Opened 11 years ago

Last modified 9 years ago

#1206 new defect

Error in Video Decoding: Uninitialised Value

Reported by: sckhan@… Owned by: reimar
Priority: normal Component: vd
Version: HEAD Severity: normal
Keywords: Cc: catchconv-bugreports@…
Blocked By: Blocking:
Reproduced by developer: Analyzed by developer:

Description

The following report is for the SUPERB-TRUST 2008, the cyber security project.

#Error found at test case .mp4 file for mplayer version (dev-SVN-r27305-4.1.2)
valgrind report the Invalid Read.

#The test case is "numerator.mp4" can be found at the URL

*http://www.eecs.berkeley.edu/~sckhan/numerator.mp4

#Reproducible with the following command

*valgrind mplayer

Can also be run as:

*valgrind --log-file=log26 mplayer numerator.mp4

#OS: Debian Etch Linux

#Valgrind output:

==12972== Memcheck, a memory error detector.
==12972== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==12972== Using LibVEX rev 1854, a library for dynamic binary translation.
==12972== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks? LLP.
==12972== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==12972== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==12972== For more details, rerun with: -v
==12972==
==12972== My PID = 12972, parent PID = 3044. Prog and args are:
==12972== mplayer
==12972== numerator.mp4
==12972==
==12972== Conditional jump or move depends on uninitialised value(s)
==12972== Stack hash: 1090911266
==12972== at 0x8455B7F: decode_seq_parameter_set (golomb.h:60)
==12972== by 0x8457407: decode_nal_units (h264.c:7615)
==12972== by 0x84587BC: decode_frame (h264.c:7745)
==12972== by 0x82ECCEF: avcodec_decode_video (utils.c:897)
==12972== by 0x8199049: decode (vd_ffmpeg.c:781)
==12972== by 0x80DB6CA: decode_video (dec_video.c:369)
==12972== by 0x80786B6: main (mplayer.c:1761)
==12972==
==12972== Conditional jump or move depends on uninitialised value(s)
==12972== Stack hash: 3093939245
==12972== at 0x8455BB2: decode_seq_parameter_set (golomb.h:60)
==12972== by 0x8457407: decode_nal_units (h264.c:7615)
==12972== by 0x84587BC: decode_frame (h264.c:7745)
==12972== by 0x82ECCEF: avcodec_decode_video (utils.c:897)
==12972== by 0x8199049: decode (vd_ffmpeg.c:781)
==12972== by 0x80DB6CA: decode_video (dec_video.c:369)
==12972== by 0x80786B6: main (mplayer.c:1761)
==12972==
==12972== Conditional jump or move depends on uninitialised value(s)
==12972== Stack hash: 2418701129
==12972== at 0x8455BEE: decode_seq_parameter_set (golomb.h:60)
==12972== by 0x8457407: decode_nal_units (h264.c:7615)
==12972== by 0x84587BC: decode_frame (h264.c:7745)
==12972== by 0x82ECCEF: avcodec_decode_video (utils.c:897)
==12972== by 0x8199049: decode (vd_ffmpeg.c:781)
==12972== by 0x80DB6CA: decode_video (dec_video.c:369)
==12972== by 0x80786B6: main (mplayer.c:1761)
==12972==
==12972== Use of uninitialised value of size 4
==12972== Stack hash: 1806502896
==12972== at 0x843BE3C: decode_residual (bitstream.h:856)
==12972== by 0x84514A9: decode_mb_cavlc (h264.c:4937)
==12972== by 0x84550BF: decode_slice (h264.c:6866)
==12972== by 0x845551B: execute_decode_slices (h264.c:7455)
==12972== by 0x8457C31: decode_nal_units (h264.c:7641)
==12972== by 0x8458834: decode_frame (h264.c:7772)
==12972== by 0x82ECCEF: avcodec_decode_video (utils.c:897)
==12972== by 0x8199049: decode (vd_ffmpeg.c:781)
==12972== by 0x80DB6CA: decode_video (dec_video.c:369)
==12972== by 0x80786B6: main (mplayer.c:1761)
==12972==
==12972== Use of uninitialised value of size 4
==12972== Stack hash: 1466949081
==12972== at 0x843BF51: decode_residual (bitstream.h:856)
==12972== by 0x84514A9: decode_mb_cavlc (h264.c:4937)
==12972== by 0x84550BF: decode_slice (h264.c:6866)
==12972== by 0x845551B: execute_decode_slices (h264.c:7455)
==12972== by 0x8457C31: decode_nal_units (h264.c:7641)
==12972== by 0x8458834: decode_frame (h264.c:7772)
==12972== by 0x82ECCEF: avcodec_decode_video (utils.c:897)
==12972== by 0x8199049: decode (vd_ffmpeg.c:781)
==12972== by 0x80DB6CA: decode_video (dec_video.c:369)
==12972== by 0x80786B6: main (mplayer.c:1761)
==12972==
==12972== ERROR SUMMARY: 6 errors from 5 contexts (suppressed: 19 from 1)
==12972== malloc/free: in use at exit: 73,692 bytes in 47 blocks.
==12972== malloc/free: 6,435 allocs, 6,388 frees, 40,717,793 bytes allocated.
==12972== For counts of detected errors, rerun with: -v
==12972== searching for pointers to 47 not-freed blocks.
==12972== checked 2,940,280 bytes.
==12972==
==12972== LEAK SUMMARY:
==12972== definitely lost: 30 bytes in 3 blocks.
==12972== possibly lost: 0 bytes in 0 blocks.
==12972== still reachable: 73,662 bytes in 44 blocks.
==12972== suppressed: 0 bytes in 0 blocks.
==12972== Rerun with --leak-check=full to see details of leaked memory.

*This report to inform the error found in Mplayer using the test case:
4-mp3audioproblem.mp4 with Stack hash: 1466949081 and back-trace
at: decode_residual (bitstream.h:856)& decode_mb_cavlc (h264.c:4937).

#The bug is found in making comparison of the fuzzing tools and is a part of
the metafuzz project.

*URL at: metafuzz.com

Change History (1)

comment:1 Changed 9 years ago by compn

  • Owner changed from r_togni@… to reimar
Note: See TracTickets for help on using tickets.