Opened 5 years ago

Closed 4 years ago

#2127 closed defect (fixed)

[with PATCH] MPlayer interrupted by signal 11 in module: open_stream when playing movie title from DVD Resident Evil: Extinction

Reported by: auerswal@… Owned by: reimar
Priority: normal Component: core
Version: HEAD Severity: normal
Keywords: Cc: cehoyos
Blocked By: Blocking:
Reproduced by developer: no Analyzed by developer: no

Description

MPlayer crashed when trying to play the movie title of the Resident Evil: Extinction DVD using 'mplayer dvd://2'. MPlayer can play this DVD when using 'mplayer dvdnav://'. The DVD is played by my hardware DVD player as well (interpreting the DVD's menus, of course).

Attachments (5)

mplayer-dvd_title2.log (4.2 KB) - added by auerswal@… 5 years ago.
$ ./mplayer -v -dvd-device /dev/sr1 dvd://2
gdb.log (11.9 KB) - added by auerswal@… 5 years ago.
GDB log of debug enabled MPlayer
system_info.txt (2.9 KB) - added by auerswal@… 5 years ago.
system info (asked for in http://www.mplayerhq.hu/DOCS/HTML/en/bugreports_what.html)
mplayer-dvd-fix_re3_playback.patch (546 bytes) - added by auerswal@… 5 years ago.
The attached patch fixes the issue for me.
mplayer-dvd-fix_re3_playback-v2.patch (548 bytes) - added by auerswal@… 5 years ago.
Different fix using continue instead of break


Change History (15)

Changed 5 years ago by auerswal@…

$ ./mplayer -v -dvd-device /dev/sr1 dvd://2

Changed 5 years ago by auerswal@…

GDB log of debug enabled MPlayer

comment:1 Changed 5 years ago by auerswal@…

Changed 5 years ago by auerswal@…

comment:2 Changed 5 years ago by auerswal@…

Changed 5 years ago by auerswal@…

The attached patch fixes the issue for me.

comment:3 Changed 5 years ago by auerswal@…

The DVD seems to pretend there are more chapters in this title than there are, resulting in a NULL pointer dereference.

I added some debugging output to stream/stream_dvd.c::list_chapters() to find this.

ptt=0xb2f7928
vts_file->vts_ptt_srpt->title[title_no].nr_of_ptts=21
i=0
pgc=0xb2f7c78
cell=1
i=1
pgc=0xb2f7c78
cell=2
i=2
pgc=0xb2f7c78
cell=3
i=3
pgc=0xb2f7c78
cell=4
i=4
pgc=0xb2f7c78
cell=5
i=5
pgc=0xb2f7c78
cell=6
i=6
pgc=0xb2f7c78
cell=7
i=7
pgc=0xb2f7c78
cell=8
i=8
pgc=0xb2f7c78
cell=9
i=9
pgc=0xb2f7c78
cell=10
i=10
pgc=0xb2f7c78
cell=11
i=11
pgc=0xb2f7c78
cell=12
i=12
pgc=0xb2f7c78
cell=13
i=13
pgc=0xb2f7c78
cell=15
i=14
pgc=0xb2f7c78
cell=16
i=15
pgc=0xb2f7c78
cell=17
i=16
pgc=0xb2f7c78
cell=18
i=17
pgc=0xb2f7c78
cell=19
i=18
pgc=0xb2f7c78
cell=20
i=19
pgc=0xb2f8020
cell=1
i=20
pgc=(nil)

MPlayer interrupted by signal 11 in module: open_stream

  • MPlayer crashed by bad usage of CPU/FPU/RAM. Recompile MPlayer with --enable-debug and make a 'gdb' backtrace and disassembly. Details in DOCS/HTML/en/bugreports_what.html#bugreports_crash.
  • MPlayer crashed. This shouldn't happen. It can be a bug in the MPlayer code _or_ in your drivers _or_ in your gcc version. If you think it's MPlayer's fault, please read DOCS/HTML/en/bugreports.html and follow the instructions there. We can't and won't help unless you provide this information when reporting a possible bug.

comment:4 Changed 5 years ago by auerswal@…

  • Summary changed from MPlayer interrupted by signal 11 in module: open_stream when playing movie title from DVD Resident Evil: Extinction to [with PATCH] MPlayer interrupted by signal 11 in module: open_stream when playing movie title from DVD Resident Evil: Extinction

Changed 5 years ago by auerswal@…

Different fix using continue instead of break

comment:5 Changed 5 years ago by auerswal@…

This fixes the issue for me as well. The first version is more conservative (exiting the loop as soon as no valid chapter is found) while the second is more resilient by just ignoring invalid chapters. Thus the second version might list more chapters if a middle entry is missing.

Both patches work without any issues for all DVDs I have tested so far. Only RE3 shows the corrupt chapter list for the main title so far. Correct chapter lists work the same as before, obviously.

comment:6 Changed 5 years ago by cehoyos

  • Cc cehoyos@… added

Please send the patch(es) to mplayer-dev-eng

comment:7 Changed 5 years ago by reimar

I suspect that this is actually an out-of-bounds read and it's pure luck that your NULL check fixes it.
Wouldn't comparing the index against nr_of_pgci_srp work as well? If so that should be more correct.
Though I am unsure if this shouldn't be libdvdread's responsibility to validate and/or fix.

comment:8 Changed 5 years ago by auerswal@…

(In reply to comment #6)

I suspect that this is actually an out-of-bounds read and it's pure luck that your NULL check fixes it.

Well, it obviously is not pure luck, because the error is dereferencing a NULL pointer. That holds for this one DVD and does not tell anything about different DVDs.

Wouldn't comparing the index against nr_of_pgci_srp work as well? If so that should be more correct.

Which one to believe? What if both are wrong? This is where robustness trumps correctness.

Though I am unsure if this shouldn't be libdvdread's responsibility to validate and/or fix.

The root cause is very probably a defective (not fully standards compliant) DVD. This is a business model and will never be fixed. I don't think libdvdread should fake DVD contents to ensure some third party application can keep its false assumptions.

MPlayer is trying to parse some DVD structures to print a chapter list, but only prints it when -identify is specified. On this DVD it crashes during this operation, although this never printed list is of no use at all. That is not robust. I can understand that you want the code to run even if not needed to find bugs in it. I don't understand that you want it to crash on some interestingly mastered commercial DVD.

comment:9 Changed 4 years ago by reimar

  • Analyzed by developer unset
  • Reproduced by developer unset

Well, it obviously is not pure luck, because the error is dereferencing a NULL pointer. That holds for this one DVD and does not tell anything about different DVDs.

If it, as I expect, is an out-of-bounds read then it actually only holds with this DVD, on your computer, with that libc, with ASLR disabled etc. etc., and that would make it pure luck.

Which one to believe? What if both are wrong? This is where robustness trumps correctness.

You get no robustness by relying on uninitialized memory to be NULL, you get something that regularly falls over like a house of cards while it's at the same time impossible to debug because errors only happen randomly.
But even with your argument certainly checking both should be better, and for that it would have helped hugely if you had answered my question whether that would work or not.

I don't understand that you want it to crash on some interestingly mastered commercial DVD.

No crashes are best, but reproducible crashes are better than random ones.
Anyway I just threw all checks at it that made sense to me. Obviously checking if there is also dvdread bug and fixing it would have been better, but for that I would have needed more information.
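Added example, not MPlayer's code and not either attached patch: a simplified C model of the chapter walk from comment 3 with both checks discussed in comments 7 and 9, the index compared against nr_of_pgci_srp before the table is read and the pgc pointer tested for NULL before it is dereferenced, run over a constructed title that claims 21 PTTs like the disc in the ticket. The struct layouts, sizes and demo values are assumptions, not libdvdread's real definitions.

```c
#include <stddef.h>
/* Simplified stand-in for the libdvdread structures list_chapters() walks.
 * Field names follow those quoted in the ticket; the layout is an assumption. */
enum { MAX_PGCI = 4, MAX_PG = 8 };
typedef struct { int program_map[MAX_PG]; } pgc_t;
typedef struct { pgc_t *pgc; } pgci_srp_t;
typedef struct { int nr_of_pgci_srp; pgci_srp_t pgci_srp[MAX_PGCI]; } pgcit_t;
typedef struct { int pgcn, pgn; } ptt_t;
typedef struct { int nr_of_ptts; ptt_t ptt[32]; } ttu_t;

/* Chapter walk with both checks from the discussion. Invalid entries are
 * skipped rather than ending the loop, matching the v2 patch's "continue".
 * Returns the number of chapters listed; cells[] receives each chapter's
 * program_map cell value. */
int list_chapters_checked(const ttu_t *t, const pgcit_t *pgcit,
                          int *cells, int max_cells)
{
    int n = 0;
    for (int i = 0; i < t->nr_of_ptts && n < max_cells; i++) {
        int pgcn = t->ptt[i].pgcn, pgn = t->ptt[i].pgn;
        /* pgcn is 1-based; anything outside [1, nr_of_pgci_srp] reads past the table */
        if (pgcn < 1 || pgcn > pgcit->nr_of_pgci_srp) continue;
        const pgc_t *pgc = pgcit->pgci_srp[pgcn - 1].pgc;
        if (pgc == NULL) continue;              /* the pgc=(nil) case from comment 3 */
        if (pgn < 1 || pgn > MAX_PG) continue;  /* program_map bound, model-specific */
        cells[n++] = pgc->program_map[pgn - 1];
    }
    return n;
}

/* Constructed title modelled on the ticket: nr_of_ptts claims 21 entries but
 * only 20 point at declared program chains; PTT 20 indexes past nr_of_pgci_srp. */
int demo_re3_like_title(void)
{
    static pgc_t main_pgc, extra_pgc;
    static pgcit_t pgcit;
    static ttu_t title;
    int cells[32];
    for (int c = 0; c < MAX_PG; c++) main_pgc.program_map[c] = c + 1;
    extra_pgc.program_map[0] = 1;
    pgcit.nr_of_pgci_srp = 2;
    pgcit.pgci_srp[0].pgc = &main_pgc;
    pgcit.pgci_srp[1].pgc = &extra_pgc;
    /* slot 2 is past the declared count; its NULL is the "luck" comment 9 describes */
    title.nr_of_ptts = 21;
    for (int i = 0; i < 20; i++) { title.ptt[i].pgcn = 1; title.ptt[i].pgn = (i % MAX_PG) + 1; }
    title.ptt[19].pgcn = 2; title.ptt[19].pgn = 1;
    title.ptt[20].pgcn = 3; title.ptt[20].pgn = 1;  /* bogus 21st entry */
    return list_chapters_checked(&title, &pgcit, cells, 32);
}
```

With only the NULL test in place the bogus entry would be rejected only because the unused table slot happens to be zero; the bounds check rejects it regardless of what that memory holds.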

comment:10 Changed 4 years ago by reimar

  • Resolution set to fixed
  • Status changed from new to closed