Opened 17 years ago

Closed 17 years ago

#1176 closed defect (duplicate)

Mplayer [Crash] and Valgrind reports Invalid Write in mov_build_index (demux_mov.c:211)

Reported by: nstockma@… Owned by: r_togni@…
Priority: normal Component: demuxer
Version: HEAD Severity: normal
Keywords: Cc: catchconv-bugreports@…
Blocked By: Blocking:
Reproduced by developer: no Analyzed by developer: no

Description

Disclaimer: This bug's stack trace appears very similar to Bug 1153 and Bug 1170, However it crashes in a different place than 1153 and its stack trace is not quite identical to 1170 so I am reporting it in case it is a separate bug. (Sorry in advance if it is a duplicate!)

Here's an mp4 file where Valgrind reports an Invalid Write and Mplayer crashes.
The mp4 file (10-92.mp4) can be found inside the .tgz archive at the URL
above. The bug is easily reproducible.

I confirmed that this bug is reproducible on Linux OS, Debian x32 with the
following subversion of MPlayer: dev-SVN-r27262-4.1.2

I used a 32-bit Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz.

To reproduce:
wget http://www.metafuzz.com/testcases/711570-10-2544342019-InvalidWrite.tgz
tar xzfv 711570-10-2544342019-InvalidWrite.tgz
valgrind mplayer 10-92.mp4

Here is the output from Valgrind and Mplayer on my machine:

user@debian:~/mplayer$ valgrind mplayer ../Desktop/10-92.mp4
==1017== Memcheck, a memory error detector.
==1017== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==1017== Using LibVEX rev 1854, a library for dynamic binary translation.
==1017== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==1017== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==1017== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==1017== For more details, rerun with: -v
==1017==
MPlayer dev-SVN-r27262-4.1.2 (C) 2000-2008 MPlayer Team
CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz (Family: 6, Model: 15, Stepping: 6)
CPUflags: MMX: 1 MMX2: 1 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 1
Compiled for x86 CPU with extensions: MMX MMX2 SSE SSE2

Playing ../Desktop/10-92.mp4.
libavformat file format detected.
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x8647530]Could not find codec parameters (Data: 0x0000)
LAVF_header: av_find_stream_info() failed
ISO: Unknown File Type Major Brand: �som
Quicktime/MOV file format detected.
Warning! pts=-975231470 length=2923200
MOV: durmap and chunkmap sample count differ (865900167 vs 0)
<=============================================================================================
==1017== Invalid write of size 4
==1017== Stack hash: 3532604570
==1017== at 0x8140E6A: mov_build_index (demux_mov.c:211)
==1017== by 0x81424B6: lschunks (demux_mov.c:1312)
==1017== by 0x8143D75: mov_read_header (demux_mov.c:1931)
==1017== by 0x8125D8E: demux_open_stream (demuxer.c:864)
==1017== by 0x8126061: demux_open (demuxer.c:991)
==1017== by 0x80791AE: main (mplayer.c:3238)
==1017== Address 0x4 is not stack'd, malloc'd or (recently) free'd

MPlayer interrupted by signal 11 in module: demux_open

  • MPlayer crashed by bad usage of CPU/FPU/RAM. Recompile MPlayer with --enable-debug and make a 'gdb' backtrace and disassembly. Details in DOCS/HTML/en/bugreports_what.html#bugreports_crash.
  • MPlayer crashed. This shouldn't happen. It can be a bug in the MPlayer code _or_ in your drivers _or_ in your gcc version. If you think it's MPlayer's fault, please read DOCS/HTML/en/bugreports.html and follow the instructions there. We can't and won't help unless you provide this information when reporting a possible bug.

==1017==
==1017== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 27 from 1)
==1017== malloc/free: in use at exit: 4,292,854 bytes in 2,208 blocks.
==1017== malloc/free: 2,349 allocs, 140 frees, 5,568,023 bytes allocated.
==1017== For counts of detected errors, rerun with: -v
==1017== searching for pointers to 2,208 not-freed blocks.
==1017== checked 7,160,868 bytes.
==1017==
==1017== LEAK SUMMARY:
==1017== definitely lost: 0 bytes in 0 blocks.
==1017== possibly lost: 0 bytes in 0 blocks.
==1017== still reachable: 4,292,854 bytes in 2,208 blocks.
==1017== suppressed: 0 bytes in 0 blocks.
==1017== Rerun with --leak-check=full to see details of leaked memory.

The following is a backtrace using gdb:

(gdb) bt
#0 mov_build_index (trak=0x89b36b8, timescale=24464)

at libmpdemux/demux_mov.c:211

#1 0x081424b7 in lschunks (demuxer=0x89b19f0, level=0, endpos=2216938,

trak=0x0) at libmpdemux/demux_mov.c:1312

#2 0x08143d76 in mov_read_header (demuxer=0x89b19f0)

at libmpdemux/demux_mov.c:1931

#3 0x08125d8f in demux_open_stream (stream=0x89b2378,

file_format=<value optimized out>, force=0, audio_id=-1, video_id=-1,
dvdsub_id=-2, filename=0x89a8540 "../Desktop/10-92.mp4")
at libmpdemux/demuxer.c:864

#4 0x08126062 in demux_open (vs=0x89b2378, file_format=0, audio_id=-1,

video_id=-1, dvdsub_id=-2, filename=0x89a8540 "../Desktop/10-92.mp4")
at libmpdemux/demuxer.c:991

