Syscall param write and invalid read followed by crash

[zlai88@…]

The fuzzed file t1_ma.mp3 (in the archive at the URL above) caused Mplayer to crash by signal 11 in module: decode_audio. Valgrind reports syscall param write within /lib/ld-2.3.6.so, malloc (vg_replace_malloc.c:207), and invalid read in do_layer3 (layer3.c:1157).

This bug is reproducible on Linux Debian Etch, with the latest Subversion head
mplayer (r27266). The machine used is VMWare Player.

Reproduce as follows:
wget ​http://www.eecs.berkeley.edu/~zhl210/25212-0-826147072-result256.tgz
tar xzf 25212-0-826147072-result256.tgz
Valgrind mplayer t1_ma.mp3

---

Here is the output by Valgrind:

==17994== Memcheck, a memory error detector.
==17994== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==17994== Using LibVEX rev 1854, a library for dynamic binary translation.
==17994== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==17994== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==17994== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==17994== For more details, rerun with: -v
==17994==
==17994== My PID = 17994, parent PID = 16991. Prog and args are:
==17994== /home/user/mplayer/mplayer
==17994== t1_ma.mp3
==17994==
==17994== Syscall param write(buf) points to uninitialised byte(s)
==17994== Stack hash: 2550802113
==17994== at 0x4000792: (within /lib/ld-2.3.6.so)
==17994== Address 0x430ff26 is 678 bytes inside a block of size 65,536 alloc'd
==17994== Stack hash: 2167151763
==17994== at 0x401D898: malloc (vg_replace_malloc.c:207)
==17994== by 0x401D9DC: realloc (vg_replace_malloc.c:429)
==17994== by 0x80DAA3E: decode_audio (dec_audio.c:401)
==17994== by 0x80784E9: main (mplayer.c:2044)
==17994==
==17994== Invalid read of size 4
==17994== Stack hash: 880614204
==17994== at 0x81E7273: do_layer3 (layer3.c:1157)
==17994== by 0x816909D: demux_open_y4m (demux_y4m.c:192)
==17994== Address 0xbf00000c is not stack'd, malloc'd or (recently) free'd
==17994==
==17994== ERROR SUMMARY: 4 errors from 2 contexts (suppressed: 21 from 1)
==17994== malloc/free: in use at exit: 232,413 bytes in 2,205 blocks.
==17994== malloc/free: 20,064 allocs, 17,859 frees, 6,342,142 bytes allocated.
==17994== For counts of detected errors, rerun with: -v
==17994== searching for pointers to 2,205 not-freed blocks.
==17994== checked 3,068,276 bytes.
==17994==
==17994== LEAK SUMMARY:
==17994== definitely lost: 0 bytes in 0 blocks.
==17994== possibly lost: 0 bytes in 0 blocks.
==17994== still reachable: 232,413 bytes in 2,205 blocks.
==17994== suppressed: 0 bytes in 0 blocks.

---

Here is the backtrace by gdb:

#0 0x081e7275 in do_layer3 (fr=0x871c7c0, single=-1) at mp3lib/layer3.c:1157
#1 0x0816909e in demux_open_y4m (demuxer=0x0) at libmpdemux/demux_y4m.c:192

Dump of assembler code from 0x81e7255 to 0x81e7295:
0x081e7255 <do_layer3+2309>: or $0x8b000003,%eax
0x081e725a <do_layer3+2314>: popf
0x081e725b <do_layer3+2315>: fcomp %st(0)
0x081e725d <do_layer3+2317>: (bad)
0x081e725e <do_layer3+2318>: decl 0x89d989c6(%ecx)
0x081e7264 <do_layer3+2324>: fidivl (%ecx)
0x081e7266 <do_layer3+2326>: rorb $0x0,0x27bc8df6(%ecx)
0x081e726d <do_layer3+2333>: add %al,(%eax)
0x081e726f <do_layer3+2335>: add %al,0x2d904ea(%ebx)
0x081e7275 <do_layer3+2341>: flds (%ecx)
0x081e7277 <do_layer3+2343>: flds 0x8726380(,%eax,4)
0x081e727e <do_layer3+2350>: fmul %st(2),%st
0x081e7280 <do_layer3+2352>: flds 0x8726360(,%eax,4)
0x081e7287 <do_layer3+2359>: fmul %st(2),%st
0x081e7289 <do_layer3+2361>: fsubrp %st,%st(1)
0x081e728b <do_layer3+2363>: fstps (%edx)
0x081e728d <do_layer3+2365>: fmuls 0x8726380(,%eax,4)
0x081e7294 <do_layer3+2372>: fxch %st(1)
End of assembler dump.

