Opened 17 years ago

Last modified 14 years ago

#1183 new defect

Error in Video Decoding: Invalid Read

Reported by: sckhan@…
Owned by: reimar
Priority: normal
Component: vd
Version: HEAD
Severity: normal
Keywords:
Cc: catchconv-bugreports@…
Blocked By:
Blocking:
Reproduced by developer: no
Analyzed by developer: no

Description

The following report is for SUPERB-TRUST 2008, the cyber security project.

#Error found in a test case .mqv file for mplayer version (dev-SVN-r27270-4.1.2);
valgrind reports the Invalid Read.

#The test case "65-nosound_lavf_works.mqv" can be found at the URL

*http://www.eecs.berkeley.edu/~sckhan/65-nosound_lavf_works.mqv

#Reproducible with the following command

*valgrind mplayer 65-nosound_lavf_works.mqv

Can also be run as:

*valgrind --log-file=log17 mplayer 65-nosound_lavf_works.mqv

#OS: Debian Etch Linux

#Valgrind output:

==24828== Invalid read of size 8
==24828== Stack hash: 3978047526
==24828== at 0x82F0BA2: put_pixels8_x2_mmx2 (dsputil_mmx_avg.h:36)
==24828== by 0x83481E2: MPV_motion (mpegvideo_common.h:359)
==24828== by 0x834FE2A: MPV_decode_mb (mpegvideo.c:1838)
==24828== by 0x84116A4: decode_slice (h263dec.c:243)
==24828== by 0x84127E0: ff_h263_decode_frame (h263dec.c:636)
==24828== by 0x82ED63F: avcodec_decode_video (utils.c:897)
==24828== by 0x8199119: decode (vd_ffmpeg.c:781)
==24828== by 0x80DB69A: decode_video (dec_video.c:369)
==24828== by 0x80786A6: main (mplayer.c:1761)
==24828== Address 0x45abab1 is 241 bytes inside a block of size 807 free'd
==24828== Stack hash: 160996529
==24828== at 0x401D43C: free (vg_replace_malloc.c:323)
==24828== by 0x825FCB4: av_destruct_packet (utils.c:190)
==24828== by 0x81A3932: demux_lavf_fill_buffer (avformat.h:121)
==24828== by 0x811E964: ds_fill_buffer (demuxer.c:498)
==24828== by 0x811F007: ds_get_packet_pts (demuxer.c:619)
==24828== by 0x8078660: main (mplayer.c:1751)
==24828==
==24828== Invalid read of size 1
==24828== Stack hash: 341059440
==24828== at 0x82B6000: ff_emulated_edge_mc (dsputil.c:508)
==24828== by 0x834D63E: MPV_motion (mpegvideo_common.h:327)
==24828== by 0x834FE2A: MPV_decode_mb (mpegvideo.c:1838)
==24828== by 0x84116A4: decode_slice (h263dec.c:243)
==24828== by 0x84127E0: ff_h263_decode_frame (h263dec.c:636)
==24828== by 0x82ED63F: avcodec_decode_video (utils.c:897)
==24828== by 0x8199119: decode (vd_ffmpeg.c:781)
==24828== by 0x80DB69A: decode_video (dec_video.c:369)
==24828== by 0x80786A6: main (mplayer.c:1761)
==24828== Address 0x45abef8 is 360 bytes inside a block of size 807 free'd
==24828== Stack hash: 944893910
==24828== at 0x401D43C: free (vg_replace_malloc.c:323)
==24828== by 0x811E9FF: ds_fill_buffer (demuxer.h:286)
==24828== by 0x811F007: ds_get_packet_pts (demuxer.c:619)
==24828== by 0x8078660: main (mplayer.c:1751)
==24828==
==24828== Invalid write of size 1
==24828== Stack hash: 617055701
==24828== at 0x82B6005: ff_emulated_edge_mc (dsputil.c:508)
==24828== by 0x834D63E: MPV_motion (mpegvideo_common.h:327)
==24828== by 0x834FE2A: MPV_decode_mb (mpegvideo.c:1838)
==24828== by 0x84116A4: decode_slice (h263dec.c:243)
==24828== by 0x84127E0: ff_h263_decode_frame (h263dec.c:636)
==24828== by 0x82ED63F: avcodec_decode_video (utils.c:897)
==24828== by 0x8199119: decode (vd_ffmpeg.c:781)
==24828== by 0x80DB69A: decode_video (dec_video.c:369)
==24828== by 0x80786A6: main (mplayer.c:1761)
==24828== Address 0x45ab658 is 440 bytes inside a block of size 1,032 free'd
==24828== Stack hash: 3888950742
==24828== at 0x401D43C: free (vg_replace_malloc.c:323)
==24828== by 0x825FCB4: av_destruct_packet (utils.c:190)
==24828== by 0x826287D: av_read_frame_internal (avformat.h:121)
==24828== by 0x8262D9C: av_read_frame (utils.c:1037)
==24828== by 0x81A381A: demux_lavf_fill_buffer (demux_lavf.c:542)
==24828== by 0x811E964: ds_fill_buffer (demuxer.c:498)
==24828== by 0x811F007: ds_get_packet_pts (demuxer.c:619)
==24828== by 0x8078660: main (mplayer.c:1751)
==24828==
==24828== Invalid read of size 1
==24828== Stack hash: 4175629392
==24828== at 0x82B6000: ff_emulated_edge_mc (dsputil.c:508)
==24828== by 0x834D69E: MPV_motion (mpegvideo_common.h:332)
==24828== by 0x834FE2A: MPV_decode_mb (mpegvideo.c:1838)
==24828== by 0x84116A4: decode_slice (h263dec.c:243)
==24828== by 0x84127E0: ff_h263_decode_frame (h263dec.c:636)
==24828== by 0x82ED63F: avcodec_decode_video (utils.c:897)
==24828== by 0x8199119: decode (vd_ffmpeg.c:781)
==24828== by 0x80DB69A: decode_video (dec_video.c:369)
==24828== by 0x80786A6: main (mplayer.c:1761)
==24828== Address 0x45abf08 is 376 bytes inside a block of size 807 free'd
==24828== Stack hash: 944893910
==24828== at 0x401D43C: free (vg_replace_malloc.c:323)
==24828== by 0x811E9FF: ds_fill_buffer (demuxer.h:286)
==24828== by 0x811F007: ds_get_packet_pts (demuxer.c:619)
==24828== by 0x8078660: main (mplayer.c:1751)
==24828==
==24828== Invalid write of size 1
==24828== Stack hash: 156658357
==24828== at 0x82B6005: ff_emulated_edge_mc (dsputil.c:508)
==24828== by 0x834D69E: MPV_motion (mpegvideo_common.h:332)
==24828== by 0x834FE2A: MPV_decode_mb (mpegvideo.c:1838)
==24828== by 0x84116A4: decode_slice (h263dec.c:243)
==24828== by 0x84127E0: ff_h263_decode_frame (h263dec.c:636)
==24828== by 0x82ED63F: avcodec_decode_video (utils.c:897)
==24828== by 0x8199119: decode (vd_ffmpeg.c:781)
==24828== by 0x80DB69A: decode_video (dec_video.c:369)
==24828== by 0x80786A6: main (mplayer.c:1761)
==24828== Address 0x45ab218 is 0 bytes after a block of size 1,192 alloc'd
==24828== Stack hash: 2267558601
==24828== at 0x401C882: memalign (vg_replace_malloc.c:460)
==24828== by 0x85491A4: av_malloc (mem.c:61)
==24828== by 0x8549226: av_mallocz (mem.c:134)
==24828== by 0x834230E: alloc_picture (mpegvideo.c:223)
==24828== by 0x83425C0: MPV_frame_start (mpegvideo.c:868)
==24828== by 0x84127A3: ff_h263_decode_frame (h263dec.c:615)
==24828== by 0x82ED63F: avcodec_decode_video (utils.c:897)
==24828== by 0x8199119: decode (vd_ffmpeg.c:781)
==24828== by 0x80DB69A: decode_video (dec_video.c:369)
==24828== by 0x80786A6: main (mplayer.c:1761)
==24828==
==24828== Invalid read of size 1
==24828== Stack hash: 893051962
==24828== at 0x82B600A: ff_emulated_edge_mc (dsputil.c:507)
==24828== by 0x834D63E: MPV_motion (mpegvideo_common.h:327)
==24828== by 0x834FE2A: MPV_decode_mb (mpegvideo.c:1838)
==24828== by 0x84116A4: decode_slice (h263dec.c:243)
==24828== by 0x84127E0: ff_h263_decode_frame (h263dec.c:636)
==24828== by 0x82ED63F: avcodec_decode_video (utils.c:897)
==24828== by 0x8199119: decode (vd_ffmpeg.c:781)
==24828== by 0x80DB69A: decode_video (dec_video.c:369)
==24828== by 0x80786A6: main (mplayer.c:1761)
==24828== Address 0x45abaa2 is 226 bytes inside a block of size 807 free'd
==24828== Stack hash: 160996529
==24828== at 0x401D43C: free (vg_replace_malloc.c:323)
==24828== by 0x825FCB4: av_destruct_packet (utils.c:190)
==24828== by 0x81A3932: demux_lavf_fill_buffer (avformat.h:121)
==24828== by 0x811E964: ds_fill_buffer (demuxer.c:498)
==24828== by 0x811F007: ds_get_packet_pts (demuxer.c:619)
==24828== by 0x8078660: main (mplayer.c:1751)
==24828==
==24828== ERROR SUMMARY: 30037 errors from 130 contexts (suppressed: 19 from 1)
==24828== malloc/free: in use at exit: 32,926 bytes in 14 blocks.
==24828== malloc/free: 4,763 allocs, 4,749 frees, 5,763,846 bytes allocated.
==24828== For counts of detected errors, rerun with: -v
==24828== searching for pointers to 14 not-freed blocks.
==24828== checked 2,898,828 bytes.
==24828==
==24828== LEAK SUMMARY:
==24828== definitely lost: 0 bytes in 0 blocks.
==24828== possibly lost: 0 bytes in 0 blocks.
==24828== still reachable: 32,926 bytes in 14 blocks.
==24828== suppressed: 0 bytes in 0 blocks.
==24828== Rerun with --leak-check=full to see details of leaked memory.

#The above error message is just a part of the log file...

*This report is to inform of the error found in MPlayer, where it has Invalid Reads of different sizes when run with the test case 65-nosound_lavf_works.mqv, with Stack hash: 160996529 and error back trace at: av_destruct_packet (utils.c:190).

#The bug was found while comparing the fuzzing tools (zzuf and catchconv) and is part of the metafuzz project.

*URL at: metafuzz.com
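The log above reports 30037 errors from 130 contexts, and a reader has to work out by hand that they collapse to a few distinct access patterns (reads landing in a freed demuxer packet, a one-byte write just past the picture buffer from alloc_picture). As an added triage example, not part of the ticket and not MPlayer or FFmpeg code, the following Python script parses Memcheck "Invalid read/write" records and groups them by access type, size, faulting frame, the state of the block the address fell in, and the first non-allocator frame of that block's alloc/free stack. The embedded sample log is constructed from three records of the log above; the "Stack hash:" lines are not standard Memcheck output and are skipped, as is any other line the parser does not recognise. Function and key names are the example's own.

```python
"""Triage helper for valgrind Memcheck logs: parse Invalid read/write records
and group them by access type, faulting frame and the block the address hit."""
import re
from collections import Counter

# Constructed sample: three records taken from the ticket's log, with one
# non-standard "Stack hash" line kept to show that the parser skips it.
SAMPLE_LOG = """\
==24828== Invalid read of size 8
==24828== Stack hash: 3978047526
==24828== at 0x82F0BA2: put_pixels8_x2_mmx2 (dsputil_mmx_avg.h:36)
==24828== by 0x83481E2: MPV_motion (mpegvideo_common.h:359)
==24828== Address 0x45abab1 is 241 bytes inside a block of size 807 free'd
==24828== at 0x401D43C: free (vg_replace_malloc.c:323)
==24828== by 0x825FCB4: av_destruct_packet (utils.c:190)
==24828==
==24828== Invalid read of size 1
==24828== at 0x82B6000: ff_emulated_edge_mc (dsputil.c:508)
==24828== by 0x834D63E: MPV_motion (mpegvideo_common.h:327)
==24828== Address 0x45abef8 is 360 bytes inside a block of size 807 free'd
==24828== at 0x401D43C: free (vg_replace_malloc.c:323)
==24828== by 0x811E9FF: ds_fill_buffer (demuxer.h:286)
==24828==
==24828== Invalid write of size 1
==24828== at 0x82B6005: ff_emulated_edge_mc (dsputil.c:508)
==24828== by 0x834D63E: MPV_motion (mpegvideo_common.h:327)
==24828== Address 0x45ab218 is 0 bytes after a block of size 1,192 alloc'd
==24828== at 0x401C882: memalign (vg_replace_malloc.c:460)
==24828== by 0x85491A4: av_malloc (mem.c:61)
==24828==
"""

PREFIX = re.compile(r"^==\d+==\s?(.*)$")
HEADER = re.compile(r"^Invalid (read|write) of size (\d+)$")
FRAME = re.compile(r"^(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \(([^)]*)\)$")
ADDRESS = re.compile(r"^Address 0x[0-9A-Fa-f]+ is ([\d,]+) bytes (inside|before|after) "
                     r"a block of size ([\d,]+) (free'd|alloc'd)$")
ALLOCATORS = {"malloc", "free", "calloc", "realloc", "memalign", "posix_memalign"}


def parse_memcheck(log):
    """Return one dict per Invalid read/write record found in `log`."""
    records, cur, in_block = [], None, False
    for raw in log.splitlines():
        m = PREFIX.match(raw)
        if not m:
            continue                      # not a Memcheck line (program output etc.)
        line = m.group(1).strip()
        if not line:                      # bare "==PID==" line ends a record
            if cur:
                records.append(cur)
            cur, in_block = None, False
            continue
        h = HEADER.match(line)
        if h:
            if cur:
                records.append(cur)
            cur = {"kind": h.group(1), "size": int(h.group(2)),
                   "frames": [], "block": None, "block_frames": []}
            in_block = False
            continue
        if cur is None:
            continue
        a = ADDRESS.match(line)
        if a:
            cur["block"] = {"offset": int(a.group(1).replace(",", "")),
                            "relation": a.group(2),
                            "size": int(a.group(3).replace(",", "")),
                            "state": a.group(4)}
            in_block = True               # frames from here on describe the block
            continue
        f = FRAME.match(line)
        if f:
            (cur["block_frames"] if in_block else cur["frames"]).append(f.groups())
        # anything else ("Stack hash: ...", "Thread 1:", ...) is ignored
    if cur:
        records.append(cur)
    return records


def block_origin(rec):
    """First non-allocator frame of the block's alloc/free stack, or None."""
    return next((fn for fn, _ in rec["block_frames"] if fn not in ALLOCATORS), None)


def classify(rec):
    """Coarse bug class from where the bad address landed."""
    blk = rec["block"]
    if blk is None:
        return "unknown"
    if blk["state"] == "free'd":
        return f"{rec['kind']}-of-freed-heap"
    return f"heap-overflow-{rec['kind']}"   # before/after a live allocation


def signature(rec):
    """Key that separates one access pattern from another."""
    top = rec["frames"][0][0] if rec["frames"] else "?"
    return (rec["kind"], rec["size"], top, classify(rec), block_origin(rec))


def triage(log):
    """Collapse all records to [(signature, count)], most frequent first."""
    return Counter(signature(r) for r in parse_memcheck(log)).most_common()
```

Running triage() over the full log file written with --log-file (as in the command above) gives one line per distinct signature with its count; on the sample the three records are three different signatures, and the write classified as heap-overflow-write (past the 1,192-byte block from av_malloc) is the one to look at first, since an out-of-bounds write is the access most likely to be more than a crash.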

Change History (1)

comment:1 by compn, 14 years ago

Owner: changed from r_togni@… to reimar