Opened 11 years ago

Closed 8 years ago

#1207 closed defect (worksforme)

Error in Video Decoding: Conditional jump or move depends on uninitialised value(s)

Reported by: sckhan@… Owned by: reimar
Priority: normal Component: vd
Version: HEAD Severity: normal
Keywords: Cc: catchconv-bugreports@…
Blocked By: Blocking:
Reproduced by developer: Analyzed by developer:

Description

The following report is for the SUPERB-TRUST 2008, the cyber security project.

#Error found at test case .mp4 file for mplayer version (dev-SVN-r27305-4.1.2);
valgrind reports the Invalid Read.

#The test case is "innovation.mp4" can be found at the URL

*http://www.eecs.berkeley.edu/~sckhan/innovation.mp4

#Reproducible with the following command

*valgrind mplayer

Can also be run as:

*valgrind --log-file=log28 mplayer innovation.mp4

#OS: Debian Etch Linux

#Valgrind output:

==15631== Memcheck, a memory error detector.
==15631== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==15631== Using LibVEX rev 1854, a library for dynamic binary translation.
==15631== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==15631== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==15631== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==15631== For more details, rerun with: -v
==15631==
==15631== My PID = 15631, parent PID = 2865. Prog and args are:
==15631== mplayer
==15631== innovation.mp4
==15631==
==15631== Conditional jump or move depends on uninitialised value(s)
==15631== Stack hash: 1277775230
==15631== at 0x84534A3: decode_mb_cavlc (golomb.h:145)
==15631== by 0x84550BF: decode_slice (h264.c:6866)
==15631== by 0x845551B: execute_decode_slices (h264.c:7455)
==15631== by 0x8457C31: decode_nal_units (h264.c:7641)
==15631== by 0x8458834: decode_frame (h264.c:7772)
==15631== by 0x82ECCEF: avcodec_decode_video (utils.c:897)
==15631== by 0x8199049: decode (vd_ffmpeg.c:781)
==15631== by 0x80DB6CA: decode_video (dec_video.c:369)
==15631== by 0x80786B6: main (mplayer.c:1761)
==15631==
==15631== Conditional jump or move depends on uninitialised value(s)
==15631== Stack hash: 1358373215
==15631== at 0x84515A4: decode_mb_cavlc (golomb.h:60)
==15631== by 0x84550BF: decode_slice (h264.c:6866)
==15631== by 0x845551B: execute_decode_slices (h264.c:7455)
==15631== by 0x8457C31: decode_nal_units (h264.c:7641)
==15631== by 0x8458834: decode_frame (h264.c:7772)
==15631== by 0x82ECCEF: avcodec_decode_video (utils.c:897)
==15631== by 0x8199049: decode (vd_ffmpeg.c:781)
==15631== by 0x80DB6CA: decode_video (dec_video.c:369)
==15631== by 0x80786B6: main (mplayer.c:1761)
==15631==
==15631== Conditional jump or move depends on uninitialised value(s)
==15631== Stack hash: 1482017514
==15631== at 0x8450B8F: decode_mb_cavlc (golomb.h:60)
==15631== by 0x84550BF: decode_slice (h264.c:6866)
==15631== by 0x845551B: execute_decode_slices (h264.c:7455)
==15631== by 0x8457C31: decode_nal_units (h264.c:7641)
==15631== by 0x8458834: decode_frame (h264.c:7772)
==15631== by 0x82ECCEF: avcodec_decode_video (utils.c:897)
==15631== by 0x8199049: decode (vd_ffmpeg.c:781)
==15631== by 0x80DB6CA: decode_video (dec_video.c:369)
==15631== by 0x80786B6: main (mplayer.c:1761)
==15631==
==15631== Conditional jump or move depends on uninitialised value(s)
==15631== Stack hash: 911728638
==15631== at 0x843C4AF: decode_residual (common.h:126)
==15631== by 0x84529D8: decode_mb_cavlc (h264.c:4947)
==15631== by 0x84550BF: decode_slice (h264.c:6866)
==15631== by 0x845551B: execute_decode_slices (h264.c:7455)
==15631== by 0x8457C31: decode_nal_units (h264.c:7641)
==15631== by 0x8458834: decode_frame (h264.c:7772)
==15631== by 0x82ECCEF: avcodec_decode_video (utils.c:897)
==15631== by 0x8199049: decode (vd_ffmpeg.c:781)
==15631== by 0x80DB6CA: decode_video (dec_video.c:369)
==15631== by 0x80786B6: main (mplayer.c:1761)
==15631==
==15631== ERROR SUMMARY: 4 errors from 4 contexts (suppressed: 19 from 1)
==15631== malloc/free: in use at exit: 73,692 bytes in 47 blocks.
==15631== malloc/free: 40,929 allocs, 40,882 frees, 19,431,243 bytes allocated.
==15631== For counts of detected errors, rerun with: -v
==15631== searching for pointers to 47 not-freed blocks.
==15631== checked 2,940,320 bytes.
==15631==
==15631== LEAK SUMMARY:
==15631== definitely lost: 30 bytes in 3 blocks.
==15631== possibly lost: 0 bytes in 0 blocks.
==15631== still reachable: 73,662 bytes in 44 blocks.
==15631== suppressed: 0 bytes in 0 blocks.
==15631== Rerun with --leak-check=full to see details of leaked memory.

*This report is to inform of the error found in MPlayer using the test case
innovation.mp4, with Stack hash 911728638 and back-trace
at decode_residual (common.h:126).

#The bug was found while making a comparison of fuzzing tools and is part of
the metafuzz project.

*URL at: metafuzz.com
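The reproduction steps above run mplayer under Valgrind and the reporter picks one error out of the log by its Stack hash; when a fuzzing run produces many such logs, the useful first step is to parse them and bucket errors by stack so duplicates collapse. The following is an added Python example, not code from the ticket, MPlayer or the metafuzz project: it parses Memcheck output into records and groups them by the "Stack hash" line (assumed to come from the reporter's tooling, since stock Valgrind prints no such line, so the code falls back to the innermost frames when it is absent). The log excerpt is constructed from the ticket's output, not the original file.

```python
import re

# Constructed excerpt modelled on the ticket's Memcheck log (not the original file);
# the third record omits "Stack hash", which stock Valgrind does not print.
SAMPLE_LOG = """\
==15631== Conditional jump or move depends on uninitialised value(s)
==15631== Stack hash: 1277775230
==15631==    at 0x84534A3: decode_mb_cavlc (golomb.h:145)
==15631==    by 0x84550BF: decode_slice (h264.c:6866)
==15631==
==15631== Conditional jump or move depends on uninitialised value(s)
==15631== Stack hash: 1358373215
==15631==    at 0x84515A4: decode_mb_cavlc (golomb.h:60)
==15631==
==15631== Conditional jump or move depends on uninitialised value(s)
==15631==    at 0x843C4AF: decode_residual (common.h:126)
==15631==    by 0x84529D8: decode_mb_cavlc (h264.c:4947)
==15631==
"""

PREFIX = re.compile(r"^==\d+==\s?(.*)$")          # "==PID== " prefix on every Memcheck line
FRAME = re.compile(r"^(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((.+)\)$")
STACK_HASH = re.compile(r"^Stack hash: (\d+)$")   # assumed to come from the reporter's tooling
ERROR_KINDS = ("Conditional jump or move depends on uninitialised value",
               "Use of uninitialised value", "Invalid read", "Invalid write")

def parse_memcheck(text):
    # Returns one record per error: kind, stack hash (or None), frames innermost-first.
    errors, cur = [], None
    for m in filter(None, map(PREFIX.match, text.splitlines())):  # skip non-Memcheck lines
        line = m.group(1).strip()
        if line.startswith(ERROR_KINDS):
            cur = {"kind": line, "stack_hash": None, "frames": []}
            errors.append(cur)
        elif cur is not None and STACK_HASH.match(line):
            cur["stack_hash"] = STACK_HASH.match(line).group(1)
        elif cur is not None and FRAME.match(line):
            cur["frames"].append(FRAME.match(line).groups())  # (function, file:line)
        else:
            cur = None                            # blank line or summary closes the record
    return errors

def triage(errors, depth=3):
    # Bucket records by Stack hash, falling back to the innermost `depth` frames.
    buckets = {}
    for e in errors:
        key = e["stack_hash"] or "|".join("%s@%s" % f for f in e["frames"][:depth])
        b = buckets.setdefault(key, {"kind": e["kind"], "innermost": e["frames"][0], "count": 0})
        b["count"] += 1
    return buckets
```

Feeding the real log (e.g. the `--log-file=log28` output from the report) through `parse_memcheck` and `triage` gives one bucket per distinct stack, each with its innermost frame, which is what a developer needs to decide whether the four contexts reported here are one root cause or several.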

Change History (2)

comment:1 Changed 8 years ago by compn

  • Owner changed from r_togni@… to reimar

comment:2 Changed 8 years ago by reimar

  • Resolution set to worksforme
  • Status changed from new to closed