Opened 17 years ago
Last modified 14 years ago
#1171 new defect
Mplayer Crashed: Error in Audio Decoding: Invalid Read and Syscall param write(buf) points to uninitialised byte(s)
Reported by: | Owned by: | reimar | |
---|---|---|---|
Priority: | if idle | Component: | ad |
Version: | HEAD | Severity: | normal |
Keywords: | Cc: | catchconv-bugreports@… | |
Blocked By: | Blocking: | ||
Reproduced by developer: | no | Analyzed by developer: | no |
Description
The following report is for the SUPERB-TRUST 2008, the cyber security project.
#Error found with an .mp3 test case file for mplayer version (dev-SVN-r27249-4.1.2)
valgrind reports the Invalid Read.
#The test case "8-onverges13.mp3" can be found at the URL
*http://www.eecs.berkeley.edu/~sckhan/8-onverges13.mp3
#Reproducible with the following command
*valgrind mplayer 8-onverges13.mp3
Can also be run as:
*valgrind --log-file=log5 mplayer 8-onverges13.mp3
#OS: Debian Etch Linux
#Valgrind output:
==7332== Memcheck, a memory error detector.
==7332== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==7332== Using LibVEX rev 1854, a library for dynamic binary translation.
==7332== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==7332== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==7332== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==7332== For more details, rerun with: -v
==7332==
==7332== My PID = 7332, parent PID = 26719. Prog and args are:
==7332== mplayer
==7332== 8-onverges13.mp3
==7332==
==7332== Syscall param write(buf) points to uninitialised byte(s)
==7332== Stack hash: 2550802113
==7332== at 0x4000792: (within /lib/ld-2.3.6.so)
==7332== Address 0x430fafc is 2,172 bytes inside a block of size 65,536 alloc'd
==7332== Stack hash: 2167162419
==7332== at 0x401D898: malloc (vg_replace_malloc.c:207)
==7332== by 0x401D9DC: realloc (vg_replace_malloc.c:429)
==7332== by 0x80DAB5E: decode_audio (dec_audio.c:401)
==7332== by 0x80784E9: main (mplayer.c:2044)
==7332==
==7332== Invalid read of size 4
==7332== Stack hash: 208377022
==7332== at 0x81E317B: dct36 (dct36.c:169)
==7332== by 0x81E76DD: do_layer3 (layer3.c:1212)
==7332== by 0x81E8DC5: MP3_DecodeFrame (sr1.c:539)
==7332== by 0x80DAA74: decode_audio (dec_audio.c:383)
==7332== by 0x80784E9: main (mplayer.c:2044)
==7332== Address 0x3189337c is not stack'd, malloc'd or (recently) free'd
==7332==
==7332== ERROR SUMMARY: 3 errors from 2 contexts (suppressed: 19 from 1)
==7332== malloc/free: in use at exit: 231,926 bytes in 2,203 blocks.
==7332== malloc/free: 23,157 allocs, 20,954 frees, 7,259,917 bytes allocated.
==7332== For counts of detected errors, rerun with: -v
==7332== searching for pointers to 2,203 not-freed blocks.
==7332== checked 3,067,872 bytes.
==7332==
==7332== LEAK SUMMARY:
==7332== definitely lost: 0 bytes in 0 blocks.
==7332== possibly lost: 0 bytes in 0 blocks.
==7332== still reachable: 231,926 bytes in 2,203 blocks.
==7332== suppressed: 0 bytes in 0 blocks.
==7332== Rerun with --leak-check=full to see details of leaked memory.
#The above valgrind output is saved as a log file (log8) and can be found at URL:
*http://www.eecs.berkeley.edu/~sckhan/log8
#This report confirms the error using a new test case, 8-onverges13.mp3. The same error was found with the previous test case, t10.mp3, which can be reproduced from: <wget http://www.cs.berkeley.edu/~nalvarez/t10.mp3>. That error is the invalid read and use of uninitialised values with Stack hash: 208377022 and error: dct36 (dct36.c:169). With both test cases mplayer crashes.
A new error/bug was found, with Stack hash: 2167162419 and error: malloc (vg_replace_malloc.c:207), using the new test case: 8-onverges13.mp3.
#The bug was found while comparing fuzzing tools and is part of the metafuzz project.
*URL at: metafuzz.com
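The report above matches crashes across test cases by their `Stack hash:` value. The following Python is an added example, not part of the original ticket or of MPlayer or Valgrind: it parses error records in the format shown in this log and groups them by the hash of the error stack, so two inputs that hit the same fault collapse into one entry. The t10.mp3 record is constructed, and reading a second hash inside a record as the allocation-site stack is an assumption based on Memcheck's usual record layout.

```python
import re
from collections import defaultdict

PREFIX = re.compile(r"^==\d+==\s?(.*)$")
FRAME = re.compile(r"^(?:at|by) 0x[0-9A-Fa-f]+: (.+)$")
HASH = re.compile(r"^Stack hash: (\d+)$")

def parse_errors(log):
    """One dict per record: error-stack hash/frames plus allocation-site (aux) hash."""
    errors, cur, stack = [], None, None
    for m in filter(None, map(PREFIX.match, log.splitlines())):
        text = m.group(1).strip()
        if not text:                         # bare "==PID==" line ends a record
            cur = stack = None
        elif cur is None:                    # first line of a record names the error
            errors.append(cur := {"kind": text, "hash": None, "frames": [], "aux_hash": None})
        elif h := HASH.match(text):          # 1st hash: error stack, 2nd: alloc site (assumed)
            first = cur["hash"] is None
            cur["hash" if first else "aux_hash"] = h.group(1)
            stack = cur["frames"] if first else None
        elif stack is not None and (f := FRAME.match(text)):
            stack.append(f.group(1))
    return [e for e in errors if e["hash"]]  # drops banner and summary blocks

def group_by_hash(logs):
    """Map error-stack hash -> kind, top frame and the inputs that triggered it."""
    groups = defaultdict(lambda: {"kind": None, "top": None, "inputs": set()})
    for name, log in logs.items():
        for e in parse_errors(log):
            g = groups[e["hash"]]
            g["kind"], g["top"] = e["kind"], (e["frames"] or [None])[0]
            g["inputs"].add(name)
    return dict(groups)

# Records trimmed from the log in this ticket.
LOG_8 = """==7332== Syscall param write(buf) points to uninitialised byte(s)
==7332== Stack hash: 2550802113
==7332== at 0x4000792: (within /lib/ld-2.3.6.so)
==7332== Address 0x430fafc is 2,172 bytes inside a block of size 65,536 alloc'd
==7332== Stack hash: 2167162419
==7332== at 0x401D898: malloc (vg_replace_malloc.c:207)
==7332==
==7332== Invalid read of size 4
==7332== Stack hash: 208377022
==7332== at 0x81E317B: dct36 (dct36.c:169)"""
# Constructed record (PID invented) standing in for the earlier t10.mp3 run.
LOG_T10 = """==4242== Invalid read of size 4
==4242== Stack hash: 208377022
==4242== at 0x81E317B: dct36 (dct36.c:169)"""
print(group_by_hash({"8-onverges13.mp3": LOG_8, "t10.mp3": LOG_T10}))
```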
Change History (3)
comment:1 by , 17 years ago
Priority: | normal → if idle |
---|
comment:2 by , 17 years ago
Summary: | Error in Audio Decoding: Invalid Read and Syscall param write(buf) points to uninitialised byte(s) → Mplayer Crashed: Error in Audio Decoding: Invalid Read and Syscall param write(buf) points to uninitialised byte(s) |
---|
*Summary has been edited*
*Back-trace can be seen in the file (crash2)*
File link is at URL:
<http://www.eecs.berkeley.edu/~sckhan/crash2>
comment:3 by , 14 years ago
Owner: | changed from | to
---|
in mp3lib, read -> low priority