(rc2) [PATCH] crash on mms stream

[terjelm@…]

Mplayer crashes on any mms stream from ​http://www.aftenposten.no/webtv/

Command to repeat the problem:
mplayer mms://vod1.aftenposten.no/player/2009-05/633790414589531250.wmv

Output:

MPlayer 1.0rc2-4.3.3 (C) 2000-2007 MPlayer Team
CPU: Intel(R) Core(TM)2 Duo CPU T7800 @ 2.60GHz (Family: 6, Model: 15, Stepping: 11)
CPUflags: MMX: 1 MMX2: 1 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 1
Compiled with runtime CPU detection.
mplayer: could not connect to socket
mplayer: No such file or directory
Failed to open LIRC support. You will not be able to use your remote control.

Playing mms://vod1.aftenposten.no/player/2009-05/633790414589531250.wmv.
STREAM_ASF, URL: mms://vod1.aftenposten.no/player/2009-05/633790414589531250.wmv
Resolving vod1.aftenposten.no for AF_INET6...
Couldn't resolve name for AF_INET6: vod1.aftenposten.no
Resolving vod1.aftenposten.no for AF_INET...
Connecting to server vod1.aftenposten.no[80.91.40.5]: 1755...
Connected

MPlayer interrupted by signal 13 in module: open_stream

• MPlayer crashed. This shouldn't happen. It can be a bug in the MPlayer code _or_ in your drivers _or_ in your gcc version. If you think it's MPlayer's fault, please read DOCS/HTML/en/bugreports.html and follow the instructions there. We can't and won't help unless you provide this information when reporting a possible bug.

Platform:
Ubuntu 9.04
MPlayer 1.0rc2-4.3.3 (from repository)

Output from gdb:
$ gdb mplayer
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <​http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu"...
(no debugging symbols found)
(gdb) r mms://vod1.aftenposten.no/player/2009-05/633790414589531250.wmv
Starting program: /usr/bin/mplayer mms://vod1.aftenposten.no/player/2009-05/633790414589531250.wmv
(no debugging symbols found)
...
(no debugging symbols found)
[Thread debugging using libthread_db enabled]
(no debugging symbols found)
...
(no debugging symbols found)
[New Thread 0x7fb15b547840 (LWP 16911)]
MPlayer 1.0rc2-4.3.3 (C) 2000-2007 MPlayer Team
CPU: Intel(R) Core(TM)2 Duo CPU T7800 @ 2.60GHz (Family: 6, Model: 15, Stepping: 11)
CPUflags: MMX: 1 MMX2: 1 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 1
Compiled with runtime CPU detection.
mplayer: could not connect to socket
mplayer: No such file or directory
Failed to open LIRC support. You will not be able to use your remote control.

Playing mms://vod1.aftenposten.no/player/2009-05/633790414589531250.wmv.
STREAM_ASF, URL: mms://vod1.aftenposten.no/player/2009-05/633790414589531250.wmv
Resolving vod1.aftenposten.no for AF_INET6...
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
Couldn't resolve name for AF_INET6: vod1.aftenposten.no
Resolving vod1.aftenposten.no for AF_INET...
Connecting to server vod1.aftenposten.no[80.91.40.5]: 1755...
Connected

Program received signal SIGPIPE, Broken pipe.
[Switching to Thread 0x7fb15b547840 (LWP 16911)]
0x00007fb15aadd465 in send () from /lib/libpthread.so.0

(gdb) bt
#0 0x00007fb15aadd465 in send () from /lib/libpthread.so.0
#1 0x00000000006461e7 in ?? ()
#2 0x0000000000646a2c in asf_mmst_streaming_start ()
#3 0x000000000062a322 in ?? ()
#4 0x000000000061d291 in open_stream_plugin ()
#5 0x000000000061d54c in open_stream_full ()
#6 0x000000000047476d in main ()

(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x7fb15aadd445 to 0x7fb15aadd485:
0x00007fb15aadd445 <send+37>: (bad)
0x00007fb15aadd446 <send+38>: and %al,(%rax)
0x00007fb15aadd448 <send+40>: mov %edi,%r13d
0x00007fb15aadd44b <send+43>: mov %rdx,%rbp
0x00007fb15aadd44e <send+46>: test %eax,%eax
0x00007fb15aadd450 <send+48>: jne 0x7fb15aadd490 <send+112>
0x00007fb15aadd452 <send+50>: xor %r9d,%r9d
0x00007fb15aadd455 <send+53>: xor %r8d,%r8d
0x00007fb15aadd458 <send+56>: movslq %ecx,%r10
0x00007fb15aadd45b <send+59>: movslq %edi,%rdi
0x00007fb15aadd45e <send+62>: mov $0x2c,%eax
0x00007fb15aadd463 <send+67>: syscall
0x00007fb15aadd465 <send+69>: cmp $0xfffffffffffff000,%rax
0x00007fb15aadd46b <send+75>: mov %rax,%rbx
0x00007fb15aadd46e <send+78>: ja 0x7fb15aadd4c6 <send+166>
0x00007fb15aadd470 <send+80>: mov %rbx,%rax
0x00007fb15aadd473 <send+83>: mov 0x8(%rsp),%rbp
0x00007fb15aadd478 <send+88>: mov (%rsp),%rbx
0x00007fb15aadd47c <send+92>: mov 0x10(%rsp),%r12
0x00007fb15aadd481 <send+97>: mov 0x18(%rsp),%r13
End of assembler dump.

