Opened 17 years ago

Last modified 14 years ago

#1158 new defect

Conditional jump and invalid read followed by crash

Reported by: zlai88@… Owned by: reimar
Priority: normal Component: streaming
Version: HEAD Severity: normal
Keywords: Cc: catchconv-bugreports@…
Blocked By: Blocking:
Reproduced by developer: no Analyzed by developer: no

Description

The fuzzed file 101-the-mummy3-trailer.mp4 (in the archive at the URL below) caused MPlayer to crash in module demux_open. Valgrind reports "conditional jump or move" at multiple places and an invalid read at gen_sh_video (demux_mov.c:1120).

This is reproducible on Linux Debian Etch, with the latest Subversion head mplayer (r27249). The machine used is VMware Player.

Reproduce as follows:
wget http://www.eecs.berkeley.edu/~zhl210/7074-101-1794632606-UninitCondition.tgz
tar xzf 7074-101-1794632606-UninitCondition.tgz
valgrind mplayer 101-the-mummy3-trailer.mp4

Here is the report by Valgrind:

==26051== Memcheck, a memory error detector.
==26051== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==26051== Using LibVEX rev 1854, a library for dynamic binary translation.
==26051== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==26051== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==26051== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==26051== For more details, rerun with: -v
==26051==
MPlayer dev-SVN-r27249-4.1.2 (C) 2000-2008 MPlayer Team
CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz (Family: 6, Model: 15, Stepping: 6)
CPUflags: MMX: 1 MMX2: 1 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 1
Compiled for x86 CPU with extensions: MMX MMX2 SSE SSE2

Playing 101-the-mummy3-trailer.mp4.
libavformat file format detected.
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x863daf0]stream 0, missing mandatory atoms, broken header
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x863daf0]error reading header: -1
LAVF_header: av_open_input_stream() failed
Quicktime/MOV file format detected.
Warning! pts=9079200 length=277531104
==26051== Conditional jump or move depends on uninitialised value(s)
==26051== Stack hash: 4251520308
==26051== at 0x81393CC: mov_build_index (demux_mov.c:200)
==26051== by 0x813AA86: lschunks (demux_mov.c:1312)
==26051== by 0x813C345: mov_read_header (demux_mov.c:1931)
==26051== by 0x811E32E: demux_open_stream (demuxer.c:864)
==26051== by 0x811E601: demux_open (demuxer.c:991)
==26051== by 0x807799E: main (mplayer.c:3238)
==26051==
==26051== Use of uninitialised value of size 4
==26051== Stack hash: 3737027877
==26051== at 0x40B64B9: (within /lib/tls/i686/cmov/libc-2.3.6.so)
==26051==
==26051== Conditional jump or move depends on uninitialised value(s)
==26051== Stack hash: 2037143885
==26051== at 0x40B64C1: (within /lib/tls/i686/cmov/libc-2.3.6.so)
==26051==
==26051== Conditional jump or move depends on uninitialised value(s)
==26051== Stack hash: 3963005709
==26051== at 0x40B80B1: vfprintf (in /lib/tls/i686/cmov/libc-2.3.6.so)
==26051== by 0x40D8F80: vsnprintf (in /lib/tls/i686/cmov/libc-2.3.6.so)
==26051== by 0x807C52D: mp_msg (mp_msg.c:177)
==26051== by 0x81393F3: mov_build_index (demux_mov.c:201)
==26051== by 0x813AA86: lschunks (demux_mov.c:1312)
==26051== by 0x813C345: mov_read_header (demux_mov.c:1931)
==26051== by 0x811E32E: demux_open_stream (demuxer.c:864)
==26051== by 0x811E601: demux_open (demuxer.c:991)
==26051== by 0x807799E: main (mplayer.c:3238)
==26051==
==26051== Conditional jump or move depends on uninitialised value(s)
==26051== Stack hash: 1187874697
==26051== at 0x40BA8AD: vfprintf (in /lib/tls/i686/cmov/libc-2.3.6.so)
==26051== by 0x40D8F80: vsnprintf (in /lib/tls/i686/cmov/libc-2.3.6.so)
==26051== by 0x807C52D: mp_msg (mp_msg.c:177)
==26051== by 0x81393F3: mov_build_index (demux_mov.c:201)
==26051== by 0x813AA86: lschunks (demux_mov.c:1312)
==26051== by 0x813C345: mov_read_header (demux_mov.c:1931)
==26051== by 0x811E32E: demux_open_stream (demuxer.c:864)
==26051== by 0x811E601: demux_open (demuxer.c:991)
==26051== by 0x807799E: main (mplayer.c:3238)
==26051==
==26051== Conditional jump or move depends on uninitialised value(s)
==26051== Stack hash: 2069565109
==26051== at 0x40B8159: vfprintf (in /lib/tls/i686/cmov/libc-2.3.6.so)
==26051== by 0x40D8F80: vsnprintf (in /lib/tls/i686/cmov/libc-2.3.6.so)
==26051== by 0x807C52D: mp_msg (mp_msg.c:177)
==26051== by 0x81393F3: mov_build_index (demux_mov.c:201)
==26051== by 0x813AA86: lschunks (demux_mov.c:1312)
==26051== by 0x813C345: mov_read_header (demux_mov.c:1931)
==26051== by 0x811E32E: demux_open_stream (demuxer.c:864)
==26051== by 0x811E601: demux_open (demuxer.c:991)
==26051== by 0x807799E: main (mplayer.c:3238)
MOV: durmap and chunkmap sample count differ (2522 vs 0)
==26051==
==26051== Conditional jump or move depends on uninitialised value(s)
==26051== Stack hash: 940442524
==26051== at 0x8139494: mov_build_index (demux_mov.c:223)
==26051== by 0x813AA86: lschunks (demux_mov.c:1312)
==26051== by 0x813C345: mov_read_header (demux_mov.c:1931)
==26051== by 0x811E32E: demux_open_stream (demuxer.c:864)
==26051== by 0x811E601: demux_open (demuxer.c:991)
==26051== by 0x807799E: main (mplayer.c:3238)
==26051==
==26051== Conditional jump or move depends on uninitialised value(s)
==26051== Stack hash: 509266624
==26051== at 0x40B80B1: vfprintf (in /lib/tls/i686/cmov/libc-2.3.6.so)
==26051== by 0x40D8F80: vsnprintf (in /lib/tls/i686/cmov/libc-2.3.6.so)
==26051== by 0x807C52D: mp_msg (mp_msg.c:177)
==26051== by 0x813985A: mov_build_index (demux_mov.c:224)
==26051== by 0x813AA86: lschunks (demux_mov.c:1312)
==26051== by 0x813C345: mov_read_header (demux_mov.c:1931)
==26051== by 0x811E32E: demux_open_stream (demuxer.c:864)
==26051== by 0x811E601: demux_open (demuxer.c:991)
==26051== by 0x807799E: main (mplayer.c:3238)
==26051==
==26051== Conditional jump or move depends on uninitialised value(s)
==26051== Stack hash: 2029102908
==26051== at 0x40BA8AD: vfprintf (in /lib/tls/i686/cmov/libc-2.3.6.so)
==26051== by 0x40D8F80: vsnprintf (in /lib/tls/i686/cmov/libc-2.3.6.so)
==26051== by 0x807C52D: mp_msg (mp_msg.c:177)
==26051== by 0x813985A: mov_build_index (demux_mov.c:224)
==26051== by 0x813AA86: lschunks (demux_mov.c:1312)
==26051== by 0x813C345: mov_read_header (demux_mov.c:1931)
==26051== by 0x811E32E: demux_open_stream (demuxer.c:864)
==26051== by 0x811E601: demux_open (demuxer.c:991)
==26051== by 0x807799E: main (mplayer.c:3238)
==26051==
==26051== Conditional jump or move depends on uninitialised value(s)
==26051== Stack hash: 2910793320
==26051== at 0x40B8159: vfprintf (in /lib/tls/i686/cmov/libc-2.3.6.so)
==26051== by 0x40D8F80: vsnprintf (in /lib/tls/i686/cmov/libc-2.3.6.so)
==26051== by 0x807C52D: mp_msg (mp_msg.c:177)
==26051== by 0x813985A: mov_build_index (demux_mov.c:224)
==26051== by 0x813AA86: lschunks (demux_mov.c:1312)
==26051== by 0x813C345: mov_read_header (demux_mov.c:1931)
==26051== by 0x811E32E: demux_open_stream (demuxer.c:864)
==26051== by 0x811E601: demux_open (demuxer.c:991)
==26051== by 0x807799E: main (mplayer.c:3238)
MOV: durmap or chunkmap bigger than sample count (2522 vs 474)
==26051==
==26051== Conditional jump or move depends on uninitialised value(s)
==26051== Stack hash: 316731562
==26051== at 0x813986A: mov_build_index (demuxer.h:301)
==26051== by 0x813AA86: lschunks (demux_mov.c:1312)
==26051== by 0x813C345: mov_read_header (demux_mov.c:1931)
==26051== by 0x811E32E: demux_open_stream (demuxer.c:864)
==26051== by 0x811E601: demux_open (demuxer.c:991)
==26051== by 0x807799E: main (mplayer.c:3238)
==26051==
==26051== Conditional jump or move depends on uninitialised value(s)
==26051== Stack hash: 1958332165
==26051== at 0x401D931: realloc (vg_replace_malloc.c:429)
==26051== by 0x81398C4: mov_build_index (demuxer.h:305)
==26051== by 0x813AA86: lschunks (demux_mov.c:1312)
==26051== by 0x813C345: mov_read_header (demux_mov.c:1931)
==26051== by 0x811E32E: demux_open_stream (demuxer.c:864)
==26051== by 0x811E601: demux_open (demuxer.c:991)
==26051== by 0x807799E: main (mplayer.c:3238)
==26051==
==26051== Conditional jump or move depends on uninitialised value(s)
==26051== Stack hash: 320704949
==26051== at 0x81394C9: mov_build_index (demux_mov.c:235)
==26051== by 0x813AA86: lschunks (demux_mov.c:1312)
==26051== by 0x813C345: mov_read_header (demux_mov.c:1931)
==26051== by 0x811E32E: demux_open_stream (demuxer.c:864)
==26051== by 0x811E601: demux_open (demuxer.c:991)
==26051== by 0x807799E: main (mplayer.c:3238)
==26051==
==26051== Conditional jump or move depends on uninitialised value(s)
==26051== Stack hash: 2539711573
==26051== at 0x81394E9: mov_build_index (demux_mov.c:235)
==26051== by 0x813AA86: lschunks (demux_mov.c:1312)
==26051== by 0x813C345: mov_read_header (demux_mov.c:1931)
==26051== by 0x811E32E: demux_open_stream (demuxer.c:864)
==26051== by 0x811E601: demux_open (demuxer.c:991)
==26051== by 0x807799E: main (mplayer.c:3238)
==26051==
==26051== Conditional jump or move depends on uninitialised value(s)
==26051== Stack hash: 814828724
==26051== at 0x813954C: mov_build_index (demux_mov.c:247)
==26051== by 0x813AA86: lschunks (demux_mov.c:1312)
==26051== by 0x813C345: mov_read_header (demux_mov.c:1931)
==26051== by 0x811E32E: demux_open_stream (demuxer.c:864)
==26051== by 0x811E601: demux_open (demuxer.c:991)
==26051== by 0x807799E: main (mplayer.c:3238)
[mov] Video stream found, -vid 0
==26051==
==26051== Invalid read of size 1
==26051== Stack hash: 2372702564
==26051== at 0x81379A6: gen_sh_video (demux_mov.c:1120)
==26051== by 0x813B934: lschunks (demux_mov.c:1323)
==26051== by 0x813C345: mov_read_header (demux_mov.c:1931)
==26051== by 0x811E32E: demux_open_stream (demuxer.c:864)
==26051== by 0x811E601: demux_open (demuxer.c:991)
==26051== by 0x807799E: main (mplayer.c:3238)
==26051== Address 0x4c is not stack'd, malloc'd or (recently) free'd

MPlayer interrupted by signal 11 in module: demux_open

  • MPlayer crashed by bad usage of CPU/FPU/RAM. Recompile MPlayer with --enable-debug and make a 'gdb' backtrace and disassembly. Details in DOCS/HTML/en/bugreports_what.html#bugreports_crash.
  • MPlayer crashed. This shouldn't happen. It can be a bug in the MPlayer code _or_ in your drivers _or_ in your gcc version. If you think it's MPlayer's fault, please read DOCS/HTML/en/bugreports.html and follow the instructions there. We can't and won't help unless you provide this information when reporting a possible bug.

==26051==
==26051== ERROR SUMMARY: 5065 errors from 16 contexts (suppressed: 21 from 1)
==26051== malloc/free: in use at exit: 213,180 bytes in 2,191 blocks.
==26051== malloc/free: 2,331 allocs, 140 frees, 1,379,342 bytes allocated.
==26051== For counts of detected errors, rerun with: -v
==26051== searching for pointers to 2,191 not-freed blocks.
==26051== checked 2,961,896 bytes.
==26051==
==26051== LEAK SUMMARY:
==26051== definitely lost: 23,760 bytes in 6 blocks.
==26051== possibly lost: 0 bytes in 0 blocks.
==26051== still reachable: 189,420 bytes in 2,185 blocks.
==26051== suppressed: 0 bytes in 0 blocks.
==26051== Rerun with --leak-check=full to see details of leaked memory.

Here is the backtrace using gdb:

[Thread debugging using libthread_db enabled]
[New Thread -1209677152 (LWP 26392)]
MPlayer dev-SVN-r27249-4.1.2 (C) 2000-2008 MPlayer Team
CPU: Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz (Family: 6, Model: 15, Stepping: 13)
CPUflags: MMX: 1 MMX2: 1 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 1
Compiled for x86 CPU with extensions: MMX MMX2 SSE SSE2
get_path('codecs.conf') -> '/home/user/.mplayer/codecs.conf'
Reading /home/user/.mplayer/codecs.conf: Can't open '/home/user/.mplayer/codecs.conf': No such file or directory
Reading /usr/local/etc/mplayer/codecs.conf: Can't open '/usr/local/etc/mplayer/codecs.conf': No such file or directory
Using built-in default codecs.conf.
Configuration: --enable-debug=3
CommandLine: '-v' '101-the-mummy3-trailer.mp4'
get_path('font/font.desc') -> '/home/user/.mplayer/font/font.desc'
font: can't open file: /home/user/.mplayer/font/font.desc
font: can't open file: /usr/local/share/mplayer/font/font.desc
Using MMX (with tiny bit MMX2) Optimized OnScreenDisplay
Using nanosleep() timing
get_path('input.conf') -> '/home/user/.mplayer/input.conf'
Can't open input config file /home/user/.mplayer/input.conf: No such file or directory
Can't open input config file /usr/local/etc/mplayer/input.conf: No such file or directory
Falling back on default (hardcoded) input config
get_path('101-the-mummy3-trailer.mp4.conf') -> '/home/user/.mplayer/101-the-mummy3-trailer.mp4.conf'

Playing 101-the-mummy3-trailer.mp4.
get_path('sub/') -> '/home/user/.mplayer/sub/'
[file] File size is 6472527 bytes
STREAM: [file] 101-the-mummy3-trailer.mp4
STREAM: Description: File
STREAM: Author: Albeu
STREAM: Comment: based on the code from ??? (probably Arpi)
LAVF_check: QuickTime/MPEG-4/Motion JPEG 2000 format
libavformat file format detected.
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x863daf0]stream 0, missing mandatory atoms, broken header
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x863daf0]error reading header: -1
LAVF_header: av_open_input_stream() failed
Checking for YUV4MPEG2
ASF_check: not ASF guid!
Checking for NuppelVideo
Checking for REAL
Checking for SMJPEG
Checking for Nullsoft Streaming Video
Checking for MOV
ISO: File Type Major Brand: ISO Base Media
ISO: File Type Minor Version: 512
ISO: File Type Compatible Brand #0: mp41
MOV: Movie DATA found!
MOV: Movie header found!
Quicktime/MOV file format detected.
MOV: Movie header (100 bytes): tscale=90000 dur=9079200


MOV: Track #0:
MOV: unknown chunk: tk�d 84
MOV: Media stream!
MOV: Media header!
MOV: Handler header: /vide () VideoHandler
MOV: unknown handler class: 0x0 ()
MOV: Media info!
MOV: Video header!
MOV: unknown chunk: dinf 28
MOV: Sample info!
MOV: Description list! (cnt:1)
MOV: desc #0: mp4v (136 bytes)
MOV: Sample duration table! (1 blocks)
Warning! pts=9079200 length=277531104
MOV: unknown chunk: sts� 924
MOV: unknown chunk: svsc 20
MOV: Sample size table! (entries=474 ss=0) (ver:0,flags:0)
MOV: Chunk offset table! (2522 chunks)
MOV track #0: 2522 chunks, 474 samples
pts=277531104 scale=90000 time=3083.679
MOV: durmap and chunkmap sample count differ (2522 vs 104089)
MOV: durmap or chunkmap bigger than sample count (104089 vs 474)
==> Found video stream: 0
[mov] Video stream found, -vid 0
MOV: Found unknown movie atom eSds (66)!

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1209677152 (LWP 26392)]
0x081379a6 in gen_sh_video (sh=0x89a84e8, trak=0x89a83a8, timescale=<value optimized out>) at libmpdemux/demux_mov.c:1120
1120 } else if(sh->disp_w!=(trak->tkdata[77]|(trak->tkdata[76]<<8))){
(gdb) bt
#0 0x081379a6 in gen_sh_video (sh=0x89a84e8, trak=0x89a83a8, timescale=<value optimized out>) at libmpdemux/demux_mov.c:1120
#1 0x0813b935 in lschunks (demuxer=0x89a67b0, level=0, endpos=6472527, trak=0xd0) at libmpdemux/demux_mov.c:1323
#2 0x0813c346 in mov_read_header (demuxer=0x89a67b0) at libmpdemux/demux_mov.c:1931
#3 0x0811e32f in demux_open_stream (stream=0x89a7138, file_format=<value optimized out>, force=0, audio_id=-1, video_id=-1, dvdsub_id=-2, filename=0x899d3f0 "101-the-mummy3-trailer.mp4") at libmpdemux/demuxer.c:864
#4 0x0811e602 in demux_open (vs=0x89a7138, file_format=0, audio_id=-1, video_id=-1, dvdsub_id=-2, filename=0x899d3f0 "101-the-mummy3-trailer.mp4") at libmpdemux/demuxer.c:991
#5 0x0807799f in main (argc=3, argv=0xbffff724) at mplayer.c:3238
(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x8137986 to 0x81379c6:
0x08137986 <gen_sh_video+742>: mov $0x43,%dh
0x08137988 <gen_sh_video+744>: sbb (%edi),%cl
0x0813798a <gen_sh_video+746>: mov $0x53,%dh
0x0813798c <gen_sh_video+748>: sbb %ecx,%eax
0x0813798e <gen_sh_video+750>: loopne 0x8137998 <gen_sh_video+760>
0x08137990 <gen_sh_video+752>: or %eax,%edx
0x08137992 <gen_sh_video+754>: test %esi,%esi
0x08137994 <gen_sh_video+756>: mov %edx,0xfc(%ecx)
0x0813799a <gen_sh_video+762>: je 0x8137b90 <gen_sh_video+1264>
0x081379a0 <gen_sh_video+768>: mov 0xffffff8c(%ebp),%eax
0x081379a3 <gen_sh_video+771>: mov 0x40(%eax),%ecx
0x081379a6 <gen_sh_video+774>: movzbl 0x4c(%ecx),%eax
0x081379aa <gen_sh_video+778>: movzbl 0x4d(%ecx),%edx
0x081379ae <gen_sh_video+782>: shl $0x8,%eax
0x081379b1 <gen_sh_video+785>: or %eax,%edx
0x081379b3 <gen_sh_video+787>: cmp %edx,%esi
0x081379b5 <gen_sh_video+789>: je 0x81379e5 <gen_sh_video+837>
0x081379b7 <gen_sh_video+791>: push %edx
0x081379b8 <gen_sh_video+792>: fildl (%esp)
0x081379bb <gen_sh_video+795>: mov 0xffffff90(%ebp),%edx
0x081379be <gen_sh_video+798>: fsts 0xec(%edx)
0x081379c4 <gen_sh_video+804>: movzbl 0x50(%ecx),%eax
---Type <return> to continue, or q <return> to quit---
End of assembler dump.
(gdb) info all-registers
eax 0x89a83a8 144343976
ecx 0x0 0
edx 0xd0 208
ebx 0x89a8450 144344144
esp 0xbfffe160 0xbfffe160
ebp 0xbfffe208 0xbfffe208
esi 0x170 368
edi 0x1 1
eip 0x81379a6 0x81379a6 <gen_sh_video+774>
eflags 0x210202 [ IF RF ID ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
st0 0 (raw 0x00000000000000000000)
st1 0 (raw 0x00000000000000000000)
st2 0 (raw 0x00000000000000000000)
st3 0 (raw 0x00000000000000000000)
st4 0 (raw 0x00000000000000000000)
st5 90000 (raw 0x400fafc8000000000000)
st6 25 (raw 0x4003c800000000000000)

This bug was found as part of the SUPERB-TRUST 2008 project.
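The crash site named in the report (demux_mov.c:1120, which reads trak->tkdata[76] and trak->tkdata[77]) lines up with the register dump and disassembly: ecx, the tkdata pointer loaded from 0x40(%eax), is 0, and the faulting movzbl 0x4c(%ecx) reads address 0x4c, which is decimal 76. Valgrind reports the same address. The log also shows the track's 'tkhd' atom arriving with a corrupted name ("tk�d 84"), so it was skipped as an unknown chunk and the track header was never stored. The C model below is an added example, not MPlayer's code: it shows the unchecked read beside a form that verifies the header is present and long enough before deriving the display size, and it feeds both an intact and a corrupted atom list through a tiny scanner. The struct and function names, the scan_track_atoms helper, the constructed 84-byte header and the height value 208 are assumptions for illustration; the 84-byte version-0 'tkhd' layout and the width value 368 (the disp_w value in esi in the dump) come from the ticket.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Layout of a version-0 'tkhd' payload: 76 bytes of fixed fields plus the
 * 3x3 transform matrix, then 16.16 fixed-point width and height (4 bytes
 * each), 84 bytes in all; the log reports the corrupted atom as "tk?d 84".
 * The integer part of each dimension is the big-endian 16-bit value at
 * offsets 76 and 80, which is what demux_mov.c:1120 reads. */
#define TKHD_V0_LEN     84
#define TKHD_WIDTH_OFF  76
#define TKHD_HEIGHT_OFF 80

/* Simplified stand-ins for the demuxer's track and stream-header structs (assumed). */
typedef struct {
    const unsigned char *tkdata;   /* raw tkhd payload; NULL if the atom was never seen */
    size_t tkdata_len;
} mov_track_t;

typedef struct { int disp_w; int disp_h; } sh_video_t;

/* Shape of the crashing read: trusts that tkdata exists. With tkdata == NULL
 * the first access is at address 76 == 0x4c, matching Valgrind's
 * "Invalid read of size 1 ... Address 0x4c" and movzbl 0x4c(%ecx) with ecx == 0. */
static int read_display_size_unchecked(const mov_track_t *trak, sh_video_t *sh)
{
    sh->disp_w = trak->tkdata[TKHD_WIDTH_OFF + 1]  | (trak->tkdata[TKHD_WIDTH_OFF]  << 8);
    sh->disp_h = trak->tkdata[TKHD_HEIGHT_OFF + 1] | (trak->tkdata[TKHD_HEIGHT_OFF] << 8);
    return 0;
}

/* Hardened form: a missing or truncated track header is a malformed track,
 * reported to the caller (-1) so the track can be skipped, not dereferenced. */
static int read_display_size_checked(const mov_track_t *trak, sh_video_t *sh)
{
    if (trak == NULL || trak->tkdata == NULL || trak->tkdata_len < TKHD_V0_LEN)
        return -1;
    return read_display_size_unchecked(trak, sh);
}

/* Constructed atom: 4-byte name plus payload. Only 'tkhd' fills tkdata;
 * every other name is skipped, like the demuxer's "unknown chunk" lines. */
typedef struct { const char *name; const unsigned char *payload; size_t len; } atom_t;

static void scan_track_atoms(mov_track_t *trak, const atom_t *atoms, size_t n)
{
    memset(trak, 0, sizeof *trak);
    for (size_t i = 0; i < n; i++) {
        if (memcmp(atoms[i].name, "tkhd", 4) == 0) {
            trak->tkdata = atoms[i].payload;
            trak->tkdata_len = atoms[i].len;
        }
    }
}

/* Constructed 84-byte tkhd: all zero except width 368 (0x0170) and height
 * 208 (0x00d0). 368 is the disp_w value sitting in esi in the register dump;
 * 208 is an arbitrary constructed height. */
static const unsigned char good_tkhd[TKHD_V0_LEN] = {
    [TKHD_WIDTH_OFF] = 0x01,  [TKHD_WIDTH_OFF + 1] = 0x70,
    [TKHD_HEIGHT_OFF] = 0x00, [TKHD_HEIGHT_OFF + 1] = 0xd0,
};

/* Intact track: the checked reader succeeds and yields width 368. */
int demo_intact_track(void)
{
    const atom_t atoms[] = { { "tkhd", good_tkhd, TKHD_V0_LEN }, { "mdia", NULL, 0 } };
    mov_track_t trak;
    sh_video_t sh = { 0, 0 };
    scan_track_atoms(&trak, atoms, 2);
    return read_display_size_checked(&trak, &sh) == 0 ? sh.disp_w : -1;
}

/* Fuzzed track: one byte of the atom name is corrupted, so the header is
 * never stored and tkdata stays NULL; the checked reader returns -1 where
 * the unchecked one would fault at address 0x4c. */
int demo_fuzzed_track(void)
{
    static const char corrupted_name[4] = { 't', 'k', (char)0xff, 'd' };
    const atom_t atoms[] = { { corrupted_name, good_tkhd, TKHD_V0_LEN }, { "mdia", NULL, 0 } };
    mov_track_t trak;
    sh_video_t sh = { 0, 0 };
    scan_track_atoms(&trak, atoms, 2);
    return read_display_size_checked(&trak, &sh);
}

/* Truncated header: present but shorter than the offsets being read; the
 * length check rejects it instead of reading past the end of the buffer. */
int demo_truncated_track(void)
{
    const atom_t atoms[] = { { "tkhd", good_tkhd, 20 } };
    mov_track_t trak;
    sh_video_t sh = { 0, 0 };
    scan_track_atoms(&trak, atoms, 1);
    return read_display_size_checked(&trak, &sh);
}

int main(void)
{
    printf("intact:    width=%d\n", demo_intact_track());   /* 368 */
    printf("fuzzed:    rc=%d\n", demo_fuzzed_track());      /* -1 */
    printf("truncated: rc=%d\n", demo_truncated_track());   /* -1 */
    return 0;
}
```

The presence check is the whole fix in this model: any per-track buffer that is only filled when a particular atom is seen has to be treated as optional everywhere it is read, and a demuxer that runs on untrusted files should reject the track rather than assume the atom arrived intact. The same length check covers the neighbouring case of a header that is present but shorter than the fields the reader expects.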

Change History (1)

comment:1 by compn, 14 years ago

Owner: changed from r_togni@… to reimar