Opened 5 years ago

Closed 4 years ago

#2359 closed defect (fixed)

Return null pointer in Mplayer-1.4-8’s libmpdemux/demux_pva.c

Reported by: Taolaw Owned by: Taolaw
Priority: normal Component: demuxer
Version: unspecified Severity: blocker
Keywords: bug Cc:
Blocked By: Blocking:
Reproduced by developer: no Analyzed by developer: no

Description

Summary of the bug: Return null pointer in Mplayer-1.4-8’s libmpdemux/demux_pva.c
How to reproduce:

On line 414 of '''demux_pva.c''', assign the value to the '''dp''' pointer by calling the '''new_demux_packet''' function, but in '''new_demux_packet''' function,when allocation failed , the function will return NULL and finally assign the value to the '''dp''' point. Memory access violation occurs when using the '''dp''' pointer as the lvalue on line 415

demux_pva.c
```
    dp=new_demux_packet(current_payload.size);
    dp->pts=priv->last_video_pts;
```

demuxer.h
```
else if (len) {
    // do not even return a valid packet if allocation failed
    free(dp);
    return NULL;
```

gdb-peda$ r -ao null -vo null Return-null 
Starting program: /root/tmp/crash/picture/mplayer -ao null -vo null Return-null
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
MPlayer 1.4-8 (C) 2000-2019 MPlayer Team

Playing Return-null.
libavformat version 58.27.102 (internal)
PVA file format detected.
Opened PVA demuxer...

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0xfffffffc 
RCX: 0x555556d05010 --> 0x2000101000602 
RDX: 0x0 
RSI: 0x1 
RDI: 0x3 
RBP: 0x7fffffffcd50 --> 0xc ('\x0c')
RSP: 0x7fffffffcd40 --> 0x0 
RIP: 0x555555762ef2 (<demux_pva_fill_buffer+1218>:	vmovsd QWORD PTR ds:0x8,xmm0)
R8 : 0x3f ('?')
R9 : 0x555556d37630 --> 0x0 
R10: 0x0 
R11: 0x50 ('P')
R12: 0x555556d35400 --> 0x55555643c4a0 --> 0x555556166c08 ("PVA demuxer")
R13: 0x555556d37630 --> 0x0 
R14: 0x555556d37610 --> 0x40788d16bf800000 
R15: 0x555556d36d50 --> 0x0
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x555555762ee3 <demux_pva_fill_buffer+1203>:	call   0x555555634010 <free@plt>
   0x555555762ee8 <demux_pva_fill_buffer+1208>:	vxorpd xmm0,xmm0,xmm0
   0x555555762eec <demux_pva_fill_buffer+1212>:	vcvtss2sd xmm0,xmm0,DWORD PTR [r14+0x4]
=> 0x555555762ef2 <demux_pva_fill_buffer+1218>:	vmovsd QWORD PTR ds:0x8,xmm0
   0x555555762efb <demux_pva_fill_buffer+1227>:	ud2    
   0x555555762efd <demux_pva_fill_buffer+1229>:	nop    DWORD PTR [rax]
   0x555555762f00 <demux_pva_fill_buffer+1232>:	cmp    BYTE PTR [rsp+0x1d],0x0
   0x555555762f05 <demux_pva_fill_buffer+1237>:	mov    DWORD PTR [r15+0x60],0x0
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffcd40 --> 0x0 
0008| 0x7fffffffcd48 --> 0x6e0000005b ('[')
0016| 0x7fffffffcd50 --> 0xc ('\x0c')
0024| 0x7fffffffcd58 --> 0x1001fffffffc 
0032| 0x7fffffffcd60 --> 0x40788d16 
0040| 0x7fffffffcd68 --> 0x555556d36d50 --> 0x0 
0048| 0x7fffffffcd70 --> 0x555556d36fd0 --> 0x555556d36d50 --> 0x0 
0056| 0x7fffffffcd78 --> 0x555556d36d50 --> 0x0 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000555555762ef2 in demux_pva_fill_buffer (demux=0x555556d35400, ds=<optimized out>)
    at libmpdemux/demux_pva.c:415
415						dp->pts=priv->last_video_pts;

gdb-peda$ bt
#0  0x0000555555762ef2 in demux_pva_fill_buffer (demux=0x555556d35400, ds=<optimized out>)
    at libmpdemux/demux_pva.c:415
#1  0x00005555557348bd in demux_fill_buffer (ds=0x555556d36d50, demux=0x555556d35400)
    at libmpdemux/demuxer.c:749
#2  ds_fill_buffer (ds=ds@entry=0x555556d36d50) at libmpdemux/demuxer.c:749
#3  0x0000555555734d88 in demux_pattern_3 (ds=ds@entry=0x555556d36d50, mem=mem@entry=0x0, 
    maxlen=maxlen@entry=0xa00000, read=read@entry=0x7fffffffce5c, pattern=pattern@entry=0x100)
    at libmpdemux/demuxer.c:827
#4  0x0000555555786c82 in sync_video_packet (ds=ds@entry=0x555556d36d50) at libmpdemux/parse_es.c:46
#5  0x00005555557880f8 in video_read_properties (sh_video=0x555556d36fd0) at libmpdemux/video.c:298
#6  0x00005555556ab8a0 in reinit_video_chain () at mplayer.c:2314
#7  0x000055555569d5b3 in main (argc=<optimized out>, argc@entry=0x6, argv=<optimized out>, 
    argv@entry=0x7fffffffe088) at mplayer.c:3556
#8  0x00007ffff777d09b in __libc_start_main (main=0x55555569c580 <main>, argc=0x6, 
    argv=0x7fffffffe088, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, 
    stack_end=0x7fffffffe078) at ../csu/libc-start.c:308
#9  0x00005555556a0c3a in _start () at mplayer.c:2242


Patches should be submitted to the mplayer-dev-eng mailing list and not this bug tracker.

Attachments (1)

Return-null (14 bytes ) - added by Taolaw 5 years ago.

Download all attachments as: .zip

Change History (2)

by Taolaw, 5 years ago

Attachment: Return-null added

comment:1 by reimar, 4 years ago

Resolution: fixed
Status: newclosed

Fixed in r38222.

Note: See TracTickets for help on using tickets.