eax 0x2 2
ecx 0xc0000000 -1073741824
edx 0xbfffffec -1073741844
ebx 0xbffffff8 -1073741832
esp 0xbfffaf50 0xbfffaf50
ebp 0xbfffd768 0xbfffd768
esi 0xffffff25 -219
edi 0x0 0
eip 0x81e7275 0x81e7275 <do_layer3+2341>
eflags 0x210292 [ AF SF IF RF ID ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
st0 272595795793760223232 (raw 0x4042ec706d0000000000)
st1 -nan(0xde44ca34de44ca34) (raw 0xffffde44ca34de44ca34)
st2 -nan(0x21bc35cc21bc35cc) (raw 0xffff21bc35cc21bc35cc)
st3 -nan(0xfffb4c200265aa62) (raw 0xfffffffb4c200265aa62)
st4 -nan(0xd8cffffd4c25) (raw 0xffff0000d8cffffd4c25)
st5 -0 (raw 0x80000000000000000000)
st6 1.9438727293720567883844748367783151e-10 (raw 0x3fded5bb27330f180
st7 -1.039971889189516049230664195435897e-10 (raw 0xbfdde4b13670bf0a0000)
fctrl 0x37f 895
fstat 0x7833 30771
ftag 0x3fff 16383
fiseg 0x73 115
fioff 0x81e7273 136213107
foseg 0x7b 123
fooff 0xbfffffec -1073741844
fop 0x102 258
xmm0 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},

v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,

0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},

uint128 = 0x00000000000000000000000000000000}

xmm1 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},

v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,

0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},

uint128 = 0x00000000000000000000000000000000}

xmm2 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},

v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,

0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},

uint128 = 0x00000000000000000000000000000000}

xmm3 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},

v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,

0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},

uint128 = 0x00000000000000000000000000000000}

xmm4 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},

v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,

0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},

uint128 = 0x00000000000000000000000000000000}

xmm5 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},

v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,

0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},

uint128 = 0x00000000000000000000000000000000}

xmm6 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},

v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,

0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},

uint128 = 0x00000000000000000000000000000000}

xmm7 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},

v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,

0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},

uint128 = 0x00000000000000000000000000000000}

mxcsr 0x1f80 [ IM DM ZM OM UM PM ]
mm0 {uint64 = 0xe4b13670bf0a0000, v2_int32 = {0xbf0a0000,

0xe4b13670}, v4_int16 = {0x0, 0xbf0a, 0x3670, 0xe4b1}, v8_int8 = {0x0,
0x0, 0xa, 0xbf, 0x70, 0x36, 0xb1, 0xe4}}

mm1 {uint64 = 0xec706d0000000000, v2_int32 = {0x0, 0xec706d00},

v4_int16 = {0x0, 0x0, 0x6d00, 0xec70}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0,

0x6d, 0x70, 0xec}}

mm2 {uint64 = 0xde44ca34de44ca34, v2_int32 = {0xde44ca34,

0xde44ca34}, v4_int16 = {0xca34, 0xde44, 0xca34, 0xde44}, v8_int8 = {0x34,
0xca, 0x44, 0xde, 0x34, 0xca, 0x44, 0xde}}

mm3 {uint64 = 0x21bc35cc21bc35cc, v2_int32 = {0x21bc35cc,

0x21bc35cc}, v4_int16 = {0x35cc, 0x21bc, 0x35cc, 0x21bc}, v8_int8 = {0xcc,
0x35, 0xbc, 0x21, 0xcc, 0x35, 0xbc, 0x21}}

mm4 {uint64 = 0xfffb4c200265aa62, v2_int32 = {0x265aa62,

0xfffb4c20}, v4_int16 = {0xaa62, 0x265, 0x4c20, 0xfffb}, v8_int8 = {0x62,
0xaa, 0x65, 0x2, 0x20, 0x4c, 0xfb, 0xff}}

mm5 {uint64 = 0xd8cffffd4c25, v2_int32 = {0xfffd4c25, 0xd8cf},

v4_int16 = {0x4c25, 0xfffd, 0xd8cf, 0x0}, v8_int8 = {0x25, 0x4c, 0xfd, 0xff,

0xcf, 0xd8, 0x0, 0x0}}

mm6 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0,

0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}

mm7 {uint64 = 0xd5bb27330f180000, v2_int32 = {0xf180000,

0xd5bb2733}, v4_int16 = {0x0, 0xf18, 0x2733, 0xd5bb}, v8_int8 = {0x0, 0x0,
0x18, 0xf, 0x33, 0x27, 0xbb, 0xd5}}

---

This bug was found as part of the SUPERB-TRUST 2008 project.

[reimar]

Not reproducible, sample URL updated.