[MPlayer-users] [BUG] a realmedia video crashes MPlayer
陆然
hephooey at gmail.com
Thu Aug 17 14:25:02 CEST 2006
Hi,
Finally I have found some time to crash mplayer and dig for the bug. Here is
what I got: I compiled mplayer with --enable-debug and ran it with
valgrind; here is the part of the output I think is relevant (the whole log
is too large, 1.9M, to attach to the mail).
packet#3410: pos: 0x185e50, len: 1015, id: 1, pts: 41400, flags: 0 rvd:0
packet is video (id: 1)
hdr: 04 (len=1002) subseq: 01 l: 59 DE o: 40 00 seq: D5
blklen=996
block: hdr=0x4, len=6622, offset=0, seqnum=213
packet#3411: pos: 0x186247, len: 1015, id: 1, pts: 41400, flags: 0 rvd:0
packet is video (id: 1)
hdr: 04 (len=1002) subseq: 01 l: 59 DE o: 40 00 seq: D5
blklen=996
block: hdr=0x4, len=6622, offset=0, seqnum=213
we have an incomplete packet (oldseq=213 new=213)
[chunks=1 subseq=1]
warning! assembled.len=6710 offset=0 frag.len=996 total.len=6622
dp_hdr.len=996
packet#3412: pos: 0x18663e, len: 992, id: 1, pts: 41400, flags: 0 rvd:0
packet is video (id: 1)
hdr: 04 (len=979) subseq: 02 l: 59 DE o: 43 E4 seq: D5
blklen=973
block: hdr=0x4, len=6622, offset=996, seqnum=213
we have an incomplete packet (oldseq=213 new=213)
[chunks=2 subseq=2]
warning! assembled.len=6710 offset=996 frag.len=973 total.len=6622
dp_hdr.len=1992
packet#3413: pos: 0x186a1e, len: 322, id: 1, pts: 41400, flags: 0 rvd:0
packet is video (id: 1)
hdr: 04 (len=309) subseq: 03 l: 59 DE o: 47 B1 seq: D5
blklen=303
block: hdr=0x4, len=6622, offset=1969, seqnum=213
we have an incomplete packet (oldseq=213 new=213)
[chunks=3 subseq=3]
warning! assembled.len=6710 offset=1969 frag.len=303 total.len=6622
dp_hdr.len=2965
packet#3414: pos: 0x186b60, len: 1005, id: 1, pts: 41400, flags: 0 rvd:0
packet is video (id: 1)
hdr: 04 (len=992) subseq: 04 l: 59 DE o: 48 E0 seq: D5
blklen=986
block: hdr=0x4, len=6622, offset=2272, seqnum=213
we have an incomplete packet (oldseq=213 new=213)
[chunks=4 subseq=4]
warning! assembled.len=6710 offset=2272 frag.len=986 total.len=6622
dp_hdr.len=3268
packet#3415: pos: 0x186f4d, len: 1001, id: 1, pts: 41400, flags: 0 rvd:0
packet is video (id: 1)
hdr: 04 (len=988) subseq: 05 l: 59 DE o: 4C BA seq: D5
blklen=982
block: hdr=0x4, len=6622, offset=3258, seqnum=213
we have an incomplete packet (oldseq=213 new=213)
[chunks=5 subseq=5]
warning! assembled.len=6710 offset=3258 frag.len=982 total.len=6622
dp_hdr.len=4254
packet#3416: pos: 0x187336, len: 981, id: 1, pts: 41400, flags: 0 rvd:0
packet is video (id: 1)
hdr: 04 (len=968) subseq: 06 l: 59 DE o: 50 90 seq: D5
blklen=962
block: hdr=0x4, len=6622, offset=4240, seqnum=213
we have an incomplete packet (oldseq=213 new=213)
[chunks=6 subseq=6]
warning! assembled.len=6710 offset=4240 frag.len=962 total.len=6622
dp_hdr.len=5236
packet#3417: pos: 0x18770b, len: 966, id: 1, pts: 41400, flags: 0 rvd:0
packet is video (id: 1)
hdr: 04 (len=953) subseq: 07 l: 59 DE o: 54 52 seq: D5
blklen=947
block: hdr=0x4, len=6622, offset=5202, seqnum=213
we have an incomplete packet (oldseq=213 new=213)
[chunks=7 subseq=7]
warning! assembled.len=6710 offset=5202 frag.len=947 total.len=6622
dp_hdr.len=6198
==19371==
==19371== Invalid write of size 1
==19371== at 0x4022CDE: memcpy (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==19371== by 0x8173398: demux_real_fill_buffer (stream.h:208)
==19371== by 0x814931A: ds_fill_buffer (demuxer.c:388)
==19371== by 0x81495E8: ds_get_packet_pts (demuxer.c:515)
==19371== by 0x80D5F34: decode_audio (ad_ffmpeg.c:153)
==19371== by 0x80D21AA: decode_audio (dec_audio.c:387)
==19371== by 0x8080EC4: main (mplayer.c:3854)
==19371== Address 0x5B9D8D8 is not stack'd, malloc'd or (recently) free'd
==19371==
==19371== Invalid write of size 1
==19371== at 0x4022CE4: memcpy (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==19371== by 0x8173398: demux_real_fill_buffer (stream.h:208)
==19371== by 0x814931A: ds_fill_buffer (demuxer.c:388)
==19371== by 0x81495E8: ds_get_packet_pts (demuxer.c:515)
==19371== by 0x80D5F34: decode_audio (ad_ffmpeg.c:153)
==19371== by 0x80D21AA: decode_audio (dec_audio.c:387)
==19371== by 0x8080EC4: main (mplayer.c:3854)
==19371== Address 0x5B9D8D7 is not stack'd, malloc'd or (recently) free'd
==19371==
==19371== Invalid write of size 1
==19371== at 0x4022CEB: memcpy (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==19371== by 0x8173398: demux_real_fill_buffer (stream.h:208)
==19371== by 0x814931A: ds_fill_buffer (demuxer.c:388)
==19371== by 0x81495E8: ds_get_packet_pts (demuxer.c:515)
==19371== by 0x80D5F34: decode_audio (ad_ffmpeg.c:153)
==19371== by 0x80D21AA: decode_audio (dec_audio.c:387)
==19371== by 0x8080EC4: main (mplayer.c:3854)
==19371== Address 0x5B9D8D6 is not stack'd, malloc'd or (recently) free'd
==19371==
==19371== Invalid write of size 1
==19371== at 0x4022CF5: memcpy (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==19371== by 0x8173398: demux_real_fill_buffer (stream.h:208)
==19371== by 0x814931A: ds_fill_buffer (demuxer.c:388)
==19371== by 0x81495E8: ds_get_packet_pts (demuxer.c:515)
==19371== by 0x80D5F34: decode_audio (ad_ffmpeg.c:153)
==19371== by 0x80D21AA: decode_audio (dec_audio.c:387)
==19371== by 0x8080EC4: main (mplayer.c:3854)
==19371== Address 0x5B9D8D5 is not stack'd, malloc'd or (recently) free'd
packet#3418: pos: 0x187ad1, len: 492, id: 1, pts: 41400, flags: 0 rvd:0
packet is video (id: 1)
hdr: 84 (len=479) subseq: 08 l: 59 DE o: 41 D9 seq: D5
blklen=473
block: hdr=0x84, len=6622, offset=473, seqnum=213
we have an incomplete packet (oldseq=213 new=213)
[chunks=8 subseq=8]
warning! assembled.len=6710 frag.len=473 total.len=6149
==19371==
==19371== Invalid write of size 1
==19371== at 0x4022CDE: memcpy (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==19371== by 0x8172A50: demux_real_fill_buffer (stream.h:208)
==19371== by 0x814931A: ds_fill_buffer (demuxer.c:388)
==19371== by 0x81495E8: ds_get_packet_pts (demuxer.c:515)
==19371== by 0x80D5F34: decode_audio (ad_ffmpeg.c:153)
==19371== by 0x80D21AA: decode_audio (dec_audio.c:387)
==19371== by 0x8080EC4: main (mplayer.c:3854)
==19371== Address 0x5B9DAB1 is not stack'd, malloc'd or (recently) free'd
==19371==
==19371== Invalid write of size 1
==19371== at 0x4022CE4: memcpy (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==19371== by 0x8172A50: demux_real_fill_buffer (stream.h:208)
==19371== by 0x814931A: ds_fill_buffer (demuxer.c:388)
==19371== by 0x81495E8: ds_get_packet_pts (demuxer.c:515)
==19371== by 0x80D5F34: decode_audio (ad_ffmpeg.c:153)
==19371== by 0x80D21AA: decode_audio (dec_audio.c:387)
==19371== by 0x8080EC4: main (mplayer.c:3854)
==19371== Address 0x5B9DAB0 is not stack'd, malloc'd or (recently) free'd
==19371==
==19371== Invalid write of size 1
==19371== at 0x4022CEB: memcpy (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==19371== by 0x8172A50: demux_real_fill_buffer (stream.h:208)
==19371== by 0x814931A: ds_fill_buffer (demuxer.c:388)
==19371== by 0x81495E8: ds_get_packet_pts (demuxer.c:515)
==19371== by 0x80D5F34: decode_audio (ad_ffmpeg.c:153)
==19371== by 0x80D21AA: decode_audio (dec_audio.c:387)
==19371== by 0x8080EC4: main (mplayer.c:3854)
==19371== Address 0x5B9DAAF is not stack'd, malloc'd or (recently) free'd
==19371==
==19371== Invalid write of size 1
==19371== at 0x4022CF5: memcpy (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==19371== by 0x8172A50: demux_real_fill_buffer (stream.h:208)
==19371== by 0x814931A: ds_fill_buffer (demuxer.c:388)
==19371== by 0x81495E8: ds_get_packet_pts (demuxer.c:515)
==19371== by 0x80D5F34: decode_audio (ad_ffmpeg.c:153)
==19371== by 0x80D21AA: decode_audio (dec_audio.c:387)
==19371== by 0x8080EC4: main (mplayer.c:3854)
==19371== Address 0x5B9DAAE is not stack'd, malloc'd or (recently) free'd
==19371==
==19371== Invalid write of size 1
==19371== at 0x4022D14: memcpy (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==19371== by 0x8172A50: demux_real_fill_buffer (stream.h:208)
==19371== by 0x814931A: ds_fill_buffer (demuxer.c:388)
==19371== by 0x81495E8: ds_get_packet_pts (demuxer.c:515)
==19371== by 0x80D5F34: decode_audio (ad_ffmpeg.c:153)
==19371== by 0x80D21AA: decode_audio (dec_audio.c:387)
==19371== by 0x8080EC4: main (mplayer.c:3854)
==19371== Address 0x5B9D8D9 is not stack'd, malloc'd or (recently) free'd
==19371==
==19371== Invalid read of size 1
==19371== at 0x8172AB2: demux_real_fill_buffer (demux_real.c:958)
==19371== by 0x814931A: ds_fill_buffer (demuxer.c:388)
==19371== by 0x81495E8: ds_get_packet_pts (demuxer.c:515)
==19371== by 0x80D5F34: decode_audio (ad_ffmpeg.c:153)
==19371== by 0x80D21AA: decode_audio (dec_audio.c:387)
==19371== by 0x8080EC4: main (mplayer.c:3854)
==19371== Address 0x5B9D8D9 is not stack'd, malloc'd or (recently) free'd
fragment (473 bytes) appended, 0 bytes left
TS: base=0000A000
TS: 0000A1B8 -> 0000A133 (01B8) 0 0E 10 6E 1B 34
DEMUX: Append packet to d_video, len=6710 pts=41.267 pos=1597008 [packs: A=0 V=1020]
packet#3419: pos: 0x187cbd, len: 887, id: 1, pts: 41401, flags: 2 rvd:0
packet is video (id: 1)
hdr: 01 (len=874) subseq: 81 l: 48 89 o: 40 00 seq: D6
blklen=868
block: hdr=0x1, len=2185, offset=0, seqnum=214
--19371-- VALGRIND INTERNAL ERROR: Valgrind received a signal 11 (SIGSEGV) - exiting
--19371-- si_code=1; Faulting address: 0xCF60B357; sp: 0x63162DF8
valgrind: the 'impossible' happened:
Killed by fatal signal
==19371== at 0xB001ABD0: (within /usr/lib/valgrind/x86-linux/memcheck)
==19371== by 0xB001B3C1: (within /usr/lib/valgrind/x86-linux/memcheck)
==19371== by 0xB0001FCB: (within /usr/lib/valgrind/x86-linux/memcheck)
==19371== by 0xB00359D3: (within /usr/lib/valgrind/x86-linux/memcheck)
==19371== by 0xB0053BC7: (within /usr/lib/valgrind/x86-linux/memcheck)
sched status:
running_tid=1
Thread 1: status = VgTs_Runnable
==19371== at 0x40213E1: malloc (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==19371== by 0x8171BFF: demux_real_fill_buffer (demuxer.h:221)
==19371== by 0x814931A: ds_fill_buffer (demuxer.c:388)
==19371== by 0x81495E8: ds_get_packet_pts (demuxer.c:515)
==19371== by 0x80D5F34: decode_audio (ad_ffmpeg.c:153)
==19371== by 0x80D21AA: decode_audio (dec_audio.c:387)
==19371== by 0x8080EC4: main (mplayer.c:3854)
It looks like when assembling fragments, mplayer first got a 996-byte
subpacket and put it in the buffer; then there came another 996-byte subpacket
claiming that it should be put in the buffer at offset 0, thus overwriting
the first packet. MPlayer chose to ignore this and appended it after the first
packet. As a result, the buffer overflowed and mplayer crashed.
There are two sides to this bug: first, mplayer should have some sanity check
to prevent the overflow; second, I don't know which is better: completely
trusting the data from the file or trying to correct possible errors, like the
0 offset.
--
Best Regards,
LR
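Added example, not from the original post and not MPlayer's own code: a small fragment reassembler in C that applies the sanity checks the report asks for. The structure names (frag_t, reasm_t, reasm_append, reassemble, naive_append_total, run_sample) and the payload bytes are assumptions made for this illustration; the offsets and lengths of the sample fragments are taken from packets 3410 to 3418 in the log above (seqnum 213, total.len 6622), with the duplicate "offset 0" subpacket included and the final 473-byte fragment placed at the end of the block (the log's 0x84 header semantics are simplified). The checks reject any fragment that does not lie inside the declared block, that does not continue exactly where the previous one stopped, or that would not fit the allocation; naive_append_total shows how many bytes unconditional appending would have written.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One fragment as a demuxer sees it: offset and len come straight from
 * the file and are therefore untrusted input. */
typedef struct {
    size_t offset;        /* where the file says the fragment belongs */
    size_t len;           /* payload length (frag.len in the log) */
    const uint8_t *data;
} frag_t;

/* Reassembly state, modelled on the values printed in the log:
 * cap ~ assembled.len, total ~ total.len, filled ~ dp_hdr.len. */
typedef struct {
    uint8_t *buf;
    size_t cap, total, filled;
} reasm_t;

int reasm_init(reasm_t *r, size_t total)
{
    r->buf = malloc(total);
    if (!r->buf) return -1;
    r->cap = r->total = total;
    r->filled = 0;
    return 0;
}

/* Append one fragment: 0 on success, -1 if a sanity check rejects it.
 * Nothing is written on rejection. */
int reasm_append(reasm_t *r, const frag_t *f)
{
    /* 1. Fragment must lie inside the declared block (also catches wrap-around). */
    if (f->len > r->total || f->offset > r->total - f->len)
        return -1;
    /* 2. Offset must continue where we stopped: rejects the duplicate
     *    "offset 0" subpacket from the log, and any gap or rewind. */
    if (f->offset != r->filled)
        return -1;
    /* 3. Defence in depth: the write must fit the allocation no matter
     *    what the header claimed. */
    if (f->len > r->cap - r->filled)
        return -1;
    memcpy(r->buf + r->filled, f->data, f->len);
    r->filled += f->len;
    return 0;
}

/* Feed a whole sequence; returns bytes assembled and counts rejections. */
size_t reassemble(reasm_t *r, const frag_t *frags, size_t n, size_t *rejected)
{
    *rejected = 0;
    for (size_t i = 0; i < n; i++)
        if (reasm_append(r, &frags[i]) != 0)
            (*rejected)++;
    return r->filled;
}

/* Bytes that unconditional appending (no offset/length checks) would write. */
size_t naive_append_total(const frag_t *frags, size_t n)
{
    size_t sum = 0;
    for (size_t i = 0; i < n; i++) sum += frags[i].len;
    return sum;
}

/* Constructed payload; content is irrelevant to the bounds logic. */
static uint8_t payload[1024];

/* Constructed fragment sequence using the offsets/lengths from the log. */
static const frag_t sample_frags[] = {
    {0,    996, payload},
    {0,    996, payload},   /* duplicate of the first subpacket */
    {996,  973, payload},
    {1969, 303, payload},
    {2272, 986, payload},
    {3258, 982, payload},
    {4240, 962, payload},
    {5202, 947, payload},
    {6149, 473, payload},   /* last fragment, completes the 6622-byte block */
};
#define SAMPLE_N (sizeof sample_frags / sizeof sample_frags[0])
#define SAMPLE_TOTAL 6622

/* Run the sample through the checked reassembler; returns bytes assembled. */
size_t run_sample(size_t *rejected)
{
    reasm_t r;
    memset(payload, 0xAA, sizeof payload);
    if (reasm_init(&r, SAMPLE_TOTAL) != 0) return 0;
    size_t got = reassemble(&r, sample_frags, SAMPLE_N, rejected);
    free(r.buf);
    return got;
}

int main(void)
{
    size_t rejected, got = run_sample(&rejected);
    printf("naive append would write %zu bytes into a %d-byte block\n",
           naive_append_total(sample_frags, SAMPLE_N), SAMPLE_TOTAL);
    printf("checked reassembly: %zu/%d bytes, %zu fragment(s) rejected\n",
           got, SAMPLE_TOTAL, rejected);
    return 0;
}
```

With the duplicate subpacket dropped by check 2, the remaining offsets line up exactly with the accumulated length and the block completes at 6622 bytes; blind appending would have written 7618 bytes, which is the overflow Valgrind reported as invalid writes in memcpy. Whether to drop or "repair" a bad fragment is a policy choice, but either way the copy must never depend on header values that have not been checked against the allocation.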