Opened 6 weeks ago

Last modified 6 weeks ago

#2326 new defect

Null dereference in demux_rawdv_fill_buffer

Reported by: Javantea Owned by: beastd
Priority: normal Component: demuxer
Version: 1.3 Severity: normal
Keywords: crash Cc:
Blocked By: Blocking:
Reproduced by developer: no Analyzed by developer: no


Summary of the bug:
A null dereference occurs in demux_rawdv_fill_buffer when a certain type of file is played with DISPLAY=.
How to reproduce:

DISPLAY= gdb mplayer
(gdb) run x.tgz
MPlayer 1.3.0-5.4.0 (C) 2000-2016 MPlayer Team
Can't open joystick device /dev/input/js0: No such file or directory
Can't init input joystick

Playing x.tgz.
libavformat version 57.71.100 (external)
RAWDV file format detected.
VIDEO:  [DVSD]  720x480  24bpp  29.970 fps    0.0 kbps ( 0.0 kbyte/s)
vo: couldn't open the X11 display ()!
Error opening/initializing the selected video_out (-vo) device.
Load subtitles in ./

Program received signal SIGSEGV, Segmentation fault.
demux_rawdv_fill_buffer (demuxer=0x555555aad9d0, ds=<optimized out>) at libmpdemux/demux_rawdv.c:125
125     libmpdemux/demux_rawdv.c: No such file or directory.
(gdb) bt
#0  demux_rawdv_fill_buffer (demuxer=0x555555aad9d0, ds=<optimized out>) at libmpdemux/demux_rawdv.c:125
#1  0x00005555556431f8 in demux_fill_buffer (ds=0x555555aa4750, demux=0x555555aad9d0) at libmpdemux/demuxer.c:649
#2  ds_get_next_pts (ds=0x555555aa4750) at libmpdemux/demuxer.c:958
#3  0x00005555555a1d85 in print_file_properties (filename=<optimized out>, mpctx=0x555555a13000 <mpctx_s>) at mplayer.c:537
#4  main (argc=2, argv=0x7fffffffd428) at mplayer.c:3615
(gdb) list
120        bytes_read=stream_read(demuxer->stream,dp_video->buffer,frames->frame_size);
121        if (bytes_read<frames->frame_size) {
122           free_demux_packet(dp_video);
123           return 0;
124        }
125        dp_video->pts=frames->current_frame/sh_video->fps;
126        dp_video->pos=frames->current_filepos;
127        dp_video->flags=0;
129        if (demuxer->audio && demuxer->audio->id>=-1)

(gdb) print sh_video
$1 = (sh_video_t *) 0x0
(gdb) print dp_video
$2 = <optimized out>
(gdb) print frames
$3 = (rawdv_frames_t *) 0x555555aa47f0

I wasn't able to find the cause because gdb wouldn't play nicely. There is some strange stuff occurring in that demuxer.

I can't repro it normally, I have to set DISPLAY=

To make a repro, it appears to require a 1MB or so tar.gz file.
For example:

DISPLAY= mplayer /usr/portage/distfiles/gperf-3.1.tar.gz

If you want to make your own:

tar czf bikeim-README.tgz
dd if=/dev/urandom bs=1024 count=1024 >>bikeim-README.tgz

If you can't repro let me know and I'll send you the file. I'm happy to help in any way I can.

Attachments (1)

test13.gz (143.0 KB) - added by Javantea 6 weeks ago.
Reproduction file minimized from gperf-3.1.tar.gz.

Download all attachments as: .zip

Change History (3)

comment:1 Changed 6 weeks ago by beastd

Unfortunately I cannot reproduce.

Is it also happening with newest MPlayer version from SVN?

comment:2 Changed 6 weeks ago by beastd

If you have a small file that triggers the crash you could also attach it to the ticket here.

Changed 6 weeks ago by Javantea

Reproduction file minimized from gperf-3.1.tar.gz.

Note: See TracTickets for help on using tickets.