Opened 16 years ago

Last modified 13 years ago

#1196 new defect

Valgrind reports InvalidRead in coeff_get() (bitstream.h:140)

Reported by: thiennga408@…
Owned by: reimar
Priority: normal
Component: ad
Version: HEAD
Severity: normal
Keywords:
Cc: catchconv-bugreports@…
Blocked By:
Blocking:
Reproduced by developer: no
Analyzed by developer: no

Description

In the archive which can be downloaded from the URL
http://www.cs.berkeley.edu/~thiennga/2683904868.tar.gz, there is
an MPEG-2 file (219-charmaineraymond.mpg) where Valgrind reports an invalid read of 4 bytes at an invalid memory location.

I confirmed that this bug is reproducible in the latest Subversion revision of MPlayer,
r27291-4.1.2.

My System Information:
OS: Linux Debian x32
kernel: Linux debian 2.6.18-6-486 #1 Fri Jun 6 21:47:01 UTC 2008 i686 GNU/Linux
libc version: libc-2.3.6.so
gcc version 4.1.2 20061115
ld version 2.17

My Hardware Information:
32-bit Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz
Multimedia audio controller: Ensoniq ES1371 [AudioPCI-97] (rev 02)

To reproduce:
wget http://www.cs.berkeley.edu/~thiennga/2683904868.tar.gz
tar xzvf 2683904868.tar.gz
valgrind mplayer 219-charmaineraymond.mpg

The following is the output from Valgrind:

==3234== Memcheck, a memory error detector.
==3234== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==3234== Using LibVEX rev 1854, a library for dynamic binary translation.
==3234== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==3234== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==3234== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==3234== For more details, rerun with: -v
==3234==
MPlayer dev-SVN-r27291-4.1.2 (C) 2000-2008 MPlayer Team
CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz (Family: 6, Model: 15, Stepping: 6)
CPUflags: MMX: 1 MMX2: 1 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 1
Compiled for x86 CPU with extensions: MMX MMX2 SSE SSE2

Playing 2683904868/219-charmaineraymond.mpg.
TS file format detected.
==3234== Source and destination overlap in memcpy(0xBEFFE1DC, 0xBEFFE1DC, 184)
==3234== Stack hash: 2681948775
==3234== at 0x401FA92: memcpy (mc_replace_strmem.c:402)
==3234== by 0x815FC02: ts_parse (demux_ts.c:3074)
==3234== by 0x8160C66: demux_open_ts (demux_ts.c:664)
==3234== by 0x811E23A: demux_open_stream (demuxer.c:864)
==3234== by 0x811E501: demux_open (demuxer.c:991)
==3234== by 0x80779AE: main (mplayer.c:3238)
VIDEO MPEG2(pid=851) AUDIO A52(pid=853) NO SUBS (yet)! PROGRAM N. 0
==3234==
==3234== Conditional jump or move depends on uninitialised value(s)
==3234== Stack hash: 1692117418
==3234== at 0x815AA10: ts_add_stream (demux_ts.c:296)
==3234== by 0x81612C1: demux_open_ts (demux_ts.c:1026)
==3234== by 0x811E23A: demux_open_stream (demuxer.c:864)
==3234== by 0x811E501: demux_open (demuxer.c:991)
==3234== by 0x80779AE: main (mplayer.c:3238)
==3234==
==3234== Conditional jump or move depends on uninitialised value(s)
==3234== Stack hash: 1705236545
==3234== at 0x815AA17: ts_add_stream (demux_ts.c:296)
==3234== by 0x81612C1: demux_open_ts (demux_ts.c:1026)
==3234== by 0x811E23A: demux_open_stream (demuxer.c:864)
==3234== by 0x811E501: demux_open (demuxer.c:991)
==3234== by 0x80779AE: main (mplayer.c:3238)
==3234==
==3234== Conditional jump or move depends on uninitialised value(s)
==3234== Stack hash: 1722103994
==3234== at 0x815AA20: ts_add_stream (demux_ts.c:296)
==3234== by 0x81612C1: demux_open_ts (demux_ts.c:1026)
==3234== by 0x811E23A: demux_open_stream (demuxer.c:864)
==3234== by 0x811E501: demux_open (demuxer.c:991)
==3234== by 0x80779AE: main (mplayer.c:3238)
==3234==
==3234== Conditional jump or move depends on uninitialised value(s)
==3234== Stack hash: 1735223121
==3234== at 0x815AA27: ts_add_stream (demux_ts.c:296)
==3234== by 0x81612C1: demux_open_ts (demux_ts.c:1026)
==3234== by 0x811E23A: demux_open_stream (demuxer.c:864)
==3234== by 0x811E501: demux_open (demuxer.c:991)
==3234== by 0x80779AE: main (mplayer.c:3238)
==3234==
==3234== Conditional jump or move depends on uninitialised value(s)
==3234== Stack hash: 1752090570
==3234== at 0x815AA30: ts_add_stream (demux_ts.c:296)
==3234== by 0x81612C1: demux_open_ts (demux_ts.c:1026)
==3234== by 0x811E23A: demux_open_stream (demuxer.c:864)
==3234== by 0x811E501: demux_open (demuxer.c:991)
==3234== by 0x80779AE: main (mplayer.c:3238)
==3234==
==3234== Conditional jump or move depends on uninitialised value(s)
==3234== Stack hash: 1926691461
==3234== at 0x815AA88: ts_add_stream (demux_ts.c:319)
==3234== by 0x8161380: demux_open_ts (demux_ts.c:1039)
==3234== by 0x811E23A: demux_open_stream (demuxer.c:864)
==3234== by 0x811E501: demux_open (demuxer.c:991)
==3234== by 0x80779AE: main (mplayer.c:3238)
==3234==
==3234== Conditional jump or move depends on uninitialised value(s)
==3234== Stack hash: 1941684749
==3234== at 0x815AA90: ts_add_stream (demux_ts.c:319)
==3234== by 0x8161380: demux_open_ts (demux_ts.c:1039)
==3234== by 0x811E23A: demux_open_stream (demuxer.c:864)
==3234== by 0x811E501: demux_open (demuxer.c:991)
==3234== by 0x80779AE: main (mplayer.c:3238)
==3234==
==3234== Conditional jump or move depends on uninitialised value(s)
==3234== Stack hash: 1956678037
==3234== at 0x815AA98: ts_add_stream (demux_ts.c:319)
==3234== by 0x8161380: demux_open_ts (demux_ts.c:1039)
==3234== by 0x811E23A: demux_open_stream (demuxer.c:864)
==3234== by 0x811E501: demux_open (demuxer.c:991)
==3234== by 0x80779AE: main (mplayer.c:3238)
==3234==
==3234== Conditional jump or move depends on uninitialised value(s)
==3234== Stack hash: 1971671325
==3234== at 0x815AAA0: ts_add_stream (demux_ts.c:319)
==3234== by 0x8161380: demux_open_ts (demux_ts.c:1039)
==3234== by 0x811E23A: demux_open_stream (demuxer.c:864)
==3234== by 0x811E501: demux_open (demuxer.c:991)
==3234== by 0x80779AE: main (mplayer.c:3238)
==3234==
==3234== Conditional jump or move depends on uninitialised value(s)
==3234== Stack hash: 1986664613
==3234== at 0x815AAA8: ts_add_stream (demux_ts.c:319)
==3234== by 0x8161380: demux_open_ts (demux_ts.c:1039)
==3234== by 0x811E23A: demux_open_stream (demuxer.c:864)
==3234== by 0x811E501: demux_open (demuxer.c:991)
==3234== by 0x80779AE: main (mplayer.c:3238)
==3234==
==3234== Conditional jump or move depends on uninitialised value(s)
==3234== Stack hash: 96363107
==3234== at 0x815AA10: ts_add_stream (demux_ts.c:296)
==3234== by 0x81607CF: ts_parse (demux_ts.c:2812)
==3234== by 0x8160903: demux_ts_fill_buffer (demux_ts.c:3224)
==3234== by 0x811E974: ds_fill_buffer (demuxer.c:498)
==3234== by 0x811F234: demux_pattern_3 (demuxer.c:554)
==3234== by 0x816C4B0: sync_video_packet (parse_es.c:27)
==3234== by 0x816DC27: video_read_properties (video.c:265)
==3234== by 0x8077CA2: main (mplayer.c:3388)
==3234==
==3234== Conditional jump or move depends on uninitialised value(s)
==3234== Stack hash: 3194539454
==3234== at 0x815AA17: ts_add_stream (demux_ts.c:296)
==3234== by 0x81607CF: ts_parse (demux_ts.c:2812)
==3234== by 0x8160903: demux_ts_fill_buffer (demux_ts.c:3224)
==3234== by 0x811E974: ds_fill_buffer (demuxer.c:498)
==3234== by 0x811F234: demux_pattern_3 (demuxer.c:554)
==3234== by 0x816C4B0: sync_video_packet (parse_es.c:27)
==3234== by 0x816DC27: video_read_properties (video.c:265)
==3234== by 0x8077CA2: main (mplayer.c:3388)
==3234==
==3234== Conditional jump or move depends on uninitialised value(s)
==3234== Stack hash: 2882941747
==3234== at 0x815AA20: ts_add_stream (demux_ts.c:296)
==3234== by 0x81607CF: ts_parse (demux_ts.c:2812)
==3234== by 0x8160903: demux_ts_fill_buffer (demux_ts.c:3224)
==3234== by 0x811E974: ds_fill_buffer (demuxer.c:498)
==3234== by 0x811F234: demux_pattern_3 (demuxer.c:554)
==3234== by 0x816C4B0: sync_video_packet (parse_es.c:27)
==3234== by 0x816DC27: video_read_properties (video.c:265)
==3234== by 0x8077CA2: main (mplayer.c:3388)
==3234==
==3234== Conditional jump or move depends on uninitialised value(s)
==3234== Stack hash: 1686150798
==3234== at 0x815AA27: ts_add_stream (demux_ts.c:296)
==3234== by 0x81607CF: ts_parse (demux_ts.c:2812)
==3234== by 0x8160903: demux_ts_fill_buffer (demux_ts.c:3224)
==3234== by 0x811E974: ds_fill_buffer (demuxer.c:498)
==3234== by 0x811F234: demux_pattern_3 (demuxer.c:554)
==3234== by 0x816C4B0: sync_video_packet (parse_es.c:27)
==3234== by 0x816DC27: video_read_properties (video.c:265)
==3234== by 0x8077CA2: main (mplayer.c:3388)
==3234==
==3234== Conditional jump or move depends on uninitialised value(s)
==3234== Stack hash: 1374553091
==3234== at 0x815AA30: ts_add_stream (demux_ts.c:296)
==3234== by 0x81607CF: ts_parse (demux_ts.c:2812)
==3234== by 0x8160903: demux_ts_fill_buffer (demux_ts.c:3224)
==3234== by 0x811E974: ds_fill_buffer (demuxer.c:498)
==3234== by 0x811F234: demux_pattern_3 (demuxer.c:554)
==3234== by 0x816C4B0: sync_video_packet (parse_es.c:27)
==3234== by 0x816DC27: video_read_properties (video.c:265)
==3234== by 0x8077CA2: main (mplayer.c:3388)
==3234==
==3234== Conditional jump or move depends on uninitialised value(s)
==3234== Stack hash: 1668350075
==3234== at 0x815AA88: ts_add_stream (demux_ts.c:319)
==3234== by 0x81607CF: ts_parse (demux_ts.c:2812)
==3234== by 0x8160903: demux_ts_fill_buffer (demux_ts.c:3224)
==3234== by 0x811E974: ds_fill_buffer (demuxer.c:498)
==3234== by 0x811F234: demux_pattern_3 (demuxer.c:554)
==3234== by 0x816C4B0: sync_video_packet (parse_es.c:27)
==3234== by 0x816DC27: video_read_properties (video.c:265)
==3234== by 0x8077CA2: main (mplayer.c:3388)
==3234==
==3234== Conditional jump or move depends on uninitialised value(s)
==3234== Stack hash: 914155747
==3234== at 0x815AA90: ts_add_stream (demux_ts.c:319)
==3234== by 0x81607CF: ts_parse (demux_ts.c:2812)
==3234== by 0x8160903: demux_ts_fill_buffer (demux_ts.c:3224)
==3234== by 0x811E974: ds_fill_buffer (demuxer.c:498)
==3234== by 0x811F234: demux_pattern_3 (demuxer.c:554)
==3234== by 0x816C4B0: sync_video_packet (parse_es.c:27)
==3234== by 0x816DC27: video_read_properties (video.c:265)
==3234== by 0x8077CA2: main (mplayer.c:3388)
==3234==
==3234== Conditional jump or move depends on uninitialised value(s)
==3234== Stack hash: 159961419
==3234== at 0x815AA98: ts_add_stream (demux_ts.c:319)
==3234== by 0x81607CF: ts_parse (demux_ts.c:2812)
==3234== by 0x8160903: demux_ts_fill_buffer (demux_ts.c:3224)
==3234== by 0x811E974: ds_fill_buffer (demuxer.c:498)
==3234== by 0x811F234: demux_pattern_3 (demuxer.c:554)
==3234== by 0x816C4B0: sync_video_packet (parse_es.c:27)
==3234== by 0x816DC27: video_read_properties (video.c:265)
==3234== by 0x8077CA2: main (mplayer.c:3388)
==3234==
==3234== Conditional jump or move depends on uninitialised value(s)
==3234== Stack hash: 3700734387
==3234== at 0x815AAA0: ts_add_stream (demux_ts.c:319)
==3234== by 0x81607CF: ts_parse (demux_ts.c:2812)
==3234== by 0x8160903: demux_ts_fill_buffer (demux_ts.c:3224)
==3234== by 0x811E974: ds_fill_buffer (demuxer.c:498)
==3234== by 0x811F234: demux_pattern_3 (demuxer.c:554)
==3234== by 0x816C4B0: sync_video_packet (parse_es.c:27)
==3234== by 0x816DC27: video_read_properties (video.c:265)
==3234== by 0x8077CA2: main (mplayer.c:3388)
==3234==
==3234== Conditional jump or move depends on uninitialised value(s)
==3234== Stack hash: 2946540059
==3234== at 0x815AAA8: ts_add_stream (demux_ts.c:319)
==3234== by 0x81607CF: ts_parse (demux_ts.c:2812)
==3234== by 0x8160903: demux_ts_fill_buffer (demux_ts.c:3224)
==3234== by 0x811E974: ds_fill_buffer (demuxer.c:498)
==3234== by 0x811F234: demux_pattern_3 (demuxer.c:554)
==3234== by 0x816C4B0: sync_video_packet (parse_es.c:27)
==3234== by 0x816DC27: video_read_properties (video.c:265)
==3234== by 0x8077CA2: main (mplayer.c:3388)
MPEG: FATAL: EOF while searching for sequence header.
Video: Cannot read properties.
==========================================================================
Opening audio decoder: [liba52] AC3 decoding with liba52
Using SSE optimized IMDCT transform
a52: CRC check failed!
Using MMX optimized resampler
AUDIO: 48000 Hz, 2 ch, s16le, 384.0 kbit/25.00% (ratio: 48000->192000)
Selected audio codec: [a52] afm: liba52 (AC3-liba52)
==========================================================================
AO: [oss] 48000Hz 2ch s16le (2 bytes per sample)
Video: no video
Starting playback...
==3234==
==3234== Invalid read of size 4
==3234== Stack hash: 3757081228
==3234== at 0x8195CA0: coeff_get (bitstream.h:140)
==3234== by 0x8196EEF: a52_block (parse.c:788)
==3234== by 0x818EA6C: decode_audio (ad_liba52.c:307)
==3234== by 0x80DA984: decode_audio (dec_audio.c:383)
==3234== by 0x80784F9: main (mplayer.c:2044)
==3234== Address 0x437f16e is 3,838 bytes inside a block of size 3,840 alloc'd
==3234== Stack hash: 2166557391
==3234== at 0x401C882: memalign (vg_replace_malloc.c:460)
==3234== by 0x80DAF6C: init_audio (dec_audio.c:77)
==3234== by 0x80DB418: init_best_audio_codec (dec_audio.c:270)
==3234== by 0x8076788: reinit_audio_chain (mplayer.c:1585)
==3234== by 0x8078131: main (mplayer.c:3583)
a52: error at resampling
a52: CRC check failed!
a52: error at resampling
a52: CRC check failed!
a52: error at resampling
a52: error at resamplingf 7.7 (07.7) ??,?%
A:42383.0 (11:46:23.0) of 7.7 (07.7) ??,?%

Exiting... (End of file)
==3234==
==3234== ERROR SUMMARY: 773 errors from 22 contexts (suppressed: 19 from 1)
==3234== malloc/free: in use at exit: 235,914 bytes in 91 blocks.
==3234== malloc/free: 2,485 allocs, 2,394 frees, 1,997,866 bytes allocated.
==3234== For counts of detected errors, rerun with: -v
==3234== searching for pointers to 91 not-freed blocks.
==3234== checked 2,899,232 bytes.
==3234==
==3234== LEAK SUMMARY:
==3234== definitely lost: 203,006 bytes in 79 blocks.
==3234== possibly lost: 0 bytes in 0 blocks.
==3234== still reachable: 32,908 bytes in 12 blocks.
==3234== suppressed: 0 bytes in 0 blocks.
==3234== Rerun with --leak-check=full to see details of leaked memory.

This bug was found using the zzuf fuzzer.

This bug was found as part of the SUPERB-TRUST 2008 project; see
http://www.truststc.org/superb/

Please let me know if you need more information.
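The invalid read in the report is a 4-byte fetch starting 3,838 bytes into a 3,840-byte heap block, so it overruns the allocation by 2 bytes. The script below, added here as an example and not code from the ticket, MPlayer, liba52 or Valgrind, parses memcheck output in the textual format shown above and computes that overrun for each invalid access, pairing the access stack with the allocation stack. The embedded log excerpt is copied from the report; the regular expressions assume the line format shown there.

```python
"""Triage helper for Valgrind memcheck "Invalid read/write" reports.

Added example for this ticket (not MPlayer or Valgrind code). It strips the
==PID== prefix, collects the access stack, the "Address ... is N bytes
inside/after/before a block of size M alloc'd" line and the allocation stack,
and reports how many bytes of the access fall past the end of the block.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: the relevant excerpt copied from the ticket's Valgrind log.
SAMPLE_LOG = """\
==3234== Invalid read of size 4
==3234== Stack hash: 3757081228
==3234== at 0x8195CA0: coeff_get (bitstream.h:140)
==3234== by 0x8196EEF: a52_block (parse.c:788)
==3234== by 0x818EA6C: decode_audio (ad_liba52.c:307)
==3234== Address 0x437f16e is 3,838 bytes inside a block of size 3,840 alloc'd
==3234== Stack hash: 2166557391
==3234== at 0x401C882: memalign (vg_replace_malloc.c:460)
==3234== by 0x80DAF6C: init_audio (dec_audio.c:77)
"""

PREFIX = re.compile(r"^==\d+==\s*")
ACCESS = re.compile(r"^Invalid (read|write) of size (\d+)$")
FRAME = re.compile(r"^(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \(([^)]+)\)$")
ADDR = re.compile(
    r"^Address 0x[0-9a-fA-F]+ is ([\d,]+) bytes (inside|after|before) "
    r"a block of size ([\d,]+) alloc'd$"
)


@dataclass
class InvalidAccess:
    kind: str                      # "read" or "write"
    size: int                      # bytes accessed
    access_stack: List[str] = field(default_factory=list)
    offset: Optional[int] = None   # distance reported relative to the block
    relation: Optional[str] = None # "inside", "after" or "before"
    block_size: Optional[int] = None
    alloc_stack: List[str] = field(default_factory=list)

    def overrun_bytes(self) -> Optional[int]:
        """Bytes of the access lying past the end of the heap block (None if unknown)."""
        if self.offset is None or self.block_size is None:
            return None
        if self.relation == "inside":
            return max(0, self.offset + self.size - self.block_size)
        if self.relation == "after":
            return self.offset + self.size
        return 0  # "before": an underflow, not an overrun past the end


def _num(text: str) -> int:
    return int(text.replace(",", ""))


def parse_memcheck(text: str) -> List[InvalidAccess]:
    """Parse memcheck output and return one record per 'Invalid read/write'."""
    results: List[InvalidAccess] = []
    current: Optional[InvalidAccess] = None
    in_alloc = False  # True once the "Address ..." line switches us to the alloc stack
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if not line:  # a bare "==PID==" line ends the current error block
            current, in_alloc = None, False
            continue
        m = ACCESS.match(line)
        if m:
            current = InvalidAccess(kind=m.group(1), size=int(m.group(2)))
            results.append(current)
            in_alloc = False
            continue
        if current is None:
            continue  # unrelated program output or other error kinds
        m = ADDR.match(line)
        if m:
            current.offset = _num(m.group(1))
            current.relation = m.group(2)
            current.block_size = _num(m.group(3))
            in_alloc = True
            continue
        m = FRAME.match(line)
        if m:
            frame = f"{m.group(1)} ({m.group(2)})"
            (current.alloc_stack if in_alloc else current.access_stack).append(frame)
    return results


if __name__ == "__main__":
    for r in parse_memcheck(SAMPLE_LOG):
        print(f"{r.kind} of {r.size} bytes in {r.access_stack[0]}: "
              f"{r.overrun_bytes()} byte(s) past block of {r.block_size} "
              f"allocated at {r.alloc_stack[-1]}")
```

Run on the excerpt it reports that the read in coeff_get overruns the 3,840-byte block allocated in init_audio by 2 bytes. The same parser can be fed a full memcheck log; lines that are not part of an invalid-access block (the "Conditional jump" reports, the "a52:" messages) are ignored, and the "after"/"before" forms of the Address line are handled so accesses entirely outside a block are also measured.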

Change History (1)

comment:1 by compn, 13 years ago

Owner: changed from r_togni@… to reimar