Opened 16 years ago
Closed 16 years ago
#1198 closed defect (fixed)
[Crash] for .mp4 , valgrind reports InvalidWrite, Mplayer crashes.
Reported by: | | Owned by: | |
---|---|---|---|
Priority: | normal | Component: | demuxer |
Version: | HEAD | Severity: | normal |
Keywords: | | Cc: | catchconv-bugreports@… |
Blocked By: | | Blocking: | |
Reproduced by developer: | no | Analyzed by developer: | no |
Description
For this .mp4 file, Valgrind 3.3.1 reports an Invalid Write in the latest Subversion revision of MPlayer, SVN-r27288-4.1.2, and MPlayer crashed.
This might be similar to bug #1187.
System Info:
OS: Debian Etch Linux, Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz
uname -a: Linux debian 2.6.18-4-486 #1 Mon Mar 26 16:39:10 UTC 2007 i686 GNU/Linux
To reproduce:
wget http://www.metafuzz.com/testcases/965225-41-2023262462-Leak_DefinitelyLost.tgz
tar xzf 965225-41-2023262462-Leak_DefinitelyLost.tgz
valgrind mplayer 41-geass.mp4
Valgrind result:
==21370== Invalid write of size 4 <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
==21370== Stack hash: 2235149101
==21370== at 0x813E515: lschunks_intrak (demux_mov.c:1756)
==21370== by 0x813A346: lschunks (demux_mov.c:1286)
==21370== by 0x813C7F2: lschunks_intrak (demux_mov.c:1867)
==21370== by 0x813A346: lschunks (demux_mov.c:1286)
==21370== by 0x813C7F2: lschunks_intrak (demux_mov.c:1867)
==21370== by 0x813A346: lschunks (demux_mov.c:1286)
==21370== by 0x813C7F2: lschunks_intrak (demux_mov.c:1867)
==21370== by 0x813A346: lschunks (demux_mov.c:1286)
==21370== by 0x813A9CE: lschunks (demux_mov.c:1314)
==21370== by 0x813C2C5: mov_read_header (demux_mov.c:1934)
==21370== by 0x811E2EA: demux_open_stream (demuxer.c:864)
==21370== by 0x811E5B1: demux_open (demuxer.c:991)
==21370== Address 0x0 is not stack'd, malloc'd or (recently) free'd
MPlayer interrupted by signal 11 in module: demux_open
- MPlayer crashed by bad usage of CPU/FPU/RAM. Recompile MPlayer with --enable-debug and make a 'gdb' backtrace and disassembly. Details in DOCS/HTML/en/bugreports_what.html#bugreports_crash.
- MPlayer crashed. This shouldn't happen. It can be a bug in the MPlayer code _or_ in your drivers _or_ in your gcc version. If you think it's MPlayer's fault, please read DOCS/HTML/en/bugreports.html and follow the instructions there. We can't and won't help unless you provide this information when reporting a possible bug.
==21370==
==21370== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 19 from 1)
==21370== malloc/free: in use at exit: 99,044 bytes in 2,184 blocks.
==21370== malloc/free: 2,323 allocs, 138 frees, 1,257,053 bytes allocated.
==21370== For counts of detected errors, rerun with: -v
==21370== searching for pointers to 2,184 not-freed blocks.
==21370== checked 2,966,272 bytes.
==21370==
==21370== LEAK SUMMARY:
==21370== definitely lost: 854 bytes in 3 blocks.
==21370== possibly lost: 0 bytes in 0 blocks.
gdb backtrace:
Starting program: /usr/local/bin/mplayer -v 41-geass.mp4
Failed to read a valid object file image from memory.
[Thread debugging using libthread_db enabled]
[New Thread -1209861920 (LWP 21965)]
MPlayer dev-SVN-r27288-4.1.2 (C) 2000-2008 MPlayer Team
CPU: Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz (Family: 6, Model: 15, Stepping: 13)
CPUflags: MMX: 1 MMX2: 1 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 1
Compiled for x86 CPU with extensions: MMX MMX2 SSE SSE2
get_path('codecs.conf') -> '/home/user/.mplayer/codecs.conf'
Reading /home/user/.mplayer/codecs.conf: Can't open '/home/user/.mplayer/codecs.conf': No such file or directory
Reading /usr/local/etc/mplayer/codecs.conf: Can't open '/usr/local/etc/mplayer/codecs.conf': No such file or directory
Using built-in default codecs.conf.
Configuration: --enable-debug=3
CommandLine: '-v' '41-geass.mp4'
get_path('font/font.desc') -> '/home/user/.mplayer/font/font.desc'
font: can't open file: /home/user/.mplayer/font/font.desc
font: can't open file: /usr/local/share/mplayer/font/font.desc
Using MMX (with tiny bit MMX2) Optimized OnScreenDisplay
Using nanosleep() timing
get_path('input.conf') -> '/home/user/.mplayer/input.conf'
Can't open input config file /home/user/.mplayer/input.conf: No such file or directory
Can't open input config file /usr/local/etc/mplayer/input.conf: No such file or directory
Falling back on default (hardcoded) input config
get_path('41-geass.mp4.conf') -> '/home/user/.mplayer/41-geass.mp4.conf'
Playing 41-geass.mp4.
get_path('sub/') -> '/home/user/.mplayer/sub/'
[file] File size is 553430 bytes
STREAM: [file] 41-geass.mp4
STREAM: Description: File
STREAM: Author: Albeu
STREAM: Comment: based on the code from ??? (probably Arpi)
LAVF_check: QuickTime/MPEG-4/Motion JPEG 2000 format
libavformat file format detected.
stream_seek: WARNING! Can't seek to 0x871D6 !
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x89ba440]error reading header: -1
LAVF_header: av_open_input_stream() failed
Checking for YUV4MPEG2
ASF_check: not ASF guid!
Checking for NuppelVideo
Checking for REAL
Checking for SMJPEG
Checking for Nullsoft Streaming Video
Checking for MOV
ISO: File Type Major Brand: ISO Base Media
ISO: File Type Minor Version: 512
ISO: File Type Compatible Brand #0: mp41
MOV: Movie DATA found!
MOV: Movie header found!
stream_seek: WARNING! Can't seek to 0x2871D6 !
Quicktime/MOV file format detected.
MOV: unknown chunk: m~hd 100
MOV: Track #0:
MOV: Track header!
tkhd len=84 ver=0 flags=0x0 id=1 dur=1544 lay=0 vol=0
MOV: Media stream!
MOV: Media header!
MOV: Handler header: /vide () VideoHandler
MOV: unknown handler class: 0x0 ()
MOV: Media info!
MOV: Video header!
MOV: unknown chunk: dinf 28
MOV: Sample info!
MOV: Description list! (cnt:1)
MOV: desc #0: mp4v (152 bytes)
MOV: Sample duration table! (268435457 blocks)
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1209861920 (LWP 21965)]
lschunks_intrak (demuxer=0x89b1158, level=4, id=1937011827, pos=553006,
len=16, trak=0x89b23f0) at libmpdemux/demux_mov.c:1756
1756 trak->durmap[i].num = stream_read_dword(demuxer->stream);
(gdb) bt
#0 lschunks_intrak (demuxer=0x89b1158, level=4, id=1937011827, pos=553006,
len=16, trak=0x89b23f0) at libmpdemux/demux_mov.c:1756
#1 0x0813a347 in lschunks (demuxer=0x89b1158, level=4, endpos=553414,
trak=0x89b23f0) at libmpdemux/demux_mov.c:1286
#2 0x0813c7f3 in lschunks_intrak (demuxer=0x89b1158, level=3, id=1937007212,
pos=552814, len=553414, trak=0x89b23f0) at libmpdemux/demux_mov.c:1867
#3 0x0813a347 in lschunks (demuxer=0x89b1158, level=3, endpos=553414,
trak=0x89b23f0) at libmpdemux/demux_mov.c:1286
#4 0x0813c7f3 in lschunks_intrak (demuxer=0x89b1158, level=2, id=1835626086,
pos=552750, len=553414, trak=0x89b23f0) at libmpdemux/demux_mov.c:1867
#5 0x0813a347 in lschunks (demuxer=0x89b1158, level=2, endpos=553414,
trak=0x89b23f0) at libmpdemux/demux_mov.c:1286
#6 0x0813c7f3 in lschunks_intrak (demuxer=0x89b1158, level=1, id=1835297121,
pos=552665, len=553414, trak=0x89b23f0) at libmpdemux/demux_mov.c:1867
#7 0x0813a347 in lschunks (demuxer=0x89b1158, level=1, endpos=553414,
trak=0x89b23f0) at libmpdemux/demux_mov.c:1286
#8 0x0813a9cf in lschunks (demuxer=0x89b1158, level=0, endpos=2650582,
trak=0x0) at libmpdemux/demux_mov.c:1314
#9 0x0813c2c6 in mov_read_header (demuxer=0x89b1158)
at libmpdemux/demux_mov.c:1934
#10 0x0811e2eb in demux_open_stream (stream=0x89b07c0,
file_format=<value optimized out>, force=0, audio_id=-1, video_id=-1,
dvdsub_id=-2, filename=0x89a7470 "41-geass.mp4")
at libmpdemux/demuxer.c:864
#11 0x0811e5b2 in demux_open (vs=0x89b07c0, file_format=0, audio_id=-1,
video_id=-1, dvdsub_id=-2, filename=0x89a7470 "41-geass.mp4")
at libmpdemux/demuxer.c:991
#12 0x08077a5f in main (argc=3, argv=0xbfaf4bd4) at mplayer.c:3238
(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x813e4f5 to 0x813e535:
0x0813e4f5 <lschunks_intrak+7925>: add %al,0xffffff8b(%edi)
0x0813e4f8 <lschunks_intrak+7928>: xchg %eax,%ebp
0x0813e4f9 <lschunks_intrak+7929>: call 0x9213e4fc
0x0813e4fe <lschunks_intrak+7934>: fimul 0xc6017041(%ebx)
0x0813e504 <lschunks_intrak+7940>: mov 0x1c(%edx),%eax
0x0813e507 <lschunks_intrak+7943>: call 0x8139820 <stream_read_dword>
0x0813e50c <lschunks_intrak+7948>: mov 0x18(%ebp),%ecx
0x0813e50f <lschunks_intrak+7951>: mov 0xfffffee8(%ebp),%edx
0x0813e515 <lschunks_intrak+7957>: mov %eax,(%esi)
0x0813e517 <lschunks_intrak+7959>: mov 0x70(%ecx),%eax
0x0813e51a <lschunks_intrak+7962>: mov %ebx,%esi
0x0813e51c <lschunks_intrak+7964>: add %eax,%esi
0x0813e51e <lschunks_intrak+7966>: mov 0x1c(%edx),%eax
0x0813e521 <lschunks_intrak+7969>: call 0x8139820 <stream_read_dword>
0x0813e526 <lschunks_intrak+7974>: mov 0x18(%ebp),%ecx
0x0813e529 <lschunks_intrak+7977>: mov %eax,0x4(%esi)
0x0813e52c <lschunks_intrak+7980>: mov 0x70(%ecx),%eax
0x0813e52f <lschunks_intrak+7983>: add %eax,%ebx
0x0813e531 <lschunks_intrak+7985>: mov (%ebx),%eax
0x0813e533 <lschunks_intrak+7987>: mov 0x4(%ebx),%esi
End of assembler dump.
(gdb) info all-registers
eax 0x25 37
ecx 0x89b23f0 144385008
edx 0x89b1158 144380248
ebx 0x0 0
esp 0xbfaf2b40 0xbfaf2b40
ebp 0xbfaf2c98 0xbfaf2c98
esi 0x0 0
edi 0x1 1
eip 0x813e515 0x813e515 <lschunks_intrak+7957>
eflags 0x10202 [ IF RF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
st0 0 (raw 0x00000000000000000000)
st1 0 (raw 0x00000000000000000000)
st2 0 (raw 0x00000000000000000000)
st3 0 (raw 0x00000000000000000000)
st4 0 (raw 0x00000000000000000000)
st5 1 (raw 0x3fff8000000000000000)
st6 1 (raw 0x3fff8000000000000000)
st7 -9223372036854775808 (raw 0xc03e8000000000000000)
fctrl 0x37f 895
fstat 0x20 32
ftag 0xffff 65535
fiseg 0x73 115
fioff 0x811d136 135385398
foseg 0x7b 123
fooff 0x89b1180 144380288
fop 0x55e 1374
xmm0 {v4_float = {
This bug was found using the zzuf fuzzer, as part of the SUPERB-TRUST 2008 / metafuzz project; see http://metafuzz.com/ and http://www.truststc.org/superb/
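The trace above shows the write `trak->durmap[i].num = ...` at demux_mov.c:1756 faulting at address 0x0 (esi and ebx are both 0 in the register dump) immediately after the demuxer announced a sample duration table of 268435457 blocks inside a chunk whose `len` was 16. Whatever produced the null table pointer, a parser that validates the declared entry count against the bytes actually present, caps it, and tests its allocation result never reaches such a write. The following is an added example written for this page; it is not MPlayer's demux_mov.c code and not the fix committed in r27304 (the page does not describe that change). The `durmap_entry` layout, the `MAX_DURMAP_ENTRIES` cap and the two byte buffers are assumptions constructed for the example; the oversized buffer reuses the entry count and chunk length reported in the trace.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for a (sample count, sample duration) pair as an
 * MP4 'stts' table stores it; the name mirrors the trace, the layout is assumed. */
typedef struct {
    uint32_t num;
    uint32_t dur;
} durmap_entry;

typedef struct {
    durmap_entry *entries;
    uint32_t count;
} durmap_table;

/* Absolute cap on entries held for one table: a policy choice for this
 * example, not a format limit. */
#define MAX_DURMAP_ENTRIES (1u << 20)

/* Read a big-endian 32-bit value (MP4 box fields are big-endian). */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Parse an stts-style box body: version(1) flags(3) entry_count(4), then
 * entry_count pairs of (count, duration), 8 bytes each. Returns 0 on success
 * and a negative code on rejection; on success the caller frees out->entries. */
int parse_durmap(const uint8_t *buf, size_t len, durmap_table *out)
{
    out->entries = NULL;
    out->count = 0;
    if (len < 8)
        return -1;                    /* the fixed header itself is truncated */

    uint32_t count = be32(buf + 4);
    size_t remaining = len - 8;

    /* The declared count must fit in the bytes actually present: this is the
     * check that a 268435457-entry table in a 16-byte chunk fails. */
    if (count > remaining / sizeof(durmap_entry))
        return -2;

    /* Independent of the file, refuse tables larger than we want to hold. */
    if (count > MAX_DURMAP_ENTRIES)
        return -3;

    if (count == 0)
        return 0;

    /* calloc rejects count * size overflow; its result is tested before use. */
    durmap_entry *e = calloc(count, sizeof *e);
    if (e == NULL)
        return -4;

    for (uint32_t i = 0; i < count; i++) {
        e[i].num = be32(buf + 8 + (size_t)i * 8);
        e[i].dur = be32(buf + 12 + (size_t)i * 8);
    }
    out->entries = e;
    out->count = count;
    return 0;
}

/* Constructed sample input: a well-formed two-entry table. */
static const uint8_t GOOD_STTS[] = {
    0x00, 0x00, 0x00, 0x00,                            /* version + flags */
    0x00, 0x00, 0x00, 0x02,                            /* entry_count = 2 */
    0x00, 0x00, 0x00, 0x0a,  0x00, 0x00, 0x02, 0x00,   /* 10 samples of 512 */
    0x00, 0x00, 0x00, 0x05,  0x00, 0x00, 0x01, 0x00,   /* 5 samples of 256 */
};

/* Constructed sample input: the count from the trace (0x10000001 = 268435457)
 * in a 16-byte body, matching the len=16 of the crashing call. */
static const uint8_t BAD_STTS[] = {
    0x00, 0x00, 0x00, 0x00,
    0x10, 0x00, 0x00, 0x01,
    0x00, 0x00, 0x00, 0x01,  0x00, 0x00, 0x00, 0x01,
};

/* Returns 1 if the well-formed table parses to the expected entries. */
int demo_good(void)
{
    durmap_table t;
    int ok = parse_durmap(GOOD_STTS, sizeof GOOD_STTS, &t) == 0 &&
             t.count == 2 &&
             t.entries[0].num == 10 && t.entries[0].dur == 512 &&
             t.entries[1].num == 5 && t.entries[1].dur == 256;
    free(t.entries);
    return ok;
}

/* Returns the parser's verdict on the oversized table (expected: -2). */
int demo_bad(void)
{
    durmap_table t;
    int r = parse_durmap(BAD_STTS, sizeof BAD_STTS, &t);
    free(t.entries);                  /* NULL after a rejection, so a no-op */
    return r;
}

int main(void)
{
    printf("well-formed table accepted: %d\n", demo_good());
    printf("oversized table verdict: %d\n", demo_bad());
    return 0;
}
```

The length check comes first because it is the one a fuzzer-generated file cannot satisfy: a count that needs gigabytes of entries cannot be backed by a 16-byte chunk, so the parser rejects the table before any allocation is attempted, and the allocation that does happen is checked rather than dereferenced blindly.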
Change History (1)
comment:1 by , 16 years ago
bug_file_loc: | http://www.metafuzz.com/testcases/965225-41-2023262462-Leak_DefinitelyLost.tgz → http://www.metafuzz.com/testcases/965225-41-2023262462-Leak_DefinitelyLost.tgz |
---|---|
Resolution: | → fixed |
Status: | new → closed |
Fixed in SVN r27304