Opened 17 years ago
Last modified 14 years ago
#1178 new defect
[crash] Valgrind reports InvalidRead size4, and the .ogg file crashes the mplayer .vorbis_decode_init (bitstream.h:659)
| Reported by: | | Owned by: | reimar |
|---|---|---|---|
| Priority: | normal | Component: | demuxer |
| Version: | HEAD | Severity: | normal |
| Keywords: | | Cc: | catchconv-bugreports@… |
| Blocked By: | | Blocking: | |
| Reproduced by developer: | no | Analyzed by developer: | no |
Description
For this .ogg file, Valgrind 3.3.1 reports an invalid read in the latest Subversion version of MPlayer, SVN-r27262-4.1.2, and MPlayer crashes.
System Info:
OS: Debian Etch Linux, Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz
uname -a: Linux debian 2.6.18-4-486 #1 Mon Mar 26 16:39:10 UTC 2007 i686 GNU/Linux
To reproduce:
wget http://www.metafuzz.com/testcases/220497-21-7225245952-result256.tgz
tar xzf 220497-21-7225245952-result256.tgz
valgrind mplayer 21-Nad.ogg
Valgrind result:
libavformat file format detected.
==12065== Invalid read of size 4<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>
==12065== Stack hash: 3937173639
==12065== at 0x84FFC4A: vorbis_decode_init (bitstream.h:659)
==12065== by 0x82EDE9D: avcodec_open (utils.c:831)
==12065== by 0x82643DA: av_find_stream_info (utils.c:1760)
==12065== by 0x81A3045: demux_open_lavf (demux_lavf.c:466)
==12065== by 0x811E20E: demux_open_stream (demuxer.c:864)
==12065== by 0x811E4E1: demux_open (demuxer.c:991)
==12065== by 0x807799E: main (mplayer.c:3238)
==12065== Address 0x4328e19 is 3,993 bytes inside a block of size 3,995 alloc'd
==12065== Stack hash: 2176887360
==12065== at 0x401D96E: realloc (vg_replace_malloc.c:429)
==12065== by 0x82A72BF: vorbis_header (oggparsevorbis.c:149)
==12065== by 0x82A5D9F: ogg_packet (oggdec.c:369)
==12065== by 0x82A5F01: ogg_read_header (oggdec.c:408)
==12065== by 0x82619FE: av_open_input_stream (utils.c:398)
==12065== by 0x81A3024: demux_open_lavf (demux_lavf.c:459)
==12065== by 0x811E20E: demux_open_stream (demuxer.c:864)
==12065== by 0x811E4E1: demux_open (demuxer.c:991)
==12065== by 0x807799E: main (mplayer.c:3238)
[ogg @ 0x863db10]Could not find codec parameters (Audio: vorbis, 112 kb/s)
MPlayer interrupted by signal 8 in module: demux_open
- MPlayer crashed by bad usage of CPU/FPU/RAM.<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>
==12065== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 19 from 1)
==12065== malloc/free: in use at exit: 451,980 bytes in 3,247 blocks.
==12065== malloc/free: 4,139 allocs, 892 frees, 104,810,121 bytes allocated.
==12065== For counts of detected errors, rerun with: -v
==12065== searching for pointers to 3,247 not-freed blocks.
==12065== checked 3,218,776 bytes.
==12065==
==12065== LEAK SUMMARY:
==12065== definitely lost: 0 bytes in 0 blocks.
==12065== possibly lost: 0 bytes in 0 blocks.
==12065== still reachable: 451,980 bytes in 3,247 blocks.
==12065== suppressed: 0 bytes in 0 blocks.
################################################################################
'gdb' backtrace
(gdb) run -v 21-Nad.ogg
Starting program: /usr/local/bin/mplayer -v 21-Nad.ogg
Failed to read a valid object file image from memory.
[Thread debugging using libthread_db enabled]
[New Thread -1210492704 (LWP 12366)]
MPlayer dev-SVN-r27262-4.1.2 (C) 2000-2008 MPlayer Team
CPU: Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz (Family: 6, Model: 15, Stepping: 13)
CPUflags: MMX: 1 MMX2: 1 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 1
Compiled for x86 CPU with extensions: MMX MMX2 SSE SSE2
get_path('codecs.conf') -> '/home/user/.mplayer/codecs.conf'
Reading /home/user/.mplayer/codecs.conf: Can't open '/home/user/.mplayer/codecs.conf': No such file or directory
Reading /usr/local/etc/mplayer/codecs.conf: Can't open '/usr/local/etc/mplayer/codecs.conf': No such file or directory
Using built-in default codecs.conf.
Configuration: --enable-debug=3
CommandLine: '-v' '21-Nad.ogg'
get_path('font/font.desc') -> '/home/user/.mplayer/font/font.desc'
font: can't open file: /home/user/.mplayer/font/font.desc
font: can't open file: /usr/local/share/mplayer/font/font.desc
Using MMX (with tiny bit MMX2) Optimized OnScreenDisplay
Using nanosleep() timing
get_path('input.conf') -> '/home/user/.mplayer/input.conf'
Can't open input config file /home/user/.mplayer/input.conf: No such file or directory
Can't open input config file /usr/local/etc/mplayer/input.conf: No such file or directory
Falling back on default (hardcoded) input config
get_path('21-Nad.ogg.conf') -> '/home/user/.mplayer/21-Nad.ogg.conf'
Playing 21-Nad.ogg.
get_path('sub/') -> '/home/user/.mplayer/sub/'
[file] File size is 98421 bytes
STREAM: [file] 21-Nad.ogg
STREAM: Description: File
STREAM: Author: Albeu
STREAM: Comment: based on the code from ??? (probably Arpi)
LAVF_check: Ogg
Checking for YUV4MPEG2
ASF_check: not ASF guid!
Checking for NuppelVideo
Checking for REAL
Checking for SMJPEG
Searching demuxer type for filename 21-Nad.ogg ext: .ogg
Trying demuxer 18 based on filename extension
demuxer: continue fuzzy content-based format guessing...
Checking for Nullsoft Streaming Video
Checking for MOV
Checking for VIVO
header block 1 size: 103
AVS: avs_check_file - attempting to open file 21-Nad.ogg
AVS: File is too big, aborting...
Checking for PVA
Checking for MPEG-TS...
TRIED UP TO POSITION 70169, FOUND 47, packet_size= 0, SEEMS A TS? 0
Checking for LMLM4 Stream Format
Invalid packet in LMLM4 stream: ch=20327 size=131064
LMLM4 Stream Format not found
MPEG Stream reached EOF
ds_fill_buffer: EOF reached (stream: video)
MPEG packet stats: p100: 2 p101: 0 p1B6: 0 p12x: 0 sli: 0 a: 0 b: 0 c: 0 idr: 0 sps: 0 pps: 0 PES: 1 MP3: 15, synced: 0
Not MPEG System Stream format... (maybe Transport Stream?)
stream_seek: WARNING! Can't seek to 0x0 !
MPEG Stream reached EOF
ds_fill_buffer: EOF reached (stream: video)
MPEG packet stats: p100: 1 p101: 0 p1B6: 0 p12x: 0 sli: 0 a: 0 b: 0 c: 0 idr: 0 sps: 0 pps: 0 PES: 1 MP3: 15, synced: 0
Not MPEG System Stream format... (maybe Transport Stream?)
stream_seek: WARNING! Can't seek to 0x0 !
stream_seek: WARNING! Can't seek to 0x0 !
ds_fill_buffer: EOF reached (stream: video)
LAVF_check: Ogg
libavformat file format detected.
[ogg @ 0x863db10]Could not find codec parameters (Audio: vorbis, 112 kb/s)
Program received signal SIGFPE, Arithmetic exception.
[Switching to Thread -1210492704 (LWP 12366)]
0x08550367 in divdi3 ()
(gdb)
(gdb) bt
#0 0x08550367 in divdi3 ()
#1 0x08548529 in av_rescale_rnd (a=326656, b=1000000, c=0,
rnd=AV_ROUND_NEAR_INF) at mathematics.c:69
#2 0x085485be in av_rescale_q (a=1, bq={num = 1, den = 0}, cq=
{num = 1, den = 1000000}) at mathematics.c:115
#3 0x0826069d in av_update_stream_timings (ic=0x89b0420) at utils.c:1514
#4 0x082608bc in fill_all_stream_timings (ic=0x1) at utils.c:1541
#5 0x08264016 in av_find_stream_info (ic=0x89b0420) at utils.c:1703
#6 0x081a3046 in demux_open_lavf (demuxer=0x89a7138)
at libmpdemux/demux_lavf.c:466
#7 0x0811e20f in demux_open_stream (stream=0x89a6790,
file_format=<value optimized out>, force=0, audio_id=-1, video_id=-1,
dvdsub_id=-2, filename=0x899d470 "21-Nad.ogg") at libmpdemux/demuxer.c:864
#8 0x0811e4e2 in demux_open (vs=0x89a6790, file_format=0, audio_id=-1,
video_id=-1, dvdsub_id=-2, filename=0x899d470 "21-Nad.ogg")
at libmpdemux/demuxer.c:991
#9 0x0807799f in main (argc=3, argv=0xbf84f934) at mplayer.c:3238
(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x8550347 to 0x8550387:
0x08550347 <divdi3+359>: lock ja 0x8550265 <divdi3+133>
0x0855034e <divdi3+366>: mov $0x1,%ecx
0x08550353 <divdi3+371>: xor %eax,%eax
0x08550355 <divdi3+373>: jmp 0x8550270 <divdi3+144>
0x0855035a <divdi3+378>: lea 0x0(%esi),%esi
0x08550360 <divdi3+384>: mov $0x1,%eax
0x08550365 <divdi3+389>: xor %edx,%edx
0x08550367 <divdi3+391>: div %esi
0x08550369 <divdi3+393>: mov %eax,%ecx
0x0855036b <divdi3+395>: jmp 0x8550248 <divdi3+104>
0x08550370 <divdi3+400>: mov 0xfffffff0(%ebp),%eax
0x08550373 <divdi3+403>: movzbl 0xffffffe8(%ebp),%ecx
0x08550377 <divdi3+407>: shl %cl,%eax
0x08550379 <divdi3+409>: cmp %edi,%eax
0x0855037b <divdi3+411>: jae 0x8550301 <divdi3+289>
0x0855037d <divdi3+413>: mov 0xffffffc8(%ebp),%ecx
0x08550380 <divdi3+416>: xor %eax,%eax
0x08550382 <divdi3+418>: dec %ecx
0x08550383 <divdi3+419>: jmp 0x8550270 <divdi3+144>
End of assembler dump.
(gdb) info all-registers
eax 0x1 1
ecx 0x0 0
edx 0x0 0
ebx 0x4c 76
esp 0xbf84db90 0xbf84db90
ebp 0xbf84dbc8 0xbf84dbc8
esi 0x0 0
edi 0x0 0
eip 0x8550367 0x8550367 <divdi3+391>
eflags 0x210246 [ PF ZF IF RF ID ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
st0 0 (raw 0x00000000000000000000)
st1 0 (raw 0x00000000000000000000)
st2 0 (raw 0x00000000000000000000)
st3 0 (raw 0x00000000000000000000)
st4 0 (raw 0x00000000000000000000)
st5 1 (raw 0x3fff8000000000000000)
st6 0 (raw 0x00000000000000000000)
st7 0 (raw 0x00000000000000000000)
fctrl 0x37f 895
fstat 0x20 32
ftag 0xffff 65535
fiseg 0x73 115
fioff 0x84fca9c 139446940
foseg 0x7b 123
fooff 0xbf84dcd8 -1081811752
fop 0x15d 349
xmm0 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
uint128 = 0x00000000000000000000000000000000}
xmm1 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
uint128 = 0x00000000000000000000000000000000}
xmm2 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
uint128 = 0x00000000000000000000000000000000}
xmm3 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <r
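The two traces point at two separate defects in the libavformat/libavcodec path for this file. The Valgrind report is a 4-byte fetch that starts 3,993 bytes into the 3,995-byte extradata block realloc'd in vorbis_header, so it reads 2 bytes past the end: the bit reader behind bitstream.h pulls whole 32-bit words, which is why codec data fed to it needs trailing padding or a reader that checks its remaining length. The gdb backtrace is an integer division by zero: av_rescale_q was handed a stream time_base of {1, 0} taken from the file's headers, and the resulting `div` in divdi3 raised SIGFPE. The C below is an added example, not code from MPlayer or FFmpeg. It reproduces the arithmetic of each fault and puts a guarded version beside it. All names (fetch_overrun, padded_alloc_size, BitReader, sample_read, rescale_q_checked, INPUT_PADDING) and the five sample bytes are ours and are not taken from 21-Nad.ogg.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Slack bytes a word-at-a-time bit reader needs after the last real byte so
   that its fetch stays inside the allocation. FFmpeg's name for this is
   FF_INPUT_BUFFER_PADDING_SIZE; the value here is ours for the demo. */
#define INPUT_PADDING 8

/* ---- 1. The heap over-read ---------------------------------------------- */

/* Bytes a 4-byte fetch at `pos` reaches beyond a block of `alloc` bytes.
   Valgrind's numbers (block 3,995 bytes, address 3,993 bytes in) give 2. */
size_t fetch_overrun(size_t alloc, size_t pos)
{
    return pos + 4 > alloc ? pos + 4 - alloc : 0;
}

/* Allocation size for codec data of `size` real bytes when the consumer
   fetches whole words: the fix on the allocating side. */
size_t padded_alloc_size(size_t size)
{
    return size + INPUT_PADDING;
}

typedef struct {
    const uint8_t *buf;
    size_t size_bits;   /* bits of real data, independent of the allocation */
    size_t pos;         /* current bit position, MSB first */
} BitReader;

void br_init(BitReader *br, const uint8_t *buf, size_t size_bytes)
{
    br->buf = buf;
    br->size_bits = size_bytes * 8;
    br->pos = 0;
}

/* Bounds-checked read of n (1..32) bits. Returns 0 and stores the value, or
   -1 without advancing when fewer than n bits remain. Reads one byte at a
   time, so it never touches a byte past size_bytes whatever the allocation:
   the fix on the consuming side. */
int br_get_bits(BitReader *br, unsigned n, uint32_t *out)
{
    uint32_t v = 0;
    if (n == 0 || n > 32 || br->pos + n > br->size_bits)
        return -1;
    for (unsigned i = 0; i < n; i++, br->pos++)
        v = (v << 1) | ((br->buf[br->pos >> 3] >> (7 - (br->pos & 7))) & 1);
    *out = v;
    return 0;
}

/* Constructed stand-in for a short extradata block (not bytes from 21-Nad.ogg). */
static const uint8_t sample_extradata[] = { 0xAB, 0xCD, 0xEF, 0x01, 0x02 };

/* Reads n bits at `bitpos` from the sample; -1 when the read would run off
   the end of the real data, the situation vorbis_decode_init hit. */
int64_t sample_read(size_t bitpos, unsigned n)
{
    BitReader br;
    uint32_t v;
    br_init(&br, sample_extradata, sizeof sample_extradata);
    if (bitpos > br.size_bits)
        return -1;
    br.pos = bitpos;
    return br_get_bits(&br, n, &v) == 0 ? (int64_t)v : -1;
}

/* ---- 2. The division by zero -------------------------------------------- */

typedef struct { int num, den; } Rational;

/* a * bq / cq rounded to nearest, the computation av_rescale_q performs, but
   refusing a zero denominator instead of executing the div that raised
   SIGFPE (bq = {1, 0} in the backtrace). The demo is limited to non-negative
   operands; returns -1 on a degenerate rational or on overflow. */
int64_t rescale_q_checked(int64_t a, Rational bq, Rational cq)
{
    int64_t b, c;
    if (bq.den <= 0 || cq.den <= 0 || bq.num < 0 || cq.num <= 0 || a < 0)
        return -1;
    b = (int64_t)bq.num * cq.den;   /* 1 * 1000000 in the trace */
    c = (int64_t)cq.num * bq.den;   /* 1 * 0 in the trace: the divisor */
    if (b != 0 && a > (INT64_MAX - c / 2) / b)
        return -1;
    return (a * b + c / 2) / c;
}

int main(void)
{
    printf("4-byte fetch at +3993 in a 3995-byte block overruns by %zu byte(s)\n",
           fetch_overrun(3995, 3993));
    printf("3995 bytes of extradata should be allocated as %zu bytes\n",
           padded_alloc_size(3995));
    printf("read 24 bits at 0: 0x%llx\n", (long long)sample_read(0, 24));
    printf("read 32 bits at 24 (16 left): %lld\n", (long long)sample_read(24, 32));
    printf("rescale with time_base {1,0}: %lld\n",
           (long long)rescale_q_checked(1, (Rational){1, 0}, (Rational){1, 1000000}));
    printf("rescale with time_base {1,1000}: %lld\n",
           (long long)rescale_q_checked(1, (Rational){1, 1000}, (Rational){1, 1000000}));
    return 0;
}
```

Either guard alone stops one crash: rejecting a zero denominator where the stream's time_base is set from the header removes the SIGFPE, and padding the extradata allocation (or reading it through a length-checked reader) removes the over-read. This file triggers both, so the header parser needs both checks, not just the one that happens to fire first.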