Opened 16 years ago
Closed 16 years ago
#1195 closed defect (worksforme)
[Crash] for this .flac, Valgrind reports InvalidRead @ metadata_parse (bitstream.h:687)
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | normal | Component: | demuxer |
| Version: | HEAD | Severity: | normal |
| Keywords: | | Cc: | catchconv-bugreports@… |
| Blocked By: | | Blocking: | |
| Reproduced by developer: | no | Analyzed by developer: | no |
Description
For this .flac file, Valgrind 3.3.1 reports an InvalidRead of size 1 in the latest Subversion MPlayer, SVN-r27288-4.1.2, and MPlayer crashes.
System Info:
OS: Debian Etch Linux, Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz
uname -a: Linux debian 2.6.18-4-486 #1 Mon Mar 26 16:39:10 UTC 2007 i686 GNU/Linux
To reproduce:
wget http://www.metafuzz.com/testcases/514188-3-1901000944-InvalidRead.tgz
tar xzf 514188-3-1901000944-InvalidRead.tgz
valgrind mplayer 3-snippet3.flac
Valgrind result:
Playing 3-snippet3.flac.
Audio file file format detected.
==========================================================================
Opening audio decoder: [ffmpeg] FFmpeg/libavcodec audio decoders
==18574== Invalid read of size 1<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
==18574== Stack hash: 1653449124
==18574== at 0x8409902: metadata_parse (bitstream.h:687)
==18574== by 0x8409B1B: flac_decode_frame (flac.c:635)
==18574== by 0x82ECC4A: avcodec_decode_audio2 (utils.c:928)
==18574== by 0x8198808: decode_audio (ad_ffmpeg.c:161)
==18574== by 0x8198B56: init (ad_ffmpeg.c:109)
==18574== by 0x80DB0D2: init_audio (dec_audio.c:95)
==18574== by 0x80DB4C8: init_best_audio_codec (dec_audio.c:270)
==18574== by 0x8076838: reinit_audio_chain (mplayer.c:1585)
==18574== by 0x80781E1: main (mplayer.c:3583)
==18574== Address 0x4b4b4b4 is not stack'd, malloc'd or (recently) free'd
MPlayer interrupted by signal 11 in module: init_audio_codec
- MPlayer crashed by bad usage of CPU/FPU/RAM. Recompile MPlayer with --enable-debug and make a 'gdb' backtrace and disassembly. Details in DOCS/HTML/en/bugreports_what.html#bugreports_crash.
==18574==
==18574== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 19 from 1)
==18574== malloc/free: in use at exit: 489,523 bytes in 2,188 blocks.
==18574== malloc/free: 2,319 allocs, 131 frees, 1,836,165 bytes allocated.
==18574== For counts of detected errors, rerun with: -v
==18574== searching for pointers to 2,188 not-freed blocks.
==18574== checked 3,352,936 bytes.
==18574==
==18574== LEAK SUMMARY:
==18574== definitely lost: 0 bytes in 0 blocks.
==18574== possibly lost: 0 bytes in 0 blocks.
gdb Backtrace
(gdb) run -v 3-snippet3.flac
Starting program: /usr/local/bin/mplayer -v 3-snippet3.flac
Failed to read a valid object file image from memory.
[Thread debugging using libthread_db enabled]
[New Thread -1209960224 (LWP 19230)]
MPlayer dev-SVN-r27288-4.1.2 (C) 2000-2008 MPlayer Team
CPU: Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz (Family: 6, Model: 15, Stepping: 13)
CPUflags: MMX: 1 MMX2: 1 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 1
Compiled for x86 CPU with extensions: MMX MMX2 SSE SSE2
get_path('codecs.conf') -> '/home/user/.mplayer/codecs.conf'
Reading /home/user/.mplayer/codecs.conf: Can't open '/home/user/.mplayer/codecs.conf': No such file or directory
Reading /usr/local/etc/mplayer/codecs.conf: Can't open '/usr/local/etc/mplayer/codecs.conf': No such file or directory
Using built-in default codecs.conf.
Configuration: --enable-debug=3
CommandLine: '-v' '3-snippet3.flac'
get_path('font/font.desc') -> '/home/user/.mplayer/font/font.desc'
font: can't open file: /home/user/.mplayer/font/font.desc
font: can't open file: /usr/local/share/mplayer/font/font.desc
Using MMX (with tiny bit MMX2) Optimized OnScreenDisplay
Using nanosleep() timing
get_path('input.conf') -> '/home/user/.mplayer/input.conf'
Can't open input config file /home/user/.mplayer/input.conf: No such file or directory
Can't open input config file /usr/local/etc/mplayer/input.conf: No such file or directory
Falling back on default (hardcoded) input config
get_path('3-snippet3.flac.conf') -> '/home/user/.mplayer/3-snippet3.flac.conf'
Playing 3-snippet3.flac.
get_path('sub/') -> '/home/user/.mplayer/sub/'
[file] File size is 199844 bytes
STREAM: [file] 3-snippet3.flac
STREAM: Description: File
STREAM: Author: Albeu
STREAM: Comment: based on the code from ??? (probably Arpi)
LAVF_check: raw FLAC
Checking for YUV4MPEG2
ASF_check: not ASF guid!
Checking for NuppelVideo
Checking for REAL
Checking for SMJPEG
Searching demuxer type for filename 3-snippet3.flac ext: .flac
Trying demuxer 17 based on filename extension
==> Found audio stream: 0
demux_audio: seeking from 0x1A to start pos 0x0
demux_audio: audio data 0x0 - 0x30CA4
Audio file file format detected.
==========================================================================
Opening audio decoder: [ffmpeg] FFmpeg/libavcodec audio decoders
dec_audio: Allocating 192000 + 65536 = 257536 bytes for output buffer.
FFmpeg's libavcodec audio codec
INFO: libavcodec init OK!
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1209960224 (LWP 19230)]
0x08409902 in metadata_parse (s=0x89b2010) at bitstream.h:687
687 result<<= (index&0x07);
(gdb) bt
#0 0x08409902 in metadata_parse (s=0x89b2010) at bitstream.h:687
#1 0x08409b1c in flac_decode_frame (avctx=0x89b1c80, data=0xb7cb0020,
data_size=0xbfe8ebc0, buf=0x89c20f8 "fLaC", buf_size=65536) at flac.c:635
#2 0x082ecc4b in avcodec_decode_audio2 (avctx=0x89b1c80, samples=0xb7cb0020,
frame_size_ptr=0xbfe8ebc0,
buf=0x89b20e8 "õßúÖ\nE\035\v\202\210¯×Ç\215Hs_z\231\224$\204cd\"§\202\204ûéSZµÇ\207Ø%\177\210S\212׊\217\bNo¬UÝ\025+ÖûwBg«\236|Fß'ñ\f{B|m\027ïíf¿\237*I`;Ö\226®Ôâ)\f€¥q\232öÊ\207\b\r\226ÇllH|\217\003U\230'V<Þ°Ï,é\030R¡\025Æ4\033\031\233e|Í\021«<\225ÆŒ
Âè\205œ¿ôùIÃÎç¡]gq=¡e.÷Ç6ß³wú6\223hŠ\036pGá\205Î7/\n€±\212\030»\211Ñ\017!\017Z8G²Ò\006\212ä\004\005»Ë\224*ñ"..., buf_size=65535)
at utils.c:928
#3 0x08198809 in decode_audio (sh_audio=0x89b1b80, buf=0xb7cb0020 "",
minlen=1, maxlen=257536) at libmpcodecs/ad_ffmpeg.c:161
#4 0x08198b57 in init (sh_audio=0x89b1b80) at libmpcodecs/ad_ffmpeg.c:109
#5 0x080db0d3 in init_audio (sh_audio=0x89b1b80, codecname=0x0, afm=0x0,
status=1, selected=0xbfe8eca8) at libmpcodecs/dec_audio.c:95
#6 0x080db4c9 in init_best_audio_codec (sh_audio=0x89b1b80,
audio_codec_list=0xbfe8eca0, audio_fm_list=0x0)
at libmpcodecs/dec_audio.c:270
#7 0x08076839 in reinit_audio_chain () at mplayer.c:1585
#8 0x080781e2 in main (argc=3, argv=0xbfe8ff64) at mplayer.c:3583
(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x84098e2 to 0x8409922:
0x084098e2 <metadata_parse+162>: add %al,(%eax)
0x084098e4 <metadata_parse+164>: lea 0x0(%esi),%esi
0x084098ea <metadata_parse+170>: lea 0x0(%edi),%edi
0x084098f0 <metadata_parse+176>: mov 0xffffffec(%ebp),%edx
0x084098f3 <metadata_parse+179>: mov 0x8(%edx),%ebx
0x084098f6 <metadata_parse+182>: mov (%edx),%esi
0x084098f8 <metadata_parse+184>: mov %ebx,%eax
0x084098fa <metadata_parse+186>: mov %ebx,%ecx
0x084098fc <metadata_parse+188>: sar $0x3,%eax
0x084098ff <metadata_parse+191>: and $0x7,%ecx
0x08409902 <metadata_parse+194>: movzbl (%esi,%eax,1),%eax
0x08409906 <metadata_parse+198>: shl %cl,%al
0x08409908 <metadata_parse+200>: shr $0x7,%al
0x0840990b <metadata_parse+203>: lea 0x1(%ebx),%ecx
0x0840990e <metadata_parse+206>: mov %al,0xfffffff3(%ebp)
0x08409911 <metadata_parse+209>: mov %ecx,%eax
0x08409913 <metadata_parse+211>: mov %ecx,0x8(%edx)
0x08409916 <metadata_parse+214>: sar $0x3,%eax
0x08409919 <metadata_parse+217>: and $0x7,%ecx
0x0840991c <metadata_parse+220>: mov (%esi,%eax,1),%edi
0x0840991f <metadata_parse+223>: bswap %edi
0x08409921 <metadata_parse+225>: shl %cl,%edi
End of assembler dump.
(gdb) info all-registers
eax 0x80048c 8389772
ecx 0x0 0
edx 0x89b202c 144384044
ebx 0x4002460 67118176
esp 0xbfe8ea40 0xbfe8ea40
ebp 0xbfe8ea88 0xbfe8ea88
esi 0x89c20f8 144449784
edi 0x4 4
eip 0x8409902 0x8409902 <metadata_parse+194>
eflags 0x10246 [ PF ZF IF RF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
st0 0 (raw 0x00000000000000000000)
st1 0 (raw 0x00000000000000000000)
st2 0 (raw 0x00000000000000000000)
st3 0 (raw 0x00000000000000000000)
st4 0 (raw 0x00000000000000000000)
st5 1 (raw 0x3fff8000000000000000)
st6 0.54824946668339813449222219787770882 (raw 0x3ffe8c5a13b974631000)
st7 0.54824946668339813449222219787770882 (raw 0x3ffe8c5a13b974631000)
fctrl 0x37f 895
fstat 0x20 32
ftag 0xffff 65535
fiseg 0x73 115
fioff 0x81987cd 135890893
foseg 0x7b 123
fooff 0x89b1c2c 144383020
fop 0x59f 1439
xmm0 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
uint128 = 0x00000000000000000000000000000000}
xmm1 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
uint128 = 0x00000000000000000000000000000000}
xmm2 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
uint128 = 0x00000000000000000000000000000000}
xmm3 {v4_float = {0x0, 0x0, 0x0, 0x0 ... (register dump truncated in the original report)
This bug was found using the zzuf fuzzer, as part of the SUPERB-TRUST 2008 / metafuzz project.
See: http://metafuzz.com/ and http://www.truststc.org/superb/
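The faulting instruction in the disassembly above (`movzbl (%esi,%eax,1)`) indexes the buffer in %esi (0x89c20f8, the 65536-byte `buf` of frame #1) by the bit index in %ebx shifted right by three, i.e. byte offset 0x80048c, so the bit reader has been advanced roughly 8 MB past the end of a 64 KB buffer while parsing metadata. The following is an added example, not FFmpeg or MPlayer code: a bounds-checked walk over FLAC metadata block headers that refuses any declared block length which would carry the read position outside the buffer. It assumes the standard FLAC metadata header layout (1-bit last flag, 7-bit type, 24-bit length) and uses constructed inputs rather than the ticket's test file.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Bit reader that carries its buffer size, so every read can be checked
 * (the reader at bitstream.h:687 above only tracks buffer and index). */
typedef struct { const uint8_t *buf; size_t size; size_t index; } BitReader;

/* Read n (1..24) bits MSB-first; returns -1 instead of reading past the end. */
static int32_t get_bits_checked(BitReader *r, unsigned n) {
    if (n == 0 || n > 24 || r->index + n > r->size * 8) return -1;
    uint32_t v = 0;
    for (unsigned i = 0; i < n; i++, r->index++)
        v = (v << 1) | ((r->buf[r->index >> 3] >> (7 - (r->index & 7))) & 1);
    return (int32_t)v;
}

/* Walk "fLaC" + metadata block headers (1-bit last flag, 7-bit type,
 * 24-bit length). Returns the block count, or -1 if a header is truncated
 * or a declared length would move the read position outside the buffer. */
int flac_count_metadata_blocks(const uint8_t *buf, size_t size) {
    if (size < 4 || memcmp(buf, "fLaC", 4) != 0) return -1;
    BitReader r = { buf, size, 32 };            /* skip the "fLaC" marker */
    int blocks = 0, last = 0;
    while (!last) {
        int32_t flag = get_bits_checked(&r, 1);
        int32_t type = get_bits_checked(&r, 7);
        int32_t len  = get_bits_checked(&r, 24);
        if (flag < 0 || type < 0 || len < 0) return -1;
        /* The check whose absence lets the index run to 0x4002460 bits above. */
        if ((size_t)len > size - r.index / 8) return -1;
        r.index += (size_t)len * 8;
        last = flag; blocks++;
    }
    return blocks;
}

/* Constructed inputs (hypothetical samples, not the ticket's test case). */
int demo_valid_streaminfo(void) {   /* last=1, type=0, len=34: one block */
    uint8_t f[4 + 4 + 34] = { 'f', 'L', 'a', 'C', 0x80, 0x00, 0x00, 0x22 };
    return flac_count_metadata_blocks(f, sizeof f);
}
int demo_oversized_length(void) {   /* len=0x800484 declared inside 12 bytes */
    uint8_t f[12] = { 'f', 'L', 'a', 'C', 0x00, 0x80, 0x04, 0x84 };
    return flac_count_metadata_blocks(f, sizeof f);
}
int demo_truncated_header(void) {   /* marker plus only two header bytes */
    uint8_t f[6] = { 'f', 'L', 'a', 'C', 0x00, 0x00 };
    return flac_count_metadata_blocks(f, sizeof f);
}
```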
Change History (2)
comment:1 by , 16 years ago
comment:2 by , 16 years ago
| Resolution: | → worksforme |
|---|---|
| Status: | new → closed |
Valgrind reports no problems for me. Are you sure your libavcodec copy used by MPlayer is up-to-date, too?
I suspect this report might have something to do with #1161. If it is a duplicated one, this test case might also help to debug and test.
Thank you.