(gdb) info all-registers
rax 0xffffffffffffffe0 -32
rbx 0x0 0
rcx 0xffffffffffffffff -1
rdx 0x58 88
rsi 0x7fff636481f0 140734860919280
rdi 0x6 6
rbp 0x58 0x58
rsp 0x7fff636481c0 0x7fff636481c0
r8 0x0 0
r9 0x0 0
r10 0x0 0
r11 0x200246 2097734
r12 0x7fff636481f0 140734860919280
r13 0x6 6
r14 0x6 6
r15 0x6 6
rip 0x7fb15aadd465 0x7fb15aadd465 <send+69>
eflags 0x200246 [ PF ZF IF ID ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
st0 0 (raw 0x00000000000000000000)
st1 0 (raw 0x00000000000000000000)
st2 0 (raw 0x00000000000000000000)
st3 0 (raw 0x00000000000000000000)
st4 0 (raw 0x00000000000000000000)
st5 0 (raw 0x00000000000000000000)
st6 0 (raw 0x00000000000000000000)
st7 0 (raw 0x00000000000000000000)
fctrl 0x37f 895
fstat 0x0 0
ftag 0xffff 65535
fiseg 0x0 0
fioff 0x0 0
foseg 0x0 0
fooff 0x0 0
fop 0x0 0
xmm0 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x31, 0x0, 0x2e,

0x0, 0x61, 0x0, 0x66, 0x0, 0x74, 0x0, 0x65, 0x0, 0x6e, 0x0, 0x70, 0x0}, v8_int16 = {0x31, 0x2e, 0x61,
0x66, 0x74, 0x65, 0x6e, 0x70}, v4_int32 = {0x2e0031, 0x660061, 0x650074, 0x70006e}, v2_int64 = {
0x660061002e0031, 0x70006e00650074}, uint128 = 0x0070006e0065007400660061002e0031}

xmm1 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x6f, 0x0, 0x73,

0x0, 0x74, 0x0, 0x3a, 0x0, 0x20, 0x0, 0x76, 0x0, 0x6f, 0x0, 0x64, 0x0}, v8_int16 = {0x6f, 0x73, 0x74,

---Type <return> to continue, or q <return> to quit---

0x3a, 0x20, 0x76, 0x6f, 0x64}, v4_int32 = {0x73006f, 0x3a0074, 0x760020, 0x64006f}, v2_int64 = {
0x3a00740073006f, 0x64006f00760020}, uint128 = 0x0064006f00760020003a00740073006f}

xmm2 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {

0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0,
0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}

xmm3 {v4_float = {0x331f0000, 0x0, 0x331f0000, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0xf0,

0x31, 0x3, 0x51, 0xb1, 0x7f, 0x0, 0x0, 0xf0, 0x31, 0x3, 0x51, 0xb1, 0x7f, 0x0, 0x0}, v8_int16 = {
0x31f0, 0x5103, 0x7fb1, 0x0, 0x31f0, 0x5103, 0x7fb1, 0x0}, v4_int32 = {0x510331f0, 0x7fb1,
0x510331f0, 0x7fb1}, v2_int64 = {0x7fb1510331f0, 0x7fb1510331f0},

uint128 = 0x00007fb1510331f000007fb1510331f0}

xmm4 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {

0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0,
0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}

xmm5 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {

0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0,
0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}

xmm6 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x8, 0x0, 0x0, 0x0,

0x0, 0x0, 0x0, 0x0, 0x8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0x8, 0x0, 0x0, 0x0, 0x8,
0x0, 0x0, 0x0}, v4_int32 = {0x8, 0x0, 0x8, 0x0}, v2_int64 = {0x8, 0x8},

uint128 = 0x00000000000000080000000000000008}

xmm7 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x7d, 0x0, 0x0, 0x0,

0x7e, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x80, 0x0, 0x0, 0x0}, v8_int16 = {0x7d, 0x0, 0x7e, 0x0,
0x7f, 0x0, 0x80, 0x0}, v4_int32 = {0x7d, 0x7e, 0x7f, 0x80}, v2_int64 = {0x7e0000007d, 0x800000007f},

uint128 = 0x000000800000007f0000007e0000007d}

xmm8 {v4_float = {0x32a70000, 0x0, 0x32a70000, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x70,

0x2a, 0x3, 0x51, 0xb1, 0x7f, 0x0, 0x0, 0x70, 0x2a, 0x3, 0x51, 0xb1, 0x7f, 0x0, 0x0}, v8_int16 = {
0x2a70, 0x5103, 0x7fb1, 0x0, 0x2a70, 0x5103, 0x7fb1, 0x0}, v4_int32 = {0x51032a70, 0x7fb1,
0x51032a70, 0x7fb1}, v2_int64 = {0x7fb151032a70, 0x7fb151032a70},

uint128 = 0x00007fb151032a7000007fb151032a70}

xmm9 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x8000000000000000, 0x8000000000000000},

v16_int8 = {0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,

0xff}, v8_int16 = {0xfffe, 0xffff, 0xffff, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff}, v4_int32 = {
0xfffffffe, 0xffffffff, 0xfffffffe, 0xffffffff}, v2_int64 = {0xfffffffffffffffe, 0xfffffffffffffffe},

uint128 = 0xfffffffffffffffefffffffffffffffe}

[kragen@…]

patch

[kragen@…]

reproduced in SVN (head):
recv() fails with ECONNRESET and subsequent send() causes the crash

attached patch fixes the problem by adding error handling to recv() and send() to abort stream processing and switching to next stream.

Problematic stream mms://vod1.aftenposten.no/player/2009-05/633790414589531250.wmv contains 2 sub streams whereas the 1st disconnects after connection establishment but the 2nd is playable. Reproduced behaviour by xine as well: it plays 2nd stream after failing during 1st.

Run regression: asf/tcp streams still playable.

[compn]

stream is 404, update title.