayer.c:3238)
==9826==
==9826== ERROR SUMMARY: 480 errors from 14 contexts (suppressed: 19 from 1)
==9826== malloc/free: in use at exit: 52,428 bytes in 29 blocks.
==9826== malloc/free: 39,603 allocs, 39,574 frees, 21,597,314 bytes allocated.
==9826== For counts of detected errors, rerun with: -v
==9826== searching for pointers to 29 not-freed blocks.
==9826== checked 2,877,428 bytes.
==9826==
==9826== LEAK SUMMARY:
==9826== definitely lost: 0 bytes in 0 blocks.
==9826== possibly lost: 0 bytes in 0 blocks.
==9826== still reachable: 52,428 bytes in 29 blocks.
==9826== suppressed: 0 bytes in 0 blocks.
==9826== Rerun with --leak-check=full to see details of leaked memory.

#The above valgrind output is saved as a log file (log10) and can be found at URL:

*http://www.eecs.berkeley.edu/~sckhan/log10

#This report is for the bug found in test case 48-memories.mp3 where Stack hash: 284591249 and error at: huffman_decode (mpegaudiodec.c:219).

#The bug was found while making a comparison of the fuzzing tools and is part of
the metafuzz project.

*URL at: metafuzz.com
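A log like the one above (480 errors from 14 contexts, most of them the same few source lines inside huffman_decode) is easier to act on once it is collapsed by error kind and innermost source location. The following is an added example for triaging a Memcheck text log in that way; it is not part of the ticket or of MPlayer. The embedded SAMPLE_LOG is a constructed excerpt in the format of the attached log10 (frames and line numbers copied from it, the PID prefix is arbitrary), and the "Stack hash:" lines, which come from the reporter's tooling rather than from Valgrind, are simply skipped. Grouping by source location is coarser than Valgrind's own contexts (which also distinguish code addresses), so the number of groups here is at most the "contexts" count in the summary line.

```python
"""Triage a Valgrind Memcheck text log by error kind and innermost frame."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed excerpt in the format of the ticket's log10 (not the full file).
SAMPLE_LOG = """\
==9826== Memcheck, a memory error detector.
==9826== For more details, rerun with: -v
==9826==
==9826== Use of uninitialised value of size 4
==9826== Stack hash: 284591249
==9826==    at 0x8476DEB: huffman_decode (mpegaudiodec.c:219)
==9826==    by 0x847774E: mp_decode_layer3 (mpegaudiodec.c:2249)
==9826==    by 0x807799E: main (mplayer.c:3238)
==9826==
==9826== Conditional jump or move depends on uninitialised value(s)
==9826==    at 0x8476E01: huffman_decode (mpegaudiodec.c:223)
==9826==    by 0x847774E: mp_decode_layer3 (mpegaudiodec.c:2249)
==9826==
==9826== Use of uninitialised value of size 4
==9826==    at 0x8476D91: huffman_decode (mpegaudiodec.c:219)
==9826==    by 0x847774E: mp_decode_layer3 (mpegaudiodec.c:2249)
==9826==
==9826== ERROR SUMMARY: 480 errors from 14 contexts (suppressed: 19 from 1)
"""

_PREFIX = re.compile(r"^==\d+==\s?(.*)$")          # strips the "==PID==" marker
_FRAME = re.compile(r"^(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((.*)\)$")
_SUMMARY = re.compile(r"^ERROR SUMMARY: (\d+) errors from (\d+) contexts")
# First words of the Memcheck error kinds this triage recognises.
_KINDS = ("Invalid read", "Invalid write", "Invalid free", "Mismatched free",
          "Use of uninitialised value",
          "Conditional jump or move depends on uninitialised",
          "Syscall param", "Jump to the invalid address")


@dataclass
class MemcheckError:
    kind: str
    frames: list = field(default_factory=list)  # (function, file:line), innermost first

    @property
    def top(self):
        return self.frames[0] if self.frames else ("?", "?")


def parse_memcheck(text):
    """Return (list of MemcheckError, (total_errors, contexts) or None)."""
    errors, summary, current = [], None, None
    collecting = False  # False once an "Address ..." line starts the allocation stack
    for raw in text.splitlines():
        m = _PREFIX.match(raw)
        if not m:
            continue                      # program's own output, not a Valgrind line
        line = m.group(1).strip()
        if not line:                      # bare "==PID==" ends the current error block
            if current is not None:
                errors.append(current)
                current = None
            continue
        s = _SUMMARY.match(line)
        if s:
            summary = (int(s.group(1)), int(s.group(2)))
            continue
        if line.startswith(_KINDS):       # start of a new error report
            if current is not None:
                errors.append(current)
            current, collecting = MemcheckError(kind=line), True
            continue
        if line.startswith("Address "):   # following frames describe the allocation
            collecting = False
            continue
        f = _FRAME.match(line)
        if f and current is not None and collecting:
            current.frames.append((f.group(1), f.group(2)))
    if current is not None:
        errors.append(current)
    return errors, summary


def triage(text):
    """Count errors per (kind, innermost 'function (file:line)') site."""
    errors, summary = parse_memcheck(text)
    by_site = Counter()
    for e in errors:
        func, loc = e.top
        by_site[(e.kind, f"{func} ({loc})")] += 1
    return by_site, summary


if __name__ == "__main__":
    sites, summary = triage(SAMPLE_LOG)
    print("summary:", summary)
    for (kind, site), n in sites.most_common():
        print(f"{n:4d}  {kind}  @ {site}")
```

Run against a real log file (for example the ticket's log10) by reading it into `triage()`; the sites listed first are the ones worth opening in the decoder source.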

Change History (1)

comment:1 Changed 8 years ago by compn

  • Owner changed from r_togni@… to reimar