Opened 16 years ago

Closed 16 years ago

#1195 closed defect (worksforme)

[Crash] for this .flac, Valgrind reports InvalidRead @ metadata_parse (bitstream.h:687)

Reported by: aslani@…
Owned by: r_togni@…
Priority: normal
Component: demuxer
Version: HEAD
Severity: normal
Keywords:
Cc: catchconv-bugreports@…
Blocked By:
Blocking:
Reproduced by developer: no
Analyzed by developer: no

Description

For this .flac file, Valgrind 3.3.1 reports InvalidRead size 1 in the latest subversion of MPlayer, SVN-r27288-4.1.2, and MPlayer crashes.

System Info:
OS: Debian Etch Linux, Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz

uname -a: Linux debian 2.6.18-4-486 #1 Mon Mar 26 16:39:10 UTC 2007 i686 GNU/Linux

To reproduce:

wget http://www.metafuzz.com/testcases/514188-3-1901000944-InvalidRead.tgz
tar xzf 514188-3-1901000944-InvalidRead.tgz
valgrind mplayer 3-snippet3.flac

Valgrind result:

Playing 3-snippet3.flac.
Audio file file format detected.
==========================================================================
Opening audio decoder: [ffmpeg] FFmpeg/libavcodec audio decoders
==18574== Invalid read of size 1<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
==18574== Stack hash: 1653449124
==18574== at 0x8409902: metadata_parse (bitstream.h:687)
==18574== by 0x8409B1B: flac_decode_frame (flac.c:635)
==18574== by 0x82ECC4A: avcodec_decode_audio2 (utils.c:928)
==18574== by 0x8198808: decode_audio (ad_ffmpeg.c:161)
==18574== by 0x8198B56: init (ad_ffmpeg.c:109)
==18574== by 0x80DB0D2: init_audio (dec_audio.c:95)
==18574== by 0x80DB4C8: init_best_audio_codec (dec_audio.c:270)
==18574== by 0x8076838: reinit_audio_chain (mplayer.c:1585)
==18574== by 0x80781E1: main (mplayer.c:3583)
==18574== Address 0x4b4b4b4 is not stack'd, malloc'd or (recently) free'd

MPlayer interrupted by signal 11 in module: init_audio_codec

- MPlayer crashed by bad usage of CPU/FPU/RAM. Recompile MPlayer with --enable-debug and make a 'gdb' backtrace and disassembly. Details in DOCS/HTML/en/bugreports_what.html#bugreports_crash.

==18574==
==18574== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 19 from 1)
==18574== malloc/free: in use at exit: 489,523 bytes in 2,188 blocks.
==18574== malloc/free: 2,319 allocs, 131 frees, 1,836,165 bytes allocated.
==18574== For counts of detected errors, rerun with: -v
==18574== searching for pointers to 2,188 not-freed blocks.
==18574== checked 3,352,936 bytes.
==18574==
==18574== LEAK SUMMARY:
==18574== definitely lost: 0 bytes in 0 blocks.
==18574== possibly lost: 0 bytes in 0 blocks.


gdb backtrace:

(gdb) run -v 3-snippet3.flac
Starting program: /usr/local/bin/mplayer -v 3-snippet3.flac
Failed to read a valid object file image from memory.
[Thread debugging using libthread_db enabled]
[New Thread -1209960224 (LWP 19230)]
MPlayer dev-SVN-r27288-4.1.2 (C) 2000-2008 MPlayer Team
CPU: Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz (Family: 6, Model: 15, Stepping: 13)
CPUflags: MMX: 1 MMX2: 1 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 1
Compiled for x86 CPU with extensions: MMX MMX2 SSE SSE2
get_path('codecs.conf') -> '/home/user/.mplayer/codecs.conf'
Reading /home/user/.mplayer/codecs.conf: Can't open '/home/user/.mplayer/codecs.conf': No such file or directory
Reading /usr/local/etc/mplayer/codecs.conf: Can't open '/usr/local/etc/mplayer/codecs.conf': No such file or directory
Using built-in default codecs.conf.
Configuration: --enable-debug=3
CommandLine: '-v' '3-snippet3.flac'
get_path('font/font.desc') -> '/home/user/.mplayer/font/font.desc'
font: can't open file: /home/user/.mplayer/font/font.desc
font: can't open file: /usr/local/share/mplayer/font/font.desc
Using MMX (with tiny bit MMX2) Optimized OnScreenDisplay
Using nanosleep() timing
get_path('input.conf') -> '/home/user/.mplayer/input.conf'
Can't open input config file /home/user/.mplayer/input.conf: No such file or directory
Can't open input config file /usr/local/etc/mplayer/input.conf: No such file or directory
Falling back on default (hardcoded) input config
get_path('3-snippet3.flac.conf') -> '/home/user/.mplayer/3-snippet3.flac.conf'
Playing 3-snippet3.flac.
get_path('sub/') -> '/home/user/.mplayer/sub/'
[file] File size is 199844 bytes
STREAM: [file] 3-snippet3.flac
STREAM: Description: File
STREAM: Author: Albeu
STREAM: Comment: based on the code from ??? (probably Arpi)
LAVF_check: raw FLAC
Checking for YUV4MPEG2
ASF_check: not ASF guid!
Checking for NuppelVideo
Checking for REAL
Checking for SMJPEG
Searching demuxer type for filename 3-snippet3.flac ext: .flac
Trying demuxer 17 based on filename extension
==> Found audio stream: 0
demux_audio: seeking from 0x1A to start pos 0x0
demux_audio: audio data 0x0 - 0x30CA4
Audio file file format detected.
==========================================================================
Opening audio decoder: [ffmpeg] FFmpeg/libavcodec audio decoders
dec_audio: Allocating 192000 + 65536 = 257536 bytes for output buffer.
FFmpeg's libavcodec audio codec
INFO: libavcodec init OK!

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1209960224 (LWP 19230)]
0x08409902 in metadata_parse (s=0x89b2010) at bitstream.h:687
687         result<<= (index&0x07);

(gdb) bt
#0  0x08409902 in metadata_parse (s=0x89b2010) at bitstream.h:687
#1  0x08409b1c in flac_decode_frame (avctx=0x89b1c80, data=0xb7cb0020, data_size=0xbfe8ebc0, buf=0x89c20f8 "fLaC", buf_size=65536) at flac.c:635
#2  0x082ecc4b in avcodec_decode_audio2 (avctx=0x89b1c80, samples=0xb7cb0020, frame_size_ptr=0xbfe8ebc0,
    buf=0x89b20e8 "õßúÖ\nE\035\v\202\210¯×Ç\215Hs_z\231\224$\204cd\"§\202\204ûéSZµÇ\207Ø%\177\210S\212׊\217\bNo¬UÝ\025+ÖûwBg«\236|Fß'ñ\f{B|m\027ïíf¿\237*I`;Ö\226®Ôâ)\f€¥q\232öÊ\207\b\r\226ÇllH|\217\003U\230'V<Þ°Ï,é\030R¡\025Æ4\033\031\233e|Í\021«<\225ÆŒ
    Âè\205œ¿ôùIÃÎç¡]gq=¡e.÷Ç6ß³wú­6\223hŠ\036pGá\205Î7/\n€±\212\030»\211Ñ\017!\017Z8G²Ò\006\212ä\004\005»Ë\224*ñ"..., buf_size=65535) at utils.c:928
#3  0x08198809 in decode_audio (sh_audio=0x89b1b80, buf=0xb7cb0020 "", minlen=1, maxlen=257536) at libmpcodecs/ad_ffmpeg.c:161
#4  0x08198b57 in init (sh_audio=0x89b1b80) at libmpcodecs/ad_ffmpeg.c:109
#5  0x080db0d3 in init_audio (sh_audio=0x89b1b80, codecname=0x0, afm=0x0, status=1, selected=0xbfe8eca8) at libmpcodecs/dec_audio.c:95
#6  0x080db4c9 in init_best_audio_codec (sh_audio=0x89b1b80, audio_codec_list=0xbfe8eca0, audio_fm_list=0x0) at libmpcodecs/dec_audio.c:270
#7  0x08076839 in reinit_audio_chain () at mplayer.c:1585
#8  0x080781e2 in main (argc=3, argv=0xbfe8ff64) at mplayer.c:3583

(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x84098e2 to 0x8409922:
0x084098e2 <metadata_parse+162>: add %al,(%eax)
0x084098e4 <metadata_parse+164>: lea 0x0(%esi),%esi
0x084098ea <metadata_parse+170>: lea 0x0(%edi),%edi
0x084098f0 <metadata_parse+176>: mov 0xffffffec(%ebp),%edx
0x084098f3 <metadata_parse+179>: mov 0x8(%edx),%ebx
0x084098f6 <metadata_parse+182>: mov (%edx),%esi
0x084098f8 <metadata_parse+184>: mov %ebx,%eax
0x084098fa <metadata_parse+186>: mov %ebx,%ecx
0x084098fc <metadata_parse+188>: sar $0x3,%eax
0x084098ff <metadata_parse+191>: and $0x7,%ecx
0x08409902 <metadata_parse+194>: movzbl (%esi,%eax,1),%eax
0x08409906 <metadata_parse+198>: shl %cl,%al
0x08409908 <metadata_parse+200>: shr $0x7,%al
0x0840990b <metadata_parse+203>: lea 0x1(%ebx),%ecx
0x0840990e <metadata_parse+206>: mov %al,0xfffffff3(%ebp)
0x08409911 <metadata_parse+209>: mov %ecx,%eax
0x08409913 <metadata_parse+211>: mov %ecx,0x8(%edx)
0x08409916 <metadata_parse+214>: sar $0x3,%eax
0x08409919 <metadata_parse+217>: and $0x7,%ecx
0x0840991c <metadata_parse+220>: mov (%esi,%eax,1),%edi
0x0840991f <metadata_parse+223>: bswap %edi
0x08409921 <metadata_parse+225>: shl %cl,%edi
End of assembler dump.

(gdb) info all-registers
eax 0x80048c 8389772
ecx 0x0 0
edx 0x89b202c 144384044
ebx 0x4002460 67118176
esp 0xbfe8ea40 0xbfe8ea40
ebp 0xbfe8ea88 0xbfe8ea88
esi 0x89c20f8 144449784
edi 0x4 4
eip 0x8409902 0x8409902 <metadata_parse+194>
eflags 0x10246 [ PF ZF IF RF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
st0 0 (raw 0x00000000000000000000)
st1 0 (raw 0x00000000000000000000)
st2 0 (raw 0x00000000000000000000)
st3 0 (raw 0x00000000000000000000)
st4 0 (raw 0x00000000000000000000)
st5 1 (raw 0x3fff8000000000000000)
st6 0.54824946668339813449222219787770882 (raw 0x3ffe8c5a13b974631000)
st7 0.54824946668339813449222219787770882 (raw 0x3ffe8c5a13b974631000)
fctrl 0x37f 895
fstat 0x20 32
ftag 0xffff 65535
fiseg 0x73 115
fioff 0x81987cd 135890893
foseg 0x7b 123
fooff 0x89b1c2c 144383020
fop 0x59f 1439
xmm0 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm1 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm2 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm3 {v4_float = {0x0, 0x0, 0x0, 0x0

This bug was found using the zzuf fuzzer, as part of the SUPERB-TRUST 2008 / metafuzz project.
See: http://metafuzz.com/ and http://www.truststc.org/superb/
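Added example, not MPlayer's or FFmpeg's code: the disassembly above shows the get_bits1() pattern at the crash site, a byte load from buf[index>>3] shifted by index&7, with nothing bounding index against the buffer size. The reader below keeps that arithmetic but carries a size and returns -1 on underrun, and uses it to walk the FLAC metadata block headers that follow the "fLaC" marker (assumed standard layout: 1-bit last flag, 7-bit type, 24-bit length), rejecting a constructed stream whose header claims a body longer than the buffer.

```c
#include <stdint.h>
#include <string.h>

/* Bit reader built on the get_bits1() pattern at the crash site (bitstream.h:687):
 * byte = buf[index>>3], shift by index&7, then >>7.  size_in_bits and the
 * underrun checks are the added hardening; nothing here is FFmpeg code. */
typedef struct {
    const uint8_t *buf;
    size_t size_in_bits;
    size_t index;
} BitReader;

/* Reads n <= 32 bits MSB-first; returns -1 instead of reading past buf. */
static int64_t get_bits_checked(BitReader *s, unsigned n) {
    if (n > 32 || s->index + n > s->size_in_bits)
        return -1;
    uint32_t result = 0;
    for (unsigned i = 0; i < n; i++, s->index++) {
        uint8_t byte = s->buf[s->index >> 3];
        byte <<= (s->index & 0x07);          /* the shift seen at bitstream.h:687 */
        result = (result << 1) | (byte >> 7);
    }
    return result;
}

/* Walks the FLAC metadata block headers after "fLaC" (1-bit last flag, 7-bit
 * type, 24-bit body length in bytes).  Returns the number of headers parsed,
 * or -1 if a header or a claimed body would extend past the buffer. */
int parse_flac_metadata(const uint8_t *buf, size_t size) {
    if (size < 4 || memcmp(buf, "fLaC", 4) != 0)
        return -1;
    BitReader br = { buf + 4, (size - 4) * 8, 0 };
    int blocks = 0;
    for (;;) {
        int64_t last = get_bits_checked(&br, 1);
        int64_t type = get_bits_checked(&br, 7);
        int64_t len  = get_bits_checked(&br, 24);
        if (last < 0 || type < 0 || len < 0)
            return -1;                      /* header itself is truncated */
        if ((size_t)len * 8 > br.size_in_bits - br.index)
            return -1;                      /* body would run past the buffer */
        br.index += (size_t)len * 8;
        blocks++;
        if (last)
            return blocks;
    }
}

/* Constructed inputs: one well-formed 4-byte block, and a header claiming a 200-byte body. */
static const uint8_t good_stream[] = { 'f','L','a','C', 0x80,0x00,0x00,0x04, 1,2,3,4 };
static const uint8_t bad_stream[]  = { 'f','L','a','C', 0x80,0x00,0x00,0xC8, 1,2,3,4 };
```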

Change History (2)

comment:1 by aslani@…, 16 years ago

I suspect this report might have something to do with #1161. If it is a duplicate, this test case might also help to debug and test.
Thank you.

comment:2 by reimar, 16 years ago

Resolution: worksforme
Status: new → closed

Valgrind reports no problems for me. Are you sure your libavcodec copy used by MPlayer is up-to-date, too?
