Opened 16 years ago
Closed 16 years ago
#948 closed defect (fixed)
Crash in asx_parse_entryref()
| Reported by: | Owned by: | ||
|---|---|---|---|
| Priority: | normal | Component: | streaming |
| Version: | 1.0rc2 | Severity: | major |
| Keywords: | Cc: | ||
| Blocked By: | Blocking: | ||
| Reproduced by developer: | no | Analyzed by developer: | no |
Description
Tried to play a live stream with mplayer -playlist http://host/file.asx and it crashes when apparently parsing the ASX file. Not sure if the bug is real or if it might even pose a security risk as it ultimately crashes in a strncasecmp() call in libc.
Version is 1.0rc2 as provided by Gentoo portage on November 26, 2007 1am -0500. See below for full details (sorry if lines wrap). Let me know if you need more info.
Gentoo Linux (~amd64 for mplayer)
$ uname -a
Linux omexis 2.6.22-gentoo-r5 #2 SMP Fri Sep 7 22:54:45 EDT 2007 x86_64 AMD Athlon(tm) 64 X2 Dual Core Processor 5200+ AuthenticAMD GNU/Linux
$ ls -l /lib/libc[.-]*
-rwxr-xr-x 1 root root 1293456 Nov 24 00:41 /lib/libc-2.6.1.so
lrwxrwxrwx 1 root root 13 Nov 24 00:41 /lib/libc.so.6 -> libc-2.6.1.so
$ gcc -v; ld -v
Using built-in specs.
Target: x86_64-pc-linux-gnu
Configured with: /var/tmp/portage/sys-devel/gcc-4.1.2/work/gcc-4.1.2/configure --prefix=/usr --bindir=/usr/x86_64-pc-linux-gnu/gcc-bin/4.1.2 --includedir=/usr/lib/gcc/x86_64-pc-linux-gnu/4.1.2/include --datadir=/usr/share/gcc-data/x86_64-pc-linux-gnu/4.1.2 --mandir=/usr/share/gcc-data/x86_64-pc-linux-gnu/4.1.2/man --infodir=/usr/share/gcc-data/x86_64-pc-linux-gnu/4.1.2/info --with-gxx-include-dir=/usr/lib/gcc/x86_64-pc-linux-gnu/4.1.2/include/g++-v4 --host=x86_64-pc-linux-gnu --build=x86_64-pc-linux-gnu --disable-altivec --enable-nls --without-included-gettext --with-system-zlib --disable-checking --disable-werror --enable-secureplt --disable-libunwind-exceptions --enable-multilib --enable-libmudflap --disable-libssp --disable-libgcj --enable-languages=c,c++ --enable-shared --enable-threads=posix --enable-cxa_atexit --enable-clocale=gnu
Thread model: posix
gcc version 4.1.2 (Gentoo 4.1.2)
GNU ld (GNU Binutils) 2.18
$ as --version
GNU assembler (GNU Binutils) 2.18
Copyright 2007 Free Software Foundation, Inc.
This program is free software; you may redistribute it under the terms of
the GNU General Public License version 3 or later.
This program has absolutely no warranty.
This assembler was configured for a target of `x86_64-pc-linux-gnu'.
$ cat /proc/cpuinfo
processor : 0
vendor_id : AuthenticAMD
cpu family : 15
model : 67
model name : AMD Athlon(tm) 64 X2 Dual Core Processor 5200+
stepping : 2
cpu MHz : 2612.036
cache size : 1024 KB
physical id : 0
siblings : 2
core id : 0
cpu cores : 2
fpu : yes
fpu_exception : yes
cpuid level : 1
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt rdtscp lm 3dnowext 3dnow pni cx16 lahf_lm cmp_legacy svm extapic cr8_legacy
bogomips : 5227.99
TLB size : 1024 4K pages
clflush size : 64
cache_alignment : 64
address sizes : 40 bits physical, 48 bits virtual
power management: ts fid vid ttp tm stc
processor : 1
vendor_id : AuthenticAMD
cpu family : 15
model : 67
model name : AMD Athlon(tm) 64 X2 Dual Core Processor 5200+
stepping : 2
cpu MHz : 2612.036
cache size : 1024 KB
physical id : 0
siblings : 2
core id : 1
cpu cores : 2
fpu : yes
fpu_exception : yes
cpuid level : 1
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt rdtscp lm 3dnowext 3dnow pni cx16 lahf_lm cmp_legacy svm extapic cr8_legacy
bogomips : 5224.11
TLB size : 1024 4K pages
clflush size : 64
cache_alignment : 64
address sizes : 40 bits physical, 48 bits virtual
power management: ts fid vid ttp tm stc
$ gdb -q mplayer
Using host libthread_db library "/lib/libthread_db.so.1".
