Opened 13 years ago

Last modified 13 years ago

#1983 new defect

null pointer dereference upon trying to play new 'Thor' DVD

Reported by: newren@… Owned by: reimar
Priority: normal Component: core
Version: unspecified Severity: normal
Keywords: Cc:
Blocked By: Blocking:
Reproduced by developer: no Analyzed by developer: no

Description

When trying to play a new 'Thor' DVD (rented from RedBox) under mplayer, I consistently get segfaults, from Fedora 12 to Fedora 15. Under Fedora 15 with the debuginfo packages installed, I see the following from valgrind and gdb:

$ valgrind --tool=memcheck --db-attach=yes mplayer dvd://
==3276== Memcheck, a memory error detector
==3276== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==3276== Using Valgrind-3.6.1 and LibVEX; rerun with -h for copyright info
==3276== Command: mplayer dvd://
==3276==
MPlayer SVN-r33251-4.6.0 (C) 2000-2011 MPlayer Team
mplayer: could not connect to socket
mplayer: No such file or directory
Failed to open LIRC support. You will not be able to use your remote control.

Playing dvd://.
libdvdread: Using libdvdcss version 1.2.10 for DVD access
==3276== Warning: noted but unhandled ioctl 0x5390 with no size/direction hints
==3276== This could cause spurious value errors to appear.
==3276== See README_MISSING_SYSCALL_OR_IOCTL for guidance on writing a proper wrapper.
==3276== Warning: noted but unhandled ioctl 0x5392 with no size/direction hints
==3276== This could cause spurious value errors to appear.
==3276== See README_MISSING_SYSCALL_OR_IOCTL for guidance on writing a proper wrapper.
==3276== Warning: noted but unhandled ioctl 0x5392 with no size/direction hints
==3276== This could cause spurious value errors to appear.
==3276== See README_MISSING_SYSCALL_OR_IOCTL for guidance on writing a proper wrapper.
Please send bug report - no VTS_TMAPT ??
==3276== Invalid read of size 2
==3276== at 0x55E2E5: open_s (stream_dvd.c:847)
==3276== by 0x540C31: open_stream_full (stream.c:186)
==3276== by 0x5403B0: open_stream (open.c:65)
==3276== by 0x42E1D0: main (mplayer.c:3201)
==3276== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==3276==
==3276==
==3276== ---- Attach to debugger ? --- [Return/N/n/Y/y/C/c] ----
==3276== starting debugger with cmd: /usr/bin/gdb -nw /proc/3277/fd/1014 3277
GNU gdb (GDB) Fedora (7.3-43.fc15)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /proc/3277/fd/1014...Reading symbols from /usr/lib/debug/usr/bin/mplayer.debug...done.
done.
Attaching to program: /proc/3277/fd/1014, process 3277
<Snipped lots of symbol reading output here...>
Reading symbols from /lib64/libnss_files.so.2...Reading symbols from /usr/lib/debug/lib64/libnss_files-2.14.so.debug...done.
done.
Loaded symbols for /lib64/libnss_files.so.2
open_s (stream=0xda17ca0, mode=<optimized out>, opts=0xda17c50, file_format=0x9167d0) at stream/stream_dvd.c:847
847 mp_msg(MSGT_OPEN,MSGL_STATUS, MSGTR_DVDnumTitles, tt_srpt->nr_of_srpts );
Missing separate debuginfos, use: debuginfo-install dbus-libs-1.4.6-5.fc15.x86_64 dirac-libs-1.0.2-6.fc15.x86_64 expat-2.0.1-11.fc15.x86_64 flac-1.2.1-6.fc12.x86_64 freeglut-2.6.0-6.fc15.x86_64 gnutls-2.10.5-1.fc15.x86_64 gpm-libs-1.20.6-16.fc15.x86_64 libICE-1.0.6-3.fc15.x86_64 libSM-1.2.0-2.fc15.x86_64 libXau-1.0.6-2.fc15.x86_64 libXdamage-1.1.3-2.fc15.x86_64 libXfixes-5.0-1.fc15.x86_64 libXi-1.4.3-2.fc15.x86_64 libXtst-1.2.0-2.fc15.x86_64 libasyncns-0.8-2.fc15.x86_64 libdrm-2.4.26-1.fc15.x86_64 libgcrypt-1.4.6-1.fc15.x86_64 libgpg-error-1.9-2.fc15.x86_64 libsndfile-1.0.25-1.fc15.x86_64 libtasn1-2.7-2.fc15.x86_64 libuuid-2.19.1-1.4.fc15.x86_64 libva-1.0.14-1.fc15.x86_64 libvpx-0.9.7.1-1.fc15.x86_64 libxcb-1.7-2.fc15.x86_64 libxml2-2.7.8-6.fc15.x86_64 ncurses-libs-5.8-2.20110319.fc15.x86_64 openjpeg-libs-1.4-6.fc15.x86_64 orc-0.4.14-1.fc15.x86_64 schroedinger-1.0.10-2.fc15.x86_64 slang-2.2.3-2.fc15.x86_64 tcp_wrappers-libs-7.6-60.fc15.x86_64 xcb-util-0.3.6-2.fc15.x86_64
(gdb) list
842 mp_msg(MSGT_IDENTIFY, MSGL_V, "ID_DVD_VOLUME_ID=%s\n", volid);
843 }
844 /*
845 * Make sure our title number is valid.
846 */
847 mp_msg(MSGT_OPEN,MSGL_STATUS, MSGTR_DVDnumTitles, tt_srpt->nr_of_srpts );
848 if(dvd_title < 1 || dvd_title > tt_srpt->nr_of_srpts) {
849 mp_msg(MSGT_OPEN,MSGL_ERR, MSGTR_DVDinvalidTitle, dvd_title);
850 ifoClose( vmg_file );
851 DVDClose( dvd );
(gdb) info locals
d = <optimized out>
ttn = <optimized out>
pgc_id = <optimized out>
pgc = <optimized out>
dvd = 0xda1d9a0
vmg_file = 0xda1da10
tt_srpt = 0x0
vts_file = <optimized out>
pgn = <optimized out>
title = <optimized out>
p = 0xda17c50
k = <optimized out>
(gdb) p tt_srpt
$1 = (tt_srpt_t *) 0x0
(gdb)

I don't see this with other DVDs. Unfortunately, as I don't own this one and need to return it, I won't be able to reproduce for much longer... I'm submitting this report in the hopes that it's helpful, though.
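The `tt_srpt = 0x0` local in the gdb session means libdvdread returned a VMG handle whose title search pointer table was never filled in (the "no VTS_TMAPT ??" message just before the fault is consistent with libdvdread having trouble parsing this disc's IFO files), and open_s() reads `tt_srpt->nr_of_srpts` without looking at the pointer first. A disc is untrusted input, so a missing table should be treated as a parse failure rather than assumed present. The following is an added example of that check, not MPlayer's or libdvdread's code: the struct definitions are minimal stand-ins for libdvdread's types (the field names `tt_srpt` and `nr_of_srpts` are taken from the report; `ifo_handle_t` with only that one member, the status enum, and the functions `validate_dvd_title`, `check_with_missing_table` and `check_with_titles` are hypothetical names introduced here), and the inputs are constructed to mirror the state shown in `info locals`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Stand-ins for the two libdvdread structures the crash site touches.
 * Assumption: only the fields used here are modelled; the real types in
 * libdvdread's ifo_types.h carry many more members.
 */
typedef struct {
    uint16_t nr_of_srpts;       /* number of title search pointers (titles) */
} tt_srpt_t;

typedef struct {
    tt_srpt_t *tt_srpt;         /* NULL when libdvdread could not parse TT_SRPT */
} ifo_handle_t;

enum dvd_title_status {
    DVD_TITLE_OK = 0,
    DVD_TITLE_NO_TT_SRPT = -1,  /* title table absent: refuse to continue */
    DVD_TITLE_OUT_OF_RANGE = -2 /* title number outside 1..nr_of_srpts */
};

/*
 * Hardened counterpart of the check at stream_dvd.c:847-848 in the report.
 * The original reads tt_srpt->nr_of_srpts unconditionally; on the disc in
 * the ticket vmg_file->tt_srpt is NULL, so that read faults at address 0.
 * Here the pointer is validated before any dereference and the caller gets
 * a distinct status so it can close its handles and bail out cleanly.
 */
int validate_dvd_title(const ifo_handle_t *vmg_file, int dvd_title)
{
    if (vmg_file == NULL || vmg_file->tt_srpt == NULL) {
        fprintf(stderr, "DVD: title table (TT_SRPT) missing or unreadable\n");
        return DVD_TITLE_NO_TT_SRPT;
    }

    const tt_srpt_t *tt_srpt = vmg_file->tt_srpt;
    printf("There are %d titles on this DVD.\n", tt_srpt->nr_of_srpts);

    if (dvd_title < 1 || dvd_title > tt_srpt->nr_of_srpts) {
        fprintf(stderr, "DVD: invalid title number %d\n", dvd_title);
        return DVD_TITLE_OUT_OF_RANGE;
    }
    return DVD_TITLE_OK;
}

/* Reproduces the state from the gdb session: tt_srpt = 0x0 (constructed). */
int check_with_missing_table(int dvd_title)
{
    ifo_handle_t vmg_file = { .tt_srpt = NULL };
    return validate_dvd_title(&vmg_file, dvd_title);
}

/* A well-formed disc with nr_of_titles titles (constructed input). */
int check_with_titles(uint16_t nr_of_titles, int dvd_title)
{
    tt_srpt_t table = { .nr_of_srpts = nr_of_titles };
    ifo_handle_t vmg_file = { .tt_srpt = &table };
    return validate_dvd_title(&vmg_file, dvd_title);
}

int main(void)
{
    /* Title 1 (assumed default for "dvd://") on a disc whose TT_SRPT did
       not parse: returns an error status instead of segfaulting. */
    int rc = check_with_missing_table(1);
    printf("missing TT_SRPT -> status %d\n", rc);
    printf("3 titles, title 2 -> status %d\n", check_with_titles(3, 2));
    printf("3 titles, title 4 -> status %d\n", check_with_titles(3, 4));
    return rc == DVD_TITLE_NO_TT_SRPT ? 0 : 1;
}
```

The separate `DVD_TITLE_NO_TT_SRPT` status matters: the existing code already handles an out-of-range title by logging and closing `vmg_file` and `dvd`, so a missing table should take that same cleanup path rather than being folded into the range comparison, where a NULL table has no `nr_of_srpts` to compare against.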

Change History (1)

comment:1 by newren@…, 13 years ago

If it helps, lsdvd would also crash similarly on the same DVD; see https://sourceforge.net/tracker/?func=detail&aid=3413515&group_id=133848&atid=823590
