Opened 9 years ago

Closed 9 years ago

#2264 closed defect (invalid)

mss2: crash with fuzzed file

Reported by: ami_stuff
Owned by: beastd
Priority: normal
Component: undetermined
Version: unspecified
Severity: blocker
Keywords:
Cc:
Blocked By:
Blocking:
Reproduced by developer: yes
Analyzed by developer: no

Description

http://www.datafilehost.com/d/0d549d0f

knoppix@Microknoppix:/media/sdb1$ valgrind --leak-check=full mplayer/mplayer mss2_fuzz.wmv
==5906== Memcheck, a memory error detector
==5906== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==5906== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==5906== Command: mplayer/mplayer mss2_fuzz.wmv
==5906== 
--5906-- WARNING: Serious error when reading debug info
--5906-- When reading debug info from /usr/lib/i386-linux-gnu/libGL.so.1.2:
--5906-- Can't make sense of .got section mapping
--5906-- WARNING: Serious error when reading debug info
--5906-- When reading debug info from /usr/lib/i386-linux-gnu/libglapi.so.0.0.0:
--5906-- Can't make sense of .got section mapping
MPlayer 1.2-4.7 (C) 2000-2015 MPlayer Team

Playing mss2_fuzz.wmv.
libavformat version 56.40.101 (internal)
ASF file format detected.
[asfheader] Video stream found, -vid 2
VIDEO:  [MSS2]  320x240  24bpp  1000.000 fps  3145.7 kbps (384.0 kbyte/s)
Load subtitles in ./
==========================================================================
Opening video decoder: [ffmpeg] FFmpeg's libavcodec codec family
libavcodec version 56.60.100 (internal)
Selected video codec: [ffmss2] vfm: ffmpeg (FFmpeg MS Screen 2)
==========================================================================
Audio: no sound
Starting playback...
Could not find matching colorspace - retrying with -vf scale...
Opening video filter: [scale]
Movie-Aspect is undefined - no prescaling applied.
[swscaler @ 0xf65580]bicubic scaler, from rgb24 to bgra using MMXEXT
[swscaler @ 0xf65580]using unscaled rgb24 -> bgra special converter
VO: [x11] 320x240 => 320x240 BGRA 
Movie-Aspect is undefined - no prescaling applied.
VO: [x11] 320x240 => 320x240 BGRA 
New_Face failed. Maybe the font path is wrong.
Please supply the text font file (~/.mplayer/subfont.ttf).
subtitle font: load_sub_face failed.
New_Face failed. Maybe the font path is wrong.
Please supply the text font file (~/.mplayer/subfont.ttf).
subtitle font: load_sub_face failed.
V:   3.0   2/  2 ??% ??% ??,?% 0 0 
Error while decoding frame!
V:   3.1   3/  3 ??% ??% ??,?% 0 0 
Error while decoding frame!
V:   3.1   4/  4 ??% ??% ??,?% 0 0 
Error while decoding frame!
V:   3.2   5/  5 ??% ??% ??,?% 0 0 
Error while decoding frame!
V:   3.2   6/  6 ??% ??% ??,?% 0 0 
Error while decoding frame!
V:   3.2   7/  7 ??% ??% ??,?% 0 0 
Error while decoding frame!
V:   3.3   8/  8 ??% ??% ??,?% 0 0 
Error while decoding frame!
V:   3.3   9/  9 ??% ??% ??,?% 0 0 
Error while decoding frame!
V:   3.4  10/ 10 ??% ??% ??,?% 0 0 
Error while decoding frame!
V:   3.4  11/ 11 ??% ??% ??,?% 0 0 
Error while decoding frame!
V:   3.4  12/ 12 ??% ??% ??,?% 0 0 
Error while decoding frame!
V:   3.5  13/ 13 ??% ??% ??,?% 0 0 
Error while decoding frame!
V:   3.5  14/ 14 1219% 367%  0.0% 0 0 
Error while decoding frame!
V:   3.6  15/ 15 1137% 341%  0.0% 0 0 
Error while decoding frame!
V:   3.6  16/ 16 1062% 318%  0.0% 0 0 
Error while decoding frame!
V:   3.6  17/ 17 996% 298%  0.0% 0 0 
Error while decoding frame!
V:   3.7  18/ 18 937% 280%  0.0% 0 0 
Error while decoding frame!
V:   3.7  19/ 19 885% 265%  0.0% 0 0 
Error while decoding frame!
V:   3.8  20/ 20 839% 251%  0.0% 0 0 
Error while decoding frame!
V:   3.8  21/ 21 797% 238%  0.0% 0 0 
Error while decoding frame!
V:   3.8  22/ 22 759% 227%  0.0% 0 0 
Error while decoding frame!
V:   3.9  23/ 23 724% 217%  0.0% 0 0 
Error while decoding frame!
V:   3.9  24/ 24 693% 207%  0.0% 0 0 
Error while decoding frame!
V:   4.0  25/ 25 664% 198%  0.0% 0 0 
Error while decoding frame!
V:   4.0  26/ 26 637% 190%  0.0% 0 0 
Error while decoding frame!
V:   4.0  27/ 27 613% 183%  0.0% 0 0 
Error while decoding frame!
V:   4.1  28/ 28 590% 176%  0.0% 0 0 
Error while decoding frame!
V:   4.1  29/ 29 569% 170%  0.0% 0 0 
Error while decoding frame!
V:   4.2  30/ 30 549% 164%  0.0% 0 0 
Error while decoding frame!
V:   4.2  31/ 31 531% 159%  0.0% 0 0 
Error while decoding frame!
V:   4.2  32/ 32 514% 154%  0.0% 0 0 
Error while decoding frame!
V:   4.3  33/ 33 498% 149%  0.0% 0 0 
Error while decoding frame!
V:   4.3  34/ 34 483% 144%  0.0% 0 0 
Error while decoding frame!
V:   4.4  35/ 35 469% 140%  0.0% 0 0 
Error while decoding frame!
V:   4.4  36/ 36 455% 136%  0.0% 0 0 
Error while decoding frame!
V:   4.4  37/ 37 443% 132%  0.0% 0 0 
Error while decoding frame!
V:   4.5  38/ 38 431% 129%  0.0% 0 0 
Error while decoding frame!
V:   4.5  39/ 39 419% 125%  0.0% 0 0 
Error while decoding frame!
V:   4.6  40/ 40 409% 122%  0.0% 0 0 
Error while decoding frame!
V:   4.6  41/ 41 399% 119%  0.0% 0 0 
Error while decoding frame!
V:   4.6  42/ 42 399% 116%  0.0% 0 0 
Error while decoding frame!
V:   4.7  43/ 43 390% 113%  0.0% 0 0 
Error while decoding frame!
V:   4.7  44/ 44 381% 111%  0.0% 0 0 
Error while decoding frame!
V:   4.8  45/ 45 372% 108%  0.0% 0 0 
Error while decoding frame!
V:   4.8  46/ 46 364% 106%  0.0% 0 0 
Error while decoding frame!
V:   4.8  47/ 47 356% 103%  0.0% 0 0 
Error while decoding frame!
V:   4.9  48/ 48 348% 101%  0.0% 0 0 
Error while decoding frame!
V:   4.9  49/ 49 343% 99%  0.0% 0 0 
Error while decoding frame!
V:   5.0  50/ 50 336% 97%  0.0% 0 0 
Error while decoding frame!
V:   5.0  51/ 51 329% 95%  0.0% 0 0 
Error while decoding frame!
V:   5.0  52/ 52 323% 93%  0.0% 0 0 
Error while decoding frame!
V:   5.1  53/ 53 317% 91%  0.0% 0 0 
Error while decoding frame!
V:   5.1  54/ 54 311% 90%  0.0% 0 0 
Error while decoding frame!
V:   5.2  55/ 55 305% 88%  0.0% 0 0 
Error while decoding frame!
V:   5.2  56/ 56 300% 86%  0.0% 0 0 
Error while decoding frame!
V:   5.2  57/ 57 294% 85%  0.0% 0 0 
Error while decoding frame!
V:   5.3  58/ 58 289% 83%  0.0% 0 0 
Error while decoding frame!
V:   5.3  59/ 59 284% 82%  0.0% 0 0 
Error while decoding frame!
V:   5.4  60/ 60 280% 80%  0.0% 0 0 
Error while decoding frame!
V:   5.4  61/ 61 275% 79%  0.0% 0 0 
Error while decoding frame!
V:   5.4  62/ 62 271% 78%  0.0% 0 0 
Error while decoding frame!
V:   5.5  63/ 63 266% 77%  0.0% 0 0 
Error while decoding frame!
V:   5.5  64/ 64 262% 75%  0.0% 0 0 
Error while decoding frame!
V:   5.6  65/ 65 258% 74%  0.0% 0 0 
Error while decoding frame!
V:   5.6  66/ 66 254% 73%  0.0% 0 0 
Error while decoding frame!
V:   5.6  67/ 67 250% 72%  0.0% 0 0 
Error while decoding frame!
V:   5.7  68/ 68 246% 71%  0.0% 0 0 
Error while decoding frame!
V:   5.7  69/ 69 243% 70%  0.0% 0 0 
Error while decoding frame!
V:   5.8  70/ 70 239% 69%  0.0% 0 0 
Error while decoding frame!
V:   5.8  71/ 71 236% 68%  0.0% 0 0 
Error while decoding frame!
V:   5.8  72/ 72 233% 67%  0.0% 0 0 
Error while decoding frame!
V:   5.9  73/ 73 229% 66%  0.0% 0 0 
Error while decoding frame!
V:   5.9  74/ 74 226% 65%  0.0% 0 0 
Error while decoding frame!
==5906== Invalid write of size 20 0 
==5906==    at 0x856AF0: vc1_decode_i_blocks (vc1_block.c:2544)
==5906==    by 0x861A6B: ff_vc1_decode_blocks (vc1_block.c:2945)
==5906==    by 0x79327A: mss2_decode_frame (mss2.c:418)
==5906==    by 0x8473AD: avcodec_decode_video2 (utils.c:2445)
==5906==    by 0x3B388C: decode (vd_ffmpeg.c:957)
==5906==    by 0x5ADEF47: ???
==5906==  Address 0x7ad4678 is 0 bytes after a block of size 2,312 alloc'd
==5906==    at 0x48268A4: memalign (vg_replace_malloc.c:694)
==5906==    by 0x482695E: posix_memalign (vg_replace_malloc.c:835)
==5906==    by 0xB846C7: av_malloc (mem.c:97)
==5906==    by 0xB79767: av_buffer_alloc (buffer.c:71)
==5906==    by 0xB797D6: av_buffer_allocz (buffer.c:84)
==5906==    by 0x766827: ff_alloc_picture (mpegpicture.c:211)
==5906==    by 0x7684A2: alloc_picture.constprop.5 (mpegvideo.c:341)
==5906==    by 0x76C6A1: ff_mpv_frame_start (mpegvideo.c:1240)
==5906==    by 0x793219: mss2_decode_frame (mss2.c:401)
==5906==    by 0x8473AD: avcodec_decode_video2 (utils.c:2445)
==5906==    by 0x3B388C: decode (vd_ffmpeg.c:957)
==5906==    by 0x5ADEF47: ???
==5906== 
==5906== Invalid write of size 2
==5906==    at 0x856AF5: vc1_decode_i_blocks (vc1_block.c:2545)
==5906==    by 0x861A6B: ff_vc1_decode_blocks (vc1_block.c:2945)
==5906==    by 0x79327A: mss2_decode_frame (mss2.c:418)
==5906==    by 0x8473AD: avcodec_decode_video2 (utils.c:2445)
==5906==    by 0x3B388C: decode (vd_ffmpeg.c:957)
==5906==    by 0x5ADEF47: ???
==5906==  Address 0x7ad467a is 2 bytes after a block of size 2,312 alloc'd
==5906==    at 0x48268A4: memalign (vg_replace_malloc.c:694)
==5906==    by 0x482695E: posix_memalign (vg_replace_malloc.c:835)
==5906==    by 0xB846C7: av_malloc (mem.c:97)
==5906==    by 0xB79767: av_buffer_alloc (buffer.c:71)
==5906==    by 0xB797D6: av_buffer_allocz (buffer.c:84)
==5906==    by 0x766827: ff_alloc_picture (mpegpicture.c:211)
==5906==    by 0x7684A2: alloc_picture.constprop.5 (mpegvideo.c:341)
==5906==    by 0x76C6A1: ff_mpv_frame_start (mpegvideo.c:1240)
==5906==    by 0x793219: mss2_decode_frame (mss2.c:401)
==5906==    by 0x8473AD: avcodec_decode_video2 (utils.c:2445)
==5906==    by 0x3B388C: decode (vd_ffmpeg.c:957)
==5906==    by 0x5ADEF47: ???
==5906== 
==5906== Invalid write of size 4
==5906==    at 0x856AC4: vc1_decode_i_blocks (vc1_block.c:2542)
==5906==    by 0x861A6B: ff_vc1_decode_blocks (vc1_block.c:2945)
==5906==    by 0x79327A: mss2_decode_frame (mss2.c:418)
==5906==    by 0x8473AD: avcodec_decode_video2 (utils.c:2445)
==5906==    by 0x3B388C: decode (vd_ffmpeg.c:957)
==5906==    by 0x5ADEF47: ???
==5906==  Address 0x7ad2da8 is 0 bytes after a block of size 760 alloc'd
==5906==    at 0x48268A4: memalign (vg_replace_malloc.c:694)
==5906==    by 0x482695E: posix_memalign (vg_replace_malloc.c:835)
==5906==    by 0xB846C7: av_malloc (mem.c:97)
==5906==    by 0xB79767: av_buffer_alloc (buffer.c:71)
==5906==    by 0xB797D6: av_buffer_allocz (buffer.c:84)
==5906==    by 0x76679B: ff_alloc_picture (mpegpicture.c:192)
==5906==    by 0x7684A2: alloc_picture.constprop.5 (mpegvideo.c:341)
==5906==    by 0x76C6A1: ff_mpv_frame_start (mpegvideo.c:1240)
==5906==    by 0x793219: mss2_decode_frame (mss2.c:401)
==5906==    by 0x8473AD: avcodec_decode_video2 (utils.c:2445)
==5906==    by 0x3B388C: decode (vd_ffmpeg.c:957)
==5906==    by 0x5ADEF47: ???
==5906== 
==5906== Invalid write of size 1
==5906==    at 0x856AD2: vc1_decode_i_blocks (vc1_block.c:2543)
==5906==    by 0x861A6B: ff_vc1_decode_blocks (vc1_block.c:2945)
==5906==    by 0x79327A: mss2_decode_frame (mss2.c:418)
==5906==    by 0x8473AD: avcodec_decode_video2 (utils.c:2445)
==5906==    by 0x3B388C: decode (vd_ffmpeg.c:957)
==5906==    by 0x5ADEF47: ???
==5906==  Address 0x7ad293e is 0 bytes after a block of size 190 alloc'd
==5906==    at 0x48268A4: memalign (vg_replace_malloc.c:694)
==5906==    by 0x482695E: posix_memalign (vg_replace_malloc.c:835)
==5906==    by 0xB846C7: av_malloc (mem.c:97)
==5906==    by 0xB79767: av_buffer_alloc (buffer.c:71)
==5906==    by 0xB797D6: av_buffer_allocz (buffer.c:84)
==5906==    by 0x766790: ff_alloc_picture (mpegpicture.c:191)
==5906==    by 0x7684A2: alloc_picture.constprop.5 (mpegvideo.c:341)
==5906==    by 0x76C6A1: ff_mpv_frame_start (mpegvideo.c:1240)
==5906==    by 0x793219: mss2_decode_frame (mss2.c:401)
==5906==    by 0x8473AD: avcodec_decode_video2 (utils.c:2445)
==5906==    by 0x3B388C: decode (vd_ffmpeg.c:957)
==5906==    by 0x5ADEF47: ???
==5906== 
==5906== Invalid read of size 1
==5906==    at 0x856B9B: vc1_decode_i_blocks (vc1_block.c:467)
==5906==    by 0x861A6B: ff_vc1_decode_blocks (vc1_block.c:2945)
==5906==    by 0x79327A: mss2_decode_frame (mss2.c:418)
==5906==    by 0x8473AD: avcodec_decode_video2 (utils.c:2445)
==5906==    by 0x3B388C: decode (vd_ffmpeg.c:957)
==5906==    by 0x5ADEF47: ???
==5906==  Address 0x60bc909 is 0 bytes after a block of size 697 alloc'd
==5906==    at 0x48268A4: memalign (vg_replace_malloc.c:694)
==5906==    by 0x482695E: posix_memalign (vg_replace_malloc.c:835)
==5906==    by 0xB846C7: av_malloc (mem.c:97)
==5906==    by 0xB848F6: av_mallocz (mem.c:254)
==5906==    by 0x767C9F: init_context_frame (mpegvideo.c:756)
==5906==    by 0x23914B: ff_mpv_common_init (mpegvideo.c:934)
==5906==    by 0x229E03: ff_h263_decode_init (h263dec.c:138)
==5906==    by 0x23AE23: ff_msmpeg4_decode_init (msmpeg4dec.c:298)
==5906==    by 0x23C55F: mss2_decode_init (mss2.c:788)
==5906==    by 0x84B75F: avcodec_open2 (utils.c:1665)
==5906==    by 0x3B4A4F: init (vd_ffmpeg.c:499)
==5906==    by 0x13F: ???
==5906== 
==5906== Invalid write of size 1
==5906==    at 0x856BC9: vc1_decode_i_blocks (vc1_block.c:2557)
==5906==    by 0x861A6B: ff_vc1_decode_blocks (vc1_block.c:2945)
==5906==    by 0x79327A: mss2_decode_frame (mss2.c:418)
==5906==    by 0x8473AD: avcodec_decode_video2 (utils.c:2445)
==5906==    by 0x3B388C: decode (vd_ffmpeg.c:957)
==5906==    by 0x5ADEF47: ???
==5906==  Address 0x60bc90a is 1 bytes after a block of size 697 alloc'd
==5906==    at 0x48268A4: memalign (vg_replace_malloc.c:694)
==5906==    by 0x482695E: posix_memalign (vg_replace_malloc.c:835)
==5906==    by 0xB846C7: av_malloc (mem.c:97)
==5906==    by 0xB848F6: av_mallocz (mem.c:254)
==5906==    by 0x767C9F: init_context_frame (mpegvideo.c:756)
==5906==    by 0x23914B: ff_mpv_common_init (mpegvideo.c:934)
==5906==    by 0x229E03: ff_h263_decode_init (h263dec.c:138)
==5906==    by 0x23AE23: ff_msmpeg4_decode_init (msmpeg4dec.c:298)
==5906==    by 0x23C55F: mss2_decode_init (mss2.c:788)
==5906==    by 0x84B75F: avcodec_open2 (utils.c:1665)
==5906==    by 0x3B4A4F: init (vd_ffmpeg.c:499)
==5906==    by 0x13F: ???
==5906== 
==5906== Invalid read of size 1
==5906==    at 0x856BAF: vc1_decode_i_blocks (vc1_block.c:469)
==5906==    by 0x861A6B: ff_vc1_decode_blocks (vc1_block.c:2945)
==5906==    by 0x79327A: mss2_decode_frame (mss2.c:418)
==5906==    by 0x8473AD: avcodec_decode_video2 (utils.c:2445)
==5906==    by 0x3B388C: decode (vd_ffmpeg.c:957)
==5906==    by 0x5ADEF47: ???
==5906==  Address 0x60bc90a is 1 bytes after a block of size 697 alloc'd
==5906==    at 0x48268A4: memalign (vg_replace_malloc.c:694)
==5906==    by 0x482695E: posix_memalign (vg_replace_malloc.c:835)
==5906==    by 0xB846C7: av_malloc (mem.c:97)
==5906==    by 0xB848F6: av_mallocz (mem.c:254)
==5906==    by 0x767C9F: init_context_frame (mpegvideo.c:756)
==5906==    by 0x23914B: ff_mpv_common_init (mpegvideo.c:934)
==5906==    by 0x229E03: ff_h263_decode_init (h263dec.c:138)
==5906==    by 0x23AE23: ff_msmpeg4_decode_init (msmpeg4dec.c:298)
==5906==    by 0x23C55F: mss2_decode_init (mss2.c:788)
==5906==    by 0x84B75F: avcodec_open2 (utils.c:1665)
==5906==    by 0x3B4A4F: init (vd_ffmpeg.c:499)
==5906==    by 0x13F: ???
==5906== 
==5906== Invalid read of size 1
==5906==    at 0x856BB3: vc1_decode_i_blocks (vc1_block.c:468)
==5906==    by 0x861A6B: ff_vc1_decode_blocks (vc1_block.c:2945)
==5906==    by 0x79327A: mss2_decode_frame (mss2.c:418)
==5906==    by 0x8473AD: avcodec_decode_video2 (utils.c:2445)
==5906==    by 0x3B388C: decode (vd_ffmpeg.c:957)
==5906==    by 0x5ADEF47: ???
==5906==  Address 0x60bc909 is 0 bytes after a block of size 697 alloc'd
==5906==    at 0x48268A4: memalign (vg_replace_malloc.c:694)
==5906==    by 0x482695E: posix_memalign (vg_replace_malloc.c:835)
==5906==    by 0xB846C7: av_malloc (mem.c:97)
==5906==    by 0xB848F6: av_mallocz (mem.c:254)
==5906==    by 0x767C9F: init_context_frame (mpegvideo.c:756)
==5906==    by 0x23914B: ff_mpv_common_init (mpegvideo.c:934)
==5906==    by 0x229E03: ff_h263_decode_init (h263dec.c:138)
==5906==    by 0x23AE23: ff_msmpeg4_decode_init (msmpeg4dec.c:298)
==5906==    by 0x23C55F: mss2_decode_init (mss2.c:788)
==5906==    by 0x84B75F: avcodec_open2 (utils.c:1665)
==5906==    by 0x3B4A4F: init (vd_ffmpeg.c:499)
==5906==    by 0x13F: ???
==5906== 
==5906== Invalid write of size 2
==5906==    at 0x856D37: vc1_decode_i_blocks (vc1_block.c:588)
==5906==    by 0x861A6B: ff_vc1_decode_blocks (vc1_block.c:2945)
==5906==    by 0x79327A: mss2_decode_frame (mss2.c:418)
==5906==    by 0x8473AD: avcodec_decode_video2 (utils.c:2445)
==5906==    by 0x3B388C: decode (vd_ffmpeg.c:957)
==5906==    by 0x5ADEF47: ???
==5906==  Address 0x76c8fa6 is 0 bytes after a block of size 2,150 alloc'd
==5906==    at 0x48268A4: memalign (vg_replace_malloc.c:694)
==5906==    by 0x482695E: posix_memalign (vg_replace_malloc.c:835)
==5906==    by 0xB846C7: av_malloc (mem.c:97)
==5906==    by 0xB848F6: av_mallocz (mem.c:254)
==5906==    by 0x767937: init_context_frame (mpegvideo.c:767)
==5906==    by 0x23914B: ff_mpv_common_init (mpegvideo.c:934)
==5906==    by 0x229E03: ff_h263_decode_init (h263dec.c:138)
==5906==    by 0x23AE23: ff_msmpeg4_decode_init (msmpeg4dec.c:298)
==5906==    by 0x23C55F: mss2_decode_init (mss2.c:788)
==5906==    by 0x84B75F: avcodec_open2 (utils.c:1665)
==5906==    by 0x3B4A4F: init (vd_ffmpeg.c:499)
==5906==    by 0x13F: ???
==5906== 
==5906== Invalid write of size 2
==5906==    at 0x856E67: vc1_decode_i_blocks (vc1_block.c:644)
==5906==    by 0x861A6B: ff_vc1_decode_blocks (vc1_block.c:2945)
==5906==    by 0x79327A: mss2_decode_frame (mss2.c:418)
==5906==    by 0x8473AD: avcodec_decode_video2 (utils.c:2445)
==5906==    by 0x3B388C: decode (vd_ffmpeg.c:957)
==5906==    by 0x5ADEF47: ???
==5906==  Address 0x76d1882 is 2 bytes after a block of size 34,400 alloc'd
==5906==    at 0x48268A4: memalign (vg_replace_malloc.c:694)
==5906==    by 0x482695E: posix_memalign (vg_replace_malloc.c:835)
==5906==    by 0xB846C7: av_malloc (mem.c:97)
==5906==    by 0xB848F6: av_mallocz (mem.c:254)
==5906==    by 0x7675ED: init_duplicate_context (mpegvideo.c:387)
==5906==    by 0x239227: ff_mpv_common_init (mpegvideo.c:959)
==5906==    by 0x229E03: ff_h263_decode_init (h263dec.c:138)
==5906==    by 0x23AE23: ff_msmpeg4_decode_init (msmpeg4dec.c:298)
==5906==    by 0x23C55F: mss2_decode_init (mss2.c:788)
==5906==    by 0x84B75F: avcodec_open2 (utils.c:1665)
==5906==    by 0x3B4A4F: init (vd_ffmpeg.c:499)
==5906==    by 0x13F: ???
==5906== 
==5906== Invalid write of size 2
==5906==    at 0x856E76: vc1_decode_i_blocks (vc1_block.c:645)
==5906==    by 0x861A6B: ff_vc1_decode_blocks (vc1_block.c:2945)
==5906==    by 0x79327A: mss2_decode_frame (mss2.c:418)
==5906==    by 0x8473AD: avcodec_decode_video2 (utils.c:2445)
==5906==    by 0x3B388C: decode (vd_ffmpeg.c:957)
==5906==    by 0x5ADEF47: ???
==5906==  Address 0x76d1892 is not stack'd, malloc'd or (recently) free'd
==5906== 
==5906== Invalid read of size 2
==5906==    at 0x856C9B: vc1_decode_i_blocks (vc1_block.c:342)
==5906==    by 0x861A6B: ff_vc1_decode_blocks (vc1_block.c:2945)
==5906==    by 0x79327A: mss2_decode_frame (mss2.c:418)
==5906==    by 0x8473AD: avcodec_decode_video2 (utils.c:2445)
==5906==    by 0x3B388C: decode (vd_ffmpeg.c:957)
==5906==    by 0x5ADEF47: ???
==5906==  Address 0x76c8fa6 is 0 bytes after a block of size 2,150 alloc'd
==5906==    at 0x48268A4: memalign (vg_replace_malloc.c:694)
==5906==    by 0x482695E: posix_memalign (vg_replace_malloc.c:835)
==5906==    by 0xB846C7: av_malloc (mem.c:97)
==5906==    by 0xB848F6: av_mallocz (mem.c:254)
==5906==    by 0x767937: init_context_frame (mpegvideo.c:767)
==5906==    by 0x23914B: ff_mpv_common_init (mpegvideo.c:934)
==5906==    by 0x229E03: ff_h263_decode_init (h263dec.c:138)
==5906==    by 0x23AE23: ff_msmpeg4_decode_init (msmpeg4dec.c:298)
==5906==    by 0x23C55F: mss2_decode_init (mss2.c:788)
==5906==    by 0x84B75F: avcodec_open2 (utils.c:1665)
==5906==    by 0x3B4A4F: init (vd_ffmpeg.c:499)
==5906==    by 0x13F: ???
==5906== 
==5906== Invalid write of size 4
==5906==    at 0x856EF1: vc1_decode_i_blocks (vc1_block.c:659)
==5906==    by 0x861A6B: ff_vc1_decode_blocks (vc1_block.c:2945)
==5906==    by 0x79327A: mss2_decode_frame (mss2.c:418)
==5906==    by 0x8473AD: avcodec_decode_video2 (utils.c:2445)
==5906==    by 0x3B388C: decode (vd_ffmpeg.c:957)
==5906==    by 0x5ADEF47: ???
==5906==  Address 0x76d1980 is 192 bytes inside a block of size 8,496 free'd
==5906==    at 0x482750C: free (vg_replace_malloc.c:427)
==5906==    by 0x4F204B3: qsort_r (msort.c:300)
==5906==    by 0x4F205AD: qsort (msort.c:308)
==5906==    by 0x57787A: ff_init_vlc_sparse (bitstream.c:336)
==5906==    by 0x23B03E: ff_msmpeg4_decode_init (msmpeg4dec.c:315)
==5906==    by 0x23C55F: mss2_decode_init (mss2.c:788)
==5906==    by 0x84B75F: avcodec_open2 (utils.c:1665)
==5906==    by 0x3B4A4F: init (vd_ffmpeg.c:499)
==5906==    by 0x13F: ???
==5906== 
==5906== Invalid write of size 4
==5906==    at 0x856EFF: vc1_decode_i_blocks (vc1_block.c:659)
==5906==    by 0x861A6B: ff_vc1_decode_blocks (vc1_block.c:2945)
==5906==    by 0x79327A: mss2_decode_frame (mss2.c:418)
==5906==    by 0x8473AD: avcodec_decode_video2 (utils.c:2445)
==5906==    by 0x3B388C: decode (vd_ffmpeg.c:957)
==5906==    by 0x5ADEF47: ???
==5906==  Address 0x76d1988 is 200 bytes inside a block of size 8,496 free'd
==5906==    at 0x482750C: free (vg_replace_malloc.c:427)
==5906==    by 0x4F204B3: qsort_r (msort.c:300)
==5906==    by 0x4F205AD: qsort (msort.c:308)
==5906==    by 0x57787A: ff_init_vlc_sparse (bitstream.c:336)
==5906==    by 0x23B03E: ff_msmpeg4_decode_init (msmpeg4dec.c:315)
==5906==    by 0x23C55F: mss2_decode_init (mss2.c:788)
==5906==    by 0x84B75F: avcodec_open2 (utils.c:1665)
==5906==    by 0x3B4A4F: init (vd_ffmpeg.c:499)
==5906==    by 0x13F: ???
==5906== 
==5906== Invalid write of size 4
==5906==    at 0x856F43: vc1_decode_i_blocks (vc1_block.c:671)
==5906==    by 0x861A6B: ff_vc1_decode_blocks (vc1_block.c:2945)
==5906==    by 0x79327A: mss2_decode_frame (mss2.c:418)
==5906==    by 0x8473AD: avcodec_decode_video2 (utils.c:2445)
==5906==    by 0x3B388C: decode (vd_ffmpeg.c:957)
==5906==    by 0x5ADEF47: ???
==5906==  Address 0x76d1990 is 208 bytes inside a block of size 8,496 free'd
==5906==    at 0x482750C: free (vg_replace_malloc.c:427)
==5906==    by 0x4F204B3: qsort_r (msort.c:300)
==5906==    by 0x4F205AD: qsort (msort.c:308)
==5906==    by 0x57787A: ff_init_vlc_sparse (bitstream.c:336)
==5906==    by 0x23B03E: ff_msmpeg4_decode_init (msmpeg4dec.c:315)
==5906==    by 0x23C55F: mss2_decode_init (mss2.c:788)
==5906==    by 0x84B75F: avcodec_open2 (utils.c:1665)
==5906==    by 0x3B4A4F: init (vd_ffmpeg.c:499)
==5906==    by 0x13F: ???
==5906== 
==5906== Invalid write of size 4
==5906==    at 0x856F48: vc1_decode_i_blocks (vc1_block.c:671)
==5906==    by 0x861A6B: ff_vc1_decode_blocks (vc1_block.c:2945)
==5906==    by 0x79327A: mss2_decode_frame (mss2.c:418)
==5906==    by 0x8473AD: avcodec_decode_video2 (utils.c:2445)
==5906==    by 0x3B388C: decode (vd_ffmpeg.c:957)
==5906==    by 0x5ADEF47: ???
==5906==  Address 0x76d1994 is 212 bytes inside a block of size 8,496 free'd
==5906==    at 0x482750C: free (vg_replace_malloc.c:427)
==5906==    by 0x4F204B3: qsort_r (msort.c:300)
==5906==    by 0x4F205AD: qsort (msort.c:308)
==5906==    by 0x57787A: ff_init_vlc_sparse (bitstream.c:336)
==5906==    by 0x23B03E: ff_msmpeg4_decode_init (msmpeg4dec.c:315)
==5906==    by 0x23C55F: mss2_decode_init (mss2.c:788)
==5906==    by 0x84B75F: avcodec_open2 (utils.c:1665)
==5906==    by 0x3B4A4F: init (vd_ffmpeg.c:499)
==5906==    by 0x13F: ???
==5906== 
==5906== Invalid write of size 4
==5906==    at 0x856F4E: vc1_decode_i_blocks (vc1_block.c:671)
==5906==    by 0x861A6B: ff_vc1_decode_blocks (vc1_block.c:2945)
==5906==    by 0x79327A: mss2_decode_frame (mss2.c:418)
==5906==    by 0x8473AD: avcodec_decode_video2 (utils.c:2445)
==5906==    by 0x3B388C: decode (vd_ffmpeg.c:957)
==5906==    by 0x5ADEF47: ???
==5906==  Address 0x76d1998 is 216 bytes inside a block of size 8,496 free'd
==5906==    at 0x482750C: free (vg_replace_malloc.c:427)
==5906==    by 0x4F204B3: qsort_r (msort.c:300)
==5906==    by 0x4F205AD: qsort (msort.c:308)
==5906==    by 0x57787A: ff_init_vlc_sparse (bitstream.c:336)
==5906==    by 0x23B03E: ff_msmpeg4_decode_init (msmpeg4dec.c:315)
==5906==    by 0x23C55F: mss2_decode_init (mss2.c:788)
==5906==    by 0x84B75F: avcodec_open2 (utils.c:1665)
==5906==    by 0x3B4A4F: init (vd_ffmpeg.c:499)
==5906==    by 0x13F: ???
==5906== 
==5906== Invalid write of size 4
==5906==    at 0x856F54: vc1_decode_i_blocks (vc1_block.c:671)
==5906==    by 0x861A6B: ff_vc1_decode_blocks (vc1_block.c:2945)
==5906==    by 0x79327A: mss2_decode_frame (mss2.c:418)
==5906==    by 0x8473AD: avcodec_decode_video2 (utils.c:2445)
==5906==    by 0x3B388C: decode (vd_ffmpeg.c:957)
==5906==    by 0x5ADEF47: ???
==5906==  Address 0x76d199c is 220 bytes inside a block of size 8,496 free'd
==5906==    at 0x482750C: free (vg_replace_malloc.c:427)
==5906==    by 0x4F204B3: qsort_r (msort.c:300)
==5906==    by 0x4F205AD: qsort (msort.c:308)
==5906==    by 0x57787A: ff_init_vlc_sparse (bitstream.c:336)
==5906==    by 0x23B03E: ff_msmpeg4_decode_init (msmpeg4dec.c:315)
==5906==    by 0x23C55F: mss2_decode_init (mss2.c:788)
==5906==    by 0x84B75F: avcodec_open2 (utils.c:1665)
==5906==    by 0x3B4A4F: init (vd_ffmpeg.c:499)
==5906==    by 0x13F: ???
==5906== 
==5906== Invalid read of size 4
==5906==    at 0x856F41: vc1_decode_i_blocks (vc1_block.c:671)
==5906==    by 0x861A6B: ff_vc1_decode_blocks (vc1_block.c:2945)
==5906==    by 0x79327A: mss2_decode_frame (mss2.c:418)
==5906==    by 0x8473AD: avcodec_decode_video2 (utils.c:2445)
==5906==    by 0x3B388C: decode (vd_ffmpeg.c:957)
==5906==    by 0x5ADEF47: ???
==5906==  Address 0x76d19e0 is 288 bytes inside a block of size 8,496 free'd
==5906==    at 0x482750C: free (vg_replace_malloc.c:427)
==5906==    by 0x4F204B3: qsort_r (msort.c:300)
==5906==    by 0x4F205AD: qsort (msort.c:308)
==5906==    by 0x57787A: ff_init_vlc_sparse (bitstream.c:336)
==5906==    by 0x23B03E: ff_msmpeg4_decode_init (msmpeg4dec.c:315)
==5906==    by 0x23C55F: mss2_decode_init (mss2.c:788)
==5906==    by 0x84B75F: avcodec_open2 (utils.c:1665)
==5906==    by 0x3B4A4F: init (vd_ffmpeg.c:499)
==5906==    by 0x13F: ???
==5906== 
==5906== Invalid read of size 4
==5906==    at 0x856F45: vc1_decode_i_blocks (vc1_block.c:671)
==5906==    by 0x861A6B: ff_vc1_decode_blocks (vc1_block.c:2945)
==5906==    by 0x79327A: mss2_decode_frame (mss2.c:418)
==5906==    by 0x8473AD: avcodec_decode_video2 (utils.c:2445)
==5906==    by 0x3B388C: decode (vd_ffmpeg.c:957)
==5906==    by 0x5ADEF47: ???
==5906==  Address 0x76d19e4 is 292 bytes inside a block of size 8,496 free'd
==5906==    at 0x482750C: free (vg_replace_malloc.c:427)
==5906==    by 0x4F204B3: qsort_r (msort.c:300)
==5906==    by 0x4F205AD: qsort (msort.c:308)
==5906==    by 0x57787A: ff_init_vlc_sparse (bitstream.c:336)
==5906==    by 0x23B03E: ff_msmpeg4_decode_init (msmpeg4dec.c:315)
==5906==    by 0x23C55F: mss2_decode_init (mss2.c:788)
==5906==    by 0x84B75F: avcodec_open2 (utils.c:1665)
==5906==    by 0x3B4A4F: init (vd_ffmpeg.c:499)
==5906==    by 0x13F: ???
==5906== 
==5906== Invalid read of size 4
==5906==    at 0x856F4B: vc1_decode_i_blocks (vc1_block.c:671)
==5906==    by 0x861A6B: ff_vc1_decode_blocks (vc1_block.c:2945)
==5906==    by 0x79327A: mss2_decode_frame (mss2.c:418)
==5906==    by 0x8473AD: avcodec_decode_video2 (utils.c:2445)
==5906==    by 0x3B388C: decode (vd_ffmpeg.c:957)
==5906==    by 0x5ADEF47: ???
==5906==  Address 0x76d19e8 is 296 bytes inside a block of size 8,496 free'd
==5906==    at 0x482750C: free (vg_replace_malloc.c:427)
==5906==    by 0x4F204B3: qsort_r (msort.c:300)
==5906==    by 0x4F205AD: qsort (msort.c:308)
==5906==    by 0x57787A: ff_init_vlc_sparse (bitstream.c:336)
==5906==    by 0x23B03E: ff_msmpeg4_decode_init (msmpeg4dec.c:315)
==5906==    by 0x23C55F: mss2_decode_init (mss2.c:788)
==5906==    by 0x84B75F: avcodec_open2 (utils.c:1665)
==5906==    by 0x3B4A4F: init (vd_ffmpeg.c:499)
==5906==    by 0x13F: ???
==5906== 
==5906== Invalid read of size 4
==5906==    at 0x856F51: vc1_decode_i_blocks (vc1_block.c:671)
==5906==    by 0x861A6B: ff_vc1_decode_blocks (vc1_block.c:2945)
==5906==    by 0x79327A: mss2_decode_frame (mss2.c:418)
==5906==    by 0x8473AD: avcodec_decode_video2 (utils.c:2445)
==5906==    by 0x3B388C: decode (vd_ffmpeg.c:957)
==5906==    by 0x5ADEF47: ???
==5906==  Address 0x76d19ec is 300 bytes inside a block of size 8,496 free'd
==5906==    at 0x482750C: free (vg_replace_malloc.c:427)
==5906==    by 0x4F204B3: qsort_r (msort.c:300)
==5906==    by 0x4F205AD: qsort (msort.c:308)
==5906==    by 0x57787A: ff_init_vlc_sparse (bitstream.c:336)
==5906==    by 0x23B03E: ff_msmpeg4_decode_init (msmpeg4dec.c:315)
==5906==    by 0x23C55F: mss2_decode_init (mss2.c:788)
==5906==    by 0x84B75F: avcodec_open2 (utils.c:1665)
==5906==    by 0x3B4A4F: init (vd_ffmpeg.c:499)
==5906==    by 0x13F: ???
==5906== 
==5906== Invalid read of size 2
==5906==    at 0x856F7A: vc1_decode_i_blocks (vc1_block.c:673)
==5906==    by 0x861A6B: ff_vc1_decode_blocks (vc1_block.c:2945)
==5906==    by 0x79327A: mss2_decode_frame (mss2.c:418)
==5906==    by 0x8473AD: avcodec_decode_video2 (utils.c:2445)
==5906==    by 0x3B388C: decode (vd_ffmpeg.c:957)
==5906==    by 0x5ADEF47: ???
==5906==  Address 0x76d19e2 is 290 bytes inside a block of size 8,496 free'd
==5906==    at 0x482750C: free (vg_replace_malloc.c:427)
==5906==    by 0x4F204B3: qsort_r (msort.c:300)
==5906==    by 0x4F205AD: qsort (msort.c:308)
==5906==    by 0x57787A: ff_init_vlc_sparse (bitstream.c:336)
==5906==    by 0x23B03E: ff_msmpeg4_decode_init (msmpeg4dec.c:315)
==5906==    by 0x23C55F: mss2_decode_init (mss2.c:788)
==5906==    by 0x84B75F: avcodec_open2 (utils.c:1665)
==5906==    by 0x3B4A4F: init (vd_ffmpeg.c:499)
==5906==    by 0x13F: ???
==5906== 
==5906== Invalid read of size 2
==5906==    at 0x857482: vc1_decode_i_blocks (vc1_block.c:640)
==5906==    by 0x861A6B: ff_vc1_decode_blocks (vc1_block.c:2945)
==5906==    by 0x79327A: mss2_decode_frame (mss2.c:418)
==5906==    by 0x8473AD: avcodec_decode_video2 (utils.c:2445)
==5906==    by 0x3B388C: decode (vd_ffmpeg.c:957)
==5906==    by 0x5ADEF47: ???
==5906==  Address 0x76d1a62 is 418 bytes inside a block of size 8,496 free'd
==5906==    at 0x482750C: free (vg_replace_malloc.c:427)
==5906==    by 0x4F204B3: qsort_r (msort.c:300)
==5906==    by 0x4F205AD: qsort (msort.c:308)
==5906==    by 0x57787A: ff_init_vlc_sparse (bitstream.c:336)
==5906==    by 0x23B03E: ff_msmpeg4_decode_init (msmpeg4dec.c:315)
==5906==    by 0x23C55F: mss2_decode_init (mss2.c:788)
==5906==    by 0x84B75F: avcodec_open2 (utils.c:1665)
==5906==    by 0x3B4A4F: init (vd_ffmpeg.c:499)
==5906==    by 0x13F: ???
==5906== 
==5906== Invalid read of size 2
==5906==    at 0x856CA5: vc1_decode_i_blocks (vc1_block.c:343)
==5906==    by 0x861A6B: ff_vc1_decode_blocks (vc1_block.c:2945)
==5906==    by 0x79327A: mss2_decode_frame (mss2.c:418)
==5906==    by 0x8473AD: avcodec_decode_video2 (utils.c:2445)
==5906==    by 0x3B388C: decode (vd_ffmpeg.c:957)
==5906==    by 0x5ADEF47: ???
==5906==  Address 0x76c8fe6 is not stack'd, malloc'd or (recently) free'd
==5906== 
==5906== Invalid read of size 2
==5906==    at 0x856CB4: vc1_decode_i_blocks (vc1_block.c:344)
==5906==    by 0x861A6B: ff_vc1_decode_blocks (vc1_block.c:2945)
==5906==    by 0x79327A: mss2_decode_frame (mss2.c:418)
==5906==    by 0x8473AD: avcodec_decode_video2 (utils.c:2445)
==5906==    by 0x3B388C: decode (vd_ffmpeg.c:957)
==5906==    by 0x5ADEF47: ???
==5906==  Address 0x76c8fe8 is not stack'd, malloc'd or (recently) free'd
==5906== 

valgrind: m_mallocfree.c:266 (mk_plain_bszB): Assertion 'bszB != 0' failed.
valgrind: This is probably caused by your program erroneously writing past the
end of a heap block and corrupting heap metadata.  If you fix any
invalid writes reported by Memcheck, this assertion failure will
probably go away.  Please try that before reporting this as a bug.

==5906==    at 0x3803D043: report_and_quit (m_libcassert.c:210)
==5906==    by 0x3803D162: vgPlain_assert_fail (m_libcassert.c:284)
==5906==    by 0x380007D6: mk_plain_bszB.part.5 (m_mallocfree.c:266)
==5906==    by 0x38049BB2: unlinkBlock (m_mallocfree.c:1393)
==5906==    by 0x3804A495: vgPlain_arena_malloc (m_mallocfree.c:1566)
==5906==    by 0x380843FB: vgPlain_cli_malloc (replacemalloc_core.c:83)
==5906==    by 0x38016112: vgMemCheck_new_block (mc_malloc_wrappers.c:248)
==5906==    by 0x380162F5: vgMemCheck_malloc (mc_malloc_wrappers.c:285)
==5906==    by 0x38086C4F: vgPlain_scheduler (scheduler.c:1461)
==5906==    by 0x38098C07: run_a_thread_NORETURN (syswrap-linux.c:98)

sched status:
  running_tid=1

Thread 1: status = VgTs_Runnable
==5906==    at 0x4828308: malloc (vg_replace_malloc.c:263)
==5906==    by 0x506EB63: ??? (in /usr/lib/i386-linux-gnu/libxcb.so.1.1.0)
==5906==    by 0x506C95F: ??? (in /usr/lib/i386-linux-gnu/libxcb.so.1.1.0)
==5906==    by 0x506E0EF: ??? (in /usr/lib/i386-linux-gnu/libxcb.so.1.1.0)
==5906==    by 0x506E3B6: xcb_wait_for_reply (in /usr/lib/i386-linux-gnu/libxcb.so.1.1.0)
==5906==    by 0x4BE0871: _XReply (in /usr/lib/i386-linux-gnu/libX11.so.6.3.0)
==5906==    by 0x4BDBE7A: XSync (in /usr/lib/i386-linux-gnu/libX11.so.6.3.0)
==5906==    by 0x4F08E15: (below main) (libc-start.c:244)


Note: see also the FAQ in the source distribution.
It contains workarounds to several common problems.
In particular, if Valgrind aborted or crashed after
identifying problems in your program, there's a good chance
that fixing those problems will prevent Valgrind aborting or
crashing, especially if it happened in m_mallocfree.c.

If that doesn't help, please report this bug to: www.valgrind.org

In the bug report, send all the above text, the valgrind
version, and what OS and version you are using.  Thanks.
(gdb) r mss2_fuzz.wmv
Starting program: /media/sdb1/mplayer/mplayer mss2_fuzz.wmv
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
MPlayer 1.2-4.7 (C) 2000-2015 MPlayer Team

Playing mss2_fuzz.wmv.
libavformat version 56.40.101 (internal)
ASF file format detected.
[asfheader] Video stream found, -vid 2
VIDEO:  [MSS2]  320x240  24bpp  1000.000 fps  3145.7 kbps (384.0 kbyte/s)
Load subtitles in ./
==========================================================================
Opening video decoder: [ffmpeg] FFmpeg's libavcodec codec family
libavcodec version 56.60.100 (internal)
Selected video codec: [ffmss2] vfm: ffmpeg (FFmpeg MS Screen 2)
==========================================================================
Audio: no sound
Starting playback...
Could not find matching colorspace - retrying with -vf scale...
Opening video filter: [scale]
Movie-Aspect is undefined - no prescaling applied.
[swscaler @ 0x80e5d580]bicubic scaler, from rgb24 to bgra using MMXEXT
[swscaler @ 0x80e5d580]using unscaled rgb24 -> bgra special converter
VO: [x11] 320x240 => 320x240 BGRA 
Movie-Aspect is undefined - no prescaling applied.
VO: [x11] 320x240 => 320x240 BGRA 
New_Face failed. Maybe the font path is wrong.
Please supply the text font file (~/.mplayer/subfont.ttf).
subtitle font: load_sub_face failed.
New_Face failed. Maybe the font path is wrong.
Please supply the text font file (~/.mplayer/subfont.ttf).
subtitle font: load_sub_face failed.
V:   3.0   2/  2 ??% ??% ??,?% 0 0 
Error while decoding frame!
V:   3.1   3/  3 ??% ??% ??,?% 0 0 
Error while decoding frame!
V:   3.1   4/  4 ??% ??% ??,?% 0 0 
Error while decoding frame!
V:   3.2   5/  5 ??% ??% ??,?% 0 0 
Error while decoding frame!
V:   3.2   6/  6 ??% ??% ??,?% 0 0 
Error while decoding frame!
V:   3.2   7/  7 ??% ??% ??,?% 0 0 
Error while decoding frame!
V:   3.3   8/  8 ??% ??% ??,?% 0 0 
Error while decoding frame!
V:   3.3   9/  9 ??% ??% ??,?% 0 0 
Error while decoding frame!
V:   3.4  10/ 10 ??% ??% ??,?% 0 0 
Error while decoding frame!
V:   3.4  11/ 11 ??% ??% ??,?% 0 0 
Error while decoding frame!
V:   3.4  12/ 12 ??% ??% ??,?% 0 0 
Error while decoding frame!
V:   3.5  13/ 13 ??% ??% ??,?% 0 0 
Error while decoding frame!
V:   3.5  14/ 14 61% 22%  0.0% 0 0 
Error while decoding frame!
V:   3.6  15/ 15 56% 20%  0.0% 0 0 
Error while decoding frame!
V:   3.6  16/ 16 52% 19%  0.0% 0 0 
Error while decoding frame!
V:   3.6  17/ 17 49% 18%  0.0% 0 0 
Error while decoding frame!
V:   3.7  18/ 18 46% 17%  0.0% 0 0 
Error while decoding frame!
V:   3.7  19/ 19 44% 16%  0.0% 0 0 
Error while decoding frame!
V:   3.8  20/ 20 41% 15%  0.0% 0 0 
Error while decoding frame!
V:   3.8  21/ 21 39% 14%  0.0% 0 0 
Error while decoding frame!
V:   3.8  22/ 22 37% 13%  0.0% 0 0 
Error while decoding frame!
V:   3.9  23/ 23 36% 13%  0.0% 0 0 
Error while decoding frame!
V:   3.9  24/ 24 34% 12%  0.0% 0 0 
Error while decoding frame!
V:   4.0  25/ 25 33% 12%  0.0% 0 0 
Error while decoding frame!
V:   4.0  26/ 26 31% 11%  0.0% 0 0 
Error while decoding frame!
V:   4.0  27/ 27 30% 11%  0.0% 0 0 
Error while decoding frame!
V:   4.1  28/ 28 29% 10%  0.0% 0 0 
Error while decoding frame!
V:   4.1  29/ 29 28% 10%  0.0% 0 0 
Error while decoding frame!
V:   4.2  30/ 30 27% 10%  0.0% 0 0 
Error while decoding frame!
V:   4.2  31/ 31 26%  9%  0.0% 0 0 
Error while decoding frame!
V:   4.2  32/ 32 25%  9%  0.0% 0 0 
Error while decoding frame!
V:   4.3  33/ 33 24%  9%  0.0% 0 0 
Error while decoding frame!
V:   4.3  34/ 34 24%  8%  0.0% 0 0 
Error while decoding frame!
V:   4.4  35/ 35 23%  8%  0.0% 0 0 
Error while decoding frame!
V:   4.4  36/ 36 22%  8%  0.0% 0 0 
Error while decoding frame!
V:   4.4  37/ 37 22%  8%  0.0% 0 0 
Error while decoding frame!
V:   4.5  38/ 38 21%  7%  0.0% 0 0 
Error while decoding frame!
V:   4.5  39/ 39 20%  7%  0.0% 0 0 
Error while decoding frame!
V:   4.6  40/ 40 20%  7%  0.0% 0 0 
Error while decoding frame!
V:   4.6  41/ 41 19%  7%  0.0% 0 0 
Error while decoding frame!
V:   4.6  42/ 42 19%  7%  0.0% 0 0 
Error while decoding frame!
V:   4.7  43/ 43 18%  6%  0.0% 0 0 
Error while decoding frame!
V:   4.7  44/ 44 18%  6%  0.0% 0 0 
Error while decoding frame!
V:   4.8  45/ 45 18%  6%  0.0% 0 0 
Error while decoding frame!
V:   4.8  46/ 46 17%  6%  0.0% 0 0 
Error while decoding frame!
V:   4.8  47/ 47 17%  6%  0.0% 0 0 
Error while decoding frame!
V:   4.9  48/ 48 16%  6%  0.0% 0 0 
Error while decoding frame!
V:   4.9  49/ 49 16%  6%  0.0% 0 0 
Error while decoding frame!
V:   5.0  50/ 50 16%  5%  0.0% 0 0 
Error while decoding frame!
V:   5.0  51/ 51 15%  5%  0.0% 0 0 
Error while decoding frame!
V:   5.0  52/ 52 16%  5%  0.0% 0 0 
Error while decoding frame!
V:   5.1  53/ 53 16%  5%  0.0% 0 0 
Error while decoding frame!
V:   5.1  54/ 54 16%  5%  0.0% 0 0 
Error while decoding frame!
V:   5.2  55/ 55 15%  5%  0.0% 0 0 
Error while decoding frame!
V:   5.2  56/ 56 15%  5%  0.0% 0 0 
Error while decoding frame!
V:   5.2  57/ 57 15%  5%  0.0% 0 0 
Error while decoding frame!
V:   5.3  58/ 58 14%  5%  0.0% 0 0 
Error while decoding frame!
V:   5.3  59/ 59 14%  5%  0.0% 0 0 
Error while decoding frame!
V:   5.4  60/ 60 14%  4%  0.0% 0 0 
Error while decoding frame!
V:   5.4  61/ 61 14%  4%  0.0% 0 0 
Error while decoding frame!
V:   5.4  62/ 62 13%  4%  0.0% 0 0 
Error while decoding frame!
V:   5.5  63/ 63 13%  4%  0.0% 0 0 
Error while decoding frame!
V:   5.5  64/ 64 13%  4%  0.0% 0 0 
Error while decoding frame!
V:   5.6  65/ 65 13%  4%  0.0% 0 0 
Error while decoding frame!
V:   5.6  66/ 66 13%  4%  0.0% 0 0 
Error while decoding frame!
V:   5.6  67/ 67 12%  4%  0.0% 0 0 
Error while decoding frame!
V:   5.7  68/ 68 12%  4%  0.0% 0 0 
Error while decoding frame!
V:   5.7  69/ 69 12%  4%  0.0% 0 0 
Error while decoding frame!
V:   5.8  70/ 70 12%  4%  0.0% 0 0 
Error while decoding frame!
V:   5.8  71/ 71 12%  4%  0.0% 0 0 
Error while decoding frame!
V:   5.8  72/ 72 12%  4%  0.0% 0 0 
Error while decoding frame!
V:   5.9  73/ 73 11%  4%  0.0% 0 0 
Error while decoding frame!
V:   5.9  74/ 74 11%  4%  0.0% 0 0 
Error while decoding frame!
*** glibc detected *** /media/sdb1/mplayer/mplayer: malloc(): smallbin double linked list corrupted: 0x817610b8 ***
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(+0x6f82a)[0xb783e82a]
/lib/i386-linux-gnu/libc.so.6(+0x729a2)[0xb78419a2]
/lib/i386-linux-gnu/libc.so.6(__libc_malloc+0x5c)[0xb78432dc]
/usr/lib/i386-linux-gnu/libxcb.so.1(+0xbb64)[0xb7796b64]
======= Memory map: ========
80000000-80f4c000 r-xp 00000000 08:11 2419       /media/sdb1/mplayer/mplayer
80f4c000-80f70000 rw-p 00f4c000 08:11 2419       /media/sdb1/mplayer/mplayer
80f70000-81825000 rw-p 00000000 00:00 0          [heap]
b5800000-b5821000 rw-p 00000000 00:00 0 
b5821000-b5900000 ---p 00000000 00:00 0 
b5986000-b5b08000 rw-p 00000000 00:00 0 
b5b7e000-b5c03000 rw-p 00000000 00:00 0 
b5c03000-b5c4e000 rw-s 00000000 00:04 294918     /SYSV00000000 (deleted)
b5c4e000-b5cce000 rwxp 00000000 00:00 0 
b5cce000-b5cf4000 r-xp 00000000 08:02 10058      /lib/i386-linux-gnu/libexpat.so.1.6.0
b5cf4000-b5cf5000 ---p 00026000 08:02 10058      /lib/i386-linux-gnu/libexpat.so.1.6.0
b5cf5000-b5cf7000 r--p 00026000 08:02 10058      /lib/i386-linux-gnu/libexpat.so.1.6.0
b5cf7000-b5cf8000 rw-p 00028000 08:02 10058      /lib/i386-linux-gnu/libexpat.so.1.6.0
b5cf8000-b5d00000 r-xp 00000000 08:02 24456      /usr/lib/i386-linux-gnu/libffi.so.5.0.10
b5d00000-b5d01000 rw-p 00008000 08:02 24456      /usr/lib/i386-linux-gnu/libffi.so.5.0.10
b5d01000-b5d09000 r-xp 00000000 08:02 24369      /usr/lib/i386-linux-gnu/libXrender.so.1.3.0
b5d09000-b5d0a000 rw-p 00008000 08:02 24369      /usr/lib/i386-linux-gnu/libXrender.so.1.3.0
b5d0a000-b5d13000 r-xp 00000000 08:02 24356      /usr/lib/i386-linux-gnu/libXcursor.so.1.0.2
b5d13000-b5d14000 rw-p 00009000 08:02 24356      /usr/lib/i386-linux-gnu/libXcursor.so.1.0.2
b5d14000-b6a86000 r-xp 00000000 08:02 25244      /usr/lib/i386-linux-gnu/dri/swrast_dri.so
b6a86000-b6ace000 rw-p 00d71000 08:02 25244      /usr/lib/i386-linux-gnu/dri/swrast_dri.so
b6ace000-b6db4000 rw-p 00000000 00:00 0 
b6db4000-b6dda000 r--p 00000000 08:02 20948      /usr/lib/locale/C.UTF-8/LC_CTYPE
b6dda000-b6ddb000 rw-p 00000000 00:00 0 
b6ddb000-b6de2000 r--s 00000000 08:02 22578      /usr/lib/i386-linux-gnu/gconv/gconv-modules.cache
b6de2000-b6de3000 r--p 00839000 08:02 29404      /usr/lib/locale/locale-archive
b6de3000-b6f02000 r--p 00508000 08:02 29404      /usr/lib/locale/locale-archive
b6f02000-b7102000 r--p 00000000 08:02 29404      /usr/lib/locale/locale-archive
b7102000-b7107000 rw-p 00000000 00:00 0 
b7107000-b7118000 r-xp 00000000 08:02 22606      /lib/i386-linux-gnu/libresolv-2.13.so
b7118000-b7119000 r--p 00010000 08:02 22606      /lib/i386-linux-gnu/libresolv-2.13.so
b7119000-b711a000 rw-p 00011000 08:02 22606      /lib/i386-linux-gnu/libresolv-2.13.so
b711a000-b711c000 rw-p 00000000 00:00 0 
b711c000-b7122000 r-xp 00000000 08:02 24762      /usr/lib/i386-linux-gnu/libogg.so.0.8.0
b7122000-b7123000 rw-p 00005000 08:02 24762      /usr/lib/i386-linux-gnu/libogg.so.0.8.0
b7123000-b714d000 r-xp 00000000 08:02 24868      /usr/lib/i386-linux-gnu/libvorbis.so.0.4.5
b714d000-b714e000 r--p 00029000 08:02 24868      /usr/lib/i386-linux-gnu/libvorbis.so.0.4.5
b714e000-b714f000 rw-p 0002a000 08:02 24868      /usr/lib/i386-linux-gnu/libvorbis.so.0.4.5
b714f000-b72b5000 r-xp 00000000 08:02 24869      /usr/lib/i386-linux-gnu/libvorbisenc.so.2.0.8
b72b5000-b72c6000 r--p 00165000 08:02 24869      /usr/lib/i386-linux-gnu/libvorbisenc.so.2.0.8
b72c6000-b72c7000 rw-p 00176000 08:02 24869      /usr/lib/i386-linux-gnu/libvorbisenc.so.2.0.8
b72c7000-b7315000 r-xp 00000000 08:02 24338      /usr/lib/i386-linux-gnu/libFLAC.so.8.2.0
b7315000-b7316000 r--p 0004d000 08:02 24338      /usr/lib/i386-linux-gnu/libFLAC.so.8.2.0
b7316000-b7317000 rw-p 0004e000 08:02 24338      /usr/lib/i386-linux-gnu/libFLAC.so.8.2.0
b7317000-b7318000 rw-p 00000000 00:00 0 
b7318000-b732b000 r-xp 00000000 08:02 22591      /lib/i386-linux-gnu/libnsl-2.13.so
b732b000-b732c000 r--p 00012000 08:02 22591      /lib/i386-linux-gnu/libnsl-2.13.so
b732c000-b732d000 rw-p 00013000 08:02 22591      /lib/i386-linux-gnu/libnsl-2.13.so
b732d000-b732f000 rw-p 00000000 00:00 0 
b732f000-b733d000 r-xp 00000000 08:02 24362      /usr/lib/i386-linux-gnu/libXi.so.6.1.0
b733d000-b733e000 rw-p 0000d000 08:02 24362      /usr/lib/i386-linux-gnu/libXi.so.6.1.0
b733e000-b7342000 r-xp 00000000 08:02 10154      /lib/i386-linux-gnu/libuuid.so.1.3.0
b7342000-b7343000 r--p 00003000 08:02 10154      /lib/i386-linux-gnu/libuuid.so.1.3.0
b7343000-b7344000 rw-p 00004000 08:02 10154      /lib/i386-linux-gnu/libuuid.so.1.3.0
b7344000-b7348000 r-xp 00000000 08:02 10043      /lib/i386-linux-gnu/libattr.so.1.1.0
b7348000-b7349000 r--p 00003000 08:02 10043      /lib/i386-linux-gnu/libattr.so.1.1.0
b7349000-b734a000 rw-p 00004000 08:02 10043      /lib/i386-linux-gnu/libattr.so.1.1.0
b734a000-b734f000 r-xp 00000000 08:02 24386      /usr/lib/i386-linux-gnu/libasyncns.so.0.3.1
b734f000-b7350000 rw-p 00004000 08:02 24386      /usr/lib/i386-linux-gnu/libasyncns.so.0.3.1
b7350000-b7351000 rw-p 00000000 00:00 0 
b7351000-b73be000 r-xp 00000000 08:02 24817      /usr/lib/i386-linux-gnu/libsndfile.so.1.0.25
b73be000-b73c0000 r--p 0006c000 08:02 24817      /usr/lib/i386-linux-gnu/libsndfile.so.1.0.25
b73c0000-b73c1000 rw-p 0006e000 08:02 24817      /usr/lib/i386-linux-gnu/libsndfile.so.1.0.25
b73c1000-b73c5000 rw-p 00000000 00:00 0 
b73c5000-b73cd000 r-xp 00000000 08:02 10155      /lib/i386-linux-gnu/libwrap.so.0.7.6
b73cd000-b73ce000 r--p 00007000 08:02 10155      /lib/i386-linux-gnu/libwrap.so.0.7.6
b73ce000-b73cf000 rw-p 00008000 08:02 10155      /lib/i386-linux-gnu/libwrap.so.0.7.6
b73cf000-b73d4000 r-xp 00000000 08:02 24372      /usr/lib/i386-linux-gnu/libXtst.so.6.1.0
b73d4000-b73d5000 rw-p 00004000 08:02 24372      /usr/lib/i386-linux-gnu/libXtst.so.6.1.0
b73d5000-b73dc000 r-xp 00000000 08:02 24347      /usr/lib/i386-linux-gnu/libSM.so.6.0.1
b73dc000-b73dd000 rw-p 00006000 08:02 24347      /usr/lib/i386-linux-gnu/libSM.so.6.0.1
b73dd000-b73f3000 r-xp 00000000 08:02 24343      /usr/lib/i386-linux-gnu/libICE.so.6.3.0
b73f3000-b73f5000 rw-p 00015000 08:02 24343      /usr/lib/i386-linux-gnu/libICE.so.6.3.0
b73f5000-b73f7000 rw-p 00000000 00:00 0 
b73f7000-b73fc000 r-xp 00000000 08:02 24358      /usr/lib/i386-linux-gnu/libXdmcp.so.6.0.0
b73fc000-b73fd000 rw-p 00004000 08:02 24358      /usr/lib/i386-linux-gnu/libXdmcp.so.6.0.0
b73fd000-b73ff000 r-xp 00000000 08:02 24352      /usr/lib/i386-linux-gnu/libXau.so.6.0.0
b73ff000-b7400000 rw-p 00001000 08:02 24352      /usr/lib/i386-linux-gnu/libXau.so.6.0.0
b7400000-b7404000 r-xp 00000000 08:02 10049      /lib/i386-linux-gnu/libcap.so.2.22
b7404000-b7405000 rw-p 00003000 08:02 10049      /lib/i386-linux-gnu/libcap.so.2.22
b7405000-b744f000 r-xp 00000000 08:02 42883      /lib/i386-linux-gnu/libdbus-1.so.3.7.2
b744f000-b7450000 r--p 00049000 08:02 42883      /lib/i386-linux-gnu/libdbus-1.so.3.7.2
b7450000-b7451000 rw-p 0004a000 08:02 42883      /lib/i386-linux-gnu/libdbus-1.so.3.7.2
b7451000-b7452000 rw-p 00000000 00:00 0 
b7452000-b74b8000 r-xp 00000000 08:02 42210      /usr/lib/i386-linux-gnu/pulseaudio/libpulsecommon-2.0.so
b74b8000-b74b9000 r--p 00065000 08:02 42210      /usr/lib/i386-linux-gnu/pulseaudio/libpulsecommon-2.0.so
b74b9000-b74ba000 rw-p 00066000 08:02 42210      /usr/lib/i386-linux-gnu/pulseaudio/libpulsecommon-2.0.so
b74ba000-b74c2000 r-xp 00000000 08:02 35620      /lib/i386-linux-gnu/libjson.so.0.1.0
b74c2000-b74c3000 r--p 00007000 08:02 35620      /lib/i386-linux-gnu/libjson.so.0.1.0
b74c3000-b74c4000 rw-p 00008000 08:02 35620      /lib/i386-linux-gnu/libjson.so.0.1.0
b74c4000-b74e0000 r-xp 00000000 08:02 10061      /lib/i386-linux-gnu/libgcc_s.so.1
b74e0000-b74e1000 rw-p 0001b000 08:02 10061      /lib/i386-linux-gnu/libgcc_s.so.1
b74e1000-b75c1000 r-xp 00000000 08:02 24828      /usr/lib/i386-linux-gnu/libstdc++.so.6.0.17
b75c1000-b75c5000 r--p 000e0000 08:02 24828      /usr/lib/i386-linux-gnu/libstdc++.so.6.0.17
b75c5000-b75c6000 rw-p 000e4000 08:02 24828      /usr/lib/i386-linux-gnu/libstdc++.so.6.0.17
b75c6000-b75cd000 rw-p 00000000 00:00 0 
b75cd000-b75d8000 r-xp 00000000 08:02 24439      /usr/lib/i386-linux-gnu/libdrm.so.2.4.0
b75d8000-b75d9000 r--p 0000a000 08:02 24439      /usr/lib/i386-linux-gnu/libdrm.so.2.4.0
b75d9000-b75da000 rw-p 0000b000 08:02 24439      /usr/lib/i386-linux-gnu/libdrm.so.2.4.0
b75da000-b75db000 rw-p 00000000 00:00 0 
b75db000-b75df000 r-xp 00000000 08:02 24375      /usr/lib/i386-linux-gnu/libXxf86vm.so.1.0.0
b75df000-b75e0000 r--p 00003000 08:02 24375      /usr/lib/i386-linux-gnu/libXxf86vm.so.1.0.0
b75e0000-b75e1000 rw-p 00004000 08:02 24375      /usr/lib/i386-linux-gnu/libXxf86vm.so.1.0.0
b75e1000-b75f8000 r-xp 00000000 08:02 24878      /usr/lib/i386-linux-gnu/libxcb-glx.so.0.0.0
b75f8000-b75f9000 r--p 00017000 08:02 24878      /usr/lib/i386-linux-gnu/libxcb-glx.so.0.0.0
b75f9000-b75fa000 rw-p 00018000 08:02 24878      /usr/lib/i386-linux-gnu/libxcb-glx.so.0.0.0
b75fa000-b75fb000 r-xp 00000000 08:02 24349      /usr/lib/i386-linux-gnu/libX11-xcb.so.1.0.0
b75fb000-b75fc000 rw-p 00000000 08:02 24349      /usr/lib/i386-linux-gnu/libX11-xcb.so.1.0.0
b75fc000-b7601000 r-xp 00000000 08:02 24360      /usr/lib/i386-linux-gnu/libXfixes.so.3.1.0
b7601000-b7602000 rw-p 00004000 08:02 24360      /usr/lib/i386-linux-gnu/libXfixes.so.3.1.0
b7602000-b7604000 r-xp 00000000 08:02 24357      /usr/lib/i386-linux-gnu/libXdamage.so.1.1.0
b7604000-b7605000 rw-p 00001000 08:02 24357      /usr/lib/i386-linux-gnu/libXdamage.so.1.1.0
b7605000-b7606000 rw-p 00000000 00:00 0 
b7606000-b7615000 r-xp 00000000 08:02 33548      /usr/lib/i386-linux-gnu/libglapi.so.0.0.0
b7615000-b761c000 rwxp 0000e000 08:02 33548      /usr/lib/i386-linux-gnu/libglapi.so.0.0.0
b761c000-b761e000 r-xp 00000000 08:02 24846      /usr/lib/i386-linux-gnu/libts-0.0.so.0.1.1
b761e000-b761f000 rw-p 00001000 08:02 24846      /usr/lib/i386-linux-gnu/libts-0.0.so.0.1.1
b761f000-b7622000 r-xp 00000000 08:02 42124      /usr/lib/i386-linux-gnu/libpulse-simple.so.0.0.3
b7622000-b7623000 r--p 00002000 08:02 42124      /usr/lib/i386-linux-gnu/libpulse-simple.so.0.0.3
Program received signal SIGABRT, Aborted.
0xb77f9387 in *__GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64	../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0xb77f9387 in *__GI_raise (sig=6)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0xb77fc772 in *__GI_abort () at abort.c:92
#2  0xb783472d in __libc_message (do_abort=2, 
    fmt=0xb78fde10 "*** glibc detected *** %s: %s: 0x%s ***\n")
    at ../sysdeps/unix/sysv/linux/libc_fatal.c:189
#3  0xb783e82a in malloc_printerr (action=<optimized out>, 
    str=0x6 <Address 0x6 out of bounds>, ptr=0x817610b8) at malloc.c:6312
#4  0xb78419a2 in _int_malloc (av=<optimized out>, bytes=<optimized out>)
    at malloc.c:4337
#5  0xb78432dc in *__GI___libc_malloc (bytes=8) at malloc.c:3660
#6  0xb7796b64 in ?? () from /usr/lib/i386-linux-gnu/libxcb.so.1
#7  0xb7794960 in ?? () from /usr/lib/i386-linux-gnu/libxcb.so.1
#8  0xb77960f0 in ?? () from /usr/lib/i386-linux-gnu/libxcb.so.1
#9  0xb77963b7 in xcb_wait_for_reply ()
   from /usr/lib/i386-linux-gnu/libxcb.so.1
#10 0xb7b70872 in _XReply () from /usr/lib/i386-linux-gnu/libX11.so.6
#11 0xb7b6be7b in XSync () from /usr/lib/i386-linux-gnu/libX11.so.6
#12 0x801cb9aa in flip_page () at libvo/vo_x11.c:447
#13 0x80175db8 in main (argc=2, argv=0xbffffa44) at mplayer.c:3879
(gdb) 

Change History (3)

comment:1 by rxt, 9 years ago

Reproduced by developer: set
Status: new → open

Reproduced with svn HEAD and 1.2 (both release and branch)

comment:2 by reimar, 9 years ago

While I am not able to reproduce in FFmpeg, I am fairly sure this is a FFmpeg bug.
ff_mss12_decode_init sets coded_height while not setting height.
ff_mpv_decode_init then copies coded_height into MpegEncContext height.
This is then used by init_context_frame to allocate the data structures.
However the wmv9rects are validated/based on avctx->height, not avctx->coded_height.
Thus the decode_wmv9 function will try to decode a larger video than we allocated data structures for.
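
The mismatch described in comment 2 (tables sized from one dimension field, rects validated against another), as an added, stand-alone model in C. This is illustrative code written for this page, not MPlayer or FFmpeg source; the `Ctx`, `Rect`, `rect_ok_display`, `rect_ok_alloc` and `decode_rect` names are hypothetical, and the 16-pixel macroblock grid and the dimensions used in `main` are assumptions chosen to match the 320x240 stream in the report. The model counts the macroblocks a rect would touch outside the allocated table instead of writing to them, so it shows the bug class without corrupting its own heap.

```c
/*
 * Added example, not FFmpeg/MPlayer code: a decoder context carries a
 * display height ("height") and the height it actually allocated for
 * ("coded_height").  Per-macroblock tables are sized from coded_height,
 * but rects from the (untrusted) bitstream are bounds-checked against
 * height, so a rect that passes validation can still index past the
 * tables.  All names here are hypothetical.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MB_SIZE 16   /* assumed macroblock edge in pixels */

typedef struct {
    int x, y, w, h;                 /* rectangle in pixels, read from the bitstream */
} Rect;

typedef struct {
    int width, height;              /* display size, as set from the container header */
    int coded_width, coded_height;  /* size the decoder sized its tables from */
    int mb_stride, mb_height;       /* macroblock table geometry */
    size_t mb_table_len;
    uint8_t *mb_table;              /* one byte of state per macroblock */
} Ctx;

/* Size the per-macroblock table from the *coded* dimensions only. */
static int ctx_init(Ctx *c, int width, int height, int coded_width, int coded_height) {
    memset(c, 0, sizeof *c);
    c->width = width;
    c->height = height;
    c->coded_width = coded_width;
    c->coded_height = coded_height;
    c->mb_stride = (coded_width + MB_SIZE - 1) / MB_SIZE;
    c->mb_height = (coded_height + MB_SIZE - 1) / MB_SIZE;
    c->mb_table_len = (size_t)c->mb_stride * (size_t)c->mb_height;
    c->mb_table = calloc(c->mb_table_len, 1);
    return c->mb_table ? 0 : -1;
}

static void ctx_free(Ctx *c) {
    free(c->mb_table);
    c->mb_table = NULL;
}

/* Buggy check: bounds the rect by the display size, which is not what was allocated. */
static int rect_ok_display(const Ctx *c, const Rect *r) {
    return r->x >= 0 && r->y >= 0 && r->w > 0 && r->h > 0 &&
           r->x + r->w <= c->width && r->y + r->h <= c->height;
}

/* Fixed check: the rect must fit the dimensions the tables were sized from. */
static int rect_ok_alloc(const Ctx *c, const Rect *r) {
    return r->x >= 0 && r->y >= 0 && r->w > 0 && r->h > 0 &&
           r->x + r->w <= c->coded_width && r->y + r->h <= c->coded_height;
}

/* "Decode" a rect by touching the state of every macroblock it covers.
 * Returns how many of those macroblocks lie outside mb_table; the model
 * skips them instead of writing, which is exactly the guard the real
 * decoder lacks once a bad rect has passed validation. */
static size_t decode_rect(Ctx *c, const Rect *r) {
    size_t oob = 0;
    int mb_x0 = r->x / MB_SIZE, mb_y0 = r->y / MB_SIZE;
    int mb_x1 = (r->x + r->w - 1) / MB_SIZE, mb_y1 = (r->y + r->h - 1) / MB_SIZE;
    for (int my = mb_y0; my <= mb_y1; my++) {
        for (int mx = mb_x0; mx <= mb_x1; mx++) {
            size_t idx = (size_t)my * (size_t)c->mb_stride + (size_t)mx;
            if (mx >= c->mb_stride || idx >= c->mb_table_len) { oob++; continue; }
            c->mb_table[idx] = 1;
        }
    }
    return oob;
}

/* Run one rect through a validator: -1 if rejected, -2 on allocation failure,
 * otherwise the number of out-of-bounds macroblocks the decode would touch. */
static long run_rect(int width, int height, int coded_width, int coded_height,
                     Rect r, int (*validate)(const Ctx *, const Rect *)) {
    Ctx c;
    if (ctx_init(&c, width, height, coded_width, coded_height) < 0) return -2;
    long result = validate(&c, &r) ? (long)decode_rect(&c, &r) : -1;
    ctx_free(&c);
    return result;
}

int main(void) {
    /* Constructed case: header says 240 rows, codec init only allocated for 16. */
    Rect full = {0, 0, 320, 240};
    printf("display-bounded check: %ld macroblocks out of bounds\n",
           run_rect(320, 240, 320, 16, full, rect_ok_display));
    printf("alloc-bounded check:   %ld (negative = rect rejected)\n",
           run_rect(320, 240, 320, 16, full, rect_ok_alloc));
    return 0;
}
```

With a 240-row display height and a 16-row allocation, the display-bounded check accepts a full-frame rect and the decode walks 280 macroblocks past the table; the allocation-bounded check rejects the same rect up front, which is the shape of the fix the comment describes.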

comment:3 by reimar, 9 years ago

Resolution: invalid
Status: open → closed

Patch sent to FFmpeg, but closing here as not a FFmpeg issue.
My FFmpeg patch is tested to fix the crash.