(gdb) run -v -playlist http://webclust1.liquidcompass.cc/sos4stnrd/asx/WBTZ.asx
Starting program: /usr/bin/mplayer -v -playlist http://webclust1.liquidcompass.cc/sos4stnrd/asx/WBTZ.asx
MPlayer dev-SVN-rUNKNOWN-4.1.2 (C) 2000-2007 MPlayer Team
CPU: AMD Athlon(tm) 64 X2 Dual Core Processor 5200+ (Family: 15, Model: 67, Stepping: 2)
MMX supported but disabled
MMX2 supported but disabled
SSE supported but disabled
SSE2 supported but disabled
3DNow supported but disabled
3DNowExt supported but disabled
CPUflags: MMX: 0 MMX2: 0 3DNow: 0 3DNow2: 0 SSE: 0 SSE2: 0
Compiled for x86 CPU with extensions:
Filename for url is now http://webclust1.liquidcompass.cc/sos4stnrd/asx/WBTZ.asx
Filename for url is now http://webclust1.liquidcompass.cc/sos4stnrd/asx/WBTZ.asx
STREAM_HTTP(1), URL: http://webclust1.liquidcompass.cc/sos4stnrd/asx/WBTZ.asx
Resolving webclust1.liquidcompass.cc for AF_INET6...
Couldn't resolve name for AF_INET6: webclust1.liquidcompass.cc
Resolving webclust1.liquidcompass.cc for AF_INET...
Connecting to server webclust1.liquidcompass.cc[38.116.132.38]: 80...
--- HTTP DEBUG HEADER --- START ---
protocol: [HTTP/1.1]
http minor version: [1]
uri: [(null)]
method: [(null)]
status code: [200]
reason phrase: [OK]
body size: [0]
Fields:
0 - Date: Mon, 26 Nov 2007 05:43:42 GMT
1 - Server: Apache/2.0.49 (Linux/SuSE)
2 - Last-Modified: Mon, 26 Nov 2007 05:30:01 GMT
3 - ETag: "16602-22a-41776840"
4 - Accept-Ranges: bytes
5 - Content-Length: 554
6 - Connection: close
7 - Content-Type: text/plain; charset=ISO-8859-1
--- HTTP DEBUG HEADER --- END ---
Content-Type: [text/plain; charset=ISO-8859-1]
Content-Length: [554]
Cache size set to 320 KBytes
STREAM: [null] http://webclust1.liquidcompass.cc/sos4stnrd/asx/WBTZ.asx
STREAM: Description: http streaming
STREAM: Author: Bertrand, Albeau, Reimar Doeffinger, Arpi?
STREAM: Comment: plain http
Parsing playlist file http://webclust1.liquidcompass.cc/sos4stnrd/asx/WBTZ.asx...
Trying asx...
Detected asx format
Filename for url is now http://cas-m.streamadz.com/cas/mirror/adz_view.php?publisherID=866&type=gateway&ext=.ASX&limit=1&canskip=no&syncview=no
Filename for url is now http://cas-m.streamadz.com/cas/mirror/adz_view.php?publisherID=866&type=gateway&ext=.ASX&limit=1&canskip=no&syncview=no
STREAM_HTTP(1), URL: http://cas-m.streamadz.com/cas/mirror/adz_view.php?publisherID=866&type=gateway&ext=.ASX&limit=1&canskip=no&syncview=no
Resolving cas-m.streamadz.com for AF_INET6...
Couldn't resolve name for AF_INET6: cas-m.streamadz.com
Resolving cas-m.streamadz.com for AF_INET...
Connecting to server cas-m.streamadz.com[38.116.147.102]: 80...
--- HTTP DEBUG HEADER --- START ---
protocol: [HTTP/1.1]
http minor version: [1]
uri: [(null)]
method: [(null)]
status code: [200]
reason phrase: [OK]
body size: [0]
Fields:
0 - Date: Mon, 26 Nov 2007 06:02:09 GMT
1 - Server: Apache/2.2.3 (Linux/SUSE)
2 - X-Powered-By: PHP/5.1.2
3 - Content-Length: 0
4 - Connection: close
5 - Content-Type: text/html
--- HTTP DEBUG HEADER --- END ---
Content-Type: [text/html]
Content-Length: [0]
Cache size set to 320 KBytes
STREAM: [null] http://cas-m.streamadz.com/cas/mirror/adz_view.php?publisherID=866&type=gateway&ext=.ASX&limit=1&canskip=no&syncview=no
STREAM: Description: http streaming
STREAM: Author: Bertrand, Albeau, Reimar Doeffinger, Arpi?
