Opened 9 years ago
Last modified 9 years ago
#2263 new defect
invalid read with fuzzed file
Reported by: | ami_stuff | Owned by: | beastd |
---|---|---|---|
Priority: | normal | Component: | undetermined |
Version: | unspecified | Severity: | blocker |
Keywords: | | Cc: | |
Blocked By: | | Blocking: | |
Reproduced by developer: | no | Analyzed by developer: | no |
Description
```
knoppix@Microknoppix:/media/sdb1$ valgrind --leak-check=full mplayer/mplayer -demuxer lavf dxtory_fuzz.avi
==23359== Memcheck, a memory error detector
==23359== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==23359== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==23359== Command: mplayer/mplayer -demuxer lavf dxtory_fuzz.avi
==23359==
--23359-- WARNING: Serious error when reading debug info
--23359-- When reading debug info from /usr/lib/i386-linux-gnu/libGL.so.1.2:
--23359-- Can't make sense of .got section mapping
--23359-- WARNING: Serious error when reading debug info
--23359-- When reading debug info from /usr/lib/i386-linux-gnu/libglapi.so.0.0.0:
--23359-- Can't make sense of .got section mapping
MPlayer 1.2-4.7 (C) 2000-2015 MPlayer Team

Playing dxtory_fuzz.avi.
libavformat version 56.40.101 (internal)
libavformat file format detected.
[avi @ 0xd1e940]too big INFO subchunk
[avi @ 0xd1e940]Something went wrong during header parsing, I will ignore it and try to continue anyway.
[avi @ 0xd1e940]non-interleaved AVI
[dxtory @ 0xe4c360]Slice sizes mismatch: got 1073763535 instead of 21711
[dxtory @ 0xe4c360]Slice sizes mismatch: got 9344 instead of 9216
[dxtory @ 0xe4c360]invalid slice size 9232 (only 9228 bytes left)
[lavf] stream 0: video (dxtory), -vid 0
VIDEO: [xtor] 1024x768 24bpp 1.000 fps 0.0 kbps ( 0.0 kbyte/s)
Load subtitles in ./
==========================================================================
Opening video decoder: [ffmpeg] FFmpeg's libavcodec codec family
libavcodec version 56.60.100 (internal)
Selected video codec: [ffxtor] vfm: ffmpeg (FFmpeg Dxtory)
==========================================================================
Audio: no sound
Starting playback...
Unexpected decoder output format Planar YVU9
[dxtory @ 0xe4c360]Slice sizes mismatch: got 1073763535 instead of 21711
[dxtory @ 0xe4c360]Slice sizes mismatch: got 9344 instead of 9216
[dxtory @ 0xe4c360]invalid slice size 9232 (only 9228 bytes left)
Error while decoding frame!
[dxtory @ 0xe4c360]Frame header 7000009 is not implemented. Update your FFmpeg version to the newest one from Git. If the problem still occurs, it means that your file has a feature which has not been implemented.
[dxtory @ 0xe4c360]If you want to help, upload a sample of this file to ftp://upload.ffmpeg.org/incoming/ and contact the ffmpeg-devel mailing list. (ffmpeg-devel@ffmpeg.org)
Error while decoding frame!
[dxtory @ 0xe4c360]Slice sizes mismatch: got 12117 instead of 12053
[dxtory @ 0xe4c360]Slice sizes mismatch: got 2863311530 instead of 10975
[dxtory @ 0xe4c360]Slice sizes mismatch: got 1431655765 instead of 10425
[dxtory @ 0xe4c360]Slice sizes mismatch: got 2863311530 instead of 11826
[dxtory @ 0xe4c360]Slice sizes mismatch: got 1431655765 instead of 10193
[dxtory @ 0xe4c360]Slice sizes mismatch: got 2864360106 instead of 12526
[dxtory @ 0xe4c360]Slice sizes mismatch: got 2863311530 instead of 11380
[dxtory @ 0xe4c360]Slice sizes mismatch: got 1431655765 instead of 11602
[dxtory @ 0xe4c360]Slice sizes mismatch: got 1431663957 instead of 11214
[dxtory @ 0xe4c360]Slice sizes mismatch: got 2863311530 instead of 9216
[dxtory @ 0xe4c360]Slice sizes mismatch: got 1431655765 instead of 9216
[dxtory @ 0xe4c360]Slice sizes mismatch: got 1431655765 instead of 9216
[dxtory @ 0xe4c360]Slice sizes mismatch: got 1431655509 instead of 9216
[dxtory @ 0xe4c360]Slice sizes mismatch: got 1431655765 instead of 9216
[dxtory @ 0xe4c360]Slice sizes mismatch: got 1431655765 instead of 9216
[dxtory @ 0xe4c360]Slice sizes mismatch: got 1431655765 instead of 9216
==23359== Invalid read of size 4
==23359==    at 0x5B4BA0: decode_frame (get_bits.h:265)
==23359==    by 0x8473AD: avcodec_decode_video2 (utils.c:2445)
==23359==    by 0x3B388C: decode (vd_ffmpeg.c:957)
==23359==    by 0x606B647: ???
==23359==  Address 0x78c5b1a is 251,738 bytes inside a block of size 251,740 alloc'd
==23359==    at 0x4828308: malloc (vg_replace_malloc.c:263)
==23359==    by 0x3B7F76: demux_lavf_fill_buffer (demuxer.h:296)
==23359==    by 0x338247: ds_fill_buffer (demuxer.c:649)
==23359==    by 0x33959F: ds_get_packet (demuxer.c:868)
==23359==    by 0x3395FA: ds_get_packet_pts (demuxer.c:884)
==23359==    by 0x288BE4: update_video (mplayer.c:1802)
==23359==    by 0x27C5E6: main (mplayer.c:3811)
==23359==
==23359== Invalid read of size 1
==23359==    at 0x5B415D: decode_frame (get_bits.h:309)
==23359==    by 0x8473AD: avcodec_decode_video2 (utils.c:2445)
==23359==    by 0x3B388C: decode (vd_ffmpeg.c:957)
==23359==    by 0x606B647: ???
==23359==  Address 0x78c5b1c is 0 bytes after a block of size 251,740 alloc'd
==23359==    at 0x4828308: malloc (vg_replace_malloc.c:263)
==23359==    by 0x3B7F76: demux_lavf_fill_buffer (demuxer.h:296)
==23359==    by 0x338247: ds_fill_buffer (demuxer.c:649)
==23359==    by 0x33959F: ds_get_packet (demuxer.c:868)
==23359==    by 0x3395FA: ds_get_packet_pts (demuxer.c:884)
==23359==    by 0x288BE4: update_video (mplayer.c:1802)
==23359==    by 0x27C5E6: main (mplayer.c:3811)
==23359==
==23359== Invalid read of size 1
==23359==    at 0x5B420D: decode_frame (get_bits.h:309)
==23359==    by 0x8473AD: avcodec_decode_video2 (utils.c:2445)
==23359==    by 0x3B388C: decode (vd_ffmpeg.c:957)
==23359==    by 0x606B647: ???
==23359==  Address 0x78c5b21 is 5 bytes after a block of size 251,740 alloc'd
==23359==    at 0x4828308: malloc (vg_replace_malloc.c:263)
==23359==    by 0x3B7F76: demux_lavf_fill_buffer (demuxer.h:296)
==23359==    by 0x338247: ds_fill_buffer (demuxer.c:649)
==23359==    by 0x33959F: ds_get_packet (demuxer.c:868)
==23359==    by 0x3395FA: ds_get_packet_pts (demuxer.c:884)
==23359==    by 0x288BE4: update_video (mplayer.c:1802)
==23359==    by 0x27C5E6: main (mplayer.c:3811)
==23359==
==23359== Invalid read of size 4
==23359==    at 0x5B4C27: decode_frame (get_bits.h:265)
==23359==    by 0x4009A9: PE_LoadResource (pe_resource.c:153)
==23359==  Address 0x78c5b21 is 5 bytes after a block of size 251,740 alloc'd
==23359==    at 0x4828308: malloc (vg_replace_malloc.c:263)
==23359==    by 0x3B7F76: demux_lavf_fill_buffer (demuxer.h:296)
==23359==    by 0x338247: ds_fill_buffer (demuxer.c:649)
==23359==    by 0x33959F: ds_get_packet (demuxer.c:868)
==23359==    by 0x3395FA: ds_get_packet_pts (demuxer.c:884)
==23359==    by 0x288BE4: update_video (mplayer.c:1802)
==23359==    by 0x27C5E6: main (mplayer.c:3811)
==23359==
==23359== Invalid read of size 1
==23359==    at 0x5B4285: decode_frame (get_bits.h:309)
==23359==    by 0x8473AD: avcodec_decode_video2 (utils.c:2445)
==23359==    by 0x3B388C: decode (vd_ffmpeg.c:957)
==23359==    by 0x606B647: ???
==23359==  Address 0x78c5b22 is 6 bytes after a block of size 251,740 alloc'd
==23359==    at 0x4828308: malloc (vg_replace_malloc.c:263)
==23359==    by 0x3B7F76: demux_lavf_fill_buffer (demuxer.h:296)
==23359==    by 0x338247: ds_fill_buffer (demuxer.c:649)
==23359==    by 0x33959F: ds_get_packet (demuxer.c:868)
==23359==    by 0x3395FA: ds_get_packet_pts (demuxer.c:884)
==23359==    by 0x288BE4: update_video (mplayer.c:1802)
==23359==    by 0x27C5E6: main (mplayer.c:3811)
==23359==
==23359== Invalid read of size 4
==23359==    at 0x5B4BE8: decode_frame (get_bits.h:265)
==23359==    by 0xA800AAA9: ???
==23359==  Address 0x78c5b23 is 7 bytes after a block of size 251,740 alloc'd
==23359==    at 0x4828308: malloc (vg_replace_malloc.c:263)
==23359==    by 0x3B7F76: demux_lavf_fill_buffer (demuxer.h:296)
==23359==    by 0x338247: ds_fill_buffer (demuxer.c:649)
==23359==    by 0x33959F: ds_get_packet (demuxer.c:868)
==23359==    by 0x3395FA: ds_get_packet_pts (demuxer.c:884)
==23359==    by 0x288BE4: update_video (mplayer.c:1802)
==23359==    by 0x27C5E6: main (mplayer.c:3811)
==23359==
==23359== Invalid read of size 4
==23359==    at 0x5B4C27: decode_frame (get_bits.h:265)
==23359==    by 0x9AA1F: ???
==23359==  Address 0x78c5b45 is not stack'd, malloc'd or (recently) free'd
==23359==
==23359== Invalid read of size 4
==23359==    at 0x5B4BE8: decode_frame (get_bits.h:265)
==23359==    by 0xA8AAAA54: ???
==23359==  Address 0x78c5b46 is not stack'd, malloc'd or (recently) free'd
==23359==
==23359== Invalid read of size 4
==23359==    at 0x5B4C27: decode_frame (get_bits.h:265)
==23359==    by 0xAA1FFF: silk_lsf2lpc (common.h:187)
==23359==  Address 0x78c5b59 is not stack'd, malloc'd or (recently) free'd
==23359==
==23359== Invalid read of size 4
==23359==    at 0x5B4BE8: decode_frame (get_bits.h:265)
==23359==    by 0xA8AA54FF: ???
==23359==  Address 0x78c5b5a is not stack'd, malloc'd or (recently) free'd
==23359==
==23359== Invalid read of size 4
==23359==    at 0x5B4C27: decode_frame (get_bits.h:265)
==23359==    by 0x1FFFFF: ??? (in /media/sdb1/mplayer/mplayer)
==23359==  Address 0x78c5b6d is not stack'd, malloc'd or (recently) free'd
==23359==
==23359== Invalid read of size 4
==23359==    at 0x5B4BE8: decode_frame (get_bits.h:265)
==23359==    by 0xA854FFFF: ???
==23359==  Address 0x78c5b6e is not stack'd, malloc'd or (recently) free'd
==23359==
==23359== Invalid read of size 4
==23359==    at 0x5B4C27: decode_frame (get_bits.h:265)
==23359==  Address 0x78c5b82 is not stack'd, malloc'd or (recently) free'd
==23359==
==23359== Invalid read of size 4
==23359==    at 0x5B4BE8: decode_frame (get_bits.h:265)
==23359==    by 0xA7FFFFFF: ???
==23359==  Address 0x78c5b83 is not stack'd, malloc'd or (recently) free'd
==23359==
Unexpected decoder output format Planar YVU9
[dxtory @ 0xe4c360]Slice sizes mismatch: got 268451836 instead of 16380
[dxtory @ 0xe4c360]Slice sizes mismatch: got 8189 instead of 16381
[dxtory @ 0xe4c360]invalid slice size 4203536 (only 18464 bytes left)
Error while decoding frame!
V: 0.0 0/ 0 ??% ??% ??,?% 0 0

Exiting... (End of file)
==23359==
==23359== HEAP SUMMARY:
==23359==     in use at exit: 165,755 bytes in 504 blocks
==23359==   total heap usage: 5,665 allocs, 5,161 frees, 13,736,340 bytes allocated
==23359==
==23359== 6 bytes in 1 blocks are definitely lost in loss record 12 of 449
==23359==    at 0x4828308: malloc (vg_replace_malloc.c:263)
==23359==    by 0x4F6987F: strdup (strdup.c:43)
==23359==    by 0x39559B: get_term_charset (getch2.c:317)
==23359==    by 0x4F08E15: (below main) (libc-start.c:244)
==23359==
==23359== 20 bytes in 1 blocks are possibly lost in loss record 133 of 449
==23359==    at 0x4827E54: operator new(unsigned int) (vg_replace_malloc.c:282)
==23359==    by 0x52F72C4: std::string::_Rep::_S_create(unsigned int, unsigned int, std::allocator<char> const&) (in /usr/lib/i386-linux-gnu/libstdc++.so.6.0.17)
==23359==    by 0x52F9569: char* std::string::_S_construct<char const*>(char const*, char const*, std::allocator<char> const&, std::forward_iterator_tag) (in /usr/lib/i386-linux-gnu/libstdc++.so.6.0.17)
==23359==    by 0x52F9641: std::basic_string<char, std::char_traits<char>, std::allocator<char> >::basic_string(char const*, unsigned int, std::allocator<char> const&) (in /usr/lib/i386-linux-gnu/libstdc++.so.6.0.17)
==23359==    by 0x6C73D74: llvm::Module::Module(llvm::StringRef, llvm::LLVMContext&) (in /usr/lib/i386-linux-gnu/dri/swrast_dri.so)
==23359==    by 0x6C123C1: LLVMModuleCreateWithNameInContext (in /usr/lib/i386-linux-gnu/dri/swrast_dri.so)
==23359==    by 0x6643818: ??? (in /usr/lib/i386-linux-gnu/dri/swrast_dri.so)
==23359==    by 0x6643A22: ??? (in /usr/lib/i386-linux-gnu/dri/swrast_dri.so)
==23359==    by 0x63DE5BC: ??? (in /usr/lib/i386-linux-gnu/dri/swrast_dri.so)
==23359==    by 0x63F888F: ??? (in /usr/lib/i386-linux-gnu/dri/swrast_dri.so)
==23359==    by 0x639A8D9: ??? (in /usr/lib/i386-linux-gnu/dri/swrast_dri.so)
==23359==    by 0x6396FF2: ??? (in /usr/lib/i386-linux-gnu/dri/swrast_dri.so)
==23359==
==23359== 22 bytes in 1 blocks are definitely lost in loss record 142 of 449
==23359==    at 0x4828308: malloc (vg_replace_malloc.c:263)
==23359==    by 0x4F6987F: strdup (strdup.c:43)
==23359==    by 0x2DC5B5: copy_str (m_option.c:419)
==23359==    by 0x2D97EF: m_config_add_option (m_option.h:518)
==23359==    by 0x2DA200: m_config_register_options (m_config.c:380)
==23359==    by 0x4F08E15: (below main) (libc-start.c:244)
==23359==
==23359== 30 bytes in 1 blocks are possibly lost in loss record 195 of 449
==23359==    at 0x4827E54: operator new(unsigned int) (vg_replace_malloc.c:282)
==23359==    by 0x52F72C4: std::string::_Rep::_S_create(unsigned int, unsigned int, std::allocator<char> const&) (in /usr/lib/i386-linux-gnu/libstdc++.so.6.0.17)
==23359==    by 0x52F9569: char* std::string::_S_construct<char const*>(char const*, char const*, std::allocator<char> const&, std::forward_iterator_tag) (in /usr/lib/i386-linux-gnu/libstdc++.so.6.0.17)
==23359==    by 0x52F9641: std::basic_string<char, std::char_traits<char>, std::allocator<char> >::basic_string(char const*, unsigned int, std::allocator<char> const&) (in /usr/lib/i386-linux-gnu/libstdc++.so.6.0.17)
==23359==    by 0x6D43AD9: llvm::Twine::str() const (in /usr/lib/i386-linux-gnu/dri/swrast_dri.so)
==23359==    by 0x6D42091: llvm::Triple::setTriple(llvm::Twine const&) (in /usr/lib/i386-linux-gnu/dri/swrast_dri.so)
==23359==    by 0x668A350: llvm::JIT::selectTarget(llvm::Module*, llvm::StringRef, llvm::StringRef, llvm::SmallVectorImpl<std::string> const&, std::string*) (in /usr/lib/i386-linux-gnu/dri/swrast_dri.so)
==23359==    by 0x667A872: llvm::JIT::createJIT(llvm::Module*, std::string*, llvm::JITMemoryManager*, llvm::CodeGenOpt::Level, bool, llvm::CodeModel::Model, llvm::StringRef, llvm::StringRef, llvm::SmallVectorImpl<std::string> const&) (in /usr/lib/i386-linux-gnu/dri/swrast_dri.so)
==23359==    by 0x66906CA: llvm::EngineBuilder::create() (in /usr/lib/i386-linux-gnu/dri/swrast_dri.so)
==23359==    by 0x669BE3D: LLVMCreateJITCompilerForModule (in /usr/lib/i386-linux-gnu/dri/swrast_dri.so)
==23359==    by 0x669C032: LLVMCreateJITCompiler (in /usr/lib/i386-linux-gnu/dri/swrast_dri.so)
==23359==    by 0x6643959: ??? (in /usr/lib/i386-linux-gnu/dri/swrast_dri.so)
==23359==
==23359== 30 bytes in 1 blocks are possibly lost in loss record 196 of 449
==23359==    at 0x4827E54: operator new(unsigned int) (vg_replace_malloc.c:282)
==23359==    by 0x52F72C4: std::string::_Rep::_S_create(unsigned int, unsigned int, std::allocator<char> const&) (in /usr/lib/i386-linux-gnu/libstdc++.so.6.0.17)
==23359==    by 0x52F9569: char* std::string::_S_construct<char const*>(char const*, char const*, std::allocator<char> const&, std::forward_iterator_tag) (in /usr/lib/i386-linux-gnu/libstdc++.so.6.0.17)
==23359==    by 0x52F9641: std::basic_string<char, std::char_traits<char>, std::allocator<char> >::basic_string(char const*, unsigned int, std::allocator<char> const&) (in /usr/lib/i386-linux-gnu/libstdc++.so.6.0.17)
==23359==    by 0x2F748AFF: ???
==23359==
==23359== 112 bytes in 1 blocks are definitely lost in loss record 303 of 449
==23359==    at 0x4826A68: calloc (vg_replace_malloc.c:566)
==23359==    by 0x4E858B5: ??? (in /usr/lib/i386-linux-gnu/libGL.so.1.2)
==23359==
==23359== 400 bytes in 1 blocks are definitely lost in loss record 349 of 449
==23359==    at 0x4828308: malloc (vg_replace_malloc.c:263)
==23359==    by 0x4BDDE90: XGetVisualInfo (in /usr/lib/i386-linux-gnu/libX11.so.6.3.0)
==23359==    by 0x4E61AF4: ??? (in /usr/lib/i386-linux-gnu/libGL.so.1.2)
==23359==
==23359== LEAK SUMMARY:
==23359==    definitely lost: 540 bytes in 4 blocks
==23359==    indirectly lost: 0 bytes in 0 blocks
==23359==      possibly lost: 80 bytes in 3 blocks
==23359==    still reachable: 165,135 bytes in 497 blocks
==23359==         suppressed: 0 bytes in 0 blocks
==23359== Reachable blocks (those to which a pointer was found) are not shown.
==23359== To see them, rerun with: --leak-check=full --show-reachable=yes
==23359==
==23359== For counts of detected and suppressed errors, rerun with: -v
==23359== ERROR SUMMARY: 463 errors from
```
Attachments (2)
Change History (3)
by , 9 years ago
Attachment: dxtory_fuzz.avi added
by , 9 years ago
Attachment: MTS2_fuzz.wmv added
comment:1 by , 9 years ago
I am not sure the MTS2 should be considered a bug.
The mts2 decoder in FFmpeg does not check for bitstream read overflows and does not force the safe reader, and we do not set CONFIG_SAFE_BITSTREAM_READER.
Thus overreads from get_bits/get_vlc functions are expected.
Same applies to the dxtory decoder.
You might want to change CONFIG_SAFE_BITSTREAM_READER to 1 in configure for these kinds of tests (or submit a patch to make it an option).
I can confirm that setting it to 1 avoids the invalid reads.
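As an added illustration of the point made in this comment (not FFmpeg's get_bits.h, and not a patch for this ticket): a minimal get_bits-style reader carrying the bounds test a safe bitstream reader performs, driven over a constructed toy slice format whose samples are variable-length, so a decoder-level check like dxtory's "invalid slice size (only N bytes left)" cannot bound the reads inside the slice and only the reader can. The BitReader type, the slice layout and the sample bytes are all assumptions made up here.

```c
#include <stddef.h>
#include <stdint.h>

/* Minimal MSB-first bit reader in the shape of a get_bits()-style reader.
 * Added illustration only; it is not FFmpeg's get_bits.h. */
typedef struct {
    const uint8_t *buf;
    size_t size_bits;   /* length of buf in bits */
    size_t index;       /* current read position in bits */
    int    overread;    /* set once a read would have passed size_bits */
} BitReader;

static void br_init(BitReader *br, const uint8_t *buf, size_t size_bytes)
{
    *br = (BitReader){ buf, size_bytes * 8, 0, 0 };
}

/* Read n (1..25) bits. Without the bounds test an unchecked reader indexes
 * buf[index >> 3] beyond the allocation, which is the "Invalid read" in
 * decode_frame that valgrind reports above; with it the read is refused
 * and flagged instead, so the decoder can fail the frame cleanly. */
static uint32_t br_get_bits(BitReader *br, unsigned n)
{
    uint32_t v = 0;
    if (br->index + n > br->size_bits) {   /* the check a safe reader adds */
        br->overread = 1;
        br->index = br->size_bits;
        return 0;
    }
    for (unsigned i = 0; i < n; i++, br->index++)
        v = (v << 1) | ((br->buf[br->index >> 3] >> (7 - (br->index & 7))) & 1);
    return v;
}

/* Toy slice (constructed format): an 8-bit sample count, then per sample a
 * 1-bit flag and, if the flag is set, an 8-bit literal. The count says
 * nothing about how many bytes the samples occupy, so a byte-length check on
 * the slice cannot stop the reads from running off the end of buf.
 * Returns the sum of the literals, or -1 if any read hit the end of buf. */
static int read_slice(const uint8_t *buf, size_t len)
{
    BitReader br;
    uint32_t count, sum = 0;
    br_init(&br, buf, len);
    count = br_get_bits(&br, 8);
    for (uint32_t i = 0; i < count && !br.overread; i++)
        if (br_get_bits(&br, 1))
            sum += br_get_bits(&br, 8);
    return br.overread ? -1 : (int)sum;
}
```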