[MPlayer-dev-eng] libmpeg2 V0.40b plays jerky/jumpy

Diego Biurrun diego at biurrun.de
Sat Dec 18 17:37:50 CET 2004


Shachar Raindel writes:
> On Thu, 26 Aug 2004 12:46:31 +0000, Sascha Sommer
> <saschasommer at freenet.de> wrote:
> > On Thursday 26 August 2004 10:43, Diego Biurrun wrote:
> > > Sascha Sommer writes:
> > > > On Thursday 26 August 2004 10:08, Shachar Raindel wrote:
> > > > > It crashes on some slightly corrupted MPEG 2 files, which played fine
> > > > > with the old version. See the file
> > > > > "broken_file_crashes_libmpeg2_040b_worked_fine_in_03.m2v" in the
> > > > > incoming folder of MPlayer's FTP. I have uploaded a complete bug
> > > > > report. Maybe I will have a look at this bug later, as it seems to be
> > > > > some kind of double free or something similar. If it is so, it might
> > > > > be an exploitable bug, which can be activated remotely (think about
> > > > > streaming mpeg2....)
> > > >
> > > > Please try attached patch (still downloading).
> > >
> > > Fixes the crash for me.
> > >
> > 
> > For me, too. Clicked on a wrong 50MB file...
> > Fixed in cvs.
> 
> After hunting this bug, I ran mplayer under valgrind, and found
> another hidden bug in the libmpeg2 code (vd_libmpeg2.c). This bug is
> triggered when libmpeg2 is fed with a large amount of bogus data,
> causing it to return while we try to feed it from the pending data
> buffer, causing us to realloc the pending data buffer, and then try to
> move the memory inside it, which might cause a segmentation fault,
> especially if glibc has freed the area. I attach a patch which should
> fix this bug as well.

Is this patch still relevant? Or was the problem fixed in the last
round of commits to libmpeg2?

Diego

> --- libmpcodecs/vd_libmpeg2.c	26 Aug 2004 10:34:20 -0000	1.34
> +++ libmpcodecs/vd_libmpeg2.c	29 Aug 2004 20:54:28 -0000
> @@ -202,12 +202,20 @@
>  	    // decoding done:
>  	    if(mpi) printf("AJAJJJJJJJJ2!\n");
>  	    if(info->display_fbuf) {
> -		mpi=info->display_fbuf->id;
> +	      mpi=info->display_fbuf->id;
> +	      // Handle the case that we already have pending data, and yet libmpeg2 had left data in the buffer...
> +	      if((mpeg2dec->buf_start >= mpeg2dec->pending_buffer) && 
> +		 (mpeg2dec->buf_start <= 
> +		  mpeg2dec->pending_buffer+mpeg2dec->pending_length))  {
> +		  mpeg2dec->pending_length = mpeg2dec->buf_end - mpeg2dec->buf_start;
> +		  memmove(mpeg2dec->pending_buffer,mpeg2dec->buf_start,mpeg2dec->pending_length);
> +	      }else {
>  		mpeg2dec->pending_length = mpeg2dec->buf_end - mpeg2dec->buf_start;
>  //		fprintf(stderr, "pending = %d\n", pending);
>  		mpeg2dec->pending_buffer = realloc(mpeg2dec->pending_buffer, mpeg2dec->pending_length);
>  		memcpy(mpeg2dec->pending_buffer, mpeg2dec->buf_start, mpeg2dec->pending_length);
>  		return mpi;
> +	      }
>  	    }
>  	}
>      }
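Review bot: the new in-place branch never returns mpi, while the realloc branch it was split from still ends with `return mpi;`. After the memmove, control falls out of the `if(info->display_fbuf)` block, so the picture id assigned on the line above is only delivered if code outside this hunk returns it; if the intent is to hand back the decoded frame in both cases, add `return mpi;` after the memmove, or extend the comment to say why the in-place case keeps decoding. Two smaller points: the upper-bound test `mpeg2dec->buf_start <= mpeg2dec->pending_buffer+mpeg2dec->pending_length` deliberately uses the old pending_length (it is reassigned only afterwards), which is worth a word in the comment, and the added lines are indented with spaces where the surrounding code uses tabs.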




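The failure mode Shachar describes (libmpeg2 leaves its leftover bytes pointing into our own pending buffer, we realloc that buffer, and the following copy reads from memory glibc may already have freed) is easy to reproduce in a small model. The C below is an added example written for this page, not MPlayer or libmpeg2 code; the decoder stand-in, the struct fields and the function names are hypothetical, and the input bytes are constructed. It shows the range check from the patch applied before the realloc, with the in-place memmove taken when the leftover already lives in the pending buffer.

```c
/* Added example (not MPlayer/libmpeg2 code): model of the pending-buffer
 * hazard discussed in the thread. All names here are hypothetical stand-ins. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

typedef struct {
    uint8_t *pending_buffer;      /* bytes the decoder did not consume last time */
    size_t   pending_length;
    const uint8_t *buf_start;     /* decoder's view of its unconsumed input */
    const uint8_t *buf_end;
} dec_t;

/* Stand-in for the decoder: after being fed [data, data+len) it consumes
 * 'consume' bytes and leaves the rest referenced by buf_start/buf_end. */
static void fake_decode(dec_t *d, const uint8_t *data, size_t len, size_t consume)
{
    if (consume > len) consume = len;
    d->buf_start = data + consume;
    d->buf_end   = data + len;
}

/* True when the decoder's leftover sits inside our own pending buffer, the
 * case the patch adds a branch for. A realloc() of pending_buffer in that
 * state may free the very bytes the subsequent copy would read. */
static int leftover_is_in_pending(const dec_t *d)
{
    uintptr_t s  = (uintptr_t)d->buf_start;
    uintptr_t lo = (uintptr_t)d->pending_buffer;
    uintptr_t hi = lo + d->pending_length;   /* old length, checked before update */
    return d->pending_buffer != NULL && s >= lo && s <= hi;
}

/* Hardened save: move in place when the leftover is already in pending_buffer,
 * otherwise grow the buffer and copy from the external chunk. 0 on success. */
static int save_pending(dec_t *d)
{
    size_t len = (size_t)(d->buf_end - d->buf_start);
    if (leftover_is_in_pending(d)) {
        memmove(d->pending_buffer, d->buf_start, len);   /* overlap is fine */
        d->pending_length = len;
        return 0;
    }
    uint8_t *nb = realloc(d->pending_buffer, len ? len : 1);
    if (!nb) return -1;                                  /* unchecked in the original */
    memcpy(nb, d->buf_start, len);
    d->pending_buffer = nb;
    d->pending_length = len;
    return 0;
}

/* Two feeds, as the decoder loop would do them: an external chunk whose tail is
 * kept, then the pending buffer itself, of which only part is consumed again.
 * Writes the final pending bytes (NUL-terminated) to out and returns their count,
 * or (size_t)-1 on allocation failure. Constructed input: "0123456789". */
static size_t run_scenario(char *out, size_t cap)
{
    static const uint8_t chunk[] = "0123456789";
    dec_t d = {0};
    size_t n;

    fake_decode(&d, chunk, 10, 4);                  /* eats "0123", leaves "456789" */
    if (save_pending(&d) != 0) return (size_t)-1;   /* external source: realloc path */

    /* Feed the pending buffer back; decoder eats "45", leaves "6789". Without the
     * range check this is where realloc+memcpy would read freed memory. */
    fake_decode(&d, d.pending_buffer, d.pending_length, 2);
    if (save_pending(&d) != 0) return (size_t)-1;   /* in-place memmove path */

    n = d.pending_length < cap - 1 ? d.pending_length : cap - 1;
    memcpy(out, d.pending_buffer, n);
    out[n] = '\0';
    free(d.pending_buffer);
    return n;
}

/* Convenience check: does the scenario end with exactly 'expected' pending? */
static int scenario_ends_with(const char *expected)
{
    char out[16];
    size_t n = run_scenario(out, sizeof out);
    return n != (size_t)-1 && strcmp(out, expected) == 0;
}

int main(void)
{
    char out[16];
    size_t n = run_scenario(out, sizeof out);
    printf("pending after two feeds: %zu bytes \"%s\"\n", n, out);
    return 0;
}
```

Running it prints the four leftover bytes "6789"; dropping the `leftover_is_in_pending` branch and running the same scenario under valgrind is the quickest way to see the invalid read the thread describes.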