Opened 16 years ago

Last modified 13 years ago

#1206 new defect

Error in Video Decoding: Uninitialised Value

Reported by: sckhan@… Owned by: reimar
Priority: normal Component: vd
Version: HEAD Severity: normal
Keywords: Cc: catchconv-bugreports@…
Blocked By: Blocking:
Reproduced by developer: no Analyzed by developer: no

Description

The following report is for SUPERB-TRUST 2008, the cyber security project.

#Error found with a test case .mp4 file for mplayer version (dev-SVN-r27305-4.1.2);
valgrind reports an Invalid Read.

#The test case is "numerator.mp4" and can be found at the URL

*http://www.eecs.berkeley.edu/~sckhan/numerator.mp4

#Reproducible with the following command

*valgrind mplayer

Can also be run as:

*valgrind --log-file=log26 mplayer numerator.mp4

#OS: Debian Etch Linux

#Valgrind output:

==12972== Memcheck, a memory error detector.
==12972== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==12972== Using LibVEX rev 1854, a library for dynamic binary translation.
==12972== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==12972== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==12972== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==12972== For more details, rerun with: -v
==12972==
==12972== My PID = 12972, parent PID = 3044. Prog and args are:
==12972== mplayer
==12972== numerator.mp4
==12972==
==12972== Conditional jump or move depends on uninitialised value(s)
==12972== Stack hash: 1090911266
==12972== at 0x8455B7F: decode_seq_parameter_set (golomb.h:60)
==12972== by 0x8457407: decode_nal_units (h264.c:7615)
==12972== by 0x84587BC: decode_frame (h264.c:7745)
==12972== by 0x82ECCEF: avcodec_decode_video (utils.c:897)
==12972== by 0x8199049: decode (vd_ffmpeg.c:781)
==12972== by 0x80DB6CA: decode_video (dec_video.c:369)
==12972== by 0x80786B6: main (mplayer.c:1761)
==12972==
==12972== Conditional jump or move depends on uninitialised value(s)
==12972== Stack hash: 3093939245
==12972== at 0x8455BB2: decode_seq_parameter_set (golomb.h:60)
==12972== by 0x8457407: decode_nal_units (h264.c:7615)
==12972== by 0x84587BC: decode_frame (h264.c:7745)
==12972== by 0x82ECCEF: avcodec_decode_video (utils.c:897)
==12972== by 0x8199049: decode (vd_ffmpeg.c:781)
==12972== by 0x80DB6CA: decode_video (dec_video.c:369)
==12972== by 0x80786B6: main (mplayer.c:1761)
==12972==
==12972== Conditional jump or move depends on uninitialised value(s)
==12972== Stack hash: 2418701129
==12972== at 0x8455BEE: decode_seq_parameter_set (golomb.h:60)
==12972== by 0x8457407: decode_nal_units (h264.c:7615)
==12972== by 0x84587BC: decode_frame (h264.c:7745)
==12972== by 0x82ECCEF: avcodec_decode_video (utils.c:897)
==12972== by 0x8199049: decode (vd_ffmpeg.c:781)
==12972== by 0x80DB6CA: decode_video (dec_video.c:369)
==12972== by 0x80786B6: main (mplayer.c:1761)
==12972==
==12972== Use of uninitialised value of size 4
==12972== Stack hash: 1806502896
==12972== at 0x843BE3C: decode_residual (bitstream.h:856)
==12972== by 0x84514A9: decode_mb_cavlc (h264.c:4937)
==12972== by 0x84550BF: decode_slice (h264.c:6866)
==12972== by 0x845551B: execute_decode_slices (h264.c:7455)
==12972== by 0x8457C31: decode_nal_units (h264.c:7641)
==12972== by 0x8458834: decode_frame (h264.c:7772)
==12972== by 0x82ECCEF: avcodec_decode_video (utils.c:897)
==12972== by 0x8199049: decode (vd_ffmpeg.c:781)
==12972== by 0x80DB6CA: decode_video (dec_video.c:369)
==12972== by 0x80786B6: main (mplayer.c:1761)
==12972==
==12972== Use of uninitialised value of size 4
==12972== Stack hash: 1466949081
==12972== at 0x843BF51: decode_residual (bitstream.h:856)
==12972== by 0x84514A9: decode_mb_cavlc (h264.c:4937)
==12972== by 0x84550BF: decode_slice (h264.c:6866)
==12972== by 0x845551B: execute_decode_slices (h264.c:7455)
==12972== by 0x8457C31: decode_nal_units (h264.c:7641)
==12972== by 0x8458834: decode_frame (h264.c:7772)
==12972== by 0x82ECCEF: avcodec_decode_video (utils.c:897)
==12972== by 0x8199049: decode (vd_ffmpeg.c:781)
==12972== by 0x80DB6CA: decode_video (dec_video.c:369)
==12972== by 0x80786B6: main (mplayer.c:1761)
==12972==
==12972== ERROR SUMMARY: 6 errors from 5 contexts (suppressed: 19 from 1)
==12972== malloc/free: in use at exit: 73,692 bytes in 47 blocks.
==12972== malloc/free: 6,435 allocs, 6,388 frees, 40,717,793 bytes allocated.
==12972== For counts of detected errors, rerun with: -v
==12972== searching for pointers to 47 not-freed blocks.
==12972== checked 2,940,280 bytes.
==12972==
==12972== LEAK SUMMARY:
==12972== definitely lost: 30 bytes in 3 blocks.
==12972== possibly lost: 0 bytes in 0 blocks.
==12972== still reachable: 73,662 bytes in 44 blocks.
==12972== suppressed: 0 bytes in 0 blocks.
==12972== Rerun with --leak-check=full to see details of leaked memory.

*This report is to inform of the error found in MPlayer using the test case
4-mp3audioproblem.mp4, with Stack hash: 1466949081 and back-trace
at: decode_residual (bitstream.h:856) & decode_mb_cavlc (h264.c:4937).

#The bug was found while comparing fuzzing tools and is part of
the metafuzz project.

*URL at: metafuzz.com
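The first three valgrind contexts above sit in decode_seq_parameter_set at golomb.h:60, i.e. while reading Exp-Golomb (ue(v)) fields out of a fuzzed SPS. The example below is an added illustration for this ticket, not FFmpeg's golomb.h or h264.c and not an analysis of what numerator.mp4 actually triggers: it shows the property a practitioner wants from such a reader, namely that every bit fetch is checked against the buffer length, so a truncated or mutated SPS fails with an error instead of the decoder branching on bits that were never initialised. BitReader, br_read_ue, decode_ue_list, parse_sps_prefix and the two sample byte arrays are all assumptions made for this example.

```c
/* Bounds-checked Exp-Golomb reading for H.264 SPS parsing.
 * Added illustration for this ticket; not FFmpeg's golomb.h or h264.c. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample inputs, not bytes from numerator.mp4. */
static const uint8_t kGolombSample[] = { 0xA6, 0x42 }; /* bits: 1 010 011 00100 0010 */
static const uint8_t kSpsSample[]    = { 0x42, 0x00, 0x1E, 0x80 }; /* profile 66, level 30, sps_id 0 */

typedef struct {
    const uint8_t *buf;
    size_t size_bits;  /* total bits available */
    size_t pos;        /* current bit position */
} BitReader;

static void br_init(BitReader *br, const uint8_t *buf, size_t len)
{
    br->buf = buf;
    br->size_bits = len * 8;
    br->pos = 0;
}

/* Read n (<= 32) bits MSB-first. Returns -1 if fewer than n bits remain,
 * which is the check an unchecked reader lacks. */
static int br_read_bits(BitReader *br, unsigned n, uint32_t *out)
{
    uint32_t v = 0;
    if (n > 32 || br->size_bits - br->pos < n)
        return -1;
    for (unsigned i = 0; i < n; i++) {
        size_t p = br->pos + i;
        v = (v << 1) | ((br->buf[p >> 3] >> (7 - (p & 7))) & 1u);
    }
    br->pos += n;
    *out = v;
    return 0;
}

/* ue(v): leadingZeroBits zeros, a 1, then leadingZeroBits suffix bits;
 * codeNum = 2^leadingZeroBits - 1 + suffix. */
static int br_read_ue(BitReader *br, uint32_t *out)
{
    unsigned zeros = 0;
    uint32_t bit, suffix = 0;
    for (;;) {
        if (br_read_bits(br, 1, &bit) < 0)
            return -1;            /* buffer ended inside the zero prefix */
        if (bit)
            break;
        if (++zeros > 31)
            return -1;            /* malformed: codeword longer than ue(v) allows */
    }
    if (zeros && br_read_bits(br, zeros, &suffix) < 0)
        return -1;                /* buffer ended inside the suffix */
    *out = ((1u << zeros) - 1u) + suffix;
    return 0;
}

/* Decode exactly count ue(v) values. 0 on success, -1 if any codeword
 * extends past the end of buf. */
int decode_ue_list(const uint8_t *buf, size_t len, uint32_t *out, size_t count)
{
    BitReader br;
    br_init(&br, buf, len);
    for (size_t i = 0; i < count; i++)
        if (br_read_ue(&br, &out[i]) < 0)
            return -1;
    return 0;
}

/* Fixed-width fields that open an H.264 SPS RBSP plus its first ue(v) field. */
typedef struct {
    uint32_t profile_idc;
    uint32_t constraint_flags;
    uint32_t level_idc;
    uint32_t sps_id;
} SpsPrefix;

int parse_sps_prefix(const uint8_t *rbsp, size_t len, SpsPrefix *sps)
{
    BitReader br;
    br_init(&br, rbsp, len);
    if (br_read_bits(&br, 8, &sps->profile_idc) < 0 ||
        br_read_bits(&br, 8, &sps->constraint_flags) < 0 ||
        br_read_bits(&br, 8, &sps->level_idc) < 0 ||
        br_read_ue(&br, &sps->sps_id) < 0)
        return -1;
    return 0;
}

int main(void)
{
    uint32_t v[5];
    SpsPrefix p;
    printf("4 codes from 2 bytes: %d\n", decode_ue_list(kGolombSample, sizeof kGolombSample, v, 4));
    printf("5 codes from 2 bytes: %d\n", decode_ue_list(kGolombSample, sizeof kGolombSample, v, 5));
    printf("full SPS prefix: %d\n", parse_sps_prefix(kSpsSample, sizeof kSpsSample, &p));
    printf("SPS prefix cut to 3 bytes: %d\n", parse_sps_prefix(kSpsSample, 3, &p));
    return 0;
}
```

The fifth codeword in kGolombSample ("0010" with only one bit left after the 1) and the three-byte SPS prefix are the truncation cases: both return -1 rather than reading on. Running a decoder built this way under valgrind, as the reporter did, is still worthwhile, since Memcheck catches the cases where a check like this is missing.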

Change History (1)

comment:1 by compn, 13 years ago

Owner: changed from r_togni@… to reimar