Opened 11 years ago

Closed 11 years ago

#1175 closed defect (duplicate)

Invalid write in memcpy (mc_replace_strmem.c:402) followed by crash

Reported by: zlai88@…
Owned by: r_togni@…
Priority: normal
Component: demuxer
Version: HEAD
Severity: normal
Keywords:
Cc: catchconv-bugreports@…
Blocked By:
Blocking:
Reproduced by developer:
Analyzed by developer:

Description

The fuzzed file 12-the-mummy3-trailer.mp4 (in the archive at the URL above) caused MPlayer to crash by signal 11 in module: demux_open. Valgrind reports an invalid write of size 1 in memcpy (mc_replace_strmem.c:402).

This bug is reproducible on Linux Debian Etch, with the latest Subversion head
mplayer (r27255). The machine used is VMWare Player.

Reproduce as follows:
wget http://www.eecs.berkeley.edu/~zhl210/7074-12-2923368590-UninitCondition.tgz
tar xzf 7074-12-2923368590-UninitCondition.tgz
valgrind mplayer 12-the-mummy3-trailer.mp4


Here is the output by Valgrind:

==6028== Memcheck, a memory error detector.
==6028== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==6028== Using LibVEX rev 1854, a library for dynamic binary translation.
==6028== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==6028== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==6028== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==6028== For more details, rerun with: -v
==6028==
MPlayer dev-SVN-r27255-4.1.2 (C) 2000-2008 MPlayer Team
CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz (Family: 6, Model: 15, Stepping: 6)
CPUflags: MMX: 1 MMX2: 1 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 1
Compiled for x86 CPU with extensions: MMX MMX2 SSE SSE2

Playing 12-the-mummy3-trailer.mp4.
libavformat file format detected.
[mpeg4 @ 0x8653e50]hmm, seems the headers are not complete, trying to guess time_increment_bits
[mpeg4 @ 0x8653e50]my guess is 2 bits ;)
[mpeg4 @ 0x8653e50]hmm, seems the headers are not complete, trying to guess time_increment_bits
[mpeg4 @ 0x8653e50]my guess is 4 bits ;)
[mpeg4 @ 0x8653e50]looks like this file was encoded with (divx4/(old)xvid/opendivx) -> forcing low_delay flag
[mpeg4 @ 0x8653e50]picture size invalid (0x0)
[mpeg4 @ 0x8653e50]get_buffer() failed (-1 0 0 (nil))
[mpeg4 @ 0x8653e50]hmm, seems the headers are not complete, trying to guess time_increment_bits
[mpeg4 @ 0x8653e50]my guess is 3 bits ;)
[mpeg4 @ 0x8653e50]header damaged
[mpeg4 @ 0x8653e50]hmm, seems the headers are not complete, trying to guess time_increment_bits
[mpeg4 @ 0x8653e50]my guess is 2 bits ;)
[mpeg4 @ 0x8653e50]header damaged
[mpeg4 @ 0x8653e50]Error, header damaged or not MPEG4 header (qscale=0)
[mpeg4 @ 0x8653e50]header damaged
[mpeg4 @ 0x8653e50]hmm, seems the headers are not complete, trying to guess time_increment_bits
[mpeg4 @ 0x8653e50]my guess is 1 bits ;)
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x863dc50]stream 0, offset 0x805785: partial file
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x863dc50]Could not find codec parameters (Video: mpeg4, yuv420p)
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x863dc50]Could not find codec parameters (Data: 0x0000)
LAVF_header: av_find_stream_info() failed
Quicktime/MOV file format detected.
==6028== Invalid write of size 1
==6028== Stack hash: 1021102500
==6028== at 0x401FB4A: memcpy (mc_replace_strmem.c:402)
==6028== by 0x813CB5F: lschunks_intrak (stream.h:218)
==6028== by 0x813A3C0: lschunks (demux_mov.c:1283)
==6028== by 0x813C8A2: lschunks_intrak (demux_mov.c:1874)
==6028== by 0x813A3C0: lschunks (demux_mov.c:1283)
==6028== by 0x813C8A2: lschunks_intrak (demux_mov.c:1874)
==6028== by 0x813A3C0: lschunks (demux_mov.c:1283)
==6028== by 0x813C8A2: lschunks_intrak (demux_mov.c:1874)
==6028== by 0x813A3C0: lschunks (demux_mov.c:1283)
==6028== by 0x813AA3E: lschunks (demux_mov.c:1311)
==6028== by 0x813C315: mov_read_header (demux_mov.c:1931)
==6028== by 0x811E32E: demux_open_stream (demuxer.c:864)
==6028== Address 0x0 is not stack'd, malloc'd or (recently) free'd

MPlayer interrupted by signal 11 in module: demux_open

  • MPlayer crashed by bad usage of CPU/FPU/RAM. Recompile MPlayer with --enable-debug and make a 'gdb' backtrace and disassembly. Details in DOCS/HTML/en/bugreports_what.html#bugreports_crash.
  • MPlayer crashed. This shouldn't happen. It can be a bug in the MPlayer code _or_ in your drivers _or_ in your gcc version. If you think it's MPlayer's fault, please read DOCS/HTML/en/bugreports.html and follow the instructions there. We can't and won't help unless you provide this information when reporting a possible bug.

==6028==
==6028== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 19 from 1)
==6028== malloc/free: in use at exit: 98,069 bytes in 2,180 blocks.
==6028== malloc/free: 2,463 allocs, 282 frees, 2,467,936 bytes allocated.
==6028== For counts of detected errors, rerun with: -v
==6028== searching for pointers to 2,180 not-freed blocks.
==6028== checked 2,929,824 bytes.
==6028==
==6028== LEAK SUMMARY:
==6028== definitely lost: 0 bytes in 0 blocks.
==6028== possibly lost: 0 bytes in 0 blocks.
==6028== still reachable: 98,069 bytes in 2,180 blocks.
==6028== suppressed: 0 bytes in 0 blocks.
==6028== Rerun with --leak-check=full to see details of leaked memory.


I am currently experiencing technical difficulty in obtaining the core dump from MPlayer. I will provide more information on this bug as soon as I can.


This bug was found as part of the SUPERB-TRUST 2008 project.
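The Valgrind report above pins the fault to a memcpy reached from lschunks_intrak through stream.h:218 and writing to address 0x0, that is, a copy into a destination pointer that is NULL. The ticket does not say why the destination was NULL. One way that pattern arises in an atom parser is a length field taken from the file feeding an allocation whose result is never checked, so that an absurd fuzzed size makes malloc() return NULL and the following read copies through it. The C program below is an added illustration of that pattern and of the checks that stop it; it is not MPlayer's demux_mov.c or stream.h code. The in-memory stream type, the 64 MiB allocation cap, the two atom byte images and all function names are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed in-memory stream standing in for MPlayer's stream_t (assumption). */
typedef struct { const uint8_t *data; size_t len; size_t pos; } mem_stream_t;

/* Stand-in for an inlined stream_read(): copies up to len bytes into buf and
 * returns the count. A thin memcpy wrapper cannot tell a NULL buf from a real
 * one, which is what Valgrind reports as "Invalid write ... Address 0x0". */
static size_t mem_stream_read(mem_stream_t *s, uint8_t *buf, size_t len) {
    size_t avail = s->len - s->pos;
    if (len > avail) len = avail;
    memcpy(buf, s->data + s->pos, len);
    s->pos += len;
    return len;
}

static uint32_t be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Assumed allocation ceiling: plays the role of a 32-bit process that cannot
 * satisfy a multi-gigabyte malloc(); real malloc() returns NULL the same way. */
#define FAKE_HEAP_LIMIT (64u * 1024u * 1024u)
static void *limited_malloc(size_t n) { return n > FAKE_HEAP_LIMIT ? NULL : malloc(n); }

/* Vulnerable pattern: the big-endian atom size is taken straight from the
 * file, the allocation is never checked, and the read proceeds. A fuzzed size
 * such as 0xFFFFFFF0 asks for ~4 GiB, malloc() returns NULL, and the first
 * byte copied lands at address 0. */
static int read_atom_payload_unchecked(mem_stream_t *s, uint8_t **out, size_t *out_len) {
    uint8_t hdr[8];
    if (mem_stream_read(s, hdr, 8) != 8) return -1;
    size_t payload = be32(hdr) - 8u;      /* header = 4-byte size + 4-byte type */
    uint8_t *buf = limited_malloc(payload);
    mem_stream_read(s, buf, payload);     /* buf may be NULL here */
    *out = buf; *out_len = payload;
    return 0;
}

/* Hardened: reject sizes smaller than the header, refuse payloads larger than
 * what is left of the file, and treat a failed allocation as a parse error.
 * (The real format also uses size 0 for "to end of file" and size 1 for a
 * 64-bit size field; a full parser handles both before reaching this point.) */
static int read_atom_payload_checked(mem_stream_t *s, uint8_t **out, size_t *out_len) {
    uint8_t hdr[8];
    *out = NULL; *out_len = 0;
    if (mem_stream_read(s, hdr, 8) != 8) return -1;
    uint32_t size = be32(hdr);
    if (size < 8) return -1;                       /* would underflow below */
    size_t payload = size - 8u;
    if (payload > s->len - s->pos) return -1;      /* atom claims more than the file holds */
    uint8_t *buf = limited_malloc(payload);
    if (!buf) return -1;                           /* allocation failure is a parse error */
    if (mem_stream_read(s, buf, payload) != payload) { free(buf); return -1; }
    *out = buf; *out_len = payload;
    return 0;
}

/* Constructed inputs (not from the ticket's archive): a well-formed 16-byte
 * 'free' atom, and a fuzzed atom whose size field was bumped to 0xFFFFFFF0. */
static const uint8_t GOOD_ATOM[]   = { 0x00, 0x00, 0x00, 0x10, 'f', 'r', 'e', 'e', 1, 2, 3, 4, 5, 6, 7, 8 };
static const uint8_t FUZZED_ATOM[] = { 0xFF, 0xFF, 0xFF, 0xF0, 's', 't', 's', 'd', 1, 2, 3, 4 };

/* Runs a reader over a byte image; returns the accepted payload length or -1. */
static long run_reader(int (*reader)(mem_stream_t *, uint8_t **, size_t *),
                       const uint8_t *data, size_t len) {
    mem_stream_t s = { data, len, 0 };
    uint8_t *buf = NULL; size_t n = 0;
    if (reader(&s, &buf, &n) != 0) return -1;
    free(buf);
    return (long)n;
}
static long checked_parse_result(const uint8_t *d, size_t n)   { return run_reader(read_atom_payload_checked, d, n); }
static long unchecked_parse_result(const uint8_t *d, size_t n) { return run_reader(read_atom_payload_unchecked, d, n); }

int main(void) {
    printf("checked   / good atom:   %ld\n", checked_parse_result(GOOD_ATOM, sizeof GOOD_ATOM));
    printf("checked   / fuzzed atom: %ld\n", checked_parse_result(FUZZED_ATOM, sizeof FUZZED_ATOM));
    printf("unchecked / good atom:   %ld\n", unchecked_parse_result(GOOD_ATOM, sizeof GOOD_ATOM));
    /* unchecked_parse_result(FUZZED_ATOM, sizeof FUZZED_ATOM) writes through
     * NULL; run it under valgrind to see the same "Address 0x0" report. */
    return 0;
}
```

Build with `gcc -Wall -g` and run under `valgrind` to compare the two readers: the checked one refuses the fuzzed atom before any allocation is attempted, because a payload that exceeds the bytes remaining in the stream is already a parse error, and it still checks the malloc() result for the case where a plausible but large atom cannot be allocated.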

Change History (2)

comment:1 Changed 11 years ago by zlai88@…

I suspect that this bug might be related to Bug #1113. Both cases report invalid write in mov_read_header (demux_mov.c). This bug is still reproducible in SVN r27266.

Please let me know if you need more information. Thanks.

comment:2 Changed 11 years ago by reimar

  • Resolution set to duplicate
  • Status changed from new to closed

* This bug has been marked as a duplicate of bug 1113 *
