Opened 17 years ago

Closed 14 years ago

#1167 closed defect (fixed)

Valgrind reports conditional jump or move depends on uninitialised value(s) in demux_avi_select_stream() (demux_avi.c:74)

Reported by: thiennga408@… Owned by: reimar
Priority: normal Component: demuxer
Version: HEAD Severity: normal
Keywords: Cc: catchconv-bugreports@…
Blocked By: Blocking:
Reproduced by developer: no Analyzed by developer: no

Description

In the tgz archive which can be downloaded from the URL
http://www.metafuzz.com/testcases/139106-2-2302462433-UninitCondition.tgz, there
is an avi file (2-dog.avi) where Valgrind reports conditional jump or move depends on uninitialised value(s) in demux_avi_select_stream().

I confirmed that this bug is reproducible in the latest Subversion revision of MPlayer,
r27255-4.1.2.

My System Information:
OS: Linux Debian x32
kernel: Linux debian 2.6.18-6-486 #1 Fri Jun 6 21:47:01 UTC 2008 i686 GNU/Linux
libc version: libc-2.3.6.so
gcc version 4.1.2 20061115
ld version 2.17

My Hardware Information:
32-bit Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz
Multimedia audio controller: Ensoniq ES1371 [AudioPCI-97] (rev 02)

To reproduce:
wget http://www.metafuzz.com/testcases/139106-2-2302462433-UninitCondition.tgz
tar xzvf 139106-2-2302462433-UninitCondition.tgz
valgrind mplayer 2-dog.avi

The following is the output from Valgrind:

==9503== Memcheck, a memory error detector.
==9503== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==9503== Using LibVEX rev 1854, a library for dynamic binary translation.
==9503== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==9503== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==9503== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==9503== For more details, rerun with: -v
==9503==
MPlayer dev-SVN-r27255-4.1.2 (C) 2000-2008 MPlayer Team
CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz (Family: 6, Model: 15, Stepping: 6)
CPUflags: MMX: 1 MMX2: 1 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 1
Compiled for x86 CPU with extensions: MMX MMX2 SSE SSE2

Playing 139106-2-2302462433-UninitCondition.tgz_FILES/2-dog.avi.
AVI file format detected.
==9503== Conditional jump or move depends on uninitialised value(s)
==9503== Stack hash: 2346575672
==9503== at 0x812604B: demux_avi_select_stream (demux_avi.c:74)
==9503== by 0x8126E7F: demux_open_hack_avi (demux_avi.c:453)
==9503== by 0x811E20F: demux_open_stream (demuxer.c:811)
==9503== by 0x811E601: demux_open (demuxer.c:991)
==9503== by 0x807799E: main (mplayer.c:3238)
==9503==
==9503== Conditional jump or move depends on uninitialised value(s)
==9503== Stack hash: 1739347508
==9503== at 0x8125F07: demux_avi_select_stream (demuxer.h:368)
==9503== by 0x8126E7F: demux_open_hack_avi (demux_avi.c:453)
==9503== by 0x811E20F: demux_open_stream (demuxer.c:811)
==9503== by 0x811E601: demux_open (demuxer.c:991)
==9503== by 0x807799E: main (mplayer.c:3238)
AVI_NI: No video stream found.
libavformat file format detected.
[avi @ 0x863dc50]unknown stream type 73647161
LAVF_header: av_open_input_stream() failed

Exiting... (End of file)
==9503==
==9503== ERROR SUMMARY: 65495 errors from 2 contexts (suppressed: 19 from 1)
==9503== malloc/free: in use at exit: 33,736 bytes in 12 blocks.
==9503== malloc/free: 2,438 allocs, 2,426 frees, 1,874,099 bytes allocated.
==9503== For counts of detected errors, rerun with: -v
==9503== searching for pointers to 12 not-freed blocks.
==9503== checked 2,862,288 bytes.
==9503==
==9503== LEAK SUMMARY:
==9503== definitely lost: 836 bytes in 1 blocks.
==9503== possibly lost: 0 bytes in 0 blocks.
==9503== still reachable: 32,900 bytes in 11 blocks.
==9503== suppressed: 0 bytes in 0 blocks.
==9503== Rerun with --leak-check=full to see details of leaked memory.

This bug was found using the zzuf fuzzer.

This bug was found as part of the SUPERB-TRUST 2008 project; see
http://www.truststc.org/superb/

Please let me know if you need more information.
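Added illustration, not from this ticket and not MPlayer's own code, of the class of defect Memcheck is reporting here: a demuxer fills in one stream descriptor per stream declared in the file, then selects a stream by an index that is checked only against the fixed array size rather than against the number of descriptors actually filled in, so the comparison reads memory the parser never wrote. The names, the one-byte-per-stream header layout and the sample bytes are all constructed for the example; the ticket does not state the real root cause in demux_avi.c, and this does not claim to be it.

```c
/*
 * Constructed example (not MPlayer code): an uninitialised read of the kind
 * Memcheck reports as "Conditional jump or move depends on uninitialised
 * value(s)", next to the bounds check that removes it.
 *
 * Header layout is made up for this example (not the AVI format):
 *   byte 0    : number of streams declared in the file
 *   bytes 1.. : one byte per stream, 1 = video, 2 = audio
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_STREAMS 8

enum { STREAM_VIDEO = 1, STREAM_AUDIO = 2 };

typedef struct {
    int type; /* STREAM_VIDEO or STREAM_AUDIO */
} stream_desc;

typedef struct {
    stream_desc streams[MAX_STREAMS]; /* only the first n_streams entries are ever written */
    int n_streams;                    /* descriptors filled in from the file */
} demux_priv;

/* Returns 0 on success, -1 if the header declares more streams than it
 * carries, more than MAX_STREAMS, or an unknown stream type. */
static int parse_stream_list(demux_priv *p, const uint8_t *buf, size_t len)
{
    if (len < 1) return -1;
    unsigned n = buf[0];
    if (n > MAX_STREAMS || len < 1 + n) return -1;
    for (unsigned i = 0; i < n; i++) {
        uint8_t t = buf[1 + i];
        if (t != STREAM_VIDEO && t != STREAM_AUDIO) return -1;
        p->streams[i].type = t;
    }
    p->n_streams = (int)n;
    return 0;
}

/* Buggy: idx is checked against the array size, not against n_streams, so an
 * index the file never declared reads a descriptor that was never written.
 * The comparison below is the line Memcheck would flag. */
static int select_stream_unchecked(const demux_priv *p, unsigned idx)
{
    if (idx >= MAX_STREAMS) return -1;
    if (p->streams[idx].type == STREAM_VIDEO) return 1; /* uninitialised when idx >= n_streams */
    return 0;
}

/* Fixed: the index must name a descriptor the parser actually filled in. */
static int select_stream_checked(const demux_priv *p, unsigned idx)
{
    if ((int)idx >= p->n_streams) return -1;
    return p->streams[idx].type == STREAM_VIDEO ? 1 : 0;
}

/* Constructed sample: the file declares two streams (video, audio), then asks
 * for stream requested_idx. Returns the checked selector's verdict
 * (1 video, 0 audio, -1 no such stream), or -2 on parse failure. */
int demo_select(unsigned requested_idx)
{
    static const uint8_t hdr[] = { 2, STREAM_VIDEO, STREAM_AUDIO }; /* constructed */
    demux_priv *p = malloc(sizeof *p); /* heap memory, uninitialised, as Memcheck tracks it */
    if (!p) return -2;
    int rc = -2;
    if (parse_stream_list(p, hdr, sizeof hdr) == 0)
        rc = select_stream_checked(p, requested_idx);
    free(p);
    return rc;
}

/* Constructed malformed sample: declares three streams but carries two. */
int demo_parse_truncated(void)
{
    static const uint8_t bad[] = { 3, STREAM_VIDEO, STREAM_AUDIO }; /* constructed */
    demux_priv p;
    return parse_stream_list(&p, bad, sizeof bad);
}

int main(void)
{
    static const uint8_t hdr[] = { 2, STREAM_VIDEO, STREAM_AUDIO };
    demux_priv *p = malloc(sizeof *p);
    if (!p || parse_stream_list(p, hdr, sizeof hdr) != 0) return 1;
    /* Build with -g and run under `valgrind ./a.out`: the unchecked call is
       reported at the comparison, the checked call is not. */
    printf("unchecked idx 5 -> %d\n", select_stream_unchecked(p, 5));
    printf("checked   idx 5 -> %d\n", select_stream_checked(p, 5));
    free(p);
    return 0;
}
```

When chasing a report like the one in this ticket, rerun Valgrind with --track-origins=yes so Memcheck also prints where the uninitialised bytes were allocated (here the malloc of the private struct), which usually points straight at the descriptor that was never written.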

Change History (2)

comment:1 by compn, 14 years ago

Owner: changed from r_togni@… to reimar

comment:2 by reimar, 14 years ago

Resolution: fixed
Status: new → closed

Fixed by SVN r32707.
