Opened 9 years ago

Closed 9 years ago

#2266 closed defect (fixed)

crash with fuzzed file

Reported by: ami_stuff
Owned by: beastd
Priority: normal
Component: undetermined
Version: unspecified
Severity: blocker
Keywords: audio crash fuzz
Cc:
Blocked By:
Blocking:
Reproduced by developer: yes
Analyzed by developer: no

Description

http://www.datafilehost.com/d/f89c0afd

knoppix@Microknoppix:/media/sdb1$ valgrind --leak-check=full mplayer/mplayer -ao null -vo null -speed 90  gsm_fuzz.avi
==6069== Memcheck, a memory error detector
==6069== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==6069== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==6069== Command: mplayer/mplayer -ao null -vo null -speed 90 gsm_fuzz.avi
==6069== 
--6069-- WARNING: Serious error when reading debug info
--6069-- When reading debug info from /usr/lib/i386-linux-gnu/libGL.so.1.2:
--6069-- Can't make sense of .got section mapping
--6069-- WARNING: Serious error when reading debug info
--6069-- When reading debug info from /usr/lib/i386-linux-gnu/libglapi.so.0.0.0:
--6069-- Can't make sense of .got section mapping
MPlayer 1.2-4.7 (C) 2000-2015 MPlayer Team

Playing gsm_fuzz.avi.
libavformat version 56.40.101 (internal)
AVI file format detected.
[aviheader] Video stream found, -vid 0
[aviheader] Audio stream found, -aid 1
VIDEO:  [cvid]  160x120  24bpp  1.000 fps   52.7 kbps ( 6.4 kbyte/s)
Load subtitles in ./
==========================================================================
Opening video decoder: [ffmpeg] FFmpeg's libavcodec codec family
libavcodec version 56.60.100 (internal)
Selected video codec: [ffcvid] vfm: ffmpeg (FFmpeg Cinepak Video)
==========================================================================
==========================================================================
Opening audio decoder: [ffmpeg] FFmpeg/libavcodec audio decoders
AUDIO: 1073763874 Hz, 1 ch, s16le, 29.2 kbit/-0.00% (ratio: 3652->-2147439548)
Selected audio codec: [ffgsmms] afm: ffmpeg (FFmpeg MS GSM)
==========================================================================
AO: [null] 1073763874Hz 1ch s16le (2 bytes per sample)
Starting playback...
Movie-Aspect is undefined - no prescaling applied.
VO: [null] 160x120 => 160x120 RGB 24-bit 
Movie-Aspect is undefined - no prescaling applied.
VO: [null] 160x120 => 160x120 RGB 24-bit 
==6069== Warning: client switching stacks?  SP change: 0xbe8086a0 --> 0x7cf6f680
==6069==          to suppress, use: --max-stackframe=1099534368 or greater
==6069== Invalid write of size 8
==6069==    at 0x3B1275: play (af_lavcresample.c:130)
==6069==    by 0x2E6869: af_play (af.c:584)
==6069==    by 0x2FA3B2: mp_decode_audio (dec_audio.c:412)
==6069==    by 0x27C3DB: main (mplayer.c:2177)
==6069==  Address 0x7cf6f680 is on thread 1's stack
==6069== 
==6069== Can't extend stack to 0x7cf6efa0 during signal delivery for thread 1:
==6069==   no stack segment
==6069== 
==6069== Process terminating with default action of signal 11 (SIGSEGV)
==6069==  Access not within mapped region at address 0x7CF6EFA0
==6069==    at 0x3B1275: play (af_lavcresample.c:130)
==6069==  If you believe this happened as a result of a stack
==6069==  overflow in your program's main thread (unlikely but
==6069==  possible), you can try to increase the size of the
==6069==  main thread stack using the --main-stacksize= flag.
==6069==  The main thread stack size used in this run was 8388608.
==6069== 
==6069== Process terminating with default action of signal 11 (SIGSEGV)
==6069==  Access not within mapped region at address 0x7CF6F67C
==6069==    at 0x4821550: _vgnU_freeres (vg_preloaded.c:58)
==6069==  If you believe this happened as a result of a stack
==6069==  overflow in your program's main thread (unlikely but
==6069==  possible), you can try to increase the size of the
==6069==  main thread stack using the --main-stacksize= flag.
==6069==  The main thread stack size used in this run was 8388608.
==6069== 
==6069== HEAP SUMMARY:
==6069==     in use at exit: 2,122,809 bytes in 2,673 blocks
==6069==   total heap usage: 2,807 allocs, 134 frees, 5,878,174 bytes allocated
==6069== 
==6069== 6 bytes in 1 blocks are definitely lost in loss record 5 of 124
==6069==    at 0x4828308: malloc (vg_replace_malloc.c:263)
==6069==    by 0x4F6987F: strdup (strdup.c:43)
==6069==    by 0x39559B: get_term_charset (getch2.c:317)
==6069==    by 0x4F08E15: (below main) (libc-start.c:244)
==6069== 
==6069== 22 bytes in 1 blocks are definitely lost in loss record 35 of 124
==6069==    at 0x4828308: malloc (vg_replace_malloc.c:263)
==6069==    by 0x4F6987F: strdup (strdup.c:43)
==6069==    by 0x2DC5B5: copy_str (m_option.c:419)
==6069==    by 0x2D97EF: m_config_add_option (m_option.h:518)
==6069==    by 0x2DA200: m_config_register_options (m_config.c:380)
==6069==    by 0x4F08E15: (below main) (libc-start.c:244)
==6069== 
==6069== LEAK SUMMARY:
==6069==    definitely lost: 28 bytes in 2 blocks
==6069==    indirectly lost: 0 bytes in 0 blocks
==6069==      possibly lost: 0 bytes in 0 blocks
==6069==    still reachable: 2,122,781 bytes in 2,671 blocks
==6069==         suppressed: 0 bytes in 0 blocks
==6069== Reachable blocks (those to which a pointer was found) are not shown.
==6069== To see them, rerun with: --leak-check=full --show-reachable=yes
==6069== 
==6069== For counts of detected and suppressed errors, rerun with: -v
==6069== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 121 from 6)
Segmentation fault
(gdb) r -speed 90 -ao null -vo null gsm_fuzz.avi
Starting program: /media/sdb1/mplayer/mplayer -speed 90 -ao null -vo null gsm_fuzz.avi
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
MPlayer 1.2-4.7 (C) 2000-2015 MPlayer Team

Playing gsm_fuzz.avi.
libavformat version 56.40.101 (internal)
AVI file format detected.
[aviheader] Video stream found, -vid 0
[aviheader] Audio stream found, -aid 1
VIDEO:  [cvid]  160x120  24bpp  1.000 fps   52.7 kbps ( 6.4 kbyte/s)
Load subtitles in ./
==========================================================================
Opening video decoder: [ffmpeg] FFmpeg's libavcodec codec family
libavcodec version 56.60.100 (internal)
Selected video codec: [ffcvid] vfm: ffmpeg (FFmpeg Cinepak Video)
==========================================================================
==========================================================================
Opening audio decoder: [ffmpeg] FFmpeg/libavcodec audio decoders
AUDIO: 1073763874 Hz, 1 ch, s16le, 29.2 kbit/-0.00% (ratio: 3652->-2147439548)
Selected audio codec: [ffgsmms] afm: ffmpeg (FFmpeg MS GSM)
==========================================================================
AO: [null] 1073763874Hz 1ch s16le (2 bytes per sample)
Starting playback...

Program received signal SIGSEGV, Segmentation fault.
0x802a9275 in play (af=0x8166c410, data=0xbfffe858)
    at libaf/af_lavcresample.c:130
130	  if(AF_OK != RESIZE_LOCAL_BUFFER(af,data))
(gdb) bt
#0  0x802a9275 in play (af=0x8166c410, data=0xbfffe858)
    at libaf/af_lavcresample.c:130
#1  0x801de86a in af_play (s=0x8166c0c0, data=<optimized out>, 
    data@entry=0xbfffe858) at libaf/af.c:584
#2  0x801f23b3 in filter_n_bytes (len=1024, sh=0x81663948)
    at libmpcodecs/dec_audio.c:412
#3  mp_decode_audio (sh_audio=sh_audio@entry=0x81663948, 
    minlen=minlen@entry=131072) at libmpcodecs/dec_audio.c:482
#4  0x801743dc in fill_audio_out_buffers () at mplayer.c:2177
#5  main (argc=8, argv=0xbffffa24) at mplayer.c:3779
(gdb) 

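The AUDIO line in the log above already shows where this goes wrong: the fuzzed header's 1073763874 Hz rate, times 1 channel, times 2 bytes per sample, is 2147527748, which wraps in a 32-bit int to the -2147439548 printed as the ratio target, and that value then feeds the buffer sizing at af_lavcresample.c:130. The C program below is an added illustration of that arithmetic and of the check a demuxer or filter should apply before trusting a header field; it is not MPlayer's code. The function names, the 768000 Hz ceiling and the channel and sample-size limits are assumptions made for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Values from the ticket's AUDIO line: 1073763874 Hz, 1 ch, s16le. */
#define FUZZED_RATE      1073763874
#define FUZZED_CHANNELS  1
#define S16_BYTES        2

/* Sanity ceilings; assumptions for this example, not MPlayer's limits. */
#define MAX_SANE_RATE      768000
#define MAX_SANE_CHANNELS  8
#define MAX_SANE_BYTES     4

/* Bytes per second the way a build doing plain int arithmetic gets it.
 * Signed overflow is undefined in C, so the wrap is modelled explicitly
 * in unsigned arithmetic and converted back; this reproduces the
 * -2147439548 the ticket shows for 1073763874 * 1 * 2. */
int32_t naive_bps(int32_t rate, int32_t channels, int32_t bytes)
{
    uint32_t v = (uint32_t)rate * (uint32_t)channels * (uint32_t)bytes;
    return (int32_t)v;
}

/* Hardened version: reject out-of-range header fields first, then
 * multiply with an explicit overflow check so nothing can wrap.
 * Returns false, leaving *out untouched, when the input is rejected. */
bool checked_bps(int32_t rate, int32_t channels, int32_t bytes, int32_t *out)
{
    if (rate <= 0 || rate > MAX_SANE_RATE) return false;
    if (channels <= 0 || channels > MAX_SANE_CHANNELS) return false;
    if (bytes <= 0 || bytes > MAX_SANE_BYTES) return false;

    /* a * b overflows int32 iff a > INT32_MAX / b (b > 0 here). */
    if (rate > INT32_MAX / channels) return false;
    int32_t frame = rate * channels;
    if (frame > INT32_MAX / bytes) return false;

    *out = frame * bytes;
    return true;
}

/* Convenience wrapper: bytes/s, or -1 when the header is rejected. */
int32_t bps_or_reject(int32_t rate, int32_t channels, int32_t bytes)
{
    int32_t bps;
    return checked_bps(rate, channels, bytes, &bps) ? bps : -1;
}

int main(void)
{
    printf("naive   : %d bytes/s\n",
           naive_bps(FUZZED_RATE, FUZZED_CHANNELS, S16_BYTES));
    printf("checked : %d (-1 = rejected)\n",
           bps_or_reject(FUZZED_RATE, FUZZED_CHANNELS, S16_BYTES));
    printf("checked : %d bytes/s for 44100 Hz stereo s16\n",
           bps_or_reject(44100, 2, S16_BYTES));
    return 0;
}
```

The naive path prints the same -2147439548 as the ticket; the checked path refuses the header outright, which is the behaviour you want from any field that later becomes an allocation or buffer length. Rejecting at the range check is deliberate: a rate this large has no legitimate use, so there is no point carrying it into the overflow-safe multiply only to fail there.
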
Change History (1)

comment:1 by rxt, 9 years ago

Keywords: audio crash fuzz added
Reproduced by developer: set
Resolution: fixed
Status: new → closed

Reproduced on acelp and gsm with svn (at the date of report) and 1.2

Both are already fixed in svn HEAD and in 1.2 branch with the latest commits made to fix other fuzzed files.

I was never able to reproduce a crash with the alac file.
