New submission from nstockma <[EMAIL PROTECTED]>:

I am trying to transcode from an .ogg to a .wav format. Valgrind reports an Invalid Read of 4 bytes at an invalid memory location.

The test file can be found inside the .tgz archive at the following link:
http://www.metafuzz.com/testcases/325305-91-35847345-Leak_DefinitelyLost.tgz

I confirmed that this bug is reproducible on Linux OS, Debian x32 with the latest subversion of ffmpeg, SVN-r14169. I used a 32-bit Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz.

To reproduce:

wget http://www.metafuzz.com/testcases/325305-91-35847345-Leak_DefinitelyLost.tgz
tar xzfv 325305-91-35847345-Leak_DefinitelyLost.tgz
valgrind ./ffmpeg_g -i ~/Desktop/91-snippet3.ogg test91.wav (<---- depending on where you've unzipped the .tgz file of course)

Note that this bug does not cause a crash so I have not included a gdb backtrace, but please let me know if you would like one anyway.

The following is the output from Valgrind:

[EMAIL PROTECTED]:~/ffmpeg$ valgrind ./ffmpeg_g -i ~/Desktop/91-snippet3.ogg test91.wav
==12731== Memcheck, a memory error detector.
==12731== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==12731== Using LibVEX rev 1854, a library for dynamic binary translation.
==12731== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==12731== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==12731== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==12731== For more details, rerun with: -v
==12731==
FFmpeg version SVN-r14169, Copyright (c) 2000-2008 Fabrice Bellard, et al.
  configuration:
  libavutil version: 49.7.0
  libavcodec version: 51.60.0
  libavformat version: 52.17.0
  libavdevice version: 52.0.0
  built on Jul 11 2008 10:50:03, gcc: 4.1.2 20061115 (prerelease) (Debian 4.1.1-21)
[ogg @ 0x8441ce0]-74 bytes of comment header remain
[ogg @ 0x8441ce0]truncated comment header, 3 comments not found
=======================================================================================
==12731== Invalid read of size 4
==12731==    Stack hash: 137829062
==12731==    at 0x8371AC6: vorbis_decode_init (bitstream.h:659)
==12731==  Address 0x41d905f is 271 bytes inside a block of size 272 alloc'd
==12731==    Stack hash: 2622533325
==12731==    at 0x401D96E: realloc (vg_replace_malloc.c:429)
==12731==    by 0x80C41E7: vorbis_header (oggparsevorbis.c:149)
[vorbis @ 0x8458cf0]Third header is not the setup header.
[vorbis @ 0x8458cf0]Third header is not the setup header.
#(The previous line repeats numerous times, most of which I have omitted.)
[vorbis @ 0x8458cf0]Third header is not the setup header.
[vorbis @ 0x8458cf0]Third header is not the setup header.
[ogg @ 0x8441ce0]Could not find codec parameters (Audio: vorbis, 44100 Hz, stereo, 160 kb/s)
[ogg @ 0x8441ce0]Could not find codec parameters (Invalid Codec type -1)
/home/user/Desktop/91-snippet3.ogg: could not find codec parameters
==12731==
==12731== ERROR SUMMARY: 141 errors from 1 contexts (suppressed: 18 from 1)
==12731== malloc/free: in use at exit: 9,906,996 bytes in 2,563 blocks.
==12731== malloc/free: 2,995 allocs, 432 frees, 11,096,418 bytes allocated.
==12731== For counts of detected errors, rerun with: -v
==12731== searching for pointers to 2,563 not-freed blocks.
==12731== checked 2,652,924 bytes.
==12731==
==12731== LEAK SUMMARY:
==12731==    definitely lost: 9,458,560 bytes in 2,220 blocks.
==12731==      possibly lost: 233,216 bytes in 36 blocks.
==12731==    still reachable: 215,220 bytes in 307 blocks.
==12731==         suppressed: 0 bytes in 0 blocks.
==12731== Rerun with --leak-check=full to see details of leaked memory.

I have not attempted to review this bug to determine whether it represents a security risk or not.

This bug was found using the Zzuf fuzzer. It was found as part of the SUPERB-TRUST 2008 project (see http://www.truststc.org/superb/) and the metafuzz project (see http://metafuzz.com/, stack hash 35847345).

Let me know if I can provide more information.

----------
messages: 2399
nosy: nstockma
priority: normal
status: new
substatus: new
title: bug in Ffmpeg code causes Valgrind to report Invalid Read for Mplayer at vorbis_decode_init (bitstream.h:659)
type: bug

______________________________________________________
FFmpeg issue tracker <[EMAIL PROTECTED]>
<https://roundup.mplayerhq.hu/roundup/ffmpeg/issue525>
______________________________________________________
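The Valgrind figures above (a 4-byte read at byte 271 of a 272-byte block, reached from a truncated comment header) describe the classic shape of an unchecked multi-byte fetch near the end of a bit reader's buffer. The following is an added illustration, not the report's or FFmpeg's code: a hypothetical MSB-first bit reader whose read is bounds-checked against the allocation size, exercised on a constructed 272-byte header positioned at the offset from the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical bit reader over a header buffer of known size.
 * Illustration only; this is not FFmpeg's bitstream.h. */
typedef struct {
    const uint8_t *buf;
    size_t size;    /* bytes actually allocated for the header */
    size_t bitpos;  /* current read position in bits */
} BitReader;

/* How many bytes would a fetch of `fetch_bytes` at the current byte offset
 * read past the allocation? With the report's numbers (272-byte block,
 * 4-byte load at byte 271) the answer is 3. */
size_t fetch_overrun_bytes(size_t size, size_t bitpos, size_t fetch_bytes)
{
    size_t end = (bitpos >> 3) + fetch_bytes;
    return end > size ? end - size : 0;
}

/* Bounds-checked read of n (1..32) bits. Returns 0 and stores the value, or
 * -1 without touching memory when fewer than n bits remain. Bits are gathered
 * one at a time, so only bytes inside the allocation are ever dereferenced. */
int get_bits_checked(BitReader *br, unsigned n, uint32_t *out)
{
    if (n == 0 || n > 32 || br->bitpos + n > br->size * 8)
        return -1;
    uint32_t v = 0;
    for (unsigned i = 0; i < n; i++, br->bitpos++) {
        uint8_t byte = br->buf[br->bitpos >> 3];
        v = (v << 1) | ((byte >> (7 - (br->bitpos & 7))) & 1);
    }
    *out = v;
    return 0;
}

/* Constructed 272-byte header whose last byte is 0xA5; the reader is placed
 * at byte 271, the offset Valgrind reported. A 32-bit read must be refused,
 * an 8-bit read must still succeed and return that last byte. */
int demo_truncated_header(uint32_t *last_byte)
{
    uint8_t hdr[272];
    memset(hdr, 0, sizeof hdr);
    hdr[271] = 0xA5;
    BitReader br = { hdr, sizeof hdr, 271 * 8 };
    uint32_t v;
    if (get_bits_checked(&br, 32, &v) != -1) return -1;  /* would overrun */
    if (get_bits_checked(&br, 8, &v) != 0)   return -2;  /* still in bounds */
    *last_byte = v;
    return 0;
}
```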
