Opened 11 years ago

Last modified 8 years ago

#1199 new defect

[Crash] Valgrind reports InvalidRead in read_avi_header() (aviheader.c:268)

Reported by: thiennga408@… Owned by: reimar
Priority: normal Component: demuxer
Version: HEAD Severity: normal
Keywords: Cc: catchconv-bugreports@…
Blocked By: Blocking:
Reproduced by developer: Analyzed by developer:

Description

In the tgz archive which can be downloaded from the URL
http://www.metafuzz.com/testcases/761161-26-2124421838-SyscallParam.tgz, there is an avi file (26-cartoonsnip.avi) where Valgrind reports an invalid read of 4 byte at an invalid memory location. This bug causes MPlayer to crash.

I confirmed that this bug is reproducible in the latest subversion of MPlayer,
r27292-4.1.2.

My System Information:
OS: Linux Debian x32
kernel: Linux debian 2.6.18-6-486 #1 Fri Jun 6 21:47:01 UTC 2008 i686 GNU/Linux
libc version: libc-2.3.6.so
gcc version 4.1.2 20061115
ld version 2.17

My Hardware Information:
32-bit Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz
Multimedia audio controller: Ensoniq ES1371 [AudioPCI-97] (rev 02)

To reproduce:
http://www.metafuzz.com/testcases/761161-26-2124421838-SyscallParam.tgz
tar xzvf 761161-26-2124421838-SyscallParam?.tgz
valgrind mplayer 26-cartoonsnip.avi

The following is the output from Valgrind:

==20980== Memcheck, a memory error detector.
==20980== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==20980== Using LibVEX rev 1854, a library for dynamic binary translation.
==20980== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks? LLP.
==20980== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==20980== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==20980== For more details, rerun with: -v
==20980==
MPlayer dev-SVN-r27292-4.1.2 (C) 2000-2008 MPlayer Team
CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz (Family: 6, Model: 15, Stepping: 6)
CPUflags: MMX: 1 MMX2: 1 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 1
Compiled for x86 CPU with extensions: MMX MMX2 SSE SSE2

Playing 761161-26-2124421838-SyscallParam?.tgz_FILES/26-cartoonsnip.avi.
AVI file format detected.
[aviheader] Video stream found, -vid 0
==20980== Warning: silly args (-2147483608,1) to calloc()
==20980== Invalid read of size 4
==20980== Stack hash: 2168556225
==20980== at 0x8119B14: read_avi_header (aviheader.c:268)
==20980== by 0x8126AEF: demux_open_hack_avi (demux_avi.c:410)
==20980== by 0x811E11F: demux_open_stream (demuxer.c:811)
==20980== by 0x811E501: demux_open (demuxer.c:991)
==20980== by 0x80779AE: main (mplayer.c:3238)
==20980== Address 0x0 is not stack'd, malloc'd or (recently) free'd

MPlayer interrupted by signal 11 in module: demux_open

  • MPlayer crashed by bad usage of CPU/FPU/RAM. Recompile MPlayer with --enable-debug and make a 'gdb' backtrace and disassembly. Details in DOCS/HTML/en/bugreports_what.html#bugreports_crash.
  • MPlayer crashed. This shouldn't happen. It can be a bug in the MPlayer code _or_ in your drivers _or_ in your gcc version. If you think it's MPlayer's fault, please read DOCS/HTML/en/bugreports.html and follow the instructions there. We can't and won't help unless you provide this information when reporting a possible bug.

==20980==
==20980== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 19 from 1)
==20980== malloc/free: in use at exit: 96,132 bytes in 2,179 blocks.
==20980== malloc/free: 2,252 allocs, 73 frees, 1,212,000 bytes allocated.
==20980== For counts of detected errors, rerun with: -v
==20980== searching for pointers to 2,179 not-freed blocks.
==20980== checked 2,964,196 bytes.
==20980==
==20980== LEAK SUMMARY:
==20980== definitely lost: 0 bytes in 0 blocks.
==20980== possibly lost: 0 bytes in 0 blocks.
==20980== still reachable: 96,132 bytes in 2,179 blocks.
==20980== suppressed: 0 bytes in 0 blocks.
==20980== Rerun with --leak-check=full to see details of leaked memory.

