Opened 11 years ago

Last modified 9 years ago

#1181 new defect

Demuxer: Conditional jump or move depends on uninitialised value(s)

Reported by: sckhan@… Owned by: reimar
Priority: normal Component: demuxer
Version: HEAD Severity: normal
Keywords: Cc: catchconv-bugreports@…
Blocked By: Blocking:
Reproduced by developer: Analyzed by developer:

Description

The following report is for the SUPERB-TRUST 2008, the cyber security project.

#Error found at test case .mp4 file for mplayer version (dev-SVN-r27249-4.1.2)
valgrind report the Invalid Read.

#The test case is "1-guy-plays-soccer-pole.mp4" can be found at the URL

*http://www.eecs.berkeley.edu/~sckhan/1-guy-plays-soccer-pole.mp4

#Reproducible with the following command

*valgrind mplayer 1-guy-plays-soccer-pole.mp4
Can also be run as:

*valgrind --log-file=log13 mplayer 1-guy-plays-soccer-pole.mp4

#OS: Debian Etch Linux

#Valgrind output:

==13522== Memcheck, a memory error detector.
==13522== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==13522== Using LibVEX rev 1854, a library for dynamic binary translation.
==13522== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks? LLP.
==13522== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==13522== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==13522== For more details, rerun with: -v
==13522==
==13522== My PID = 13522, parent PID = 26719. Prog and args are:
==13522== mplayer
==13522== 1-guy-plays-soccer-pole.mp4
==13522==
==13522== Conditional jump or move depends on uninitialised value(s)
==13522== Stack hash: 1456509752
==13522== at 0x8139B49: demux_mov_fill_buffer (stream.h:261)
==13522== by 0x811EA74: ds_fill_buffer (demuxer.c:498)
==13522== by 0x811F178: ds_get_packet (demuxer.c:602)
==13522== by 0x816D9FD: video_read_frame (video.c:553)
==13522== by 0x8079512: main (mplayer.c:2262)
.....
==13522== Conditional jump or move depends on uninitialised value(s)
==13522== Stack hash: 536874515
==13522== at 0x8074704: saddf (mplayer.c:1163)
==13522== by 0x8074A1A: print_status (mplayer.c:1263)
==13522== by 0x80793ED: main (mplayer.c:2004)
==13522==
==13522== Conditional jump or move depends on uninitialised value(s)
==13522== Stack hash: 2673275241
==13522== at 0x401EAF6: memset (mc_replace_strmem.c:493)
==13522== by 0x8074B3E: print_status (mplayer.c:1280)
==13522== by 0x80793ED: main (mplayer.c:2004)
==13522==
==13522== Use of uninitialised value of size 4
==13522== Stack hash: 2673293038
==13522== at 0x401EB03: memset (mc_replace_strmem.c:493)
==13522== by 0x8074B3E: print_status (mplayer.c:1280)
==13522== by 0x80793ED: main (mplayer.c:2004)
==13522==
==13522== Conditional jump or move depends on uninitialised value(s)
==13522== Stack hash: 2673316311
==13522== at 0x401EB14: memset (mc_replace_strmem.c:493)
==13522== by 0x8074B3E: print_status (mplayer.c:1280)
==13522== by 0x80793ED: main (mplayer.c:2004)
==13522==
==13522== Conditional jump or move depends on uninitialised value(s)
==13522== Stack hash: 2673321787
==13522== at 0x401EB18: memset (mc_replace_strmem.c:493)
==13522== by 0x8074B3E: print_status (mplayer.c:1280)
==13522== by 0x80793ED: main (mplayer.c:2004)
==13522==
==13522== Conditional jump or move depends on uninitialised value(s)
==13522== Stack hash: 2673366964
==13522== at 0x401EB39: memset (mc_replace_strmem.c:493)
==13522== by 0x8074B3E: print_status (mplayer.c:1280)
==13522== by 0x80793ED: main (mplayer.c:2004)
==13522== Warning: set address range perms: large range 268437693 (undefined)
==13522== Warning: set address range perms: large range 268437725 (noaccess)
==13522==
==13522== Conditional jump or move depends on uninitialised value(s)
==13522== Stack hash: 471787474
==13522== at 0x811EA63: ds_fill_buffer (demuxer.c:491)
==13522== by 0x811F178: ds_get_packet (demuxer.c:602)
==13522== by 0x816D9FD: video_read_frame (video.c:553)
==13522== by 0x8079512: main (mplayer.c:2262)
==13522==
==13522== ERROR SUMMARY: 4983945 errors from 206 contexts (suppressed: 19 from 1)
==13522== malloc/free: in use at exit: 32,926 bytes in 14 blocks.
==13522== malloc/free: 6,632 allocs, 6,611 frees, 7,039,884,877 bytes allocated.
==13522== For counts of detected errors, rerun with: -v
==13522== searching for pointers to 14 not-freed blocks.
==13522== checked 2,861,880 bytes.
==13522==
==13522== LEAK SUMMARY:
==13522== definitely lost: 0 bytes in 0 blocks.
==13522== possibly lost: 0 bytes in 0 blocks.
==13522== still reachable: 32,926 bytes in 14 blocks.
==13522== suppressed: 0 bytes in 0 blocks.
==13522== Rerun with --leak-check=full to see details of leaked memory.

###The rest of the output can be seen in a log file.

#The above valgrind output is saved as a log file(log13) and can be found at
URL:

*http://www.eecs.berkeley.edu/~sckhan/log13

*This report to inform the error found in Mplayer where errors are mainly for uninitialised values from running a test case: 1-guy-plays-soccer-pole.mp4. Stack hash: 471787474 and error back trace at: ds_fill_buffer (demuxer.c:491).

#The bug is found in making comparison of the fuzzing tools and is a part of
the metafuzz project.

*URL at: metafuzz.com

Change History (1)

comment:1 Changed 9 years ago by compn

  • Owner changed from r_togni@… to reimar
Note: See TracTickets for help on using tickets.