Opened 11 years ago

Closed 9 years ago

#1280 closed defect (fixed)

For this .mpg file, valgrind reports Overlap, Leak_DefinitelyLost, SyscallParam, Leak_PossiblyLost, InvalidRead, UninitCondition.

Reported by: xuecongli@…
Owned by: reimar
Priority: normal
Component: demuxer
Version: HEAD
Severity: normal
Keywords:
Cc: catchconv-bugreports@…
Blocked By:
Blocking:
Reproduced by developer:
Analyzed by developer:

Description

This bug was found as part of the metafuzz project, see http://www.metafuzz.com

For this .mpg file, valgrind reports Overlap, Leak_DefinitelyLost, SyscallParam, Leak_PossiblyLost, InvalidRead, UninitCondition.

System Info:
MPlayer dev-SVN-r27614-4.1.2 (C) 2000-2008 MPlayer Team
CPU: Intel Pentium 4/Celeron 4 Northwood; Pentium 4 EE/Xeon Prestonia,Gallatin (Family: 15, Model: 2, Stepping: 7)
CPUflags: MMX: 1 MMX2: 1 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 1
Compiled for x86 CPU with extensions: MMX MMX2 3DNow 3DNowEx SSE SSE2
Playing 2608-charmaineraymond.mpg.
##############################################################
to reproduce:
wget http://www.metafuzz.com/testcases/422552-2608-1493372757-UninitCondition.tgz
tar xzf 422552-2608-1493372757-UninitCondition.tgz
valgrind mplayer 2608-charmaineraymond.mpg
::::::::::::::::::::Valgrind result:::::::::::::::::::::::::::::
==18756== Memcheck, a memory error detector.
==18756== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==18756== Using LibVEX rev 1715, a library for dynamic binary translation.
==18756== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==18756== Using valgrind-3.2.2, a dynamic binary instrumentation framework.
==18756== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==18756== For more details, rerun with: -v
==18756==
==18756== My PID = 18756, parent PID = 18755. Prog and args are:
==18756== mplayer
==18756== 2608-charmaineraymond.mpg
==18756==
==18756== Syscall param ioctl(TCSET{S,SW,SF}) points to uninitialised byte(s)
==18756== Stack hash: 2542116815
==18756== at 0x4000792: (within /lib/ld-2.3.6.so)
==18756== Address 0xBEC60868 is on thread 1's stack
==18756==
==18756== Source and destination overlap in memcpy(0xBEC606E7, 0xBEC606E7, 173)
==18756== Stack hash: 2085754019
==18756== at 0x401EFF6: memcpy (mc_replace_strmem.c:116)
==18756== by 0x815F9D1: ts_parse (demux_ts.c:3074)
==18756== by 0x815FE38: demux_open_ts (demux_ts.c:664)
==18756== by 0x811DE9C: demux_open_stream (demuxer.c:871)
==18756== by 0x811E154: demux_open (demuxer.c:998)
==18756== by 0x8079B7C: main (mplayer.c:3237)
==18756==
==18756== Conditional jump or move depends on uninitialised value(s)
==18756== Stack hash: 3867733782
==18756== at 0x8159D11: ts_add_stream (demux_ts.c:319)
==18756== by 0x816050D: demux_open_ts (demux_ts.c:1039)
==18756== by 0x811DE9C: demux_open_stream (demuxer.c:871)
==18756== by 0x811E154: demux_open (demuxer.c:998)
==18756== by 0x8079B7C: main (mplayer.c:3237)
==18756==
==18756== Conditional jump or move depends on uninitialised value(s)
==18756== Stack hash: 3882727070
==18756== at 0x8159D19: ts_add_stream (demux_ts.c:319)
==18756== by 0x816050D: demux_open_ts (demux_ts.c:1039)
==18756== by 0x811DE9C: demux_open_stream (demuxer.c:871)
==18756== by 0x811E154: demux_open (demuxer.c:998)
==18756== by 0x8079B7C: main (mplayer.c:3237)
==18756==
==18756== Conditional jump or move depends on uninitialised value(s)
==18756== Stack hash: 3897720358
==18756== at 0x8159D21: ts_add_stream (demux_ts.c:319)
==18756== by 0x816050D: demux_open_ts (demux_ts.c:1039)
==18756== by 0x811DE9C: demux_open_stream (demuxer.c:871)
==18756== by 0x811E154: demux_open (demuxer.c:998)
==18756== by 0x8079B7C: main (mplayer.c:3237)
==18756==
==18756== Conditional jump or move depends on uninitialised value(s)
==18756== Stack hash: 3912713646
==18756== at 0x8159D29: ts_add_stream (demux_ts.c:319)
==18756== by 0x816050D: demux_open_ts (demux_ts.c:1039)
==18756== by 0x811DE9C: demux_open_stream (demuxer.c:871)
==18756== by 0x811E154: demux_open (demuxer.c:998)
==18756== by 0x8079B7C: main (mplayer.c:3237)
==18756==
==18756== Conditional jump or move depends on uninitialised value(s)
==18756== Stack hash: 2859491456
==18756== at 0x8159D11: ts_add_stream (demux_ts.c:319)
==18756== by 0x815F42E: ts_parse (demux_ts.c:2812)
==18756== by 0x815FAD3: demux_ts_fill_buffer (demux_ts.c:3224)
==18756== by 0x811E59C: ds_fill_buffer (demuxer.c:505)
==18756== by 0x811ED47: demux_read_data (demuxer.c:527)
==18756== by 0x81DFF53: mplayer_audio_read (ad_mp3lib.c:28)
==18756== by 0x81E5ADA: MP3_DecodeFrame (sr1.c:58)
==18756== by 0x81DFEE3: init (ad_mp3lib.c:48)
==18756== by 0x80DBFB0: init_audio (dec_audio.c:95)
==18756== by 0x80DC398: init_best_audio_codec (dec_audio.c:270)
==18756== by 0x8078975: reinit_audio_chain (mplayer.c:1585)
==18756== by 0x807A2EE: main (mplayer.c:3582)
==18756==
==18756== Conditional jump or move depends on uninitialised value(s)
==18756== Stack hash: 3590580840
==18756== at 0x8159D19: ts_add_stream (demux_ts.c:319)
==18756== by 0x815F42E: ts_parse (demux_ts.c:2812)
==18756== by 0x815FAD3: demux_ts_fill_buffer (demux_ts.c:3224)
==18756== by 0x811E59C: ds_fill_buffer (demuxer.c:505)
==18756== by 0x811ED47: demux_read_data (demuxer.c:527)
==18756== by 0x81DFF53: mplayer_audio_read (ad_mp3lib.c:28)
==18756== by 0x81E5ADA: MP3_DecodeFrame (sr1.c:58)
==18756== by 0x81DFEE3: init (ad_mp3lib.c:48)
==18756== by 0x80DBFB0: init_audio (dec_audio.c:95)
==18756== by 0x80DC398: init_best_audio_codec (dec_audio.c:270)
==18756== by 0x8078975: reinit_audio_chain (mplayer.c:1585)
==18756== by 0x807A2EE: main (mplayer.c:3582)
==18756==
==18756== Conditional jump or move depends on uninitialised value(s)
==18756== Stack hash: 26702928
==18756== at 0x8159D21: ts_add_stream (demux_ts.c:319)
==18756== by 0x815F42E: ts_parse (demux_ts.c:2812)
==18756== by 0x815FAD3: demux_ts_fill_buffer (demux_ts.c:3224)
==18756== by 0x811E59C: ds_fill_buffer (demuxer.c:505)
==18756== by 0x811ED47: demux_read_data (demuxer.c:527)
==18756== by 0x81DFF53: mplayer_audio_read (ad_mp3lib.c:28)
==18756== by 0x81E5ADA: MP3_DecodeFrame (sr1.c:58)
==18756== by 0x81DFEE3: init (ad_mp3lib.c:48)
==18756== by 0x80DBFB0: init_audio (dec_audio.c:95)
==18756== by 0x80DC398: init_best_audio_codec (dec_audio.c:270)
==18756== by 0x8078975: reinit_audio_chain (mplayer.c:1585)
==18756== by 0x807A2EE: main (mplayer.c:3582)
==18756==
==18756== Conditional jump or move depends on uninitialised value(s)
==18756== Stack hash: 757792312
==18756== at 0x8159D29: ts_add_stream (demux_ts.c:319)
==18756== by 0x815F42E: ts_parse (demux_ts.c:2812)
==18756== by 0x815FAD3: demux_ts_fill_buffer (demux_ts.c:3224)
==18756== by 0x811E59C: ds_fill_buffer (demuxer.c:505)
==18756== by 0x811ED47: demux_read_data (demuxer.c:527)
==18756== by 0x81DFF53: mplayer_audio_read (ad_mp3lib.c:28)
==18756== by 0x81E5ADA: MP3_DecodeFrame (sr1.c:58)
==18756== by 0x81DFEE3: init (ad_mp3lib.c:48)
==18756== by 0x80DBFB0: init_audio (dec_audio.c:95)
==18756== by 0x80DC398: init_best_audio_codec (dec_audio.c:270)
==18756== by 0x8078975: reinit_audio_chain (mplayer.c:1585)
==18756== by 0x807A2EE: main (mplayer.c:3582)
==18756==
==18756== Invalid read of size 4
==18756== Stack hash: 252964889
==18756== at 0x847D079: decode_frame (mpegaudiodec.c:2281)
==18756== by 0x82EC20A: avcodec_decode_audio2 (utils.c:941)
==18756== by 0x81BA528: decode_audio (ad_ffmpeg.c:161)
==18756== by 0x81BA863: init (ad_ffmpeg.c:109)
==18756== by 0x80DBFB0: init_audio (dec_audio.c:95)
==18756== by 0x80DC398: init_best_audio_codec (dec_audio.c:270)
==18756== by 0x8078975: reinit_audio_chain (mplayer.c:1585)
==18756== by 0x807A2EE: main (mplayer.c:3582)
==18756== Address 0x43AC0D7 is 175 bytes inside a block of size 178 alloc'd
==18756== Stack hash: 1248407724
==18756== at 0x401D57B: realloc (vg_replace_malloc.c:306)
==18756== by 0x815B9ED: fill_packet (demuxer.h:259)
==18756== by 0x815F0B9: ts_parse (demux_ts.c:2886)
==18756== by 0x815FAD3: demux_ts_fill_buffer (demux_ts.c:3224)
==18756== by 0x811E59C: ds_fill_buffer (demuxer.c:505)
==18756== by 0x811ED47: demux_read_data (demuxer.c:527)
==18756== by 0x81DFF53: mplayer_audio_read (ad_mp3lib.c:28)
==18756== by 0x81E5D5A: MP3_DecodeFrame (sr1.c:58)
==18756== by 0x81DFEE3: init (ad_mp3lib.c:48)
==18756== by 0x80DBFB0: init_audio (dec_audio.c:95)
==18756== by 0x80DC398: init_best_audio_codec (dec_audio.c:270)
==18756== by 0x8078975: reinit_audio_chain (mplayer.c:1585)
==18756==
==18756== Syscall param ioctl(TCSET{S,SW,SF}) points to uninitialised byte(s)
==18756== Stack hash: 3997929021
==18756== at 0x4000792: (within /lib/ld-2.3.6.so)
==18756== Address 0xBEC60888 is on thread 1's stack
==18756==
==18756== ERROR SUMMARY: 2008 errors from 12 contexts (suppressed: 21 from 1)
==18756== malloc/free: in use at exit: 312,274 bytes in 108 blocks.
==18756== malloc/free: 2,647 allocs, 2,539 frees, 8,295,407 bytes allocated.
==18756== For counts of detected errors, rerun with: -v
==18756== searching for pointers to 108 not-freed blocks.
==18756== checked 3,258,840 bytes.
==18756==
==18756==
==18756== 5,712 bytes in 84 blocks are definitely lost in loss record 4 of 8
==18756== Stack hash: 1157530174
==18756== at 0x401D480: malloc (vg_replace_malloc.c:149)
==18756== by 0x8158BD0: new_pid (demux_ts.c:2098)
==18756== by 0x815D697: ts_parse (demux_ts.c:2693)
==18756== by 0x815FAD3: demux_ts_fill_buffer (demux_ts.c:3224)
==18756== by 0x811E59C: ds_fill_buffer (demuxer.c:505)
==18756== by 0x811ED47: demux_read_data (demuxer.c:527)
==18756== by 0x81DFF53: mplayer_audio_read (ad_mp3lib.c:28)
==18756== by 0x81E5ADA: MP3_DecodeFrame (sr1.c:58)
==18756== by 0x81DFEE3: init (ad_mp3lib.c:48)
==18756== by 0x80DBFB0: init_audio (dec_audio.c:95)
==18756== by 0x80DC398: init_best_audio_codec (dec_audio.c:270)
==18756== by 0x8078975: reinit_audio_chain (mplayer.c:1585)
==18756==
==18756==
==18756== 199,419 (280 direct, 199,139 indirect) bytes in 5 blocks are definitely lost in loss record 6 of 8
==18756== Stack hash: 1088359650
==18756== at 0x401D480: malloc (vg_replace_malloc.c:149)
==18756== by 0x815FA15: ts_parse (demuxer.h:237)
==18756== by 0x815FAD3: demux_ts_fill_buffer (demux_ts.c:3224)
==18756== by 0x811E59C: ds_fill_buffer (demuxer.c:505)
==18756== by 0x811ED47: demux_read_data (demuxer.c:527)
==18756== by 0x81DFF53: mplayer_audio_read (ad_mp3lib.c:28)
==18756== by 0x81E5D5A: MP3_DecodeFrame (sr1.c:58)
==18756== by 0x81DFEE3: init (ad_mp3lib.c:48)
==18756== by 0x80DBFB0: init_audio (dec_audio.c:95)
==18756== by 0x80DC398: init_best_audio_codec (dec_audio.c:270)
==18756== by 0x8078975: reinit_audio_chain (mplayer.c:1585)
==18756== by 0x807A2EE: main (mplayer.c:3582)
==18756==
==18756==
==18756== 65,865 bytes in 1 blocks are possibly lost in loss record 7 of 8
==18756== Stack hash: 1339846325
==18756== at 0x401D480: malloc (vg_replace_malloc.c:149)
==18756== by 0x815F580: ts_parse (demuxer.h:248)
==18756== by 0x815FAD3: demux_ts_fill_buffer (demux_ts.c:3224)
==18756== by 0x811E59C: ds_fill_buffer (demuxer.c:505)
==18756== by 0x811ED47: demux_read_data (demuxer.c:527)
==18756== by 0x81DFF53: mplayer_audio_read (ad_mp3lib.c:28)
==18756== by 0x81E5D5A: MP3_DecodeFrame (sr1.c:58)
==18756== by 0x81DFEE3: init (ad_mp3lib.c:48)
==18756== by 0x80DBFB0: init_audio (dec_audio.c:95)
==18756== by 0x80DC398: init_best_audio_codec (dec_audio.c:270)
==18756== by 0x8078975: reinit_audio_chain (mplayer.c:1585)
==18756== by 0x807A2EE: main (mplayer.c:3582)
==18756==
==18756== LEAK SUMMARY:
==18756== definitely lost: 5,992 bytes in 89 blocks.
==18756== indirectly lost: 199,139 bytes in 4 blocks.
==18756== possibly lost: 65,865 bytes in 1 blocks.
==18756== still reachable: 41,278 bytes in 14 blocks.
==18756== suppressed: 0 bytes in 0 blocks.
==18756== Reachable blocks (those to which a pointer was found) are not shown.
==18756== To see them, rerun with: --leak-check=full --show-reachable=yes

Change History (2)

comment:1 Changed 9 years ago by compn

  • Owner changed from r_togni@… to reimar

comment:2 Changed 9 years ago by reimar

  • Resolution set to fixed
  • Status changed from new to closed

Leaks are fixed by SVN r32696, uninitialized were fixed before, bad memcpy fixed in 32697, though I am not sure if an overlap besides src==dst is possible in which case that approach is overkill.
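The two ways of silencing the "Source and destination overlap in memcpy" report that the comment above weighs against each other, as an added C example (not MPlayer's code; the helpers ranges_overlap, safe_copy, copy_if_needed and demo are this example's own names): memcpy() is undefined when the byte ranges overlap, and Memcheck flags it even in the degenerate src == dst case seen in the ticket's trace. Replacing the call with memmove() is the general fix; skipping the copy when src == dst is the narrower one, which is enough only if no other overlap can occur.

```c
/* Added example (not MPlayer code): why Memcheck reports
 * "Source and destination overlap in memcpy", and two defensive fixes.
 * memcpy() has undefined behaviour whenever the ranges share a byte,
 * including the exact-alias case src == dst. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 when [dst, dst+n) and [src, src+n) share at least one byte,
 * i.e. when memcpy(dst, src, n) would be undefined behaviour. The
 * comparison is done on uintptr_t so it stays well defined for pointers
 * into different objects. */
int ranges_overlap(const void *dst, const void *src, size_t n)
{
    uintptr_t d = (uintptr_t)dst, s = (uintptr_t)src;
    if (n == 0)
        return 0;
    return d < s + n && s < d + n;
}

/* Approach 1: memmove() tolerates any overlap, partial or exact.
 * This is the general fix and is correct whether or not src == dst. */
void *safe_copy(void *dst, const void *src, size_t n)
{
    return memmove(dst, src, n);
}

/* Approach 2: keep memcpy() but skip the call when src == dst.
 * Sufficient only if the exact-alias case is the sole overlap that can
 * happen; a partial overlap still reaches memcpy() and is still a bug.
 * Returns 1 when a copy was performed, 0 when it was skipped. */
int copy_if_needed(void *dst, const void *src, size_t n)
{
    if (dst == src)
        return 0;
    memcpy(dst, src, n);
    return 1;
}

/* Demonstration on a constructed buffer: shifting a run of bytes by two
 * positions within one array is a partial overlap. Returns 1 when the
 * overlap check and the memmove()-based copy both behave as expected. */
int demo(void)
{
    unsigned char buf[8] = {0, 1, 2, 3, 4, 5, 6, 7};
    unsigned char expect[8] = {0, 1, 0, 1, 2, 3, 4, 5};

    int partial = ranges_overlap(buf + 2, buf, 6); /* partial overlap -> 1 */
    int same = ranges_overlap(buf, buf, 8);        /* src == dst      -> 1 */
    int apart = ranges_overlap(buf + 4, buf, 4);   /* adjacent only   -> 0 */

    safe_copy(buf + 2, buf, 6); /* memmove() gives the right result */

    return partial == 1 && same == 1 && apart == 0 &&
           memcmp(buf, expect, sizeof buf) == 0;
}

int main(void)
{
    printf("demo: %s\n", demo() ? "ok" : "FAILED");
    return demo() ? 0 : 1;
}
```

Under Memcheck, safe_copy() never triggers the overlap report, while copy_if_needed() still does for any partially overlapping pair, which is exactly the uncertainty the comment raises: whether the src == dst shortcut covers every overlap the demuxer can produce.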
