[with PATCH] MPlayer interrupted by signal 11 in module: open_stream when playing movie title from DVD Resident Evil: Extinction

[auerswal@…]

MPlayer crashed when trying to play the movie title of the Resident Evil: Extiction DVD using 'mplayer dvd://2'. MPlayer can play this DVD when using 'mplayer dvdnav://'. The DVD is played by my hardware DVD player as well (interpreting the DVD's menus, of course).

[auerswal@…]

$ ./mplayer -v -dvd-device /dev/sr1 dvd://2

[auerswal@…]

GDB log of debug enabled MPlayer

[auerswal@…]

system info (asked for in ​http://www.mplayerhq.hu/DOCS/HTML/en/bugreports_what.html)

[auerswal@…]

The attached patch fixes the issue for me.

[auerswal@…]

The DVD seems to pretend there are more chapters in this title than there are, resulting in a NULL pointer dereference.

I added some debugging output to stream/stream_dvd.c::list_chapters() to find this.

ptt=0xb2f7928
vts_file->vts_ptt_srpt->title[title_no].nr_of_ptts=21
i=0
pgc=0xb2f7c78
cell=1
i=1
pgc=0xb2f7c78
cell=2
i=2
pgc=0xb2f7c78
cell=3
i=3
pgc=0xb2f7c78
cell=4
i=4
pgc=0xb2f7c78
cell=5
i=5
pgc=0xb2f7c78
cell=6
i=6
pgc=0xb2f7c78
cell=7
i=7
pgc=0xb2f7c78
cell=8
i=8
pgc=0xb2f7c78
cell=9
i=9
pgc=0xb2f7c78
cell=10
i=10
pgc=0xb2f7c78
cell=11
i=11
pgc=0xb2f7c78
cell=12
i=12
pgc=0xb2f7c78
cell=13
i=13
pgc=0xb2f7c78
cell=15
i=14
pgc=0xb2f7c78
cell=16
i=15
pgc=0xb2f7c78
cell=17
i=16
pgc=0xb2f7c78
cell=18
i=17
pgc=0xb2f7c78
cell=19
i=18
pgc=0xb2f7c78
cell=20
i=19
pgc=0xb2f8020
cell=1
i=20
pgc=(nil)

MPlayer interrupted by signal 11 in module: open_stream

• MPlayer crashed by bad usage of CPU/FPU/RAM. Recompile MPlayer with --enable-debug and make a 'gdb' backtrace and disassembly. Details in DOCS/HTML/en/bugreports_what.html#bugreports_crash.
• MPlayer crashed. This shouldn't happen. It can be a bug in the MPlayer code _or_ in your drivers _or_ in your gcc version. If you think it's MPlayer's fault, please read DOCS/HTML/en/bugreports.html and follow the instructions there. We can't and won't help unless you provide this information when reporting a possible bug.

[auerswal@…]

Different fix using continue instead of break

[auerswal@…]

This fixes the issue for me as well. The first version is more conservative (exiting the loop as soon as no valid chapter is found) while the second is more resilient by just ignoring invalid chapters. Thus the second version might list more chapters if a middle entry is missing.

Both patches work without any issues for all DVDs I have tested so far. Only RE3 shows the corrupt chapter list for the main title so far. Correct chapter lists work the same as before, obviously.

[cehoyos]

Please send the patch(es) to mplayer-dev-eng

[reimar]

I suspect that this is actually an out-of-bounds read and it's pure luck that your NULL check fixes it.
Wouldn't comparing the index against nr_of_pgci_srp work as well? If so that should be more correct.
Though I am unsure if this shouldn't be libdvdread's responsibility to validate and/or fix.

[auerswal@…]

(In reply to comment #6)

I suspect that this is actually an out-of-bounds read and it's pure luck
that your NULL check fixes it.

Well, it obviously is not pure luck, because the error is dereferencing a NULL pointer. That holds for this one DVD and does not tell anthing about different DVDs.

Wouldn't comparing the index against nr_of_pgci_srp work as well? If so that
should be more correct.

Which one to believe? What if both are wrong? This is where robustness trumps correctness.

Though I am unsure if this shouldn't be libdvdread's responsibility to
validate and/or fix.

The root cause is very probably a defective (not fully standards compliant) DVD. This is a business model and will never be fixed. I don't think libdvdread should fake DVD contents to ensure some third party application can keep its false assumptions.

MPlayer is trying to parse some DVD structures to print a chapter list, but only prints it when -identify is specified. On this DVD it crashes during this operation, although this never printed list is of no use at all. That is not robust. I can understand that you want the code to run even if not needed to find bugs in it. I don't understand that you want it to crash on some interestingly mastered commercial DVD.

[reimar]

Well, it obviously is not pure luck, because the error is dereferencing a NULL pointer. That holds for this one DVD and does not tell anthing about different DVDs.

If it, as I expect, is an out-of-bounds read then it actually only holds with this DVD, on your computer, with that libc, with ASLR disabled etc. etc., and that would make it pure luck.

Which one to believe? What if both are wrong? This is where robustness trumps correctness.

You get no robustness by relying on uninitialized memory to be NULL, you get something that regularly falls over like a house of cards while it's at the same time impossible to debug because errors only happen randomly.
But even with your argument certainly checking both should be better, and for that it would have helped hugely if you had answered my question whether that would work or not.

I don't understand that you want it to crash on some interestingly mastered commercial DVD.

No crashes are best, but reproducible crashes are better than random ones.
Anyway I just threw all checks at it that made sense to me. Obviously checking if there is also dvdread bug and fixing it would have been better, but for that I would have needed more information.