Opened 7 years ago
Closed 5 years ago
#2359 closed defect (fixed)
Return null pointer in Mplayer-1.4-8’s libmpdemux/demux_pva.c
| Reported by: | Taolaw | Owned by: | Taolaw |
|---|---|---|---|
| Priority: | normal | Component: | demuxer |
| Version: | unspecified | Severity: | blocker |
| Keywords: | bug | Cc: | |
| Blocked By: | | Blocking: | |
| Reproduced by developer: | no | Analyzed by developer: | no |
Description
Summary of the bug: Return null pointer in Mplayer-1.4-8’s libmpdemux/demux_pva.c
How to reproduce:
On line 414 of `demux_pva.c`, the value is assigned to the `dp` pointer by calling the `new_demux_packet` function, but in the `new_demux_packet` function, when allocation fails, the function returns NULL and this value is finally assigned to the `dp` pointer. A memory access violation occurs when the `dp` pointer is used as the lvalue on line 415.
demux_pva.c
```c
dp=new_demux_packet(current_payload.size);
dp->pts=priv->last_video_pts;
```
demuxer.h
```c
else if (len) {
// do not even return a valid packet if allocation failed
free(dp);
return NULL;
```
```
gdb-peda$ r -ao null -vo null Return-null
Starting program: /root/tmp/crash/picture/mplayer -ao null -vo null Return-null
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
MPlayer 1.4-8 (C) 2000-2019 MPlayer Team
Playing Return-null.
libavformat version 58.27.102 (internal)
PVA file format detected.
Opened PVA demuxer...
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0xfffffffc
RCX: 0x555556d05010 --> 0x2000101000602
RDX: 0x0
RSI: 0x1
RDI: 0x3
RBP: 0x7fffffffcd50 --> 0xc ('\x0c')
RSP: 0x7fffffffcd40 --> 0x0
RIP: 0x555555762ef2 (<demux_pva_fill_buffer+1218>: vmovsd QWORD PTR ds:0x8,xmm0)
R8 : 0x3f ('?')
R9 : 0x555556d37630 --> 0x0
R10: 0x0
R11: 0x50 ('P')
R12: 0x555556d35400 --> 0x55555643c4a0 --> 0x555556166c08 ("PVA demuxer")
R13: 0x555556d37630 --> 0x0
R14: 0x555556d37610 --> 0x40788d16bf800000
R15: 0x555556d36d50 --> 0x0
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x555555762ee3 <demux_pva_fill_buffer+1203>: call 0x555555634010 <free@plt>
0x555555762ee8 <demux_pva_fill_buffer+1208>: vxorpd xmm0,xmm0,xmm0
0x555555762eec <demux_pva_fill_buffer+1212>: vcvtss2sd xmm0,xmm0,DWORD PTR [r14+0x4]
=> 0x555555762ef2 <demux_pva_fill_buffer+1218>: vmovsd QWORD PTR ds:0x8,xmm0
0x555555762efb <demux_pva_fill_buffer+1227>: ud2
0x555555762efd <demux_pva_fill_buffer+1229>: nop DWORD PTR [rax]
0x555555762f00 <demux_pva_fill_buffer+1232>: cmp BYTE PTR [rsp+0x1d],0x0
0x555555762f05 <demux_pva_fill_buffer+1237>: mov DWORD PTR [r15+0x60],0x0
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffcd40 --> 0x0
0008| 0x7fffffffcd48 --> 0x6e0000005b ('[')
0016| 0x7fffffffcd50 --> 0xc ('\x0c')
0024| 0x7fffffffcd58 --> 0x1001fffffffc
0032| 0x7fffffffcd60 --> 0x40788d16
0040| 0x7fffffffcd68 --> 0x555556d36d50 --> 0x0
0048| 0x7fffffffcd70 --> 0x555556d36fd0 --> 0x555556d36d50 --> 0x0
0056| 0x7fffffffcd78 --> 0x555556d36d50 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000555555762ef2 in demux_pva_fill_buffer (demux=0x555556d35400, ds=<optimized out>)
at libmpdemux/demux_pva.c:415
415 dp->pts=priv->last_video_pts;
gdb-peda$ bt
#0 0x0000555555762ef2 in demux_pva_fill_buffer (demux=0x555556d35400, ds=<optimized out>)
at libmpdemux/demux_pva.c:415
#1 0x00005555557348bd in demux_fill_buffer (ds=0x555556d36d50, demux=0x555556d35400)
at libmpdemux/demuxer.c:749
#2 ds_fill_buffer (ds=ds@entry=0x555556d36d50) at libmpdemux/demuxer.c:749
#3 0x0000555555734d88 in demux_pattern_3 (ds=ds@entry=0x555556d36d50, mem=mem@entry=0x0,
maxlen=maxlen@entry=0xa00000, read=read@entry=0x7fffffffce5c, pattern=pattern@entry=0x100)
at libmpdemux/demuxer.c:827
#4 0x0000555555786c82 in sync_video_packet (ds=ds@entry=0x555556d36d50) at libmpdemux/parse_es.c:46
#5 0x00005555557880f8 in video_read_properties (sh_video=0x555556d36fd0) at libmpdemux/video.c:298
#6 0x00005555556ab8a0 in reinit_video_chain () at mplayer.c:2314
#7 0x000055555569d5b3 in main (argc=<optimized out>, argc@entry=0x6, argv=<optimized out>,
argv@entry=0x7fffffffe088) at mplayer.c:3556
#8 0x00007ffff777d09b in __libc_start_main (main=0x55555569c580 <main>, argc=0x6,
argv=0x7fffffffe088, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>,
stack_end=0x7fffffffe078) at ../csu/libc-start.c:308
#9 0x00005555556a0c3a in _start () at mplayer.c:2242
```
Patches should be submitted to the mplayer-dev-eng mailing list and not this bug tracker.
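The pattern behind this ticket, an allocator that reports failure by returning NULL and a caller that dereferences the result unconditionally, is easier to see in isolation than in the full demuxer. The following is an added, self-contained C example; it is not MPlayer's code and is not the fix committed for this ticket. `demux_packet_t`, `new_demux_packet`, `checked_malloc` and the `simulate_alloc_failure` flag are simplified stand-ins constructed here so that the allocation-failure path can be triggered deterministically. `fill_buffer_unchecked` reproduces the shape of the reported lines 414 and 415; `fill_buffer_checked` is the hardened form that treats NULL as "no packet" and propagates the failure instead of crashing.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed, simplified stand-in for MPlayer's demux_packet_t (not the
 * project's own definition). */
typedef struct demux_packet {
    int len;
    double pts;
    unsigned char *buffer;
} demux_packet_t;

/* Hypothetical allocation hook: when set, payload allocation fails, so the
 * NULL-return path can be exercised without exhausting memory. */
static int simulate_alloc_failure = 0;

static void *checked_malloc(size_t n) {
    if (simulate_alloc_failure)
        return NULL;
    return malloc(n);
}

/* Mirrors the behaviour quoted from demuxer.h: if the payload allocation
 * fails, free the header and return NULL rather than a half-built packet. */
demux_packet_t *new_demux_packet(size_t len) {
    demux_packet_t *dp = malloc(sizeof(*dp));
    if (!dp)
        return NULL;
    dp->len = (int)len;
    dp->pts = 0;
    dp->buffer = NULL;
    if (len) {
        dp->buffer = checked_malloc(len);
        if (!dp->buffer) {
            /* do not even return a valid packet if allocation failed */
            free(dp);
            return NULL;
        }
    }
    return dp;
}

void free_demux_packet(demux_packet_t *dp) {
    if (!dp)
        return;
    free(dp->buffer);
    free(dp);
}

/* Caller shaped like the reported demux_pva.c lines 414-415: the result of
 * new_demux_packet() is written through without a NULL check. With
 * simulate_alloc_failure set this is the SIGSEGV from the ticket. */
int fill_buffer_unchecked(size_t payload_size, double last_pts) {
    demux_packet_t *dp = new_demux_packet(payload_size);
    dp->pts = last_pts; /* NULL dereference when allocation failed */
    free_demux_packet(dp);
    return 1;
}

/* Hardened caller: a NULL packet is a recoverable "no data" condition that is
 * reported to the demuxer loop. Returns 1 on success, 0 on failure. */
int fill_buffer_checked(size_t payload_size, double last_pts, double *pts_out) {
    demux_packet_t *dp = new_demux_packet(payload_size);
    if (!dp) {
        fprintf(stderr, "demux_pva: packet allocation of %zu bytes failed\n",
                payload_size);
        return 0;
    }
    dp->pts = last_pts;
    if (pts_out)
        *pts_out = dp->pts;
    free_demux_packet(dp);
    return 1;
}

/* Scenario helpers: run the hardened caller with and without injected
 * allocation failure and return its result code. */
int demo_normal_path(void) {
    simulate_alloc_failure = 0;
    return fill_buffer_checked(64, 1.5, NULL);
}

int demo_failure_path(void) {
    simulate_alloc_failure = 1;
    int rc = fill_buffer_checked(64, 1.5, NULL);
    simulate_alloc_failure = 0;
    return rc;
}

int main(void) {
    printf("normal path:  rc=%d\n", demo_normal_path());
    printf("failure path: rc=%d\n", demo_failure_path());
    /* fill_buffer_unchecked(64, 1.5) under simulate_alloc_failure would crash
     * exactly as the backtrace above shows. */
    return 0;
}
```

The hardened caller returns 0 rather than aborting because in a demuxer an allocation failure on one packet is usually best handled by ending the stream cleanly; the important property is that the NULL from `new_demux_packet` is never dereferenced.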
Attachments (1)
Change History (2)
by , 7 years ago
| Attachment: | Return-null added |
|---|---|
comment:1 by , 5 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Fixed in r38222.