Opened 11 years ago

Last modified 8 years ago

#1185 new defect

Error in Audio Decoding: Mplayer Crashed: Invalid Read

Reported by: sckhan@… Owned by: reimar
Priority: normal Component: ad
Version: HEAD Severity: normal
Keywords: Cc: catchconv-bugreports@…
Blocked By: Blocking:
Reproduced by developer: Analyzed by developer:

Description

The following report is for the SUPERB-TRUST 2008 cyber security project.

#Error found with test case .mp3 file for mplayer version (dev-SVN-r27270-4.1.2);
valgrind reports an Invalid Read.

#The test case "5-memories.mp3" can be found at the URL

*http://www.eecs.berkeley.edu/~sckhan/5-memories.mp3

#Reproducible with the following command

*valgrind mplayer

Can also be run as:

*valgrind --log-file=log18 mplayer 5-memories.mp3

#OS: Debian Etch Linux

#Valgrind output:

==31685== Memcheck, a memory error detector.
==31685== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==31685== Using LibVEX rev 1854, a library for dynamic binary translation.
==31685== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==31685== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==31685== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==31685== For more details, rerun with: -v
==31685==
==31685== My PID = 31685, parent PID = 1823. Prog and args are:
==31685== mplayer
==31685== 5-memories.mp3
==31685==
==31685== Invalid read of size 4
==31685== Stack hash: 4102688190
==31685== at 0x81E30AB: dct36 (dct36.c:169)
==31685== by 0x81E760D: do_layer3 (layer3.c:1212)
==31685== by 0x81E8CF5: MP3_DecodeFrame (sr1.c:539)
==31685== by 0x80DA964: decode_audio (dec_audio.c:383)
==31685== by 0x80784E9: main (mplayer.c:2044)
==31685== Address 0x989337c is not stack'd, malloc'd or (recently) free'd
==31685==
==31685== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 19 from 1)
==31685== malloc/free: in use at exit: 232,099 bytes in 2,190 blocks.
==31685== malloc/free: 4,945 allocs, 2,755 frees, 2,526,552 bytes allocated.
==31685== For counts of detected errors, rerun with: -v
==31685== searching for pointers to 2,190 not-freed blocks.
==31685== checked 3,104,880 bytes.
==31685==
==31685== LEAK SUMMARY:
==31685== definitely lost: 0 bytes in 0 blocks.
==31685== possibly lost: 0 bytes in 0 blocks.
==31685== still reachable: 232,099 bytes in 2,190 blocks.
==31685== suppressed: 0 bytes in 0 blocks.
==31685== Rerun with --leak-check=full to see details of leaked memory.

*This report is to inform of the error found in Mplayer, where it crashes running
the test case: 5-memories.mp3.

*Mplayer Crashed Info*
The debug info of the crash can be seen at the URL:
<http://www.eecs.berkeley.edu/~sckhan/crash4>

#The bug was found while comparing fuzzing tools and is a part of
the metafuzz project.

*URL at: metafuzz.com
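The valgrind record above is the raw material a fuzzing campaign has to bucket and rank. As an added example (not code from the ticket, MPlayer, valgrind or the metafuzz project), the following Python parses memcheck error records, keys each on the access kind plus the top stack frames so that repeat hits of the same bug collapse into one bucket, and reads memcheck's address annotation to separate a wild pointer from a heap overflow or use-after-free. TICKET_LOG is the ticket's own output; RERUN_LOG and OTHER_LOG, including the function names copy_tag and the file example.c, are constructed for the example. The ticket's "Stack hash" line is not standard memcheck output, so the parser ignores it and derives its own key.

```python
"""Triage helper for valgrind memcheck logs: parse error records, bucket them by
stack, classify the faulting address. Added example; not MPlayer/valgrind/metafuzz code."""
import re
from collections import Counter

# Error record copied from the ticket's valgrind output (PID 31685).
TICKET_LOG = """\
==31685== Invalid read of size 4
==31685== Stack hash: 4102688190
==31685== at 0x81E30AB: dct36 (dct36.c:169)
==31685== by 0x81E760D: do_layer3 (layer3.c:1212)
==31685== by 0x81E8CF5: MP3_DecodeFrame (sr1.c:539)
==31685== by 0x80DA964: decode_audio (dec_audio.c:383)
==31685== by 0x80784E9: main (mplayer.c:2044)
==31685== Address 0x989337c is not stack'd, malloc'd or (recently) free'd
==31685==
==31685== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 19 from 1)
"""

# Constructed: the same input on a second run (new PID, new heap address).
RERUN_LOG = """\
==4242== Invalid read of size 4
==4242== at 0x81E30AB: dct36 (dct36.c:169)
==4242== by 0x81E760D: do_layer3 (layer3.c:1212)
==4242== by 0x81E8CF5: MP3_DecodeFrame (sr1.c:539)
==4242== Address 0x9a1240c is not stack'd, malloc'd or (recently) free'd
==4242==
==4242== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 19 from 1)
"""

# Constructed heap-overflow record with hypothetical function names.
OTHER_LOG = """\
==4343== Invalid write of size 1
==4343== at 0x8049ABC: copy_tag (example.c:10)
==4343== by 0x8049DEF: main (example.c:42)
==4343== Address 0x4a2f0a8 is 0 bytes after a block of size 8 alloc'd
==4343== at 0x4022AB8: malloc (vg_replace_malloc.c:207)
==4343== by 0x8049A90: copy_tag (example.c:8)
==4343==
==4343== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
"""

PREFIX = r"^==\d+==\s*"
ERROR_RE = re.compile(PREFIX + r"(Invalid (?:read|write) of size \d+|Invalid free\(\).*|"
                      r"Conditional jump or move depends on uninitialised value\(s\)|Use of uninitialised value.*)$")
FRAME_RE = re.compile(PREFIX + r"(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \(([^)]*)\)$")
ADDR_RE = re.compile(PREFIX + r"Address 0x([0-9A-Fa-f]+) (.*)$")
BLANK_RE = re.compile(PREFIX + r"$")
SUMMARY_RE = re.compile(r"ERROR SUMMARY: (\d+) errors? from (\d+) contexts?")


def parse_memcheck(text):
    """One dict per error record. Frames printed after the 'Address' line describe
    the block's allocation, not the fault, and are kept apart. Lines inside a
    record that are neither frames nor the address (e.g. 'Stack hash') are skipped."""
    errors, cur, frames = [], None, None
    for line in text.splitlines():
        if BLANK_RE.match(line):        # a bare '==PID==' line ends the record
            cur = None
            continue
        m = ERROR_RE.match(line)
        if m:
            cur = {"kind": m.group(1), "frames": [], "alloc_frames": [],
                   "address": None, "address_info": ""}
            frames = cur["frames"]
            errors.append(cur)
            continue
        if cur is None:                 # text outside any record: banner, PID, summary
            continue
        m = FRAME_RE.match(line)
        if m:
            frames.append((m.group(1), m.group(2)))   # (function, file:line)
            continue
        m = ADDR_RE.match(line)
        if m:
            cur["address"] = int(m.group(1), 16)
            cur["address_info"] = m.group(2)
            frames = cur["alloc_frames"]
    return errors


def classify_address(info):
    """Rough memory-safety class from memcheck's address annotation."""
    if "not stack'd, malloc'd or (recently) free'd" in info:
        return "wild"           # no tracked block nearby: bad index or garbage pointer
    if "free'd" in info:
        return "use-after-free"
    if re.search(r"bytes (?:after|before) a block", info):
        return "heap-overflow"
    return "unknown"


def bucket_key(err, depth=3):
    """Dedup key: access kind without its width, plus the top `depth` functions."""
    return (err["kind"].split(" of size")[0],) + tuple(f for f, _ in err["frames"][:depth])


def error_summary(text):
    m = SUMMARY_RE.search(text)
    return (int(m.group(1)), int(m.group(2))) if m else (0, 0)


def triage(logs, depth=3):
    """Count records per bucket across many runs, as a fuzzing campaign would."""
    return Counter(bucket_key(e, depth) for text in logs for e in parse_memcheck(text))
```

Calling `triage([TICKET_LOG, RERUN_LOG, OTHER_LOG])` puts both dct36 runs into one bucket keyed `("Invalid read", "dct36", "do_layer3", "MP3_DecodeFrame")` and the constructed write into a second one. On the ticket's record, `classify_address` returns `"wild"`: memcheck is saying no live or recently freed heap block covers 0x989337c, so this is not a use-after-free but the signature of an out-of-range index or a garbage pointer, and which of the two is what dct36.c:169 has to be inspected for.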

Change History (1)

comment:1 Changed 8 years ago by compn

  • Owner changed from r_togni@… to reimar