Opened 11 years ago

Last modified 9 years ago

#1191 new defect

MPlayer [Crash] and Valgrind reports Invalid Read in lschunks_intrak (demux_mov.c:1644)

Reported by: nstockma@…
Owned by: reimar
Priority: normal
Component: demuxer
Version: HEAD
Severity: normal
Keywords:
Cc: catchconv-bugreports@…
Blocked By:
Blocking:
Reproduced by developer:
Analyzed by developer:

Description

Please know: I noticed a lot of similarity between the stack traces for this bug and that of Bug 1187. Since the stacks are not identical I am reporting this bug, but it may be a duplicate.

Here's a .mov file where Valgrind reports an Invalid Read of size 2 and MPlayer crashes. The mov file (7-27.mov) can be found inside the .tgz archive at the URL above. The bug is easily reproducible.

I confirmed that this bug is reproducible on Linux OS, Debian x32 with the following subversion of MPlayer: dev-SVN-r27289-4.1.2

I used a 32-bit Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz.

To reproduce:
wget http://www.metafuzz.com/testcases/276944-7-9074901248-result256.tgz
tar xzfv 276944-7-9074901248-result256.tgz
valgrind mplayer 7-27.mov

Here is the output from Valgrind and Mplayer on my machine:

==14558== Memcheck, a memory error detector.
==14558== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==14558== Using LibVEX rev 1854, a library for dynamic binary translation.
==14558== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==14558== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==14558== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==14558== For more details, rerun with: -v
==14558==
MPlayer dev-SVN-r27289-4.1.2 (C) 2000-2008 MPlayer Team
CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz (Family: 6, Model: 15, Stepping: 6)
CPUflags: MMX: 1 MMX2: 1 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 1
Compiled for x86 CPU with extensions: MMX MMX2 SSE SSE2

Playing 7-27.mov.
libavformat file format detected.
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x43f44b0]Could not find codec parameters (Data: 0x0000)
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x43f44b0]Could not find codec parameters (Data: 0x0000)
LAVF_header: av_find_stream_info() failed
Quicktime/MOV file format detected.
* constant samplesize & variable duration not yet supported! *
Contact the author if you have such sample file!
==14558== Warning: silly arg (-2147483564) to malloc()

==14558== Invalid read of size 2 <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
==14558== Stack hash: 1671472881
==14558== at 0x81460BF: lschunks_intrak (demux_mov.c:1644)
==14558== by 0x8141EB6: lschunks (demux_mov.c:1286)
==14558== by 0x814253E: lschunks (demux_mov.c:1314)
==14558== by 0x8143E35: mov_read_header (demux_mov.c:1934)
==14558== by 0x8125E5A: demux_open_stream (demuxer.c:864)
==14558== by 0x8126121: demux_open (demuxer.c:991)
==14558== by 0x807925E: main (mplayer.c:3238)
==14558== Address 0x24 is not stack'd, malloc'd or (recently) free'd

MPlayer interrupted by signal 11 in module: demux_open

  • MPlayer crashed by bad usage of CPU/FPU/RAM. Recompile MPlayer with --enable-debug and make a 'gdb' backtrace and disassembly. Details in DOCS/HTML/en/bugreports_what.html#bugreports_crash.
  • MPlayer crashed. This shouldn't happen. It can be a bug in the MPlayer code _or_ in your drivers _or_ in your gcc version. If you think it's MPlayer's fault, please read DOCS/HTML/en/bugreports.html and follow the instructions there. We can't and won't help unless you provide this information when reporting a possible bug.

==14558==
==14558== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 27 from 1)
==14558== malloc/free: in use at exit: 98,438 bytes in 2,209 blocks.
==14558== malloc/free: 2,350 allocs, 141 frees, 1,374,289 bytes allocated.
==14558== For counts of detected errors, rerun with: -v
==14558== searching for pointers to 2,209 not-freed blocks.
==14558== checked 3,003,352 bytes.
==14558==
==14558== LEAK SUMMARY:
==14558== definitely lost: 20 bytes in 2 blocks.
==14558== possibly lost: 0 bytes in 0 blocks.
==14558== still reachable: 98,418 bytes in 2,207 blocks.
==14558== suppressed: 0 bytes in 0 blocks.
==14558== Rerun with --leak-check=full to see details of leaked memory.

Here is a backtrace using gdb:

(gdb) run -v 7-27.mov
Starting program: /usr/local/bin/mplayer -v 7-27.mov
Failed to read a valid object file image from memory.
[Thread debugging using libthread_db enabled]
[New Thread -1211119392 (LWP 14727)]
MPlayer dev-SVN-r27289-4.1.2 (C) 2000-2008 MPlayer Team
CPU: Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz (Family: 6, Model: 15, Stepping: 13)
CPUflags: MMX: 1 MMX2: 1 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 1
Compiled for x86 CPU with extensions: MMX MMX2 SSE SSE2
get_path('codecs.conf') -> '/home/user/.mplayer/codecs.conf'
Reading /home/user/.mplayer/codecs.conf: Can't open '/home/user/.mplayer/codecs.conf': No such file or directory
Reading /usr/local/etc/mplayer/codecs.conf: Can't open '/usr/local/etc/mplayer/codecs.conf': No such file or directory
Using built-in default codecs.conf.
Configuration: --enable-debug=3
CommandLine: '-v' '7-27.mov'
get_path('font/font.desc') -> '/home/user/.mplayer/font/font.desc'
font: can't open file: /home/user/.mplayer/font/font.desc
font: can't open file: /usr/local/share/mplayer/font/font.desc
Using MMX (with tiny bit MMX2) Optimized OnScreenDisplay
Using nanosleep() timing
get_path('input.conf') -> '/home/user/.mplayer/input.conf'
Can't open input config file /home/user/.mplayer/input.conf: No such file or directory
Can't open input config file /usr/local/etc/mplayer/input.conf: No such file or directory
Falling back on default (hardcoded) input config
get_path('7-27.mov.conf') -> '/home/user/.mplayer/7-27.mov.conf'

Playing 7-27.mov.
get_path('sub/') -> '/home/user/.mplayer/sub/'
[file] File size is 1122311 bytes
STREAM: [file] 7-27.mov
STREAM: Description: File
STREAM: Author: Albeu
STREAM: Comment: based on the code from ??? (probably Arpi)
LAVF_check: QuickTime/MPEG-4/Motion JPEG 2000 format
libavformat file format detected.
stream_seek: WARNING! Can't seek to 0x112007 !
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x89c5610]Could not find codec parameters (Data: 0x0000)
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x89c5610]Could not find codec parameters (Data: 0x0000)
LAVF_header: av_find_stream_info() failed
Checking for YUV4MPEG2
ASF_check: not ASF guid!
Checking for NuppelVideo
Checking for REAL
Checking for SMJPEG
Checking for Nullsoft Streaming Video
Checking for MOV
MOV: 'WIDE' chunk found!
MOV: Movie DATA found!
MOV: Movie DATA found!
MOV: Movie header found!
Quicktime/MOV file format detected.
MOV: Movie header (100 bytes): tscale=600 dur=3000


MOV: Track #0:
MOV: unknown chunk: tkjd 86
MOV: unknown chunk: ts 2385244
MOV track #0: 0 chunks, 0 samples
pts=0 scale=0 time= nan
* constant samplesize & variable duration not yet supported! *
Contact the author if you have such sample file!
Unknown track type found (type: 0)


MOV: Track #1:
MOV: Track header!

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1211119392 (LWP 14727)]
0x081460bf in lschunks_intrak (demuxer=0x89bc328, level=1, id=1953196132, pos=1121330, len=2147483732, trak=0x89bd670) at libmpdemux/demux_mov.c:1644
1644 char2short(trak->tkdata, 36)); volume
(gdb) bt
#0 0x081460bf in lschunks_intrak (demuxer=0x89bc328, level=1, id=1953196132, pos=1121330, len=2147483732, trak=0x89bd670) at libmpdemux/demux_mov.c:1644
#1 0x08141eb7 in lschunks (demuxer=0x89bc328, level=1, endpos=1122303, trak=0x89bd670) at libmpdemux/demux_mov.c:1286
#2 0x0814253f in lschunks (demuxer=0x89bc328, level=0, endpos=1122311, trak=0x0) at libmpdemux/demux_mov.c:1314
#3 0x08143e36 in mov_read_header (demuxer=0x89bc328) at libmpdemux/demux_mov.c:1934
#4 0x08125e5b in demux_open_stream (stream=0x89bb980, file_format=<value optimized out>, force=0, audio_id=-1, video_id=-1, dvdsub_id=-2, filename=0x89b25c0 "7-27.mov") at libmpdemux/demuxer.c:864
#5 0x08126122 in demux_open (vs=0x89bb980, file_format=0, audio_id=-1, video_id=-1, dvdsub_id=-2, filename=0x89b25c0 "7-27.mov") at libmpdemux/demuxer.c:991
#6 0x0807925f in main (argc=3, argv=0xbf9a68d4) at mplayer.c:3238
(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x814609f to 0x81460df:
0x0814609f <lschunks_intrak+7983>: add %eax,%ebx
0x081460a1 <lschunks_intrak+7985>: mov (%ebx),%eax
0x081460a3 <lschunks_intrak+7987>: mov 0x4(%ebx),%esi
0x081460a6 <lschunks_intrak+7990>: imul %esi,%eax
0x081460a9 <lschunks_intrak+7993>: add %eax,0xffffff14(%ebp)
0x081460af <lschunks_intrak+7999>: cmp %edi,0x6c(%ecx)
0x081460b2 <lschunks_intrak+8002>: jg 0x814605c <lschunks_intrak+7916>
0x081460b4 <lschunks_intrak+8004>: jmp 0x8144274 <lschunks_intrak+260>
0x081460b9 <lschunks_intrak+8009>: mov 0xfffffeec(%ebp),%edx
0x081460bf <lschunks_intrak+8015>: movzwl 0x24(%edx),%eax
0x081460c3 <lschunks_intrak+8019>: jmp 0x8144cfc <lschunks_intrak+2956>
0x081460c8 <lschunks_intrak+8024>: nop
0x081460c9 <lschunks_intrak+8025>: lea 0x0(%esi),%esi
0x081460d0 <mov_check_file+0>: push %ebp
0x081460d1 <mov_check_file+1>: mov %esp,%ebp
0x081460d3 <mov_check_file+3>: push %edi
0x081460d4 <mov_check_file+4>: push %esi
0x081460d5 <mov_check_file+5>: push %ebx
0x081460d6 <mov_check_file+6>: sub $0x12c,%esp
0x081460dc <mov_check_file+12>: movl $0x8d4,(%esp)
End of assembler dump.
(gdb) info all-registers
eax 0x80000054 -2147483564
ecx 0x20b98 134040
edx 0x0 0
ebx 0x80000054 -2147483564
esp 0xbf9a50e0 0xbf9a50e0
ebp 0xbf9a5238 0xbf9a5238
esi 0x89bb980 144423296
edi 0x80000054 -2147483564
eip 0x81460bf 0x81460bf <lschunks_intrak+8015>
eflags 0x10282 [ SF IF RF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
st0 0 (raw 0x00000000000000000000)
st1 0 (raw 0x00000000000000000000)
st2 0 (raw 0x00000000000000000000)
st3 0 (raw 0x00000000000000000000)
st4 0 (raw 0x00000000000000000000)
st5 1 (raw 0x3fff8000000000000000)
st6 0 (raw 0x00000000000000000000)
st7 -nan(0xc000000000000000) (raw 0xffffc000000000000000)
fctrl 0x37f 895
fstat 0x21 33
ftag 0xffff 65535
fiseg 0x73 115
fioff 0xb7d45e60 -1210818976
foseg 0x7b 123
fooff 0xbf9a3228 -1080413656
fop 0x51c 1308
xmm0 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm1 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm2 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm3 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm4 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm5 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm6 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm7 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
mxcsr 0x1f80 [ IM DM ZM OM UM PM ]
mm0 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0, 0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm1 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0, 0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm2 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0, 0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm3 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0, 0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm4 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0, 0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm5 {uint64 = 0x8000000000000000, v2_int32 = {0x0, 0x80000000}, v4_int16 = {0x0, 0x0, 0x0, 0x8000}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x80}}
mm6 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0, 0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm7 {uint64 = 0xc000000000000000, v2_int32 = {0x0, 0xc0000000}, v4_int16 = {0x0, 0x0, 0x0, 0xc000}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xc0}}

This bug was found using the Zzuf fuzzer. It was found as part of the SUPERB-TRUST 2008 project (see http://www.truststc.org/superb/) and the metafuzz project (see http://metafuzz.com/, stack hash 9074901248).

Please let me know if I can provide more information.
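The traces above point at a length-validation failure in the 'tkhd' (id 1953196132) handler: eax/ebx hold 0x80000054, the same value Valgrind flagged as a "silly arg" of -2147483564 to malloc(), edx is 0, and the faulting instruction `movzwl 0x24(%edx),%eax` reads offset 36 (the volume field, per the source line shown) through a NULL tkdata pointer, hence "Address 0x24". As an added example, not MPlayer's code, here is how a demuxer can reject an untrusted atom length and a failed allocation before touching the payload; the 64 MiB cap, the function names and the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Sanity cap on a single atom payload; an assumption for this example. */
#define MOV_MAX_CHUNK (64u * 1024u * 1024u)

static uint32_t be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* A chunk length read from the file is untrusted: keep it unsigned, require it
 * to cover its own 8-byte header, to fit inside the enclosing atom, and to stay
 * under the cap, so 0x80000054 is rejected instead of ever reaching malloc(). */
int mov_chunk_len_ok(uint32_t len, size_t remaining) {
    return len >= 8 && len <= remaining && len <= MOV_MAX_CHUNK;
}

/* Parse one 'tkhd' atom (version 0 layout) from `chunk`, which has `remaining`
 * readable bytes, and return the volume field at payload offset 36.
 * Returns 0 on success, -1 on malformed input or allocation failure. */
int read_tkhd_volume(const uint8_t *chunk, size_t remaining, uint16_t *volume) {
    uint32_t len, payload;
    uint8_t *tkdata;
    if (remaining < 8) return -1;
    len = be32(chunk);
    if (!mov_chunk_len_ok(len, remaining)) return -1;
    if (memcmp(chunk + 4, "tkhd", 4) != 0) return -1;
    payload = len - 8;
    if (payload < 38) return -1;            /* offsets 36..37 must exist */
    tkdata = malloc(payload);
    if (!tkdata) return -1;                  /* never dereference a failed malloc */
    memcpy(tkdata, chunk + 8, payload);
    *volume = be16(tkdata + 36);
    free(tkdata);
    return 0;
}

/* Constructed samples: a well-formed 92-byte tkhd with volume 0x0100, and a
 * header whose size field is 0x80000054, the value seen in the crash above. */
static const uint8_t good_tkhd[92] = {
    0x00, 0x00, 0x00, 0x5c, 't', 'k', 'h', 'd',
    [8 + 36] = 0x01, [8 + 37] = 0x00 };
static const uint8_t bad_tkhd[8] = { 0x80, 0x00, 0x00, 0x54, 't', 'k', 'h', 'd' };

/* Wrappers that return the outcome so the behaviour can be checked. */
int demo_good(void) { uint16_t v = 0; return read_tkhd_volume(good_tkhd, sizeof good_tkhd, &v) == 0 ? v : -1; }
int demo_bad(void)  { uint16_t v = 0; return read_tkhd_volume(bad_tkhd, sizeof bad_tkhd, &v); }
```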

Change History (1)

comment:1 Changed 9 years ago by compn

  • Owner changed from r_togni@… to reimar