Demuxer: Invalid Write

[sckhan@…]

The following report is for the SUPERB-TRUST 2008, the cyber security project.

#Error found at test case .mp4 file for mplayer version (dev-SVN-r27270-4.1.2)
valgrind report the Invalid Read.

#The test case is "4-mp3audioproblem.mp4" can be found at the URL

*​http://www.eecs.berkeley.edu/~sckhan/4-mp3audioproblem.mp4

#Reproducible with the following command

*valgrind mplayer

Can also be run as:

*valgrind --log-file=log25 mplayer 4-mp3audioproblem.mp4

#OS: Debian Etch Linux

#Valgrind output:

==11265== Memcheck, a memory error detector.
==11265== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==11265== Using LibVEX rev 1854, a library for dynamic binary translation.
==11265== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==11265== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==11265== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==11265== For more details, rerun with: -v
==11265==
==11265== My PID = 11265, parent PID = 3044. Prog and args are:
==11265== mplayer
==11265== 4-mp3audioproblem.mp4
==11265==
==11265== Invalid write of size 4
==11265== Stack hash: 4106567837
==11265== at 0x813DE59: lschunks_intrak (demux_mov.c:1800)
==11265== by 0x813A290: lschunks (demux_mov.c:1286)
==11265== by 0x813C762: lschunks_intrak (demux_mov.c:1867)
==11265== by 0x813A290: lschunks (demux_mov.c:1286)
==11265== by 0x813C762: lschunks_intrak (demux_mov.c:1867)
==11265== by 0x813A290: lschunks (demux_mov.c:1286)
==11265== by 0x813C762: lschunks_intrak (demux_mov.c:1867)
==11265== by 0x813A290: lschunks (demux_mov.c:1286)
==11265== by 0x813A90E: lschunks (demux_mov.c:1314)
==11265== by 0x813C1E5: mov_read_header (demux_mov.c:1934)
==11265== by 0x811E23E: demux_open_stream (demuxer.c:864)
==11265== by 0x811E511: demux_open (demuxer.c:991)
==11265== Address 0x4 is not stack'd, malloc'd or (recently) free'd
==11265==
==11265== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 19 from 1)
==11265== malloc/free: in use at exit: 310,105 bytes in 2,188 blocks.
==11265== malloc/free: 2,326 allocs, 138 frees, 1,468,375 bytes allocated.
==11265== For counts of detected errors, rerun with: -v
==11265== searching for pointers to 2,188 not-freed blocks.
==11265== checked 3,175,992 bytes.
==11265==
==11265== LEAK SUMMARY:
==11265== definitely lost: 2,244 bytes in 5 blocks.
==11265== possibly lost: 0 bytes in 0 blocks.
==11265== still reachable: 307,861 bytes in 2,183 blocks.
==11265== suppressed: 0 bytes in 0 blocks.
==11265== Rerun with --leak-check=full to see details of leaked memory.

*This report to inform the error found in Mplayer where it crashes in running
test case: 4-mp3audioproblem.mp4 with Stack hash: 4106567837 and back-trace
at: lschunks_intrak (demux_mov.c:1800).

*Mplayer Crashed Info*

MPlayer interrupted by signal 11 in module: demux_open

• MPlayer crashed by bad usage of CPU/FPU/RAM. Recompile MPlayer with --enable-debug and make a 'gdb' backtrace and disassembly. Details in DOCS/HTML/en/bugreports_what.html#bugreports_crash.
• MPlayer crashed. This shouldn't happen. It can be a bug in the MPlayer code _or_ in your drivers _or_ in your gcc version. If you think it's MPlayer's fault, please read DOCS/HTML/en/bugreports.html and follow the instructions there. We can't and won't help unless you provide this information when reporting a possible bug.

The debugged info of crash can be seen at URL:
<​http://www.eecs.berkeley.edu/~sckhan/crash5>

#The bug is found in making comparison of the fuzzing tools and is a part of
the metafuzz project.

*URL at: metafuzz.com

[sckhan@…]

*Mplayer Version*
The mplayer version mentioned in the report was incorrect. It is supposed to be:

---------------------------------------

| mplayer version (dev-SVN-r27305-4.1.2) |

---------------------------------------

[compn]

demux_mov is no longer default mov demuxer.

closing demux_mov bugs...

file works with demuxer lavf (now default)
sample url is 404 , can be found at
​http://samples.mplayerhq.hu/mov/mp4/mp3audioproblem.mp4