Opened 16 years ago

Closed 16 years ago

#956 closed defect (fixed)

Crash on malformed WMV file

Reported by: dan@… Owned by: r_togni@…
Priority: normal Component: demuxer
Version: HEAD Severity: normal
Keywords: Cc:
Blocked By: Blocking:
Reproduced by developer: no Analyzed by developer: no

Description

mplayer crashes when playing the attached malformed WMV file with the following (not very helpful) stack trace:

$ gdb mplayer
GNU gdb 6.6-3mdv2008.0 (Mandriva Linux release 2008.0)
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i586-mandriva-linux-gnu"...
(no debugging symbols found)
Using host libthread_db library "/lib/i686/libthread_db.so.1".
(gdb) run crash.wmv
Starting program: /usr/bin/mplayer crash.wmv
/usr/bin/mplayer: /usr/lib/libpulse.so.0: no version information available (required by /usr/bin/mplayer)
[Thread debugging using libthread_db enabled]
[New Thread -1239021872 (LWP 18940)]
MPlayer 1.0-1.rc2.4plf2008.1-4.2.2 (C) 2000-2007 MPlayer Team
CPU: Intel Celeron 2/Pentium III Coppermine,Geyserville (Family: 6, Model: 8, Stepping: 3)
CPUflags: MMX: 1 MMX2: 1 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 0
Compiled with runtime CPU detection.
mplayer: could not connect to socket
mplayer: No such file or directory
Failed to open LIRC support. You will not be able to use your remote control.

Playing crash.wmv.
ASF file format detected.
[asfheader] Audio stream found, -aid 1
[asfheader] Video stream found, -vid 2

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1239021872 (LWP 18940)]
0x081da208 in ?? ()
(gdb) bt
#0 0x081da208 in ?? ()
#1 0x081d7a75 in ds_fill_buffer ()
#2 0x081da975 in ?? ()
#3 0x081d7387 in ?? ()
#4 0x081d769c in demux_open ()
#5 0x080bd46b in main ()
(gdb)

This is on a 733 MHz Pentium III running the PLF mplayer-1.0-1.rc2.4plf2008.1.i586.rpm package on Mandriva 2008.

Attachments (1)

crash.wmv (87.9 KB) - added by dan@… 16 years ago.
Corrupt WMV file causing crash

Change History (6)

by dan@…, 16 years ago

Attachment: crash.wmv added

Corrupt WMV file causing crash

comment:1 by dan@…, 16 years ago

This file was manually extracted from a (probably corrupt) download of the file http://s2.streamingfarm.tv/streamingfarm/skysails_clips/20070823_SkySails_Erklaerfilm_e03_768k.wmv

comment:2 by compn, 16 years ago

op_sys: Linux → All
rep_platform: PC (x86 with SSE) → All
Version: 1.0rc2 → HEAD

-demuxer lavf does not crash on the file.

the packaged mplayer usually has debugging symbols stripped out.
here is a proper gdb

E:\temp>gdb e:\mplayer-testclips\mplayer\mplayer.exe
GNU gdb 5.2.1
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i686-pc-mingw32"...
(gdb) run crash.wmv
Starting program: e:\mplayer-testclips\mplayer\mplayer.exe crash.wmv

Program received signal SIGSEGV, Segmentation fault.
demux_asf_fill_buffer (demux=0x3348e38, ds=0x3348330) at demux_asf.c:502
502 case 1: len=p[0];p++;break; byte
(gdb) bt
#0 demux_asf_fill_buffer (demux=0x3348e38, ds=0x3348330) at demux_asf.c:502
#1 0x004bb179 in ds_fill_buffer (ds=0x3348330) at demuxer.c:423
#2 0x004e743b in demux_open_asf (demuxer=0x3348e38) at demux_asf.c:642
#3 0x004bbc6b in demux_open_stream (stream=0x3348490, file_format=6, force=0,
    audio_id=-1, video_id=-1, dvdsub_id=-2, filename=0x3336fc0 "crash.wmv")
    at demuxer.c:728
#4 0x004bbef9 in demux_open (vs=0x3348490, file_format=0, audio_id=-1,
    video_id=-1, dvdsub_id=-2, filename=0x3336fc0 "crash.wmv") at demuxer.c:868
#5 0x00404bc2 in main (argc=2, argv=0x22a2728) at mplayer.c:2958
(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x4e6d80 to 0x4e6dc0:
0x4e6d80 <demux_asf_fill_buffer+2768>: mov 0x2444c700,%al
0x4e6d85 <demux_asf_fill_buffer+2773>: add $0x6,%al
0x4e6d87 <demux_asf_fill_buffer+2775>: add %al,(%eax)
0x4e6d89 <demux_asf_fill_buffer+2777>: add %al,%bh
0x4e6d8b <demux_asf_fill_buffer+2779>: add $0x24,%al
0x4e6d8d <demux_asf_fill_buffer+2781>: pop %es
0x4e6d8e <demux_asf_fill_buffer+2782>: add %al,(%eax)
0x4e6d90 <demux_asf_fill_buffer+2784>: add %ch,%al
0x4e6d92 <demux_asf_fill_buffer+2786>: or (%edi),%ah
0x4e6d94 <demux_asf_fill_buffer+2788>: repnz (bad)
0x4e6d96 <demux_asf_fill_buffer+2790>: mov $0x1,%eax
0x4e6d9b <demux_asf_fill_buffer+2795>: jmp 0x4e677e <demux_asf_fill_buffer+1230>
0x4e6da0 <demux_asf_fill_buffer+2800>: movzbl (%edi),%esi
0x4e6da3 <demux_asf_fill_buffer+2803>: inc %edi
0x4e6da4 <demux_asf_fill_buffer+2804>: jmp 0x4e6694 <demux_asf_fill_buffer+996>
0x4e6da9 <demux_asf_fill_buffer+2809>: mov 0xffffff34(%ebp),%ebx
0x4e6daf <demux_asf_fill_buffer+2815>: movzbl 0xffffff83(%ebp),%eax
0x4e6db3 <demux_asf_fill_buffer+2819>: cmp 0x44(%ebx),%eax
0x4e6db6 <demux_asf_fill_buffer+2822>: je 0x4e6eb4 <demux_asf_fill_buffer+3076>
---Type <return> to continue, or q <return> to quit---
0x4e6dbc <demux_asf_fill_buffer+2828>: mov 0xffffff38(%ebp),%esi
End of assembler dump.
(gdb) info all-registers
eax 0x0 0
ecx 0x0 0
edx 0x1 1
ebx 0x334c274 53789300
esp 0x22ebd0 0x22ebd0
ebp 0x22ed08 0x22ed08
esi 0x6a0a5df8 1779064312
edi 0x6d3f2068 1832853608
eip 0x4e6da0 0x4e6da0
eflags 0x210247 2163271
cs 0x1b 27
ss 0x23 35
ds 0x23 35
es 0x23 35
fs 0x38 56
gs 0x0 0
st0 -nan(0xff000000ff000000) (raw 0xffffff000000ff000000)
st1 0 (raw 0xffff0000000000000000)
st2 -nan(0xfe000000000000) (raw 0xffff00fe000000000000)
st3 -nan(0xfe000000000000) (raw 0xffff00fe000000000000)
st4 -nan(0xff000000ff000000) (raw 0xffffff000000ff000000)
st5 -nan(0xff000000000000) (raw 0xffff00ff000000000000)
st6 8000 (raw 0x400bfa00000000000000)
---Type <return> to continue, or q <return> to quit---
st7 10.924687499999999 (raw 0x4002aecb851eb851eb85)
fctrl 0xffff037f -64641
fstat 0xffff0020 -65504
ftag 0xffffffff -1
fiseg 0x0 0
fioff 0x0 0
foseg 0xffff0000 -65536
fooff 0x0 0
fop 0x0 0
(gdb) quit
The program is running. Exit anyway? (y or n) y
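The symbolised trace in comment 2 faults on the byte load at demux_asf.c:502 (eip sits on `movzbl (%edi),%esi`, the `len=p[0]` read) because the length-field decode trusts p to still point inside the packet. As an added example, not code from the ticket or from MPlayer, here is a bounds-checked version of that decode; the 0/1/2/4-byte width coding is the ASF length-type convention, and the sample bytes are constructed, not taken from crash.wmv.

```c
#include <stddef.h>
#include <stdint.h>

/* Width of an ASF length field for a 2-bit "length type" value
   (ASF convention: 0 = absent, 1 = BYTE, 2 = WORD, 3 = DWORD). */
size_t asf_len_field_size(unsigned type)
{
    static const size_t sizes[4] = { 0, 1, 2, 4 };
    return sizes[type & 3];
}

/* Decode the length field at p without reading at or past end.  The
   crashing line ("case 1: len=p[0];p++;break;") trusts p; here a field
   that does not fit in the remaining packet bytes yields -1 so the
   caller can fail the demux.  Returns the bytes consumed on success. */
int asf_read_len_checked(const uint8_t *p, const uint8_t *end,
                         unsigned type, uint32_t *len)
{
    size_t need = asf_len_field_size(type);
    if (p > end || (size_t)(end - p) < need)
        return -1;
    switch (need) {                 /* ASF integers are little-endian */
    case 0: *len = 0; break;
    case 1: *len = p[0]; break;
    case 2: *len = (uint32_t)p[0] | ((uint32_t)p[1] << 8); break;
    default: *len = (uint32_t)p[0] | ((uint32_t)p[1] << 8)
                  | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24); break;
    }
    return (int)need;
}

/* Constructed sample (not bytes from crash.wmv): a BYTE length 0x2a,
   then a DWORD length 0x00010000, then the packet ends. */
static const uint8_t sample_packet[] = { 0x2a, 0x00, 0x00, 0x01, 0x00 };

/* Decode both fields, then ask for a DWORD the packet cannot hold.
   Returns 1 if the fields decode as expected and the truncated read is
   refused with -1, 0 otherwise. */
int demo_checked_reader(void)
{
    const uint8_t *p = sample_packet, *end = p + sizeof sample_packet;
    uint32_t a = 0, b = 0, c = 0;
    int n = asf_read_len_checked(p, end, 1, &a);
    if (n != 1 || a != 0x2a) return 0;
    p += n;
    n = asf_read_len_checked(p, end, 3, &b);
    if (n != 4 || b != 0x00010000) return 0;
    p += n;                         /* p == end: nothing left to read */
    return asf_read_len_checked(p, end, 3, &c) == -1;
}
```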

comment:3 by mplayer@…, 16 years ago

Cc: mplayer@… added

comment:4 by mplayer@…, 16 years ago

Cc: mplayer@… removed

comment:5 by r_togni@…, 16 years ago

Resolution: fixed
Status: new → closed

Fixed in svn r25957