[MPlayer-dev-eng] libmpeg2 V0.40b plays jerky/jumpy

Shachar Raindel shacharr at gmail.com
Sun Aug 29 23:04:57 CEST 2004


On Thu, 26 Aug 2004 12:46:31 +0000, Sascha Sommer
<saschasommer at freenet.de> wrote:
> On Thursday 26 August 2004 10:43, Diego Biurrun wrote:
> > Sascha Sommer writes:
> > > On Thursday 26 August 2004 10:08, Shachar Raindel wrote:
> > > > It crashes on some slightly corrupted MPEG 2 files, which played fine
> > > > with the old version. See the file
> > > > "broken_file_crashes_libmpeg2_040b_worked_fine_in_03.m2v" in the
> > > > incoming folder of MPlayer's FTP. I have uploaded a complete bug
> > > > report. Maybe I will have a look at this bug later, as it seems to be
> > > > some kind of double free or something similar. If it is so, it might
> > > > be an exploitable bug, which can be activated remotely (think about
> > > > streaming mpeg2....)
> > >
> > > Please try the attached patch (still downloading).
> >
> > Fixes the crash for me.
> >
> 
> For me, too. Clicked on a wrong 50MB file...
> Fixed in cvs.

After hunting this bug, I ran mplayer under valgrind and found
another hidden bug in the libmpeg2 code (vd_libmpeg2.c). This bug is
triggered when libmpeg2 is fed with a large amount of bogus data,
causing it to return while we try to feed it from the pending data
buffer, causing us to realloc the pending data buffer and then try to
move the memory inside it, which might cause a segmentation fault,
especially if glibc has freed the area. I attach a patch which should
fix this bug as well.

     Cheers,
     Shachar
-------------- next part --------------
A non-text attachment was scrubbed...
Name: libmpeg2-fix2.diff
Type: text/x-patch
Size: 1296 bytes
Desc: not available
URL: <http://lists.mplayerhq.hu/pipermail/mplayer-dev-eng/attachments/20040830/b378114b/attachment.bin>
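The realloc/memmove ordering hazard described in the message, shown as an added illustration. This is not code from MPlayer's vd_libmpeg2.c and not the attached libmpeg2-fix2.diff (which is not reproduced on this page); the pending buffer, the stand-in 4-byte-record decoder, the PENDING_MAX bound and all names are assumptions made for the example. The point it demonstrates: leftover data is compacted before the buffer is grown, the result of realloc() is assigned back before anything touches the block again, and undecodable input cannot grow the buffer without limit.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative only: not MPlayer's vd_libmpeg2.c and not the patch attached
 * to this message. Names, record format and PENDING_MAX are assumptions. */
#define PENDING_MAX 4096u     /* assumed bound on buffered, undecoded bytes */

typedef struct {
    unsigned char *buf;       /* heap block; realloc() is free to move it */
    size_t len;               /* bytes currently pending */
    size_t cap;               /* bytes allocated */
} pending_buf;

/* Stand-in decoder (constructed): the stream is 4-byte records, and a record
 * whose first byte is 0xFF is bogus. On bogus or incomplete data it returns
 * early without consuming anything, the situation the message describes. */
static size_t fake_decode(const unsigned char *p, size_t n)
{
    if (n < 4 || p[0] == 0xFF)
        return 0;
    return 4;
}

/* Drain pending data into the decoder, then append n new bytes from in.
 * Returns 0 on success, 1 if undecodable pending data was discarded to stay
 * within PENDING_MAX, -1 on allocation failure or oversized input. */
int pending_feed(pending_buf *pb, const unsigned char *in, size_t n,
                 size_t *records)
{
    size_t consumed = 0, left;
    int dropped = 0;
    /* 1. Feed from the pending buffer until the decoder returns early. */
    while (consumed < pb->len) {
        size_t took = fake_decode(pb->buf + consumed, pb->len - consumed);
        if (took == 0)
            break;
        consumed += took;
        (*records)++;
    }
    /* 2. Compact the leftover BEFORE any realloc(): memmove() runs on the
     *    block we still own, so no pointer into it must outlive step 4. */
    left = pb->len - consumed;
    if (consumed != 0 && left != 0)
        memmove(pb->buf, pb->buf + consumed, left);
    pb->len = left;
    /* 3. Bound the buffer: a rejected head followed by endless junk must not
     *    grow it forever. Discarding it is a resync, not a crash. */
    if (n > PENDING_MAX)
        return -1;
    if (pb->len + n > PENDING_MAX) {
        pb->len = 0;
        dropped = 1;
    }
    /* 4. Grow through a temporary: on failure the old block stays valid and
     *    ours; on success the old address is dead and only pb->buf is used. */
    if (pb->len + n > pb->cap) {
        size_t ncap = pb->cap ? pb->cap : 64;
        unsigned char *nb;
        while (ncap < pb->len + n)
            ncap *= 2;
        nb = realloc(pb->buf, ncap);
        if (nb == NULL)
            return -1;
        pb->buf = nb;
        pb->cap = ncap;
    }
    /* 5. Append through the current base pointer, never a saved one. */
    if (n != 0)
        memcpy(pb->buf + pb->len, in, n);
    pb->len += n;
    return dropped;
}

/* Drive the buffer down the path that bit the original code: two good
 * records, a bogus record the decoder rejects, then 6400 bytes of junk
 * (constructed input) queued behind it, enough for several realloc() moves
 * and one PENDING_MAX resync. */
static void run_scenario(size_t *records, int *drops)
{
    static const unsigned char good[8]  = {1, 2, 3, 4, 5, 6, 7, 8};
    static const unsigned char bogus[4] = {0xFF, 0, 0, 0};
    unsigned char junk[64];
    pending_buf pb = {NULL, 0, 0};
    int i, rc = 0;
    *records = 0; *drops = 0;
    pending_feed(&pb, good, sizeof good, records);    /* buffered, not decoded yet */
    pending_feed(&pb, bogus, sizeof bogus, records);  /* decodes 2, buffers the bogus */
    memset(junk, 0xFF, sizeof junk);
    for (i = 0; i < 100 && rc >= 0; i++) {
        rc = pending_feed(&pb, junk, sizeof junk, records);
        if (rc == 1)
            (*drops)++;
    }
    free(pb.buf);
}

int demo_records_decoded(void) { size_t r; int d; run_scenario(&r, &d); return (int)r; }
int demo_buffer_drops(void)    { size_t r; int d; run_scenario(&r, &d); return d; }
```

Running the scenario under valgrind is the useful check: with the compaction moved ahead of the realloc() there is nothing to report, whereas computing `pb->buf + consumed` before the realloc() and passing it to memmove() afterwards is reported as an invalid read of freed memory as soon as the block moves.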
