Opened 16 years ago

Closed 16 years ago

#1108 closed defect (fixed)

Valgrind reports InvalidRead in gen_sh_video() (demux_mov.c:931)

Reported by: thiennga408@…
Owned by: r_togni@…
Priority: normal
Component: demuxer
Version: HEAD
Severity: normal
Keywords:
Cc: catchconv-bugreports@…
Blocked By:
Blocking:
Reproduced by developer: no
Analyzed by developer: no

Description

In the tgz archive which can be downloaded from the URL http://www.metafuzz.com/testcases/965225-3-2988657393-InvalidRead.tgz, there is an mp4 file (3-geass.mp4) where Valgrind reports an invalid read of 1 byte at an invalid memory location. Note that this bug causes MPlayer to crash.

I confirmed that this bug is reproducible on Linux OS, Debian x32 with the latest subversion of MPlayer, r27138-4.1.2.

I used a 32-bit Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz.

To reproduce:

wget http://www.metafuzz.com/testcases/965225-3-2988657393-InvalidRead.tgz
tar xzvf 965225-3-2988657393-InvalidRead.tgz
valgrind mplayer 3-geass.mp4

The following is the output from Valgrind:

==14175== Memcheck, a memory error detector.
==14175== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==14175== Using LibVEX rev 1854, a library for dynamic binary translation.
==14175== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==14175== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==14175== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==14175== For more details, rerun with: -v
==14175==
MPlayer dev-SVN-r27138-4.1.2 (C) 2000-2008 MPlayer Team
CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz (Family: 6, Model: 15, Stepping: 6)
CPUflags: MMX: 1 MMX2: 1 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 1
Compiled for x86 CPU with extensions: MMX MMX2 SSE SSE2

Playing 965225-3-2988657393-InvalidRead.tgz_FILES/3-geass.mp4.
libavformat file format detected.
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x8633e30]Could not find codec parameters (Video: 0 x0000)
LAVF_header: av_find_stream_info() failed
Quicktime/MOV file format detected.
* constant samplesize & variable duration not yet supported! *
Contact the author if you have such sample file!
[mov] Video stream found, -vid 0
==14175== Invalid read of size 1
==14175== Stack hash: 845380958
==14175== at 0x81376E8: gen_sh_video (demux_mov.c:931)
==14175== by 0x813B904: lschunks (demux_mov.c:1318)
==14175== by 0x813C315: mov_read_header (demux_mov.c:1926)
==14175== by 0x811E2DE: demux_open_stream (demuxer.c:864)
==14175== by 0x811E5B1: demux_open (demuxer.c:991)
==14175== by 0x80777AE: main (mplayer.c:3238)
==14175== Address 0x4b is not stack'd, malloc'd or (recently) free'd

MPlayer interrupted by signal 11 in module: demux_open

- MPlayer crashed by bad usage of CPU/FPU/RAM. Recompile MPlayer with --enable-debug and make a 'gdb' backtrace and disassembly. Details in DOCS/HTML/en/bugreports_what.html#bugreports_crash.
- MPlayer crashed. This shouldn't happen. It can be a bug in the MPlayer code _or_ in your drivers _or_ in your gcc version. If you think it's MPlayer's fault, please read DOCS/HTML/en/bugreports.html and follow the instructions there. We can't and won't help unless you provide this information when reporting a possible bug.

==14175==
==14175== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 19 from 1)
==14175== malloc/free: in use at exit: 98,405 bytes in 2,181 blocks.
==14175== malloc/free: 2,320 allocs, 139 frees, 1,373,914 bytes allocated.
==14175== For counts of detected errors, rerun with: -v
==14175== searching for pointers to 2,181 not-freed blocks.
==14175== checked 2,814,804 bytes.
==14175==
==14175== LEAK SUMMARY:
==14175== definitely lost: 0 bytes in 0 blocks.
==14175== possibly lost: 0 bytes in 0 blocks.
==14175== still reachable: 98,405 bytes in 2,181 blocks.
==14175== suppressed: 0 bytes in 0 blocks.
==14175== Rerun with --leak-check=full to see details of leaked memory.

This bug was found using the zzuf fuzzer. This bug was found as part of the metafuzz project. See http://www.metafuzz.com, stack hash 2988657393.

Let me know if I can provide more information.
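A small triage helper for Memcheck output like the log above, added here as an example and not part of the bug report or of MPlayer: it parses the error block (copied below from the report), pulls out the fault kind, faulting address and top frames, builds a dedup key like the report's "stack hash", and applies the usual heuristic that an address inside the first page (here 0x4b) is a read through a NULL pointer plus a struct field offset rather than a heap overflow. The page-size threshold and the classification labels are this example's assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Sample input taken from the Valgrind output in the report above.
SAMPLE_LOG = """\
==14175== Invalid read of size 1
==14175== Stack hash: 845380958
==14175== at 0x81376E8: gen_sh_video (demux_mov.c:931)
==14175== by 0x813B904: lschunks (demux_mov.c:1318)
==14175== by 0x813C315: mov_read_header (demux_mov.c:1926)
==14175== by 0x811E2DE: demux_open_stream (demuxer.c:864)
==14175== Address 0x4b is not stack'd, malloc'd or (recently) free'd
"""

ERROR_RE = re.compile(r"^==\d+== (Invalid (?:read|write) of size (\d+))$")
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \(([^)]+)\)$")
ADDR_RE = re.compile(r"^==\d+==\s+Address 0x([0-9A-Fa-f]+) is (.+)$")

@dataclass
class MemcheckError:
    kind: str
    size: int
    frames: List[Tuple[str, str]] = field(default_factory=list)  # (function, file:line)
    address: Optional[int] = None
    where: str = ""  # Valgrind's description of the address

def parse_memcheck(log: str) -> List[MemcheckError]:
    """Collect Invalid read/write errors with their stack frames and faulting address."""
    errors, cur = [], None
    for line in log.splitlines():
        if m := ERROR_RE.match(line):
            cur = MemcheckError(kind=m.group(1), size=int(m.group(2)))
            errors.append(cur)
        elif cur and (m := FRAME_RE.match(line)):
            cur.frames.append((m.group(1), m.group(2)))
        elif cur and (m := ADDR_RE.match(line)):
            cur.address, cur.where = int(m.group(1), 16), m.group(2)
    return errors

def classify(err: MemcheckError, page_size: int = 4096) -> str:
    """Heuristic bucket (assumed thresholds): first-page addresses are NULL-plus-offset reads."""
    if err.address is None:
        return "unknown"
    if err.address < page_size:
        return f"near-NULL dereference (field offset 0x{err.address:x})"
    if "not stack'd" in err.where:
        return "wild pointer"
    if "free'd" in err.where:
        return "use-after-free"
    return "heap overflow" if "alloc'd" in err.where else "unknown"

def bucket(err: MemcheckError, depth: int = 3) -> str:
    """Dedup key from the top frames, the same idea as the report's 'stack hash'."""
    return "|".join(fn for fn, _ in err.frames[:depth])
```

Running `parse_memcheck(SAMPLE_LOG)` and feeding the result to `classify` and `bucket` yields a near-NULL read keyed on gen_sh_video|lschunks|mov_read_header, which is enough to decide that the fix belongs in the demuxer's handling of a missing header field rather than in a buffer length check.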

Change History (2)

comment:1 by daw-bugzilla@…, 16 years ago

Cc: catchconv-bugreports@… added

comment:2 by reimar, 16 years ago

Resolution: fixed
Status: new → closed

Probably fixed in SVN r27142
