Opened 11 years ago

Last modified 8 years ago

#1200 new defect

Valgrind reports Invalid Write in ff_emulated_edge_mc (dsputil.c:501) as well as many invalid reads and memory leaks

Reported by: nstockma@… Owned by: reimar
Priority: normal Component: vd
Version: HEAD Severity: normal
Keywords: Cc: catchconv-bugreports@…
Blocked By: Blocking:
Reproduced by developer: Analyzed by developer:

Description

Here is a .mqv file that causes some invalid writes (as well as invalid reads, uninitialized conditions, and memory leaks) in MPlayer. The .mqv file (57-nosound_lavf_works.mqv) can be found inside the .tgz archive at the URL above. The bug is easily reproducible. Note that it does not cause MPlayer to crash.

Also, it looked as though it might originate in the ffmpeg code, however I ran the following command to test it on ffmpeg and valgrind showed no errors:
valgrind ./ffmpeg_g -i ../Desktop/57-nosound_lavf_works.mqv works.wmv

I confirmed that this bug is reproducible on Linux OS, Debian x32 with the following subversion of MPlayer: dev-SVN-r27291-4.1.2

I used a 32-bit Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz.

To reproduce:
wget http://www.metafuzz.com/testcases/178672-57-2634611563-InvalidWrite.tgz
tar xzfv 178672-57-2634611563-InvalidWrite.tgz
valgrind mplayer 57-nosound_lavf_works.mqv

Here is the output from valgrind and mplayer on my machine:

==29487== Memcheck, a memory error detector.
==29487== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==29487== Using LibVEX rev 1854, a library for dynamic binary translation.
==29487== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==29487== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==29487== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==29487== For more details, rerun with: -v
==29487==
MPlayer dev-SVN-r27291-4.1.2 (C) 2000-2008 MPlayer Team
CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz (Family: 6, Model: 15, Stepping: 6)
CPUflags: MMX: 1 MMX2: 1 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 1
Compiled for x86 CPU with extensions: MMX MMX2 SSE SSE2

Playing 57-nosound_lavf_works.mqv.
libavformat file format detected.
Marker bit missing before time_increment
[mpeg4 @ 0x4416b20]hmm, seems the headers are not complete, trying to guess time_increment_bits
[mpeg4 @ 0x4416b20]my guess is 2 bits ;)
[mpeg4 @ 0x4416b20]hmm, seems the headers are not complete, trying to guess time_increment_bits
[mpeg4 @ 0x4416b20]my guess is 3 bits ;)
[mpeg4 @ 0x4416b20]hmm, seems the headers are not complete, trying to guess time_increment_bits
[mpeg4 @ 0x4416b20]my guess is 1 bits ;)
[mpeg4 @ 0x4416b20]hmm, seems the headers are not complete, trying to guess time_increment_bits
[mpeg4 @ 0x4416b20]my guess is 5 bits ;)
[mpeg4 @ 0x4416b20]hmm, seems the headers are not complete, trying to guess time_increment_bits
[mpeg4 @ 0x4416b20]my guess is 2 bits ;)
[lavf] Video stream found, -vid 0
VIDEO: [FMP4] 160x112 0bpp 25.000 fps 0.0 kbps ( 0.0 kbyte/s)
==========================================================================
Opening video decoder: [ffmpeg] FFmpeg's libavcodec codec family
Selected video codec: [ffodivx] vfm: ffmpeg (FFmpeg MPEG-4)
==========================================================================
Audio: no sound
Starting playback...
VDec: vo config request - 160 x 112 (preferred colorspace: Planar YV12)
VDec: using Planar YV12 as output csp (no 0)
Movie-Aspect is 1.43:1 - prescaling to correct movie aspect.
VO: [x11] 160x112 => 160x112 Planar YV12
==29487== Invalid read of size 4
==29487== Stack hash: 2608987646
==29487== at 0x4010E00: (within /lib/ld-2.3.6.so)
==29487== by 0x4004B78: (within /lib/ld-2.3.6.so)
==29487== by 0x4006792: (within /lib/ld-2.3.6.so)
==29487== by 0x427646F: (within /lib/tls/i686/cmov/libc-2.3.6.so)
==29487== by 0x400B44E: (within /lib/ld-2.3.6.so)
==29487== by 0x4275EDE: _dl_open (in /lib/tls/i686/cmov/libc-2.3.6.so)
==29487== by 0x414DD8D: (within /lib/tls/i686/cmov/libdl-2.3.6.so)
==29487== by 0x400B44E: (within /lib/ld-2.3.6.so)
==29487== by 0x414E42C: (within /lib/tls/i686/cmov/libdl-2.3.6.so)
==29487== by 0x414DD20: dlopen (in /lib/tls/i686/cmov/libdl-2.3.6.so)
==29487== by 0x4049448: (within /usr/lib/libX11.so.6.2.0)
==29487== by 0x4049756: _XNoticeCreateBitmap (in /usr/lib/libX11.so.6.2.0)
==29487== Address 0x4492920 is 24 bytes inside a block of size 25 alloc'd
==29487== Stack hash: 701839604
==29487== at 0x401D898: malloc (vg_replace_malloc.c:207)
==29487== by 0x4004839: (within /lib/ld-2.3.6.so)
==29487== by 0x40068D3: (within /lib/ld-2.3.6.so)
==29487== by 0x427646F: (within /lib/tls/i686/cmov/libc-2.3.6.so)
==29487== by 0x400B44E: (within /lib/ld-2.3.6.so)
==29487== by 0x4275EDE: _dl_open (in /lib/tls/i686/cmov/libc-2.3.6.so)
==29487== by 0x414DD8D: (within /lib/tls/i686/cmov/libdl-2.3.6.so)
==29487== by 0x400B44E: (within /lib/ld-2.3.6.so)
==29487== by 0x414E42C: (within /lib/tls/i686/cmov/libdl-2.3.6.so)
==29487== by 0x414DD20: dlopen (in /lib/tls/i686/cmov/libdl-2.3.6.so)
==29487== by 0x4049448: (within /usr/lib/libX11.so.6.2.0)
==29487== by 0x4049756: _XNoticeCreateBitmap (in /usr/lib/libX11.so.6.2.0)
==29487==
==29487== Invalid read of size 4
==29487== Stack hash: 801049415
==29487== at 0x4010E00: (within /lib/ld-2.3.6.so)
==29487== by 0x4004B78: (within /lib/ld-2.3.6.so)
==29487== by 0x4006792: (within /lib/ld-2.3.6.so)
==29487== by 0x400A1F6: (within /lib/ld-2.3.6.so)
==29487== by 0x400B44E: (within /lib/ld-2.3.6.so)
==29487== by 0x400A3CA: (within /lib/ld-2.3.6.so)
==29487== by 0x42764D4: (within /lib/tls/i686/cmov/libc-2.3.6.so)
==29487== by 0x400B44E: (within /lib/ld-2.3.6.so)
==29487== by 0x4275EDE: _dl_open (in /lib/tls/i686/cmov/libc-2.3.6.so)
==29487== by 0x414DD8D: (within /lib/tls/i686/cmov/libdl-2.3.6.so)
==29487== by 0x400B44E: (within /lib/ld-2.3.6.so)
==29487== by 0x414E42C: (within /lib/tls/i686/cmov/libdl-2.3.6.so)
==29487== Address 0x4492c50 is 24 bytes inside a block of size 25 alloc'd
==29487== Stack hash: 3188868669
==29487== at 0x401D898: malloc (vg_replace_malloc.c:207)
==29487== by 0x4004839: (within /lib/ld-2.3.6.so)
==29487== by 0x40068D3: (within /lib/ld-2.3.6.so)
==29487== by 0x400A1F6: (within /lib/ld-2.3.6.so)
==29487== by 0x400B44E: (within /lib/ld-2.3.6.so)
==29487== by 0x400A3CA: (within /lib/ld-2.3.6.so)
==29487== by 0x42764D4: (within /lib/tls/i686/cmov/libc-2.3.6.so)
==29487== by 0x400B44E: (within /lib/ld-2.3.6.so)
==29487== by 0x4275EDE: _dl_open (in /lib/tls/i686/cmov/libc-2.3.6.so)
==29487== by 0x414DD8D: (within /lib/tls/i686/cmov/libdl-2.3.6.so)
==29487== by 0x400B44E: (within /lib/ld-2.3.6.so)
==29487== by 0x414E42C: (within /lib/tls/i686/cmov/libdl-2.3.6.so)
==29487==
==29487== Conditional jump or move depends on uninitialised value(s)
==29487== Stack hash: 2746048421
==29487== at 0x4008ED5: (within /lib/ld-2.3.6.so)
==29487== by 0x42768C4: (within /lib/tls/i686/cmov/libc-2.3.6.so)
==29487== by 0x400B44E: (within /lib/ld-2.3.6.so)
==29487== by 0x4275EDE: _dl_open (in /lib/tls/i686/cmov/libc-2.3.6.so)
==29487== by 0x414DD8D: (within /lib/tls/i686/cmov/libdl-2.3.6.so)
==29487== by 0x400B44E: (within /lib/ld-2.3.6.so)
==29487== by 0x414E42C: (within /lib/tls/i686/cmov/libdl-2.3.6.so)
==29487== by 0x414DD20: dlopen (in /lib/tls/i686/cmov/libdl-2.3.6.so)
==29487== by 0x4049448: (within /usr/lib/libX11.so.6.2.0)
==29487== by 0x4049756: _XNoticeCreateBitmap (in /usr/lib/libX11.so.6.2.0)
==29487== by 0x4049B3C: XCreatePixmap (in /usr/lib/libX11.so.6.2.0)
==29487== by 0x40489BF: XCreateBitmapFromData (in /usr/lib/libX11.so.6.2.0)
==29487==
==29487== Conditional jump or move depends on uninitialised value(s)
==29487== Stack hash: 514968026
==29487== at 0x4008B2E: (within /lib/ld-2.3.6.so)
==29487== by 0x42768C4: (within /lib/tls/i686/cmov/libc-2.3.6.so)
==29487== by 0x400B44E: (within /lib/ld-2.3.6.so)
==29487== by 0x4275EDE: _dl_open (in /lib/tls/i686/cmov/libc-2.3.6.so)
==29487== by 0x414DD8D: (within /lib/tls/i686/cmov/libdl-2.3.6.so)
==29487== by 0x400B44E: (within /lib/ld-2.3.6.so)
==29487== by 0x414E42C: (within /lib/tls/i686/cmov/libdl-2.3.6.so)
==29487== by 0x414DD20: dlopen (in /lib/tls/i686/cmov/libdl-2.3.6.so)
==29487== by 0x4049448: (within /usr/lib/libX11.so.6.2.0)
==29487== by 0x4049756: _XNoticeCreateBitmap (in /usr/lib/libX11.so.6.2.0)
==29487== by 0x4049B3C: XCreatePixmap (in /usr/lib/libX11.so.6.2.0)
==29487== by 0x40489BF: XCreateBitmapFromData (in /usr/lib/libX11.so.6.2.0)
==29487==
==29487== Syscall param write(buf) points to uninitialised byte(s)
==29487== Stack hash: 3732084363
==29487== at 0x4000792: (within /lib/ld-2.3.6.so)
==29487== by 0x406A29E: _X11TransWrite (in /usr/lib/libX11.so.6.2.0)
==29487== by 0x406FBD5: (within /usr/lib/libX11.so.6.2.0)
==29487== by 0x4070812: _XReadEvents (in /usr/lib/libX11.so.6.2.0)
==29487== by 0x405A0C9: XNextEvent (in /usr/lib/libX11.so.6.2.0)
==29487== by 0x8090400: vo_x11_create_vo_window (x11_common.c:1321)
==29487== by 0x80913B7: config (vo_x11.c:441)
==29487== by 0x808AB17: config_video_out (video_out.c:320)
==29487== by 0x811A58D: config (vf_vo.c:65)
==29487== by 0x80EE5C7: vf_config_wrapper (vf.c:617)
==29487== by 0x80EC933: mpcodecs_config_vo (vd.c:309)
==29487== by 0x81A09B2: init_vo (vd_ffmpeg.c:543)
==29487== Address 0x44741dc is 284 bytes inside a block of size 16,384 alloc'd
==29487== Stack hash: 3481543562
==29487== at 0x401C9BE: calloc (vg_replace_malloc.c:397)
==29487== by 0x405ACBD: XOpenDisplay (in /usr/lib/libX11.so.6.2.0)
==29487== by 0x808EB7E: vo_init (x11_common.c:441)
==29487== by 0x809160A: preinit (vo_x11.c:746)
==29487== by 0x808AD7D: init_best_video_out (video_out.c:295)
==29487== by 0x8077C7D: reinit_video_chain (mplayer.c:2151)
==29487== by 0x8079855: main (mplayer.c:3537)
[swscaler @ 0x8647a00]using unscaled yuv420p -> rgb32 special converter
[mpeg4 @ 0x865ebf0]I cbpc damaged at 7 0
[mpeg4 @ 0x865ebf0]Error at MB: 7
[mpeg4 @ 0x865ebf0]concealing 70 DC, 70 AC, 70 MV errors
V: 0.0 0/ 0 ??% ??% ??,?% 0 0
MV: 0.0 0/ 0 ??% ??% ??,?% 0 0

M[mpeg4 @ 0x865ebf0]dc marker bit missing

[mpeg4 @ 0x865ebf0]Error at MB: 30
[mpeg4 @ 0x865ebf0]concealing 70 DC, 70 AC, 70 MV errors
V: 0.1 0/ 0 ??% ??% ??,?% 0 0
M[mpeg4 @ 0x865ebf0]Error at MB: 40
[mpeg4 @ 0x865ebf0]concealing 70 DC, 70 AC, 70 MV errors
V: 0.1 0/ 0 ??% ??% ??,?% 0 0

## omitted lines that repeated with some variation for V: 0.1 to V: 5.7

V: 5.7 0/ 0 154% 1% 0.0% 0 0
MVDec: vo config request - 128 x 112 (preferred colorspace: Planar YV12)
VDec: using Planar YV12 as output csp (no 0)
Movie-Aspect is 1.43:1 - prescaling to correct movie aspect.
VO: [x11] 128x112 => 160x112 Planar YV12
[mpeg4 @ 0x865ebf0]1. marker bit missing in 3. esc
[mpeg4 @ 0x865ebf0]Error at MB: 3
[mpeg4 @ 0x865ebf0]concealing 56 DC, 56 AC, 56 MV errors
==29487==
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
==29487== Invalid write of size 1
==29487== Stack hash: 2736724478
==29487== at 0x82BCFD5: ff_emulated_edge_mc (dsputil.c:501)
==29487== by 0x8354DDB: MPV_motion (mpegvideo_common.h:320)
==29487== by 0x835764A: MPV_decode_mb (mpegvideo.c:1838)
==29487== by 0x84190E4: decode_slice (h263dec.c:243)
==29487== by 0x841A220: ff_h263_decode_frame (h263dec.c:636)
==29487== by 0x82F489F: avcodec_decode_video (utils.c:897)
==29487== by 0x81A0C19: decode (vd_ffmpeg.c:781)
==29487== by 0x80E322A: decode_video (dec_video.c:369)
==29487== by 0x8079EB6: main (mplayer.c:1761)
==29487== Address 0x6848800 is 16 bytes before a block of size 24,576 alloc'd
==29487== Stack hash: 3975202275
==29487== at 0x401C882: memalign (vg_replace_malloc.c:460)
==29487== by 0x85509B4: av_malloc (mem.c:61)
==29487== by 0x8550A36: av_mallocz (mem.c:134)
==29487== by 0x834AD5D: MPV_common_init (mpegvideo.c:291)
==29487== by 0x841A39A: ff_h263_decode_frame (h263dec.c:381)
==29487== by 0x82F489F: avcodec_decode_video (utils.c:897)
==29487== by 0x81A0C19: decode (vd_ffmpeg.c:781)
==29487== by 0x80E322A: decode_video (dec_video.c:369)
==29487== by 0x8079EB6: main (mplayer.c:1761)
==29487==
==29487== Invalid read of size 1
==29487== Stack hash: 4145383085
==29487== at 0x82BD164: ff_emulated_edge_mc (dsputil.c:527)
==29487== by 0x8354DDB: MPV_motion (mpegvideo_common.h:320)
==29487== by 0x835764A: MPV_decode_mb (mpegvideo.c:1838)
==29487== by 0x84190E4: decode_slice (h263dec.c:243)
==29487== by 0x841A220: ff_h263_decode_frame (h263dec.c:636)
==29487== by 0x82F489F: avcodec_decode_video (utils.c:897)
==29487== by 0x81A0C19: decode (vd_ffmpeg.c:781)
==29487== by 0x80E322A: decode_video (dec_video.c:369)
==29487== by 0x8079EB6: main (mplayer.c:1761)
==29487== Address 0x684880f is 1 bytes before a block of size 24,576 alloc'd
==29487== Stack hash: 3975202275
==29487== at 0x401C882: memalign (vg_replace_malloc.c:460)
==29487== by 0x85509B4: av_malloc (mem.c:61)
==29487== by 0x8550A36: av_mallocz (mem.c:134)
==29487== by 0x834AD5D: MPV_common_init (mpegvideo.c:291)
==29487== by 0x841A39A: ff_h263_decode_frame (h263dec.c:381)
==29487== by 0x82F489F: avcodec_decode_video (utils.c:897)
==29487== by 0x81A0C19: decode (vd_ffmpeg.c:781)
==29487== by 0x80E322A: decode_video (dec_video.c:369)
==29487== by 0x8079EB6: main (mplayer.c:1761)
==29487==
==29487== Invalid read of size 8
==29487== Stack hash: 3415258555
==29487== at 0x82F6058: put_no_rnd_pixels8_xy2_mmx (dsputil_mmx_rnd.h:242)
==29487== by 0x82F6574: put_no_rnd_pixels16_xy2_mmx (dsputil_mmx_rnd.h:582)
==29487== by 0x83544B9: MPV_motion (mpegvideo_common.h:354)
==29487== by 0x835764A: MPV_decode_mb (mpegvideo.c:1838)
==29487== by 0x84190E4: decode_slice (h263dec.c:243)
==29487== by 0x841A220: ff_h263_decode_frame (h263dec.c:636)
==29487== by 0x82F489F: avcodec_decode_video (utils.c:897)
==29487== by 0x81A0C19: decode (vd_ffmpeg.c:781)
==29487== by 0x80E322A: decode_video (dec_video.c:369)
==29487== by 0x8079EB6: main (mplayer.c:1761)
==29487== Address 0x6848800 is 16 bytes before a block of size 24,576 alloc'd
==29487== Stack hash: 3975202275
==29487== at 0x401C882: memalign (vg_replace_malloc.c:460)
==29487== by 0x85509B4: av_malloc (mem.c:61)
==29487== by 0x8550A36: av_mallocz (mem.c:134)
==29487== by 0x834AD5D: MPV_common_init (mpegvideo.c:291)
==29487== by 0x841A39A: ff_h263_decode_frame (h263dec.c:381)
==29487== by 0x82F489F: avcodec_decode_video (utils.c:897)
==29487== by 0x81A0C19: decode (vd_ffmpeg.c:781)
==29487== by 0x80E322A: decode_video (dec_video.c:369)
==29487== by 0x8079EB6: main (mplayer.c:1761)
==29487==

## omitted more invalid reads of size 8

==29487==
==29487== Invalid read of size 8
==29487== Stack hash: 2164377064
==29487== at 0x82F84F9: put_pixels8_y2_mmx2 (dsputil_mmx_avg.h:595)
==29487== by 0x83544B9: MPV_motion (mpegvideo_common.h:354)
==29487== by 0x835764A: MPV_decode_mb (mpegvideo.c:1838)
==29487== by 0x84190E4: decode_slice (h263dec.c:243)
==29487== by 0x841A220: ff_h263_decode_frame (h263dec.c:636)
==29487== by 0x82F489F: avcodec_decode_video (utils.c:897)
==29487== by 0x81A0C19: decode (vd_ffmpeg.c:781)
==29487== by 0x80E322A: decode_video (dec_video.c:369)
==29487== by 0x8079EB6: main (mplayer.c:1761)
==29487== Address 0x6848808 is 8 bytes before a block of size 24,576 alloc'd
==29487== Stack hash: 3975202275
==29487== at 0x401C882: memalign (vg_replace_malloc.c:460)
==29487== by 0x85509B4: av_malloc (mem.c:61)
==29487== by 0x8550A36: av_mallocz (mem.c:134)
==29487== by 0x834AD5D: MPV_common_init (mpegvideo.c:291)
==29487== by 0x841A39A: ff_h263_decode_frame (h263dec.c:381)
==29487== by 0x82F489F: avcodec_decode_video (utils.c:897)
==29487== by 0x81A0C19: decode (vd_ffmpeg.c:781)
==29487== by 0x80E322A: decode_video (dec_video.c:369)
==29487== by 0x8079EB6: main (mplayer.c:1761)
[mpeg4 @ 0x865ebf0]ac-tex damaged at 0 4
[mpeg4 @ 0x865ebf0]Error at MB: 36
[mpeg4 @ 0x865ebf0]concealing 56 DC, 56 AC, 56 MV errors
V: 5.8 0/ 0 152% 1% 0.0% 0 0
M==29487==
==29487== Invalid read of size 1
==29487== Stack hash: 1685611312
==29487== at 0x82BD147: ff_emulated_edge_mc (dsputil.c:522)
==29487== by 0x8354DDB: MPV_motion (mpegvideo_common.h:320)
==29487== by 0x835764A: MPV_decode_mb (mpegvideo.c:1838)
==29487== by 0x84190E4: decode_slice (h263dec.c:243)
==29487== by 0x841A220: ff_h263_decode_frame (h263dec.c:636)
==29487== by 0x82F489F: avcodec_decode_video (utils.c:897)
==29487== by 0x81A0C19: decode (vd_ffmpeg.c:781)
==29487== by 0x80E322A: decode_video (dec_video.c:369)
==29487== by 0x8079EB6: main (mplayer.c:1761)
==29487== Address 0x6848801 is 15 bytes before a block of size 24,576 alloc'd
==29487== Stack hash: 3975202275
==29487== at 0x401C882: memalign (vg_replace_malloc.c:460)
==29487== by 0x85509B4: av_malloc (mem.c:61)
==29487== by 0x8550A36: av_mallocz (mem.c:134)
==29487== by 0x834AD5D: MPV_common_init (mpegvideo.c:291)
==29487== by 0x841A39A: ff_h263_decode_frame (h263dec.c:381)
==29487== by 0x82F489F: avcodec_decode_video (utils.c:897)
==29487== by 0x81A0C19: decode (vd_ffmpeg.c:781)
==29487== by 0x80E322A: decode_video (dec_video.c:369)
==29487== by 0x8079EB6: main (mplayer.c:1761)
==29487==
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
==29487== Invalid write of size 1
==29487== Stack hash: 2765401780
==29487== at 0x82BD14B: ff_emulated_edge_mc (dsputil.c:522)
==29487== by 0x8354DDB: MPV_motion (mpegvideo_common.h:320)
==29487== by 0x835764A: MPV_decode_mb (mpegvideo.c:1838)
==29487== by 0x84190E4: decode_slice (h263dec.c:243)
==29487== by 0x841A220: ff_h263_decode_frame (h263dec.c:636)
==29487== by 0x82F489F: avcodec_decode_video (utils.c:897)
==29487== by 0x81A0C19: decode (vd_ffmpeg.c:781)
==29487== by 0x80E322A: decode_video (dec_video.c:369)
==29487== by 0x8079EB6: main (mplayer.c:1761)
==29487== Address 0x6848800 is 16 bytes before a block of size 24,576 alloc'd
==29487== Stack hash: 3975202275
==29487== at 0x401C882: memalign (vg_replace_malloc.c:460)
==29487== by 0x85509B4: av_malloc (mem.c:61)
==29487== by 0x8550A36: av_mallocz (mem.c:134)
==29487== by 0x834AD5D: MPV_common_init (mpegvideo.c:291)
==29487== by 0x841A39A: ff_h263_decode_frame (h263dec.c:381)
==29487== by 0x82F489F: avcodec_decode_video (utils.c:897)
==29487== by 0x81A0C19: decode (vd_ffmpeg.c:781)
==29487== by 0x80E322A: decode_video (dec_video.c:369)
==29487== by 0x8079EB6: main (mplayer.c:1761)
[mpeg4 @ 0x865ebf0]ac-tex damaged at 3 5
[mpeg4 @ 0x865ebf0]Error at MB: 48
[mpeg4 @ 0x865ebf0]marker does not match f_code
[mpeg4 @ 0x865ebf0]concealing 56 DC, 56 AC, 56 MV errors
V: 5.8 0/ 0 152% 1% 0.0% 0 0
M[mpeg4 @ 0x865ebf0]ac-tex damaged at 4 4
[mpeg4 @ 0x865ebf0]Error at MB: 40
[mpeg4 @ 0x865ebf0]concealing 56 DC, 56 AC, 56 MV errors
V: 5.9 0/ 0 151% 1% 0.0% 0 0
M==29487==

## omitted some more invalid reads of size 8 as well as invalid writes of size 1

==29487== Invalid read of size 1
==29487== Stack hash: 2654284825
==29487== at 0x82BD050: ff_emulated_edge_mc (dsputil.c:508)
==29487== by 0x8354DDB: MPV_motion (mpegvideo_common.h:320)
==29487== by 0x835764A: MPV_decode_mb (mpegvideo.c:1838)
==29487== by 0x84190E4: decode_slice (h263dec.c:243)
==29487== by 0x841A220: ff_h263_decode_frame (h263dec.c:636)
==29487== by 0x82F489F: avcodec_decode_video (utils.c:897)
==29487== by 0x81A0C19: decode (vd_ffmpeg.c:781)
==29487== by 0x80E322A: decode_video (dec_video.c:369)
==29487== by 0x8079EB6: main (mplayer.c:1761)
==29487== Address 0x6848800 is 16 bytes before a block of size 24,576 alloc'd
==29487== Stack hash: 3975202275
==29487== at 0x401C882: memalign (vg_replace_malloc.c:460)
==29487== by 0x85509B4: av_malloc (mem.c:61)
==29487== by 0x8550A36: av_mallocz (mem.c:134)
==29487== by 0x834AD5D: MPV_common_init (mpegvideo.c:291)
==29487== by 0x841A39A: ff_h263_decode_frame (h263dec.c:381)
==29487== by 0x82F489F: avcodec_decode_video (utils.c:897)
==29487== by 0x81A0C19: decode (vd_ffmpeg.c:781)
==29487== by 0x80E322A: decode_video (dec_video.c:369)
==29487== by 0x8079EB6: main (mplayer.c:1761)
==29487==
==29487== Invalid read of size 1
==29487== Stack hash: 3206277347
==29487== at 0x82BD05A: ff_emulated_edge_mc (dsputil.c:507)
==29487== by 0x8354DDB: MPV_motion (mpegvideo_common.h:320)
==29487== by 0x835764A: MPV_decode_mb (mpegvideo.c:1838)
==29487== by 0x84190E4: decode_slice (h263dec.c:243)
==29487== by 0x841A220: ff_h263_decode_frame (h263dec.c:636)
==29487== by 0x82F489F: avcodec_decode_video (utils.c:897)
==29487== by 0x81A0C19: decode (vd_ffmpeg.c:781)
==29487== by 0x80E322A: decode_video (dec_video.c:369)
==29487== by 0x8079EB6: main (mplayer.c:1761)
==29487== Address 0x6848802 is 14 bytes before a block of size 24,576 alloc'd
==29487== Stack hash: 3975202275
==29487== at 0x401C882: memalign (vg_replace_malloc.c:460)
==29487== by 0x85509B4: av_malloc (mem.c:61)
==29487== by 0x8550A36: av_mallocz (mem.c:134)
==29487== by 0x834AD5D: MPV_common_init (mpegvideo.c:291)
==29487== by 0x841A39A: ff_h263_decode_frame (h263dec.c:381)
==29487== by 0x82F489F: avcodec_decode_video (utils.c:897)
==29487== by 0x81A0C19: decode (vd_ffmpeg.c:781)
==29487== by 0x80E322A: decode_video (dec_video.c:369)
==29487== by 0x8079EB6: main (mplayer.c:1761)
[mpeg4 @ 0x865ebf0]1. marker bit missing in 3. esc
[mpeg4 @ 0x865ebf0]Error at MB: 39
[mpeg4 @ 0x865ebf0]concealing 56 DC, 56 AC, 56 MV errors
V: 6.1 0/ 0 147% 1% 0.0% 0 0 M[mpeg4 @ 0x865ebf0]ac-tex damaged at 1 3
[mpeg4 @ 0x865ebf0]Error at MB: 28
[mpeg4 @ 0x865ebf0]concealing 56 DC, 56 AC, 56 MV errors
V: 6.1 0/ 0 147% 1% 0.0% 0 0
MV: 6.2 0/ 0 146% 1% 0.0% 0 0 M[mpeg4 @ 0x865ebf0]ac-tex
damaged at 5 4
[mpeg4 @ 0x865ebf0]Error at MB: 41
[mpeg4 @ 0x865ebf0]concealing 56 DC, 56 AC, 56 MV errors
V: 6.2 0/ 0 145% 1% 0.0% 0 0
MVDec: vo config request - 160 x 112 (preferred colorspace: Planar YV12)
VDec: using Planar YV12 as output csp (no 0)
Movie-Aspect is 1.43:1 - prescaling to correct movie aspect.
VO: [x11] 160x112 => 160x112 Planar YV12
[mpeg4 @ 0x865ebf0]I cbpy damaged at 4 0
[mpeg4 @ 0x865ebf0]Error at MB: 4
[mpeg4 @ 0x865ebf0]concealing 70 DC, 70 AC, 70 MV errors
[mpeg4 @ 0x865ebf0]Error at MB: 23
Marker bit missing before time_increment in video packed header
Marker bit missing before vop_coding_type in video packed header
[mpeg4 @ 0x865ebf0]Error, video packet header damaged (f_code=0)
[mpeg4 @ 0x865ebf0]dc marker bit missing
[mpeg4 @ 0x865ebf0]Error at MB: 41
[mpeg4 @ 0x865ebf0]concealing 70 DC, 70 AC, 70 MV errors
V: 6.3 0/ 0 144% 1% 0.0% 0 0 M[mpeg4 @ 0x865ebf0]Error at MB: 0
[mpeg4 @ 0x865ebf0]concealing 70 DC, 70 AC, 70 MV errors
V: 6.3 0/ 0 143% 1% 0.0% 0 0
M[mpeg4 @ 0x865ebf0]dc marker bit missing
[mpeg4 @ 0x865ebf0]Error at MB: 30
[mpeg4 @ 0x865ebf0]concealing 70 DC, 70 AC, 70 MV errors

## omitted lines that repeated with some variation from V: 6.3 to V: 12.2

V: 12.2 0/ 0 91% 1% 0.0% 0 0 M[mpeg4 @ 0x865ebf0]ac-tex damaged at 5 6
[mpeg4 @ 0x865ebf0]Error at MB: 71
[mpeg4 @ 0x865ebf0]marker does not match f_code
Marker bit missing before time_increment in video packed header
Marker bit missing before vop_coding_type in video packed header
[mpeg4 @ 0x865ebf0]concealing 54 DC, 54 AC, 54 MV errors
V: 12.2 0/ 0 91% 1% 0.0% 0 0
MV: 12.3 0/ 0 91% 1% 0.0% 0 0 MV: 12.3 0/ 0 91% 1%
0.0% 0 0
M[mpeg4 @ 0x865ebf0]ac-tex damaged at 3
3
[mpeg4 @ 0x865ebf0]Error at MB: 36
[mpeg4 @ 0x865ebf0]concealing 70 DC, 70 AC, 70 MV errors
V: 12.4 0/ 0 91% 1% 0.0% 0 0 MV: 12.4 0/ 0 91% 1% 0.0% 0 0 MMarker bit missing before
time_increment_resolution
Marker bit missing before fixed_vop_rate
[NULL @ 0x865ebf0]Complexity estimation not supported
Marker bit missing before time_increment_resolution

## omitted lines that repeated

Marker bit missing before fixed_vop_rate
[mpeg4 @ 0x865ebf0]Complexity estimation not supported
[mpeg4 @ 0x865ebf0]header damaged
Error while decoding frame!
V: 12.4 0/ 0 91% 1% 0.0% 0 0

Exiting... (End of file)
==29487==
==29487== ERROR SUMMARY: 1550 errors from 34 contexts (suppressed: 27 from 1)
==29487== malloc/free: in use at exit: 54,378 bytes in 313 blocks.
==29487== malloc/free: 5,484 allocs, 5,171 frees, 22,607,093 bytes allocated.
==29487== For counts of detected errors, rerun with: -v
==29487== searching for pointers to 313 not-freed blocks.
==29487== checked 2,961,744 bytes.
==29487==
==29487== LEAK SUMMARY:
==29487== definitely lost: 132 bytes in 7 blocks.
==29487== possibly lost: 0 bytes in 0 blocks.
==29487== still reachable: 54,246 bytes in 306 blocks.
==29487== suppressed: 0 bytes in 0 blocks.
==29487== Rerun with --leak-check=full to see details of leaked memory.

This bug was found using the Zzuf fuzzer. It was found as part of the
SUPERB-TRUST 2008 project ( see http://www.truststc.org/superb/ ) and the
metafuzz project ( see http://metafuzz.com/, stack hash 2634611563 ).

Let me know if I can provide more information or some of the omitted parts of the stack trace.
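The memcheck blocks in this log can be triaged mechanically. The script below is an added example (not the reporter's or MPlayer's code): it parses "Invalid read/write" blocks in the format shown above, works out how many bytes of each access fall outside the heap block Valgrind names, and ranks out-of-bounds writes (such as the one in ff_emulated_edge_mc landing 16 bytes before the av_mallocz block) above reads. The sample lines are copied from this ticket's log; the severity scale is an assumption.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: three error blocks copied from the ticket's log, trimmed to the
# frames that matter (the "Stack hash" lines that metafuzz adds are simply ignored).
SAMPLE_LOG = """\
==29487== Invalid write of size 1
==29487==    at 0x82BCFD5: ff_emulated_edge_mc (dsputil.c:501)
==29487==    by 0x8354DDB: MPV_motion (mpegvideo_common.h:320)
==29487==  Address 0x6848800 is 16 bytes before a block of size 24,576 alloc'd
==29487==    at 0x401C882: memalign (vg_replace_malloc.c:460)
==29487==    by 0x834AD5D: MPV_common_init (mpegvideo.c:291)
==29487==
==29487== Invalid read of size 8
==29487==    at 0x82F6058: put_no_rnd_pixels8_xy2_mmx (dsputil_mmx_rnd.h:242)
==29487==  Address 0x6848808 is 8 bytes before a block of size 24,576 alloc'd
==29487==    at 0x401C882: memalign (vg_replace_malloc.c:460)
==29487==
==29487== Invalid read of size 4
==29487==    at 0x4010E00: (within /lib/ld-2.3.6.so)
==29487==  Address 0x4492920 is 24 bytes inside a block of size 25 alloc'd
==29487==    at 0x401D898: malloc (vg_replace_malloc.c:207)
==29487==
"""

PID_PREFIX = re.compile(r"^==\d+==")
HEADER = re.compile(r"^Invalid (read|write) of size (\d+)$")
FRAME = re.compile(r"^(?:at|by) 0x[0-9A-Fa-f]+: (.+)$")
ADDRESS = re.compile(r"^Address 0x[0-9A-Fa-f]+ is ([\d,]+) bytes (before|after|inside) "
                     r"a block of size ([\d,]+) alloc'd$")

@dataclass
class MemError:
    kind: str                       # "read" or "write"
    size: int                       # bytes accessed
    frames: list = field(default_factory=list)        # access stack, innermost first
    relation: str = ""              # before / after / inside the heap block
    offset: int = 0                 # distance Valgrind reports
    block_size: int = 0
    alloc_frames: list = field(default_factory=list)  # allocation stack, innermost first

    def bytes_outside(self) -> int:
        """How many of the accessed bytes fall outside the heap block."""
        if self.relation == "before":
            return min(self.size, self.offset)
        if self.relation == "inside":   # access starts inside but may run off the end
            return max(0, self.offset + self.size - self.block_size)
        return self.size if self.relation == "after" else 0

    def severity(self) -> str:
        """Assumed scale: out-of-bounds writes corrupt neighbouring heap data (high),
        out-of-bounds reads leak or crash (medium), anything else is low."""
        if self.bytes_outside() == 0:
            return "low"
        return "high" if self.kind == "write" else "medium"

def parse_memcheck(text: str) -> list:
    """Parse memcheck 'Invalid read/write' blocks into MemError records."""
    errors, cur, in_alloc = [], None, False
    for raw in text.splitlines():
        line = PID_PREFIX.sub("", raw).strip()
        if not line:                    # a bare "==pid==" line terminates the block
            cur, in_alloc = None, False
        elif m := HEADER.match(line):
            cur = MemError(kind=m.group(1), size=int(m.group(2)))
            errors.append(cur)
            in_alloc = False
        elif cur and (m := ADDRESS.match(line)):
            cur.offset = int(m.group(1).replace(",", ""))
            cur.relation = m.group(2)
            cur.block_size = int(m.group(3).replace(",", ""))
            in_alloc = True             # frames that follow are the allocation stack
        elif cur and (m := FRAME.match(line)):
            (cur.alloc_frames if in_alloc else cur.frames).append(m.group(1))
    return errors
```

Running `parse_memcheck` over the full log from the ticket and sorting by `severity()` puts the dsputil.c:501 write first, with its allocation site in MPV_common_init, which is the finding worth a maintainer's attention before the benign-looking ld.so reads.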

Change History (1)

comment:1 Changed 8 years ago by compn

  • Owner changed from r_togni@… to reimar