Opened 12 years ago

Closed 12 years ago

Last modified 12 years ago

#966 closed defect (fixed)

Signal 11 crash in libavformat/utils.c::av_read_packet() when reading WAV file

Reported by: dmolnar@…
Owned by: reimar
Priority: normal
Component: core
Version: HEAD
Severity: normal
Keywords:
Cc: daw-bugzilla@…
Blocked By:
Blocking:
Reproduced by developer:
Analyzed by developer:

Description

* Overview: I found a test case WAV file for mplayer compiled from the 2007-12-22 snapshot (dev-SVN-r25488-4.1.2) that causes a segfault. The crash occurs both without and with Valgrind 3.2; before crashing, Valgrind reports an invalid read of 4 bytes from address 0x8.

The test case is "2-snippet3.wav" available at the URL
http://www.cs.berkeley.edu/~dmolnar/2-snippet3.wav
(Warning: registers as 688M to wget!)

This test case is a similar WAV file but DOES NOT exhibit the crash:
http://www.cs.berkeley.edu/~dmolnar/snippet3.wav

Please let me know if there is any more information I can provide or questions I can answer.

* To reproduce:

1) mplayer 2-snippet3.wav

* My OS+platform:
Debian etch, Core 2 Duo T7300

uname -a:
Linux debian 2.6.18-4-486 #1 Mon Mar 26 16:39:10 UTC 2007 i686 GNU/Linux

user@debian:~/mplayer/mplayer-checkout-2007-12-22/libavformat$ ls -l /lib/libc[.-]*
-rwxr-xr-x 1 root root 1147548 2007-07-30 22:41 /lib/libc-2.3.6.so
lrwxrwxrwx 1 root root 13 2007-12-21 05:12 /lib/libc.so.6 -> libc-2.3.6.so

user@debian:~/mplayer/mplayer-checkout-2007-12-22/libavformat$ gcc -v
Using built-in specs.
Target: i486-linux-gnu
Configured with: ../src/configure -v --enable-languages=c,c++,fortran,objc,obj-c++,treelang --prefix=/usr --enable-shared --with-system-zlib --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --enable-nls --program-suffix=-4.1 --enable-cxa_atexit --enable-clocale=gnu --enable-libstdcxx-debug --enable-mpfr --with-tune=i686 --enable-checking=release i486-linux-gnu
Thread model: posix
gcc version 4.1.2 20061115 (prerelease) (Debian 4.1.1-21)

user@debian:~/mplayer/mplayer-checkout-2007-12-22/libavformat$ ld -v
GNU ld version 2.17 Debian GNU/Linux

user@debian:~/mplayer/mplayer-checkout-2007-12-22/libavformat$ as --version
GNU assembler 2.17 Debian GNU/Linux
Copyright 2005 Free Software Foundation, Inc.
This program is free software; you may redistribute it under the terms of
the GNU General Public License. This program has absolutely no warranty.
This assembler was configured for a target of `i486-linux-gnu'.

user@debian:~/mplayer/mplayer-checkout-2007-12-22/libavformat$ cat /proc/cpuinfo
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 15
model name : Intel(R) Core(TM)2 Duo CPU T7300 @ 2.00GHz
stepping : 8
cpu MHz : 2001.177
cache size : 4096 KB
fdiv_bug : no
hlt_bug : no
f00f_bug : no
coma_bug : no
fpu : yes
fpu_exception : yes
cpuid level : 10
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss nx constant_tsc pni ds_cpl
bogomips : 4008.20

* Mplayer output:

user@debian:~/mplayer/badcases$ ../inst/bin/mplayer 2-snippet3.wav
MPlayer dev-SVN-r25488-4.1.2 (C) 2000-2007 MPlayer Team
CPU: Intel(R) Core(TM)2 Duo CPU T7300 @ 2.00GHz (Family: 6, Model: 15, Stepping: 10)
CPUflags: MMX: 1 MMX2: 1 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 1
Compiled for x86 CPU with extensions: MMX MMX2 SSE SSE2

Playing 2-snippet3.wav.
libavformat file format detected.

MPlayer interrupted by signal 11 in module: demux_open

  • MPlayer crashed by bad usage of CPU/FPU/RAM. Recompile MPlayer with --enable-debug and make a 'gdb' backtrace and disassembly. Details in DOCS/HTML/en/bugreports_what.html#bugreports_crash.
  • MPlayer crashed. This shouldn't happen. It can be a bug in the MPlayer code _or_ in your drivers _or_ in your gcc version. If you think it's MPlayer's fault, please read DOCS/HTML/en/bugreports.html and follow the instructions there. We can't and won't help unless you provide this information when reporting a possible bug.

* Valgrind output:

==19227== Invalid read of size 4
==19227== at 0x81DA14C: av_read_packet (utils.c:502)
==19227== by 0x81DF39C: av_read_frame_internal (utils.c:805)
==19227== by 0x81E017A: av_find_stream_info (utils.c:1837)
==19227== by 0x817E848: demux_open_lavf (demux_lavf.c:483)
==19227== by 0x812B5EA: demux_open_stream (demuxer.c:777)
==19227== by 0x812B8CB: demux_open (demuxer.c:872)
==19227== by 0x8074481: main (mplayer.c:2973)
==19227== Address 0x8 is not stack'd, malloc'd or (recently) free'd

* gdb session (backtrace, disassembly, registers):

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1210292544 (LWP 359)]
0x081d744c in av_read_packet (s=0x8821ec0, pkt=0x8822d88) at utils.c:502
502 switch(st->codec->codec_type){
(gdb)
(gdb) bt
#0 0x081d744c in av_read_packet (s=0x8821ec0, pkt=0x8822d88) at utils.c:502
#1 0x081dc69d in av_read_frame_internal (s=0x8821ec0, pkt=0xbf92ad00)
    at utils.c:805
#2 0x081dd47b in av_find_stream_info (ic=0x8821ec0) at utils.c:1837
#3 0x0817bb39 in demux_open_lavf (demuxer=0x881ff80) at demux_lavf.c:483
#4 0x081288db in demux_open_stream (stream=0x881f5e8,
    file_format=<value optimized out>, force=0, audio_id=-1, video_id=-1,
    dvdsub_id=-2, filename=0x88162b8 "2-snippet3.wav") at demuxer.c:777
#5 0x08128bbc in demux_open (vs=0x881f5e8, file_format=0, audio_id=-1,
    video_id=-1, dvdsub_id=-2, filename=0x88162b8 "2-snippet3.wav")
    at demuxer.c:872
#6 0x08074252 in main (argc=2, argv=0xbf92c184) at mplayer.c:2973

(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x81d742c to 0x81d746c:
0x081d742c <av_read_packet+12>: pop %ebp
0x081d742d <av_read_packet+13>: or $0x89,%al
0x081d742f <av_read_packet+15>: sbb $0x24,%al
0x081d7431 <av_read_packet+17>: call 0x81d73a0 <av_init_packet>
0x081d7436 <av_read_packet+22>: mov 0x4(%esi),%eax
0x081d7439 <av_read_packet+25>: mov %ebx,0x4(%esp)
0x081d743d <av_read_packet+29>: mov %esi,(%esp)
0x081d7440 <av_read_packet+32>: call *0x14(%eax)
0x081d7443 <av_read_packet+35>: mov %eax,%ecx
0x081d7445 <av_read_packet+37>: mov 0x18(%ebx),%eax
0x081d7448 <av_read_packet+40>: mov 0x18(%esi,%eax,4),%eax
0x081d744c <av_read_packet+44>: mov 0x8(%eax),%edx
0x081d744f <av_read_packet+47>: mov 0xe0(%edx),%eax
0x081d7455 <av_read_packet+53>: cmp $0x1,%eax
0x081d7458 <av_read_packet+56>: je 0x81d7490 <av_read_packet+112>
0x081d745a <av_read_packet+58>: cmp $0x3,%eax
0x081d745d <av_read_packet+61>: je 0x81d74a2 <av_read_packet+130>
0x081d745f <av_read_packet+63>: test %eax,%eax
0x081d7461 <av_read_packet+65>: je 0x81d7470 <av_read_packet+80>
0x081d7463 <av_read_packet+67>: add $0x10,%esp
0x081d7466 <av_read_packet+70>: mov %ecx,%eax
0x081d7468 <av_read_packet+72>: pop %ebx
0x081d7469 <av_read_packet+73>: pop %esi
0x081d746a <av_read_packet+74>: pop %ebp
0x081d746b <av_read_packet+75>: ret
End of assembler dump.
(gdb)
(gdb) info all-registers
eax 0x0 0
ecx 0xfffffffb -5
edx 0x0 0
ebx 0x8822d88 142749064
esp 0xbf92a690 0xbf92a690
ebp 0xbf92a6a8 0xbf92a6a8
esi 0x8821ec0 142745280
edi 0x0 0
eip 0x81d744c 0x81d744c <av_read_packet+44>
eflags 0x10282 [ SF IF RF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
st0 0 (raw 0x00000000000000000000)
st1 0 (raw 0x00000000000000000000)
st2 0 (raw 0x00000000000000000000)
st3 0 (raw 0x00000000000000000000)
st4 0 (raw 0x00000000000000000000)
st5 3000000 (raw 0x4014b71b000000000000)
st6 1 (raw 0x3fff8000000000000000)
st7 1 (raw 0x3fff8000000000000000)
fctrl 0x37f 895
fstat 0x0 0
ftag 0xffff 65535
fiseg 0x73 115
fioff 0x8271dde 136781278
foseg 0x7b 123
fooff 0xbf92acbc -1080906564
fop 0x35d 861
xmm0 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm1 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm2 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm3 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm4 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm5 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm6 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm7 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
mxcsr 0x1f80 [ IM DM ZM OM UM PM ]
mm0 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0, 0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm1 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0, 0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm2 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0, 0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm3 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0, 0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm4 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0, 0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm5 {uint64 = 0xb71b000000000000, v2_int32 = {0x0, 0xb71b0000}, v4_int16 = {0x0, 0x0, 0x0, 0xb71b}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1b, 0xb7}}
mm6 {uint64 = 0x8000000000000000, v2_int32 = {0x0, 0x80000000}, v4_int16 = {0x0, 0x0, 0x0, 0x8000}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x80}}
mm7 {uint64 = 0x8000000000000000, v2_int32 = {0x0, 0x80000000}, v4_int16 = {0x0, 0x0, 0x0, 0x8000}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x80}}

(gdb)
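Reading the dump above together with the disassembly: the instruction at the crash, `mov 0x8(%eax),%edx`, is the load of `st->codec` for `switch(st->codec->codec_type)`, and `eax` is 0, so the stream slot selected by `pkt->stream_index` was NULL and the load hit address 0x8, exactly what Valgrind reported. `ecx` holds 0xfffffffb (-5), the value the demuxer's `read_packet` callback had just returned, i.e. the packet was used after the callback had signalled an error. The C program below is an added example, not code from this ticket or from FFmpeg, and it does not claim to be what r11307 changed. It models the same sequence with constructed, simplified stand-ins for `AVFormatContext`, `AVStream`, `AVCodecContext` and `AVPacket` (all names, layouts and error codes here are assumptions) and shows the ordering of checks that turns the crash into a clean error return: check the callback's return value first, range-check the stream index, then verify the stream slot and its codec context before dereferencing them.

```c
#include <stdio.h>
#include <string.h>

/* Constructed, much-simplified stand-ins for the libavformat structures in the
 * ticket's backtrace. Names, layouts and error codes are assumptions made for
 * this example; they are not FFmpeg's real definitions. */
enum codec_type { CODEC_TYPE_UNKNOWN = -1, CODEC_TYPE_VIDEO = 0,
                  CODEC_TYPE_AUDIO = 1, CODEC_TYPE_DATA = 2, CODEC_TYPE_SUBTITLE = 3 };

typedef struct { enum codec_type codec_type; int sample_rate; } CodecCtx;
typedef struct { int index; CodecCtx *codec; } Stream;
typedef struct { unsigned nb_streams; Stream *streams[4]; } FormatCtx;
typedef struct { int stream_index; int size; int flags; } Packet;
struct Demuxer { int (*read_packet)(FormatCtx *s, Packet *pkt); };

#define ERR_IO        (-5)   /* the -5 seen in ecx in the ticket's register dump */
#define ERR_BAD_DATA (-22)   /* constructed code: packet names a stream we do not have */
#define PKT_FLAG_AUDIO 1
#define PKT_FLAG_VIDEO 2

static void init_packet(Packet *pkt) { memset(pkt, 0, sizeof *pkt); }

/* Hardened version of the sequence at utils.c:502 in the ticket. The callback's
 * return value is checked before anything in the packet is trusted, the stream
 * index is range-checked, and the stream slot and its codec context are verified
 * before the switch on codec_type. A NULL slot becomes ERR_BAD_DATA instead of a
 * read from address 0x8. */
static int read_packet_checked(FormatCtx *s, const struct Demuxer *d, Packet *pkt)
{
    init_packet(pkt);
    int ret = d->read_packet(s, pkt);
    if (ret < 0)
        return ret;                       /* never look at pkt->stream_index on failure */
    if (pkt->stream_index < 0 || (unsigned)pkt->stream_index >= s->nb_streams)
        return ERR_BAD_DATA;
    Stream *st = s->streams[pkt->stream_index];
    if (!st || !st->codec)                /* slot never filled by the demuxer */
        return ERR_BAD_DATA;
    switch (st->codec->codec_type) {
    case CODEC_TYPE_AUDIO: pkt->flags |= PKT_FLAG_AUDIO; break;
    case CODEC_TYPE_VIDEO: pkt->flags |= PKT_FLAG_VIDEO; break;
    default: break;
    }
    return ret;
}

/* Constructed demuxer callbacks for three scenarios. */
static CodecCtx audio_codec = { CODEC_TYPE_AUDIO, 44100 };
static Stream audio_stream = { 0, &audio_codec };

/* Well-formed file: one audio stream, packet for stream 0. */
static int ok_read_packet(FormatCtx *s, Packet *pkt)
{
    (void)s; pkt->stream_index = 0; pkt->size = 4096; return 0;
}
/* Models this ticket: the WAV demuxer fails with an I/O error before any stream
 * exists, so streams[0] is still NULL while stream_index is 0. */
static int failing_read_packet(FormatCtx *s, Packet *pkt)
{
    (void)s; pkt->stream_index = 0; return ERR_IO;
}
/* A demuxer that reports success but points at a stream slot it never created. */
static int bad_index_read_packet(FormatCtx *s, Packet *pkt)
{
    (void)s; pkt->stream_index = 3; pkt->size = 16; return 0;
}

/* Runs one scenario (0 = good file, 1 = this ticket, 2 = bad index) and returns
 * the result code; the packet is left in *out for inspection. */
int run_scenario(int which, Packet *out)
{
    FormatCtx ctx; memset(&ctx, 0, sizeof ctx);
    struct Demuxer d;
    switch (which) {
    case 0:  ctx.nb_streams = 1; ctx.streams[0] = &audio_stream; d.read_packet = ok_read_packet; break;
    case 1:  ctx.nb_streams = 0; d.read_packet = failing_read_packet; break;
    default: ctx.nb_streams = 1; ctx.streams[0] = &audio_stream; d.read_packet = bad_index_read_packet; break;
    }
    return read_packet_checked(&ctx, &d, out);
}

int main(void)
{
    Packet p;
    for (int i = 0; i < 3; i++)
        printf("scenario %d -> %d (flags %d, size %d)\n", i, run_scenario(i, &p), p.flags, p.size);
    return 0;
}
```

Scenario 1 is the one that corresponds to the register state in the ticket: with the return value checked first, the -5 propagates up to the caller and the NULL stream slot is never touched; scenario 2 shows that the index range check is a separate guard, since a callback can return success and still hand back an index outside `nb_streams`.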

Change History (2)

comment:1 Changed 12 years ago by reimar

  • Resolution set to fixed
  • Status changed from new to closed

Should be fixed in FFmpeg SVN r11307.

comment:2 Changed 12 years ago by daw-bugzilla@…

  • Cc daw-bugzilla@… added