[MPlayer-dev-eng] [PATCH] segfault fix when parsing fuzzed ogg files
Pierre Lombard
p_l at gmx.fr
Sun Jul 8 22:46:25 CEST 2007
Hi,
I've just stumbled upon a few files at:
http://sam.zoy.org/zzuf/
Every segfault reported there seems fixed in mplayer SVN, but the 3
following cases cause problems here:
=> http://sam.zoy.org/zzuf/lol-mplayer.ogg
Segfaults - patch attached.
=> http://sam.zoy.org/zzuf/lol-mplayer.wmv
Does not segfault but mplayer gets stuck eating 100% CPU.
=> http://sam.zoy.org/zzuf/lol-mplayer.aac
Segfaults - null pointer use (see attached log).
Regards,
--
Pierre Lombard
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 20070708-tremor.diff
Type: text/x-diff
Size: 434 bytes
Desc: not available
URL: <http://lists.mplayerhq.hu/pipermail/mplayer-dev-eng/attachments/20070708/2b013364/attachment.diff>
-------------- next part --------------
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1224632624 (LWP 1571)]
0x0854275d in ifilter_bank (fb=0x896e010, window_sequence=0 '\0', window_shape=0 '\0', window_shape_prev=0 '\0',
freq_in=0xbfd30f10, time_out=0x0, overlap=0x0, object_type=2 '\002', frame_len=1024) at filtbank.c:221
221 time_out[i] = overlap[i] + MUL_F(transf_buf[i],window_long_prev[i]);
(gdb) bt
#0 0x0854275d in ifilter_bank (fb=0x896e010, window_sequence=0 '\0', window_shape=0 '\0', window_shape_prev=0 '\0',
freq_in=0xbfd30f10, time_out=0x0, overlap=0x0, object_type=2 '\002', frame_len=1024) at filtbank.c:221
#1 0x0855fed1 in reconstruct_single_channel (hDecoder=0x897ffd8, ics=0xbfd32754, sce=0xbfd3274e, spec_data=0xbfd31f4e)
at specrec.c:928
#2 0x0854e196 in decode_sce_lfe (hDecoder=0x897ffd8, hInfo=0x87ace20, ld=0xbfd37990, id_syn_ele=3 '\003') at syntax.c:596
#3 0x0854e3b5 in raw_data_block (hDecoder=0x897ffd8, hInfo=0x87ace20, ld=0xbfd37990, pce=0x8980645, drc=0x89808b0)
at syntax.c:445
#4 0x08541401 in aac_frame_decode (hDecoder=0x897ffd8, hInfo=0x87ace20,
buffer=0x897edd0 "##\2000\237#\n######\2010#,\224\034\005\214\202a#HH\022\030\235^{#W{\222#U7######\211#'G#f##W\234###\217?\223\203#K?T,#\9\227##235##9\232\177Uwpo\225##N\004z#221#B##\231\a\022###cZE#\035\f7#220o+/#6\024~#\224#\224\034\r\234#\235##"##\231\205E#D####X#q##216####u#hl#5e\224\223#$c###231\231#k\235\213b#..., buffer_size=4196,
sample_buffer2=0x0, sample_buffer_size=0) at decoder.c:817
#5 0x0816e01d in decode_audio (sh=0x897ed10, buf=0x899da50 "~\005~\005####[#########w#<#<###U", minlen=4096,
maxlen=114688) at ad_faad.c:233
#6 0x08133e4f in decode_audio (sh_audio=0x897ed10, buf=0x8983fa0 "~\005~\005####[#########w#<#<###U",
minlen=4096, maxlen=<value optimized out>) at dec_audio.c:389
#7 0x080c5600 in main (argc=2, argv=0xbfd39c84) at mplayer.c:1789