STREAM: Comment: plain http
Adding playlist http://cas-m.streamadz.com/cas/mirror/adz_view.php?publisherID=866&type=gateway&ext=.ASX&limit=1&canskip=no&syncview=no to element entryref
Trying asx...
Trying Winamp playlist...
Trying extended m3u playlist...
Trying reference-ini playlist...
Trying smil playlist...
Detected smil playlist format
Program received signal SIGSEGV, Segmentation fault.
0x00002ab52a0a57da in strncasecmp () from /lib/libc.so.6
(gdb) bt
#0 0x00002ab52a0a57da in strncasecmp () from /lib/libc.so.6
#1 0x000000000042d5b0 in play_tree_parser_get_play_tree (p=0xdb5360, forced=1)
at playtreeparser.c:462
#2 0x00000000004211e2 in asx_parse_entryref (parser=<value optimized out>,
buffer=<value optimized out>, _attribs=<value optimized out>)
at asxparser.c:487
#3 0x0000000000421933 in asx_parser_build_tree (
buffer=0xdb4209 "<!-- END OF GATEWAY CODE -->\r\n<ENTRY>\r\n<title>This is the link to your streaming server</title>\r\n<PARAM NAME=\"livestream\" VALUE=\"yes\" />\r\n<REF HREF=\"http://wmc1.liquidcompass.cc/WBTZ\" />\r\n</ENTRY>",
deep=<value optimized out>) at asxparser.c:655
#4 0x000000000042d8d2 in play_tree_parser_get_play_tree (p=0xdb2830, forced=1)
at playtreeparser.c:198
#5 0x000000000042df27 in parse_playtree (stream=<value optimized out>,
forced=1) at playtreeparser.c:664
#6 0x000000000042e058 in parse_playlist_file (
file=0x7fff852af2cc "http://webclust1.liquidcompass.cc/sos4stnrd/asx/WBTZ.asx") at playtreeparser.c:741
#7 0x000000000041bcb5 in m_config_parse_mp_command_line (config=0xda26c0,
argc=4, argv=0x7fff852ae258) at parser-mpcmd.c:44
#8 0x0000000000415a4b in main (argc=4, argv=0x7fff852ae258) at mplayer.c:2339
(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x2ab52a0a57ba to 0x2ab52a0a57fa:
0x00002ab52a0a57ba <strncasecmp+10>: cmp %rsi,%rdi
0x00002ab52a0a57bd <strncasecmp+13>: sete %dl
0x00002ab52a0a57c0 <strncasecmp+16>: test %r9,%r9
0x00002ab52a0a57c3 <strncasecmp+19>: mov %fs:(%rax),%rcx
0x00002ab52a0a57c7 <strncasecmp+23>: sete %al
0x00002ab52a0a57ca <strncasecmp+26>: xor %r10d,%r10d
0x00002ab52a0a57cd <strncasecmp+29>: or %al,%dl
0x00002ab52a0a57cf <strncasecmp+31>: jne 0x2ab52a0a57fe <strncasecmp+78>
0x00002ab52a0a57d1 <strncasecmp+33>: mov 0x70(%rcx),%rcx
0x00002ab52a0a57d5 <strncasecmp+37>: jmp 0x2ab52a0a57da <strncasecmp+42>
0x00002ab52a0a57d7 <strncasecmp+39>: inc %rdi
0x00002ab52a0a57da <strncasecmp+42>: movzbl (%rdi),%r8d
0x00002ab52a0a57de <strncasecmp+46>: movzbl (%rsi),%edx
0x00002ab52a0a57e1 <strncasecmp+49>: inc %rsi
0x00002ab52a0a57e4 <strncasecmp+52>: movzbl %r8b,%eax
0x00002ab52a0a57e8 <strncasecmp+56>: mov (%rcx,%rax,4),%eax
0x00002ab52a0a57eb <strncasecmp+59>: mov %eax,%r10d
0x00002ab52a0a57ee <strncasecmp+62>: sub (%rcx,%rdx,4),%r10d
0x00002ab52a0a57f2 <strncasecmp+66>: jne 0x2ab52a0a57fe <strncasecmp+78>
0x00002ab52a0a57f4 <strncasecmp+68>: test %r8b,%r8b
0x00002ab52a0a57f7 <strncasecmp+71>: je 0x2ab52a0a57fe <strncasecmp+78>
0x00002ab52a0a57f9 <strncasecmp+73>: dec %r9
End of assembler dump.
