Opened 16 years ago

Closed 16 years ago

#1190 closed defect (duplicate)

InvalidRead

Reported by: nicholenae@… Owned by: reimar
Priority: normal Component: ao
Version: HEAD Severity: normal
Keywords: Cc: catchconv-bugreports@…
Blocked By: Blocking:
Reproduced by developer: no Analyzed by developer: no

Description

I worked in the lab as part of the SUPERB-TRUST 2008 for the security project
and found these bugs in the file 112-27.mov. The error is an Invalid Read in mp_decode_frame (bitstream.h:651). This bug is reproducible. You can download the file with the following link and run the
command below:

www.metafuzz.com
wget http://www.metafuzz.com/testcases/224086-63-2206507841-InvalidRead.tgz
tar xzfv 224086-63-2206507841-InvalidRead.tgz
valgrind mplayer 112-27.mov

I have this version:

MPlayer dev-SVN-r27289-4.1.2 (C) 2000-2008 MPlayer Team
CPU: Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz (Family: 6, Model: 15, Stepping: 13)
CPUflags: MMX: 1 MMX2: 1 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 1
Compiled for x86 CPU with extensions: MMX MMX2 SSE SSE2

Playing 112-27.mov.
libavformat file format detected.
==21133== Invalid read of size 4
==21133== Stack hash: 1514216397
==21133== at 0x84795A5: mp_decode_frame (bitstream.h:651)
==21133== by 0x847AFDD: decode_frame (mpegaudiodec.c:2405)
==21133== by 0x82ECC4A: avcodec_decode_audio2 (utils.c:928)
==21133== by 0x8263BC7: av_find_stream_info (utils.c:1828)
==21133== by 0x81A30E5: demux_open_lavf (demux_lavf.c:466)
==21133== by 0x811E2EA: demux_open_stream (demuxer.c:864)
==21133== by 0x811E5B1: demux_open (demuxer.c:991)
==21133== by 0x8077A5E: main (mplayer.c:3238)
==21133== Address 0x4381925 is 37 bytes inside a block of size 40 alloc'd
==21133== Stack hash: 3625767601
==21133== at 0x401C882: memalign (vg_replace_malloc.c:460)
==21133== by 0x8548EF4: av_malloc (mem.c:61)
==21133== by 0x82600A4: av_dup_packet (utils.c:247)
==21133== by 0x8263421: av_find_stream_info (utils.c:2023)
==21133== by 0x81A30E5: demux_open_lavf (demux_lavf.c:466)
==21133== by 0x811E2EA: demux_open_stream (demuxer.c:864)
==21133== by 0x811E5B1: demux_open (demuxer.c:991)
==21133== by 0x8077A5E: main (mplayer.c:3238)
==21133==
==21133== Invalid read of size 4
==21133== Stack hash: 97422919
==21133== at 0x8479787: mp_decode_frame (bitstream.h:651)
==21133== by 0x847AFDD: decode_frame (mpegaudiodec.c:2405)
==21133== by 0x82ECC4A: avcodec_decode_audio2 (utils.c:928)
==21133== by 0x8263BC7: av_find_stream_info (utils.c:1828)
==21133== by 0x81A30E5: demux_open_lavf (demux_lavf.c:466)
==21133== by 0x811E2EA: demux_open_stream (demuxer.c:864)
==21133== by 0x811E5B1: demux_open (demuxer.c:991)
==21133== by 0x8077A5E: main (mplayer.c:3238)
==21133== Address 0x4381942 is not stack'd, malloc'd or (recently) free'd
[lavf] Audio stream found, -aid 0
==========================================================================
Opening audio decoder: [mp3lib] MPEG layer-2, layer-3
AUDIO: 44100 Hz, 2 ch, s16le, 32.0 kbit/2.27% (ratio: 4000->176400)
Selected audio codec: [mp3] afm: mp3lib (mp3lib MPEG layer-2, layer-3)
==========================================================================
AO: [oss] 44100Hz 2ch s16le (2 bytes per sample)
Video: no video
Starting playback...
A: 0.2 (00.1) of 93.5 (01:33.5) ??,?%

Exiting... (End of file)
==21133==
==21133== ERROR SUMMARY: 123 errors from 2 contexts (suppressed: 19 from 1)
==21133== malloc/free: in use at exit: 52,438 bytes in 30 blocks.
==21133== malloc/free: 3,920 allocs, 3,890 frees, 2,954,998 bytes allocated.
==21133== For counts of detected errors, rerun with: -v
==21133== searching for pointers to 30 not-freed blocks.
==21133== checked 2,914,248 bytes.
==21133==
==21133== LEAK SUMMARY:
==21133== definitely lost: 10 bytes in 1 blocks.
==21133== possibly lost: 0 bytes in 0 blocks.
==21133== still reachable: 52,428 bytes in 29 blocks.
==21133== suppressed: 0 bytes in 0 blocks.
==21133== Rerun with --leak-check=full to see details of leaked memory.

Change History (2)

comment:1 by nicholenae@…, 16 years ago

Hello, I suspect this report might have something to do with #1152. Can you help me check it? Also, please note that this situation appears when playing both .mp4 and .mov files. Thanks very much.

comment:2 by reimar, 16 years ago

Resolution: duplicate
Status: new → closed

Same line numbers (except for a slight shift down due to unrelated code changes), same bug.

* This bug has been marked as a duplicate of bug 1152 *
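
An added triage example, not part of the ticket or of MPlayer's code: it parses Memcheck output like the log above and keys each invalid access on the function and file names of its top frames, ignoring line numbers and addresses, so a report whose line numbers have shifted slightly (as in comment:2) still lands in the same bucket. It also computes how many bytes a read runs past the end of its block. The names `parse_errors` and `signature`, the frame depth and the 12-character hash length are assumptions of this sketch.

```python
import hashlib
import re

HEADER = re.compile(r"Invalid (read|write) of size (\d+)")
FRAME = re.compile(r"(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \(([^:()]+)(?::\d+)?\)")
INSIDE = re.compile(r"is (\d+) bytes inside a block of size (\d+)")

# Abridged excerpt of the Valgrind log in this ticket (deeper frames dropped).
SAMPLE = """\
==21133== Invalid read of size 4
==21133== at 0x84795A5: mp_decode_frame (bitstream.h:651)
==21133== by 0x847AFDD: decode_frame (mpegaudiodec.c:2405)
==21133== Address 0x4381925 is 37 bytes inside a block of size 40 alloc'd
==21133== at 0x401C882: memalign (vg_replace_malloc.c:460)
==21133== by 0x8548EF4: av_malloc (mem.c:61)
==21133==
==21133== Invalid read of size 4
==21133== at 0x8479787: mp_decode_frame (bitstream.h:651)
==21133== by 0x847AFDD: decode_frame (mpegaudiodec.c:2405)
==21133== Address 0x4381942 is not stack'd, malloc'd or (recently) free'd
"""

def parse_errors(log):
    """One dict per invalid access: kind, size, access-stack frames, bytes past block end."""
    errors, cur, in_access = [], None, False
    for raw in log.splitlines():
        line = re.sub(r"^==\d+==\s*", "", raw)
        m = HEADER.search(line)
        if m:
            cur = {"kind": m.group(1), "size": int(m.group(2)), "frames": [], "overrun": None}
            errors.append(cur)
            in_access = True
        elif cur is None or not line:
            cur = None                      # blank separator ends the current error
        elif line.startswith("Address "):
            in_access = False               # frames after this are the allocation stack
            m = INSIDE.search(line)
            if m:
                cur["overrun"] = max(0, int(m.group(1)) + cur["size"] - int(m.group(2)))
        elif in_access and (m := FRAME.match(line)):
            cur["frames"].append((m.group(1), m.group(2)))   # keep function + file only
    return errors

def signature(err, depth=3):
    """Bucket key from kind + top frames; line numbers and addresses are left out."""
    key = err["kind"] + "|" + "|".join(f"{fn}@{src}" for fn, src in err["frames"][:depth])
    return hashlib.sha256(key.encode()).hexdigest()[:12]

if __name__ == "__main__":
    for e in parse_errors(SAMPLE):
        print(signature(e), e["kind"], e["size"], e["frames"][0], "overrun:", e["overrun"])
```

On the excerpt, both invalid reads collapse to one signature, and the first is reported as running 1 byte past its 40-byte block (offset 37 plus a 4-byte read).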
