Opened 16 years ago

Closed 16 years ago

#1109 closed defect (fixed)

Valgrind reports uninitialised condition in demux_audio_open (demux_audio.c:429)

Reported by: nstockma@… Owned by: r_togni@…
Priority: normal Component: demuxer
Version: HEAD Severity: normal
Keywords: Cc: catchconv-bugreports@…
Blocked By: Blocking:
Reproduced by developer: no Analyzed by developer: no

Description

Here's a wav file where Valgrind reports a "conditional jump or move depends on uninitialised value(s)". The wav file (1-short-dying.wav) can be found inside
the .tgz archive at the URL above. The bug is easily reproducible. Note that it does not cause MPlayer to crash.

I confirmed that this bug is reproducible on Linux OS, Debian x32 with the
latest subversion of MPlayer, dev-SVN-r27137-4.1.2

I used a 32-bit Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz.

To reproduce:

wget http://www.metafuzz.com/testcases/163139-1-3982677856-UninitCondition.tgz
tar xzfv 163139-1-3982677856-UninitCondition.tgz
valgrind mplayer 1-short-dying.wav

Here is the output from valgrind and mplayer on my machine:

user@debian:~/Desktop$ valgrind mplayer 1-short-dying.wav
==10138== Memcheck, a memory error detector.
==10138== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==10138== Using LibVEX rev 1854, a library for dynamic binary translation.
==10138== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==10138== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==10138== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==10138== For more details, rerun with: -v
==10138==
MPlayer dev-SVN-r27137-4.1.2 (C) 2000-2008 MPlayer Team
CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz (Family: 6, Model: 15, Stepping: 6)
CPUflags: MMX: 1 MMX2: 1 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 1
Compiled for x86 CPU with extensions: MMX MMX2 SSE SSE2

Playing 1-short-dying.wav.
==10138== Conditional jump or move depends on uninitialised value(s)
==10138== Stack hash: 1708061029
==10138== at 0x8123713: demux_audio_open (demux_audio.c:429)
==10138== by 0x811BB43: demux_open_stream (demuxer.c:771)
==10138== by 0x811BDE8: demux_open_stream (demuxer.c:843)
==10138== by 0x811BFD1: demux_open (demuxer.c:991)
==10138== by 0x80751CE: main (mplayer.c:3238)
==10138==
==10138== Conditional jump or move depends on uninitialised value(s)
==10138== Stack hash: 1616227140
==10138== at 0x81236E2: demux_audio_open (demux_audio.c:436)
==10138== by 0x811BB43: demux_open_stream (demuxer.c:771)
==10138== by 0x811BDE8: demux_open_stream (demuxer.c:843)
==10138== by 0x811BFD1: demux_open (demuxer.c:991)
==10138== by 0x80751CE: main (mplayer.c:3238)
==10138==
==10138== Conditional jump or move depends on uninitialised value(s)
==10138== Stack hash: 1631220428
==10138== at 0x81236EA: demux_audio_open (demux_audio.c:443)
==10138== by 0x811BB43: demux_open_stream (demuxer.c:771)
==10138== by 0x811BDE8: demux_open_stream (demuxer.c:843)
==10138== by 0x811BFD1: demux_open (demuxer.c:991)
==10138== by 0x80751CE: main (mplayer.c:3238)
==10138==
==10138== Conditional jump or move depends on uninitialised value(s)
==10138== Stack hash: 1646213716
==10138== at 0x81236F2: demux_audio_open (demux_audio.c:450)
==10138== by 0x811BB43: demux_open_stream (demuxer.c:771)
==10138== by 0x811BDE8: demux_open_stream (demuxer.c:843)
==10138== by 0x811BFD1: demux_open (demuxer.c:991)
==10138== by 0x80751CE: main (mplayer.c:3238)
==10138==
==10138== Conditional jump or move depends on uninitialised value(s)
==10138== Stack hash: 1726802639
==10138== at 0x812371D: demux_audio_open (demux_audio.c:429)
==10138== by 0x811BB43: demux_open_stream (demuxer.c:771)
==10138== by 0x811BDE8: demux_open_stream (demuxer.c:843)
==10138== by 0x811BFD1: demux_open (demuxer.c:991)
==10138== by 0x80751CE: main (mplayer.c:3238)
==10138==
==10138== Conditional jump or move depends on uninitialised value(s)
==10138== Stack hash: 2047284170
==10138== at 0x81237C8: demux_audio_open (demux_audio.c:443)
==10138== by 0x811BB43: demux_open_stream (demuxer.c:771)
==10138== by 0x811BDE8: demux_open_stream (demuxer.c:843)
==10138== by 0x811BFD1: demux_open (demuxer.c:991)
==10138== by 0x80751CE: main (mplayer.c:3238)
==10138==
==10138== Conditional jump or move depends on uninitialised value(s)
==10138== Stack hash: 2437109658
==10138== at 0x8123898: demux_audio_open (demux_audio.c:450)
==10138== by 0x811BB43: demux_open_stream (demuxer.c:771)
==10138== by 0x811BDE8: demux_open_stream (demuxer.c:843)
==10138== by 0x811BFD1: demux_open (demuxer.c:991)
==10138== by 0x80751CE: main (mplayer.c:3238)
Audio file file format detected.
==========================================================================
Opening audio decoder: [pcm] Uncompressed PCM audio decoder
AUDIO: 44100 Hz, 2 ch, s16le, 1411.2 kbit/33.33% (ratio: 176400->529200)
Selected audio codec: [pcm] afm: pcm (Uncompressed PCM)
==========================================================================
AO: [oss] 44100Hz 2ch s16le (2 bytes per sample)
Video: no video
Starting playback...
A: 0.0 (unknown) of 11.0 (11.0) ??,?%

Exiting... (End of file)
==10138==
==10138== ERROR SUMMARY: 32337 errors from 7 contexts (suppressed: 17 from 1)
==10138== malloc/free: in use at exit: 32,908 bytes in 12 blocks.
==10138== malloc/free: 2,328 allocs, 2,316 frees, 1,313,705 bytes allocated.
==10138== For counts of detected errors, rerun with: -v
==10138== searching for pointers to 12 not-freed blocks.
==10138== checked 2,743,064 bytes.
==10138==
==10138== LEAK SUMMARY:
==10138== definitely lost: 0 bytes in 0 blocks.
==10138== possibly lost: 0 bytes in 0 blocks.
==10138== still reachable: 32,908 bytes in 12 blocks.
==10138== suppressed: 0 bytes in 0 blocks.
==10138== Rerun with --leak-check=full to see details of leaked memory.

I have not attempted to review this bug to determine whether it represents a
security risk or not.

This bug was found using the zzuf fuzzer. It was found as part of the SUPERB-TRUST 2008 project ( see http://www.truststc.org/superb/ ) and the metafuzz project ( see http://metafuzz.com/, stack hash 3982677856 ).

Let me know if I can provide more information.

Change History (2)

comment:1 by daw-bugzilla@…, 16 years ago

Cc: catchconv-bugreports@… added

comment:2 by reimar, 16 years ago

Resolution: fixed
Status: new → closed

They really have no relevance, such a file will be unplayable anyway, it does not matter if MPlayer will try to play it as PCM or DTS (and the likelihood of an incorrect detection due to this is basically 0 anyway).
Still, fixed in SVN r27143.
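The following is an added, constructed illustration of the bug class this ticket reports; it is not code from the ticket, from MPlayer's demux_audio.c, or from r27143, and the page does not show what the code at demux_audio.c:429 actually does. It assumes the usual shape of such a probe: a fixed-size header is read into a stack buffer through a read call that returns fewer bytes for a short file, the return value is ignored, and the format checks then branch on bytes the read never wrote. The in-memory `mem_stream`, the `probe_wav_*` functions and the 44-byte sample header are all assumptions made for the example; the hardened version simply refuses to inspect bytes the read did not produce.

```c
/*
 * Constructed example (not MPlayer code): a WAV format probe that reads a
 * 44-byte header into an uninitialised stack buffer and branches on it even
 * when the file is shorter than the header, next to the checked version.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal in-memory stand-in for a stream layer (assumed API, not MPlayer's). */
typedef struct {
    const uint8_t *data;
    size_t len;
    size_t pos;
} mem_stream;

/* Like fread(): returns the number of bytes actually copied, which is
 * fewer than n when the stream ends early. */
static size_t stream_read(mem_stream *s, uint8_t *buf, size_t n) {
    size_t avail = s->len - s->pos;
    if (n > avail)
        n = avail;
    memcpy(buf, s->data + s->pos, n);
    s->pos += n;
    return n;
}

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

enum { PROBE_NONE = 0, PROBE_WAV_PCM = 1 };

#define WAV_HDR_LEN 44   /* RIFF/WAVE header up to and including the "data" chunk size */

/* Buggy: the short read is ignored, so hdr[12..43] is whatever was on the
 * stack. Valgrind flags the comparisons below as "conditional jump or move
 * depends on uninitialised value(s)" for a truncated input. */
static int probe_wav_unsafe(mem_stream *s) {
    uint8_t hdr[WAV_HDR_LEN];
    stream_read(s, hdr, sizeof hdr);          /* return value discarded */
    if (memcmp(hdr, "RIFF", 4) != 0 || memcmp(hdr + 8, "WAVE", 4) != 0)
        return PROBE_NONE;
    if (memcmp(hdr + 12, "fmt ", 4) != 0)
        return PROBE_NONE;
    if (le16(hdr + 20) != 1)                  /* wFormatTag: 1 == PCM */
        return PROBE_NONE;
    return PROBE_WAV_PCM;
}

/* Fixed: only bytes the read actually produced are inspected. */
static int probe_wav_safe(mem_stream *s) {
    uint8_t hdr[WAV_HDR_LEN];
    size_t got = stream_read(s, hdr, sizeof hdr);
    if (got < sizeof hdr)
        return PROBE_NONE;                    /* truncated header: reject */
    if (memcmp(hdr, "RIFF", 4) != 0 || memcmp(hdr + 8, "WAVE", 4) != 0)
        return PROBE_NONE;
    if (memcmp(hdr + 12, "fmt ", 4) != 0)
        return PROBE_NONE;
    if (le16(hdr + 20) != 1)
        return PROBE_NONE;
    return PROBE_WAV_PCM;
}

/* Constructed input: a complete 44-byte PCM header (44100 Hz, 2 ch, 16-bit,
 * the parameters shown in the report's AUDIO: line) with an empty data chunk.
 * Passing a shorter length models a file cut off after "WAVE". */
static const uint8_t full_wav[WAV_HDR_LEN] = {
    'R','I','F','F', 0x24,0x00,0x00,0x00, 'W','A','V','E',
    'f','m','t',' ', 0x10,0x00,0x00,0x00, 0x01,0x00, 0x02,0x00,
    0x44,0xAC,0x00,0x00, 0x10,0xB1,0x02,0x00, 0x04,0x00, 0x10,0x00,
    'd','a','t','a', 0x00,0x00,0x00,0x00
};
#define SHORT_LEN 12

/* Run one probe over the first len bytes of data. */
int probe_file(const uint8_t *data, size_t len, int (*probe)(mem_stream *)) {
    mem_stream s = { data, len, 0 };
    return probe(&s);
}

int main(void) {
    printf("full header, safe probe:    %d\n", probe_file(full_wav, sizeof full_wav, probe_wav_safe));
    printf("short header, safe probe:   %d\n", probe_file(full_wav, SHORT_LEN, probe_wav_safe));
    /* Run this binary under valgrind to see the uninitialised-condition
     * report come from the next call. */
    printf("short header, unsafe probe: %d\n", probe_file(full_wav, SHORT_LEN, probe_wav_unsafe));
    return 0;
}
```

Compile with `-g` and run under `valgrind --track-origins=yes ./a.out` (the `--track-origins` option exists from Valgrind 3.4.0; the reporter's 3.3.1 lacks it) and Memcheck names the stack allocation in `probe_wav_unsafe` as the origin of the uninitialised bytes, while the checked probe produces no report. Whatever the unsafe probe returns for the short input depends on stale stack contents, which is exactly why its result is not something to test for.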
