Opened 16 years ago

Last modified 13 years ago

#1199 new defect

[Crash] Valgrind reports InvalidRead in read_avi_header() (aviheader.c:268)

Reported by: thiennga408@…
Owned by: reimar
Priority: normal
Component: demuxer
Version: HEAD
Severity: normal
Keywords:
Cc: catchconv-bugreports@…
Blocked By:
Blocking:
Reproduced by developer: no
Analyzed by developer: no

Description

In the tgz archive which can be downloaded from the URL http://www.metafuzz.com/testcases/761161-26-2124421838-SyscallParam.tgz, there is an avi file (26-cartoonsnip.avi) where Valgrind reports an invalid read of 4 bytes at an invalid memory location. This bug causes MPlayer to crash.

I confirmed that this bug is reproducible in the latest subversion of MPlayer, r27292-4.1.2.

My System Information:
OS: Linux Debian x32
kernel: Linux debian 2.6.18-6-486 #1 Fri Jun 6 21:47:01 UTC 2008 i686 GNU/Linux
libc version: libc-2.3.6.so
gcc version 4.1.2 20061115
ld version 2.17

My Hardware Information:
32-bit Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz
Multimedia audio controller: Ensoniq ES1371 [AudioPCI-97] (rev 02)

To reproduce:
http://www.metafuzz.com/testcases/761161-26-2124421838-SyscallParam.tgz
tar xzvf 761161-26-2124421838-SyscallParam.tgz
valgrind mplayer 26-cartoonsnip.avi

The following is the output from Valgrind:

==20980== Memcheck, a memory error detector.
==20980== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==20980== Using LibVEX rev 1854, a library for dynamic binary translation.
==20980== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==20980== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==20980== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==20980== For more details, rerun with: -v
==20980==
MPlayer dev-SVN-r27292-4.1.2 (C) 2000-2008 MPlayer Team
CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz (Family: 6, Model: 15, Stepping: 6)
CPUflags: MMX: 1 MMX2: 1 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 1
Compiled for x86 CPU with extensions: MMX MMX2 SSE SSE2

Playing 761161-26-2124421838-SyscallParam.tgz_FILES/26-cartoonsnip.avi.
AVI file format detected.
[aviheader] Video stream found, -vid 0
==20980== Warning: silly args (-2147483608,1) to calloc()
==20980== Invalid read of size 4
==20980== Stack hash: 2168556225
==20980== at 0x8119B14: read_avi_header (aviheader.c:268)
==20980== by 0x8126AEF: demux_open_hack_avi (demux_avi.c:410)
==20980== by 0x811E11F: demux_open_stream (demuxer.c:811)
==20980== by 0x811E501: demux_open (demuxer.c:991)
==20980== by 0x80779AE: main (mplayer.c:3238)
==20980== Address 0x0 is not stack'd, malloc'd or (recently) free'd

MPlayer interrupted by signal 11 in module: demux_open

  • MPlayer crashed by bad usage of CPU/FPU/RAM. Recompile MPlayer with --enable-debug and make a 'gdb' backtrace and disassembly. Details in DOCS/HTML/en/bugreports_what.html#bugreports_crash.
  • MPlayer crashed. This shouldn't happen. It can be a bug in the MPlayer code _or_ in your drivers _or_ in your gcc version. If you think it's MPlayer's fault, please read DOCS/HTML/en/bugreports.html and follow the instructions there. We can't and won't help unless you provide this information when reporting a possible bug.

==20980==
==20980== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 19 from 1)
==20980== malloc/free: in use at exit: 96,132 bytes in 2,179 blocks.
==20980== malloc/free: 2,252 allocs, 73 frees, 1,212,000 bytes allocated.
==20980== For counts of detected errors, rerun with: -v
==20980== searching for pointers to 2,179 not-freed blocks.
==20980== checked 2,964,196 bytes.
==20980==
==20980== LEAK SUMMARY:
==20980== definitely lost: 0 bytes in 0 blocks.
==20980== possibly lost: 0 bytes in 0 blocks.
==20980== still reachable: 96,132 bytes in 2,179 blocks.
==20980== suppressed: 0 bytes in 0 blocks.
==20980== Rerun with --leak-check=full to see details of leaked memory.

The following is the backtrace using gdb:

(gdb) bt
#0 read_avi_header (demuxer=0x89b21f0, index_mode=-1) at libmpdemux/aviheader.c:268
#1 0x08126af0 in demux_open_hack_avi (demuxer=0x89b21f0) at libmpdemux/demux_avi.c:410
#2 0x0811e120 in demux_open_stream (stream=0x89b17c8, file_format=0, force=0, audio_id=-1, video_id=-1, dvdsub_id=-2, filename=0x89a8470 "761161-26-2124421838-SyscallParam.tgz_FILES/26-cartoonsnip.avi") at libmpdemux/demuxer.c:811
#3 0x0811e502 in demux_open (vs=0x89b17c8, file_format=0, audio_id=-1, video_id=-1, dvdsub_id=-2, filename=0x89a8470 "761161-26-2124421838-SyscallParam.tgz_FILES/26-cartoonsnip.avi") at libmpdemux/demuxer.c:991
#4 0x080779af in main (argc=3, argv=0xbffff6a4) at mplayer.c:3238
(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x8119af4 to 0x8119b34:
0x08119af4 <read_avi_header+14676>: and $0x8,%al
0x08119af6 <read_avi_header+14678>: mov %ecx,0x4(%esp)
0x08119afa <read_avi_header+14682>: movl $0x7,(%esp)
0x08119b01 <read_avi_header+14689>: call 0x807c4d0 <mp_msg>
0x08119b06 <read_avi_header+14694>: jmp 0x8119a92 <read_avi_header+14578>
0x08119b08 <read_avi_header+14696>: mov 0xfffffd7c(%ebp),%ecx
0x08119b0e <read_avi_header+14702>: mov 0x144(%ecx),%eax
0x08119b14 <read_avi_header+14708>: mov (%eax),%edx
0x08119b16 <read_avi_header+14710>: cmp %edx,0xfffffd98(%ebp)
0x08119b1c <read_avi_header+14716>: jae 0x8119b2b <read_avi_header+14731>
0x08119b1e <read_avi_header+14718>: cmp $0x28,%edx
0x08119b21 <read_avi_header+14721>: jbe 0x8119b2b <read_avi_header+14731>
0x08119b23 <read_avi_header+14723>: mov 0xfffffd98(%ebp),%ebx
0x08119b29 <read_avi_header+14729>: mov %ebx,(%eax)
0x08119b2b <read_avi_header+14731>: cmpl $0x1,0x10(%eax)
0x08119b2f <read_avi_header+14735>: jle 0x811a930 <read_avi_header+18320>
End of assembler dump.
(gdb) info all-registers
eax 0x0 0
ecx 0x0 0
edx 0x80000028 -2147483608
ebx 0x89b2c80 144387200
esp 0xbfffdf70 0xbfffdf70
ebp 0xbfffe278 0xbfffe278
esi 0x89b17c8 144381896
edi 0x89b21f0 144384496
eip 0x8119b14 0x8119b14 <read_avi_header+14708>
eflags 0x210286 [ PF SF IF RF ID ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51

This bug was found using the zzuf fuzzer.

This bug was found as part of the SUPERB-TRUST 2008 project; see
http://www.truststc.org/superb/

Please let me know if you need more information.
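The Valgrind log above shows calloc() being handed a count of -2147483608 (0x80000028, the value still sitting in edx in the register dump), presumably taken from the fuzzed header, followed by a 4-byte read at address 0x0: the result of a failed allocation is used as a pointer. The C below is an added example, not MPlayer code; the chunk layout, the 16 MiB cap and the helper names are assumptions of this example. It shows the two checks a demuxer needs at such a point: bound a header-declared size by a sane maximum and by the bytes actually left in the file before allocating, and treat a NULL from calloc() as a parse failure rather than a pointer to dereference.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Policy cap for one header chunk; an assumption of this example, not MPlayer's value. */
#define MAX_CHUNK_SIZE (16u * 1024u * 1024u)

/* Rejection codes returned alongside a NULL allocation. */
enum { CHUNK_OK = 0, CHUNK_TOO_LARGE = 1, CHUNK_TRUNCATED = 2, CHUNK_OOM = 3, CHUNK_SHORT_HDR = 4 };

/* RIFF/AVI stores chunk sizes as little-endian 32-bit values. */
static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Allocate for a header-declared size only after bounding it by a sane cap and by the
 * bytes that remain in the file; a NULL result is always paired with a reason code. */
void *alloc_chunk_checked(uint32_t declared, size_t remaining, int *reason)
{
    if (declared > MAX_CHUNK_SIZE) { *reason = CHUNK_TOO_LARGE; return NULL; }
    if (declared > remaining)      { *reason = CHUNK_TRUNCATED; return NULL; }
    void *buf = calloc(declared ? declared : 1, 1);   /* calloc(0,1) may legally return NULL */
    if (buf == NULL)               { *reason = CHUNK_OOM;       return NULL; }
    *reason = CHUNK_OK;
    return buf;
}

/* Parse "FourCC + size" at the start of data and allocate room for the chunk body. */
void *read_chunk(const unsigned char *data, size_t len, int *reason)
{
    if (len < 8) { *reason = CHUNK_SHORT_HDR; return NULL; }
    return alloc_chunk_checked(le32(data + 4), len - 8, reason);
}

/* Constructed inputs: the fuzzed size 0x80000028 from the ticket, and a sane 56-byte 'strh'. */
const unsigned char FUZZED_STRH[8]    = { 's','t','r','h', 0x28,0x00,0x00,0x80 };
const unsigned char SANE_STRH[8 + 56] = { 's','t','r','h', 0x38,0x00,0x00,0x00 }; /* body left zeroed */

/* Convenience wrapper: run the parser and report only the verdict. */
int chunk_verdict(const unsigned char *data, size_t len)
{
    int reason;
    void *p = read_chunk(data, len, &reason);
    free(p);
    return reason;
}
```

Calling chunk_verdict() on FUZZED_STRH yields CHUNK_TOO_LARGE before any allocation is attempted, while SANE_STRH with its body present yields CHUNK_OK and the same header with the body cut short yields CHUNK_TRUNCATED.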

Change History (1)

comment:1 by compn, 13 years ago

Owner: changed from r_togni@… to reimar