[MPlayer-users] segmentation fault in mencoder

Ildar Isaev iisaev at ispras.ru
Tue Mar 23 15:58:27 CET 2010


I have encountered a bug in mencoder. This is how it may be 
reproduced (I used mencoder built from sources checked out from the 
Subversion repository).

expl.c (attached) is a pseudo streaming server. It accepts the connection 
and then sends exploit data into it. So compile and run it. Then run 
mencoder with the options "-o out.avi http://127.0.0.1:8050" to see the 
crash. This is what all the reproducing steps look like:

user at machine:/space/iisaev/avalanche2/mplayer/inst/bin$ gcc -Wall expl.c -o expl
user at machine:/space/iisaev/avalanche2/mplayer/inst/bin$ ./expl &
[1] 30104
user at machine:/space/iisaev/avalanche2/mplayer/inst/bin$ gdb --args ./mencoder -o out.avi http://127.0.0.1:8050
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 
<http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
(gdb) run
Starting program: /space/iisaev/avalanche2/mplayer/inst/bin/mencoder -o out.avi http://127.0.0.1:8050
[Thread debugging using libthread_db enabled]
MEncoder SVN-r30947-4.3.3 (C) 2000-2010 MPlayer Team
Resolving 127.0.0.1 for AF_INET6...
Couldn't resolve name for AF_INET6: 127.0.0.1
Connecting to server 127.0.0.1[127.0.0.1]: 8050...
Malformed answer. No space separator found.
[New Thread 0x405f9b20 (LWP 30107)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x405f9b20 (LWP 30107)]
0x404aa656 in strcasecmp () from /lib/tls/i686/cmov/libc.so.6
(gdb) bt
#0 0x404aa656 in strcasecmp () from /lib/tls/i686/cmov/libc.so.6
#1 0x08213ae9 in http_streaming_start (stream=0x93d1608, 
file_format=0xbffd1754) at stream/http.c:796
#2 0x08214633 in open_s1 (stream=0x93d1608, mode=0, opts=0x0, 
file_format=0xbffd1754) at stream/http.c:945
#3 0x0816c9f5 in open_stream_full (filename=0x93bf380 
"http://127.0.0.1:8050", mode=0, options=0x0, file_format=0xbffd1754)
at stream/stream.c:178
#4 0x0816bae9 in open_stream (filename=0x40590380 
"��X@\200�X@��X@\200�X@��X@`�X@", options=0x0, file_format=0xbffd1754)
at stream/open.c:63
#5 0x080892cb in main (argc=Cannot access memory at address 0x0
) at mencoder.c:713
(gdb) up
#1 0x08213ae9 in http_streaming_start (stream=0x93d1608, 
file_format=0xbffd1754) at stream/http.c:796
796 if( !strcasecmp(http_hdr->protocol, "ICY") ||
(gdb) p http_hdr->protocol
$1 = 0x0

One can see that a null pointer dereference occurs at stream/http.c:796, as 
http_hdr->protocol is null.

I hope this letter helps to fix it.

Thanks,
Ildar
-------------- next part --------------
A non-text attachment was scrubbed...
Name: expl.c
Type: text/x-csrc
Size: 9265 bytes
Desc: not available
URL: <http://lists.mplayerhq.hu/pipermail/mplayer-users/attachments/20100323/5a3fd793/attachment.c>
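The failure mode in the backtrace, as an added example that is not MPlayer's code: a malformed status line makes the header parser bail out with "Malformed answer. No space separator found." while leaving the protocol field NULL, and a caller that ignores the parse result then hands that NULL to strcasecmp(). The struct and function names below (hdr_t, parse_status_line, classify_unchecked, classify_checked, status_code_of) are hypothetical stand-ins modelled on what the report shows, not the real stream/http.c, and the three server answers are constructed. The unchecked variant mirrors the reported control flow; the checked variant rejects the answer before touching the pointer.

```c
/* Added example (not MPlayer code): a minimal model of the status-line
 * parsing path from the report.  hdr_t and the function names are
 * hypothetical stand-ins for MPlayer's http_hdr; the sample answers are
 * constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>   /* strcasecmp */

typedef struct {
    char *protocol;          /* "HTTP/1.0", "ICY", ...; NULL until parsed */
    unsigned status_code;
    char *reason_phrase;
} hdr_t;

enum { STREAM_MALFORMED = -1, STREAM_HTTP = 0, STREAM_ICY = 1 };

/* Constructed sample answers a fake server might send. */
static const char GOOD_HTTP[] = "HTTP/1.0 200 OK\r\nContent-Type: video/x-msvideo\r\n\r\n";
static const char GOOD_ICY[]  = "ICY 200 OK\r\nicy-name: test stream\r\n\r\n";
static const char MALFORMED[] = "HTTP/1.0\r\n\r\n";   /* status line without a space */

static char *dup_range(const char *s, size_t n) {
    char *p = malloc(n + 1);
    if (!p) { perror("malloc"); exit(1); }
    memcpy(p, s, n);
    p[n] = '\0';
    return p;
}

/* Parse "<protocol> <code> <reason>\r\n".  Returns 0 on success and -1 on a
 * malformed answer; on failure h->protocol is left NULL, which is the state
 * the backtrace shows when strcasecmp() is reached. */
static int parse_status_line(hdr_t *h, const char *buf) {
    const char *eol = strstr(buf, "\r\n");
    size_t linelen = eol ? (size_t)(eol - buf) : strlen(buf);
    const char *sp = memchr(buf, ' ', linelen);
    if (!sp) {
        fprintf(stderr, "Malformed answer. No space separator found.\n");
        return -1;
    }
    h->protocol = dup_range(buf, (size_t)(sp - buf));
    h->status_code = (unsigned)strtoul(sp + 1, NULL, 10);
    const char *reason = memchr(sp + 1, ' ', linelen - (size_t)(sp + 1 - buf));
    h->reason_phrase = reason
        ? dup_range(reason + 1, linelen - (size_t)(reason + 1 - buf))
        : dup_range("", 0);
    return 0;
}

static void hdr_free(hdr_t *h) {
    free(h->protocol);
    free(h->reason_phrase);
    h->protocol = h->reason_phrase = NULL;
}

/* Mirrors the reported control flow: the parse result is ignored and
 * protocol goes straight into strcasecmp().  On MALFORMED this is the
 * SIGSEGV from the report (strcasecmp() reads through the NULL pointer). */
static int classify_unchecked(const char *response) {
    hdr_t h = {0};
    parse_status_line(&h, response);            /* return value dropped */
    int kind = !strcasecmp(h.protocol, "ICY") ? STREAM_ICY : STREAM_HTTP;
    hdr_free(&h);
    return kind;
}

/* Hardened form: check the parse result and the pointer before using it. */
static int classify_checked(const char *response) {
    hdr_t h = {0};
    if (parse_status_line(&h, response) < 0 || h.protocol == NULL) {
        hdr_free(&h);
        return STREAM_MALFORMED;                /* reject instead of dereferencing */
    }
    int kind = !strcasecmp(h.protocol, "ICY") ? STREAM_ICY : STREAM_HTTP;
    hdr_free(&h);
    return kind;
}

/* Status code of a well-formed answer, or -1 if it is malformed. */
static int status_code_of(const char *response) {
    hdr_t h = {0};
    int code = parse_status_line(&h, response) < 0 ? -1 : (int)h.status_code;
    hdr_free(&h);
    return code;
}

int main(int argc, char **argv) {
    printf("checked:   HTTP=%d ICY=%d malformed=%d\n",
           classify_checked(GOOD_HTTP), classify_checked(GOOD_ICY),
           classify_checked(MALFORMED));
    printf("unchecked: HTTP=%d ICY=%d\n",
           classify_unchecked(GOOD_HTTP), classify_unchecked(GOOD_ICY));
    /* Pass --crash to reproduce the NULL dereference on the malformed answer. */
    if (argc > 1 && !strcmp(argv[1], "--crash"))
        printf("unchecked malformed=%d\n", classify_unchecked(MALFORMED));
    return 0;
}
```

Run without arguments to see both classifiers agree on the well-formed answers; run with `--crash` to feed the malformed answer to the unchecked path and get the same kind of SIGSEGV inside strcasecmp() that the backtrace shows. The point of the hardened form is that the caller must honour the parser's error return (or at least test the pointer) before any string function sees the header fields.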