#5 0x080791af in main (argc=4, argv=0xbf95f844) at mplayer.c:3238

(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x8140e4a to 0x8140e8a:
0x08140e4a <mov_build_index+426>: xor $0x24,%al
0x08140e4c <mov_build_index+428>: call 0x80754b4 <calloc@plt>
0x08140e51 <mov_build_index+433>: mov 0x8(%ebp),%ecx
0x08140e54 <mov_build_index+436>: test %esi,%esi
0x08140e56 <mov_build_index+438>: mov %eax,%ebx
0x08140e58 <mov_build_index+440>: mov %eax,0x58(%ecx)
0x08140e5b <mov_build_index+443>: jle 0x8140e70 <mov_build_index+464>
0x08140e5d <mov_build_index+445>: mov 0x20(%ecx),%ecx
0x08140e60 <mov_build_index+448>: xor %edx,%edx
0x08140e62 <mov_build_index+450>: mov %edx,%eax
0x08140e64 <mov_build_index+452>: inc %edx
0x08140e65 <mov_build_index+453>: shl $0x4,%eax
0x08140e68 <mov_build_index+456>: cmp %edx,%esi
0x08140e6a <mov_build_index+458>: mov %ecx,0x4(%eax,%ebx,1)
0x08140e6e <mov_build_index+462>: jne 0x8140e62 <mov_build_index+450>
0x08140e70 <mov_build_index+464>: mov 0x8(%ebp),%eax
0x08140e73 <mov_build_index+467>: movl $0x0,0x20(%eax)
0x08140e7a <mov_build_index+474>: mov 0x54(%eax),%eax
0x08140e7d <mov_build_index+477>: test %eax,%eax
0x08140e7f <mov_build_index+479>: jne 0x8140ec2 <mov_build_index+546>
0x08140e81 <mov_build_index+481>: mov 0x8(%ebp),%ecx
0x08140e84 <mov_build_index+484>: mov 0x6c(%ecx),%eax
0x08140e87 <mov_build_index+487>: cmp $0x1,%eax
End of assembler dump.

(gdb) info all-registers
eax 0x0 0
ecx 0x0 0
edx 0x1 1
ebx 0x0 0
esp 0xbf95e280 0xbf95e280
ebp 0xbf95e328 0xbf95e328
esi 0x339c9687 865900167
edi 0xffffff00 -256
eip 0x8140e6a 0x8140e6a <mov_build_index+458>
eflags 0x10202 [ IF RF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
st0 0 (raw 0x00000000000000000000)
st1 0 (raw 0x00000000000000000000)
st2 0 (raw 0x00000000000000000000)
st3 0 (raw 0x00000000000000000000)
st4 0 (raw 0x00000000000000000000)
st5 1 (raw 0x3fff8000000000000000)
st6 90000 (raw 0x400fafc8000000000000)
st7 32.479999999999996873611962655559182 (raw 0x400481eb851eb851e800)
fctrl 0x37f 895
fstat 0x20 32
ftag 0xffff 65535
fiseg 0x73 115
fioff 0xb7cd2326 -1211292890
foseg 0x7b 123
fooff 0xbf95c1b8 -1080704584
fop 0x55c 1372
xmm0 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},

v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,

0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},

uint128 = 0x00000000000000000000000000000000}

xmm1 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},

v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,

0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},

uint128 = 0x00000000000000000000000000000000}

xmm2 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},

v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,

0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},

uint128 = 0x00000000000000000000000000000000}

xmm3 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},

v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,

0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},

uint128 = 0x00000000000000000000000000000000}

xmm4 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},

v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,

0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},

uint128 = 0x00000000000000000000000000000000}

xmm5 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},

v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,

0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},

uint128 = 0x00000000000000000000000000000000}

xmm6 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},

v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,

0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},

uint128 = 0x00000000000000000000000000000000}

xmm7 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},

v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,

0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},

uint128 = 0x00000000000000000000000000000000}

mxcsr 0x1f80 [ IM DM ZM OM UM PM ]
mm0 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0,

0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}

mm1 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0,

0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}

mm2 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0,

0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}

mm3 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0,

0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}

mm4 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0,

0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}

mm5 {uint64 = 0x8000000000000000, v2_int32 = {0x0, 0x80000000},

v4_int16 = {0x0, 0x0, 0x0, 0x8000}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,

0x0, 0x80}}

mm6 {uint64 = 0xafc8000000000000, v2_int32 = {0x0, 0xafc80000},

v4_int16 = {0x0, 0x0, 0x0, 0xafc8}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,

0xc8, 0xaf}}

mm7 {uint64 = 0x81eb851eb851e800, v2_int32 = {0xb851e800,

0x81eb851e}, v4_int16 = {0xe800, 0xb851, 0x851e, 0x81eb}, v8_int8 = {0x0,
0xe8, 0x51, 0xb8, 0x1e, 0x85, 0xeb, 0x81}}

This bug was found using the Zzuf fuzzer. It was found as part of the
SUPERB-TRUST 2008 project ( see http://www.truststc.org/superb/ ) and the
metafuzz project ( see http://metafuzz.com/, stack hash 2544342019).

Please let me know if I can provide more information.

Change History (1)

comment:1 by reimar, 17 years ago

Resolution: duplicate
Status: newclosed

* This bug has been marked as a duplicate of bug 1113 *

Note: See TracTickets for help on using tickets.