(gdb) info all-reg
rax 0xffffffffffffff00 -256
rbx 0x0 0
rcx 0x2ab52a124760 46957583288160
rdx 0x0 0
rsi 0x826177 8544631
rdi 0x0 0
rbp 0x0 0x0
rsp 0x7fff852ab998 0x7fff852ab998
r8 0x2ab52ce36a90 46957630548624
r9 0xe 14
r10 0x0 0
r11 0x200246 2097734
r12 0xdb5360 14373728
r13 0x1 1
r14 0x7fff852abc98 140735427558552
r15 0x1 1
rip 0x2ab52a0a57da 0x2ab52a0a57da <strncasecmp+42>
eflags 0x210246 [ PF ZF IF RF ID ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
st0 0 (raw 0x00000000000000000000)
st1 0 (raw 0x00000000000000000000)
st2 0 (raw 0x00000000000000000000)
st3 0 (raw 0x00000000000000000000)
st4 0 (raw 0x00000000000000000000)
st5 0 (raw 0x00000000000000000000)
st6 0 (raw 0x00000000000000000000)
st7 0 (raw 0x00000000000000000000)
fctrl 0x37f 895
fstat 0x0 0
ftag 0xffff 65535
fiseg 0x0 0
fioff 0x0 0
foseg 0x0 0
fooff 0x0 0
fop 0x0 0
xmm0 {v4_float = {0x1, 0x1, 0x0, 0x0}, v2_double = {0x1, 0x0},
v16_int8 = {0xcd, 0xcc, 0xcc, 0x3f, 0x99, 0x99, 0xf9, 0x3f, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0xcccd, 0x3fcc, 0x9999, 0x3ff9, 0x0,
0x0, 0x0, 0x0}, v4_int32 = {0x3fcccccd, 0x3ff99999, 0x0, 0x0}, v2_int64 = {
0x3ff999993fcccccd, 0x0}, uint128 = 0x00000000000000003ff999993fcccccd}
xmm1 {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x1, 0x0},
v16_int8 = {0x9a, 0x99, 0x99, 0x99, 0x99, 0x99, 0xf9, 0x3f, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0x999a, 0x9999, 0x9999, 0x3ff9, 0x0,
0x0, 0x0, 0x0}, v4_int32 = {0x9999999a, 0x3ff99999, 0x0, 0x0}, v2_int64 = {
0x3ff999999999999a, 0x0}, uint128 = 0x00000000000000003ff999999999999a}
xmm2 {v4_float = {0x1, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x80, 0x3f, 0x0 <repeats 12 times>}, v8_int16 = {0x0,
0x3f80, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x3f800000, 0x0, 0x0,
0x0}, v2_int64 = {0x3f800000, 0x0},
uint128 = 0x0000000000000000000000003f800000}
xmm3 {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x1, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf0, 0x3f, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v8_int16 = {0x0, 0x0, 0x0, 0x3ff0, 0x0, 0x0, 0x0,
0x0}, v4_int32 = {0x0, 0x3ff00000, 0x0, 0x0}, v2_int64 = {
0x3ff0000000000000, 0x0}, uint128 = 0x00000000000000003ff0000000000000}
xmm4 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x81, 0x80, 0x80, 0x3b, 0x0 <repeats 12 times>}, v8_int16 = {
0x8081, 0x3b80, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x3b808081,
0x0, 0x0, 0x0}, v2_int64 = {0x3b808081, 0x0},
uint128 = 0x0000000000000000000000003b808081}
xmm5 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
uint128 = 0x00000000000000000000000000000000}
xmm6 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
uint128 = 0x00000000000000000000000000000000}
---Type <return> to continue, or q <return> to quit---
xmm7 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
uint128 = 0x00000000000000000000000000000000}
xmm8 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
uint128 = 0x00000000000000000000000000000000}
xmm9 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
uint128 = 0x00000000000000000000000000000000}
xmm10 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
uint128 = 0x00000000000000000000000000000000}
xmm11 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
uint128 = 0x00000000000000000000000000000000}
xmm12 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
uint128 = 0x00000000000000000000000000000000}
xmm13 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
uint128 = 0x00000000000000000000000000000000}
xmm14 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
uint128 = 0x00000000000000000000000000000000}
xmm15 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
uint128 = 0x00000000000000000000000000000000}
mxcsr 0x1fa0 [ PE IM DM ZM OM UM PM ]
(gdb)
That is a non-critical NULL-dereference and already fixed since r24990