New submission from Reimar Döffinger <[email protected]>:
This was reported as MPlayer bug:
http://bugzilla.mplayerhq.hu/show_bug.cgi?id=1281
The sample is also attached.
There are several issues, but here is the valgrind trace for the first error it
prints:
$ valgrind ./ffmpeg_g -i 199-song0004.mp3 test.wav
==20979== Memcheck, a memory error detector
==20979== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==20979== Using Valgrind-3.6.0.SVN-Debian and LibVEX; rerun with -h for
copyright info
==20979== Command: ../ffmpeg-clean/ffmpeg_g -i 199-song0004.mp3 test.wav
==20979==
FFmpeg version SVN-r25919, Copyright (c) 2000-2010 the FFmpeg developers
built on Dec 7 2010 21:26:04 with gcc 4.4.5
configuration: --enable-gpl
libavutil 50.34. 0 / 50.34. 0
libavcore 0.15. 0 / 0.15. 0
libavcodec 52.99. 0 / 52.99. 0
libavformat 52.88. 0 / 52.88. 0
libavdevice 52. 2. 2 / 52. 2. 2
libavfilter 1.68. 0 / 1.68. 0
libswscale 0.12. 0 / 0.12. 0
[mp3 @ 0x66a7700] max_analyze_duration reached
[mp3 @ 0x66a7700] Estimating duration from bitrate, this may be inaccurate
Input #0, mp3, from '199-song0004.mp3':
Duration: 00:00:20.00, start: 0.000000, bitrate: 320 kb/s
Stream #0.0: Audio: mp3, 44100 Hz, 2 channels, s16, 320 kb/s
Output #0, wav, to 'test.wav':
Metadata:
encoder : Lavf52.88.0
Stream #0.0: Audio: pcm_s16le, 44100 Hz, 2 channels, s16, 1411 kb/s
Stream mapping:
Stream #0.0 -> #0.0
Press [q] to stop encoding
[mp3 @ 0x66bbb80] overread, skip -6 enddists: -3 -3
[mp3 @ 0x66bbb80] overread, skip -5 enddists: -4 -4
[mp3 @ 0x66bbb80] big_values too big
==20979== Invalid read of size 4
==20979== at 0x66D70B: mp_decode_frame (bswap.h:42)
==20979== by 0x66DE91: decode_frame (mpegaudiodec.c:2073)
==20979== by 0x74A90E: avcodec_decode_audio3 (utils.c:671)
==20979== by 0x4327AF: output_packet (ffmpeg.c:1498)
==20979== by 0x434347: T.656 (ffmpeg.c:2620)
==20979== by 0x4352A2: main (ffmpeg.c:4318)
==20979== Address 0x6708e5d is 493 bytes inside a block of size 496 alloc'd
==20979== at 0x4C236B6: memalign (vg_replace_malloc.c:581)
==20979== by 0x4C2370F: posix_memalign (vg_replace_malloc.c:709)
==20979== by 0x90E4F7: av_malloc (mem.c:83)
==20979== by 0x4F31B4: av_dup_packet (avpacket.c:99)
==20979== by 0x4D2B24: av_find_stream_info (utils.c:2307)
==20979== by 0x42E42A: opt_input_file (ffmpeg.c:3191)
==20979== by 0x439483: parse_options (cmdutils.c:204)
==20979== by 0x435251: main (ffmpeg.c:4298)
==20979==
==20979== Invalid read of size 4
==20979== at 0x66D625: mp_decode_frame (bswap.h:42)
==20979== by 0x66DE91: decode_frame (mpegaudiodec.c:2073)
==20979== by 0x74A90E: avcodec_decode_audio3 (utils.c:671)
==20979== by 0x4327AF: output_packet (ffmpeg.c:1498)
==20979== by 0x434347: T.656 (ffmpeg.c:2620)
==20979== by 0x4352A2: main (ffmpeg.c:4318)
==20979== Address 0x6708e60 is 0 bytes after a block of size 496 alloc'd
==20979== at 0x4C236B6: memalign (vg_replace_malloc.c:581)
==20979== by 0x4C2370F: posix_memalign (vg_replace_malloc.c:709)
==20979== by 0x90E4F7: av_malloc (mem.c:83)
==20979== by 0x4F31B4: av_dup_packet (avpacket.c:99)
==20979== by 0x4D2B24: av_find_stream_info (utils.c:2307)
==20979== by 0x42E42A: opt_input_file (ffmpeg.c:3191)
==20979== by 0x439483: parse_options (cmdutils.c:204)
==20979== by 0x435251: main (ffmpeg.c:4298)
==20979==
[mp3 @ 0x66bbb80] Header missing
Error while decoding stream #0.0
File '199-song0004.mp3' not attached - you can download it from
https://roundup.ffmpeg.org/file1214.
----------
files: 199-song0004.mp3
messages: 12911
priority: normal
status: open
substatus: open
title: Out-of-bound reads in MP3 decoder
type: bug
________________________________________________
FFmpeg issue tracker <[email protected]>
<https://roundup.ffmpeg.org/issue2416>
________________________________________________
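The trace above shows two things worth keeping in mind when reading the decoder: a 4-byte read that begins inside the last three bytes of a 496-byte packet buffer (and a second one at its very end), and a header count ("big_values") that the decoder could not satisfy. The following C program is an added illustration, not FFmpeg's code and not part of the bug report: a hypothetical MSB-first bit reader with the word-at-a-time fetch that produces exactly that kind of read, a bounded fetch beside it, and a stand-in region decoder that validates the stream's count against the bits actually left before reading anything. The packet contents (a fixed byte pattern, not MP3 data), all function names, and the 3-bit symbol width are constructed assumptions; only the 496-byte size and the offset 493 are taken from the trace.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed packet, same size as the 496-byte block in the valgrind trace.
 * Its bytes are a fixed pattern, not MP3 data; only the size matters here. */
#define PKT_SIZE 496
static uint8_t g_pkt[PKT_SIZE];

static void fill_packet(void)
{
    for (size_t i = 0; i < PKT_SIZE; i++)
        g_pkt[i] = (uint8_t)(i * 7 + 3);
}

/* Hypothetical MSB-first bit reader over one packet. */
typedef struct {
    const uint8_t *buf;
    size_t size;   /* bytes in the packet */
    size_t pos;    /* bits consumed so far */
} bitreader_t;

static bitreader_t make_reader(size_t byte_off)
{
    if (byte_off > PKT_SIZE)          /* keep pos inside the packet */
        byte_off = PKT_SIZE;
    bitreader_t br = { g_pkt, PKT_SIZE, byte_off * 8 };
    fill_packet();
    return br;
}

static size_t bits_left(const bitreader_t *br)
{
    return br->size * 8 - br->pos;
}

/* Word-at-a-time fetch: the pattern behind the trace. With pos at byte 493
 * of a 496-byte buffer it touches bytes 493..496, one past the end, which is
 * the "Invalid read of size 4 ... 493 bytes inside a block of size 496" that
 * valgrind reported. Kept only for comparison; it is never called here. */
uint32_t peek32_unchecked(const bitreader_t *br)
{
    const uint8_t *p = br->buf + (br->pos >> 3);
    uint32_t w = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                 ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
    return w << (br->pos & 7);
}

/* Bounded fetch: assembles the 32-bit window byte by byte and zero-fills
 * past the end, so no read leaves the buffer whatever pos is. */
static uint32_t peek32_checked(const bitreader_t *br)
{
    size_t off = br->pos >> 3;
    uint32_t w = 0;
    for (size_t i = 0; i < 4; i++) {
        w <<= 8;
        if (off + i < br->size)
            w |= br->buf[off + i];
    }
    return w << (br->pos & 7);
}

/* Reads n bits (1..25) into *out; fails rather than consuming bits the
 * packet does not have. Returns 0 on success, -1 on failure. */
static int get_bits_checked(bitreader_t *br, unsigned n, uint32_t *out)
{
    if (n == 0 || n > 25 || bits_left(br) < n)
        return -1;
    *out = peek32_checked(br) >> (32 - n);
    br->pos += n;
    return 0;
}

/* Stand-in for a Huffman region decoder: a header field (count) says how
 * many 3-bit values follow. The count is checked against the bits actually
 * left before any value is read, so a corrupt header is rejected up front
 * (the decoder's "big_values too big" path) instead of being discovered by
 * running off the end of the packet. Returns values decoded, or -1. */
static long decode_region_checked(bitreader_t *br, unsigned count)
{
    if ((size_t)count * 3 > bits_left(br))
        return -1;
    long n = 0;
    for (unsigned i = 0; i < count; i++) {
        uint32_t v;
        if (get_bits_checked(br, 3, &v) < 0)
            return -1;
        n++;
    }
    return n;
}

/* Entry points that expose the behaviour as return values. */
static size_t   demo_bits_left_at(size_t off) { bitreader_t br = make_reader(off); return bits_left(&br); }
static uint32_t demo_peek_at(size_t off)      { bitreader_t br = make_reader(off); return peek32_checked(&br); }
static long     demo_region_at(size_t off, unsigned count)
{ bitreader_t br = make_reader(off); return decode_region_checked(&br, count); }
static long     demo_symbol(unsigned idx)     /* idx-th 3-bit value from the packet start */
{
    bitreader_t br = make_reader(0);
    uint32_t v = 0;
    for (unsigned i = 0; i <= idx; i++)
        if (get_bits_checked(&br, 3, &v) < 0)
            return -1;
    return (long)v;
}

int main(void)
{
    printf("bits left at byte 493:   %zu\n", demo_bits_left_at(493));
    printf("window at byte 493:      0x%08X\n", demo_peek_at(493));
    printf("8 values from byte 493:  %ld\n", demo_region_at(493, 8));
    printf("9 values from byte 493:  %ld\n", demo_region_at(493, 9));
    return 0;
}
```

At byte 493 only 24 bits remain, so a count of 8 three-bit values is accepted and a count of 9 is refused before the first read; the bounded window at that offset is built from the last three bytes plus a zero byte instead of a fourth byte outside the allocation. The up-front count check is what turns a memory error into an ordinary decode error, and it is the check a reviewer would look for at each place a header-derived count drives a read loop.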