The following is the backtrace using gdb:

(gdb) bt
#0 read_avi_header (demuxer=0x89b21f0, index_mode=-1)

at libmpdemux/aviheader.c:268

#1 0x08126af0 in demux_open_hack_avi (demuxer=0x89b21f0)

at libmpdemux/demux_avi.c:410

#2 0x0811e120 in demux_open_stream (stream=0x89b17c8, file_format=0, force=0,

audio_id=-1, video_id=-1, dvdsub_id=-2,
filename=0x89a8470 "761161-26-2124421838-SyscallParam?.tgz_FILES/26-cartoonsnip.avi") at libmpdemux/demuxer.c:811

#3 0x0811e502 in demux_open (vs=0x89b17c8, file_format=0, audio_id=-1,

video_id=-1, dvdsub_id=-2,
filename=0x89a8470 "761161-26-2124421838-SyscallParam?.tgz_FILES/26-cartoonsnip.avi") at libmpdemux/demuxer.c:991

#4 0x080779af in main (argc=3, argv=0xbffff6a4) at mplayer.c:3238
(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x8119af4 to 0x8119b34:
0x08119af4 <read_avi_header+14676>: and $0x8,%al
0x08119af6 <read_avi_header+14678>: mov %ecx,0x4(%esp)
0x08119afa <read_avi_header+14682>: movl $0x7,(%esp)
0x08119b01 <read_avi_header+14689>: call 0x807c4d0 <mp_msg>
0x08119b06 <read_avi_header+14694>: jmp 0x8119a92 <read_avi_header+14578>0x08119b08 <read_avi_header+14696>: mov 0xfffffd7c(%ebp),%ecx
0x08119b0e <read_avi_header+14702>: mov 0x144(%ecx),%eax
0x08119b14 <read_avi_header+14708>: mov (%eax),%edx
0x08119b16 <read_avi_header+14710>: cmp %edx,0xfffffd98(%ebp)
0x08119b1c <read_avi_header+14716>: jae 0x8119b2b <read_avi_header+14731>0x08119b1e <read_avi_header+14718>: cmp $0x28,%edx
0x08119b21 <read_avi_header+14721>: jbe 0x8119b2b <read_avi_header+14731>0x08119b23 <read_avi_header+14723>: mov 0xfffffd98(%ebp),%ebx
0x08119b29 <read_avi_header+14729>: mov %ebx,(%eax)
0x08119b2b <read_avi_header+14731>: cmpl $0x1,0x10(%eax)
0x08119b2f <read_avi_header+14735>: jle 0x811a930 <read_avi_header+18320>End of assembler dump.
(gdb) info all-registers
eax 0x0 0
ecx 0x0 0
edx 0x80000028 -2147483608
ebx 0x89b2c80 144387200
esp 0xbfffdf70 0xbfffdf70
ebp 0xbfffe278 0xbfffe278
esi 0x89b17c8 144381896
edi 0x89b21f0 144384496
eip 0x8119b14 0x8119b14 <read_avi_header+14708>
eflags 0x210286 [ PF SF IF RF ID ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
st0 0 (raw 0x00000000000000000000)
st1 0 (raw 0x00000000000000000000)
st2 0 (raw 0x00000000000000000000)
st3 0 (raw 0x00000000000000000000)
st4 0 (raw 0x00000000000000000000)
st5 0 (raw 0x00000000000000000000)
st6 1 (raw 0x3fff8000000000000000)
---Type <return> to continue, or q <return> to quit---
st7 15 (raw 0x4002f000000000000000)
fctrl 0x37f 895
fstat 0x20 32
ftag 0xffff 65535
fiseg 0x73 115
fioff 0xb7e9d326 -1209412826
foseg 0x7b 123
fooff 0xbfffbe78 -1073758600
fop 0x55c 1372
xmm0 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},

v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,

0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},

uint128 = 0x00000000000000000000000000000000}

xmm1 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},

v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,

0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},

uint128 = 0x00000000000000000000000000000000}

xmm2 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},

v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,

0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},

uint128 = 0x00000000000000000000000000000000}

xmm3 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},

v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,

---Type <return> to continue, or q <return> to quit---

0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},

uint128 = 0x00000000000000000000000000000000}

xmm4 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},

v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,

0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},

uint128 = 0x00000000000000000000000000000000}

xmm5 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},

v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,

0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},

uint128 = 0x00000000000000000000000000000000}

xmm6 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},

v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,

0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},

uint128 = 0x00000000000000000000000000000000}

xmm7 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},

v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,

0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},

uint128 = 0x00000000000000000000000000000000}

mxcsr 0x1f80 [ IM DM ZM OM UM PM ]
mm0 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0,

0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}

mm1 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0,

0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}

---Type <return> to continue, or q <return> to quit---
mm2 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0,

0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}

mm3 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0,

0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}

mm4 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0,

0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}

mm5 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0,

0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}

mm6 {uint64 = 0x8000000000000000, v2_int32 = {0x0, 0x80000000},

v4_int16 = {0x0, 0x0, 0x0, 0x8000}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,

0x0, 0x80}}

mm7 {uint64 = 0xf000000000000000, v2_int32 = {0x0, 0xf0000000},

v4_int16 = {0x0, 0x0, 0x0, 0xf000}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,

0x0, 0xf0}}

This bug was found using the zzuf fuzzer.

This bug was found as part of the SUPERB-TRUST 2008 project; see
http://www.truststc.org/superb/

Please let me know if you need more information.

Change History (1)

comment:1 Changed 8 years ago by compn

  • Owner changed from r_togni@… to reimar
Note: See TracTickets for help on using tickets.