Heap Corruption through MP4 files
Hello,
I was trying to figure out the cause of this bug but gave up after a couple of days. Here are some backtraces, although they happen all over, as that is the nature of this bug type. Signs point to an overflow somewhere.
Crash 1:

```
*** glibc detected *** /home/daybreak/vlc-source/vlc: free(): invalid next size (fast): 0x085da9a8 ***
```
Crash 2:

```
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb35dfb40 (LWP 31973)]
--------------------------------------------------------------------------[regs]
EAX: 08000000 EBX: 00316FF4 ECX: 080C1308 EDX: 00317440 o d I t s z a P c
ESI: 00317440 EDI: 080C1310 EBP: 0000000C ESP: B35DF1E0 EIP: 001EAE30
CS: 0073 DS: 007B ES: 007B FS: 0000 GS: 0033 SS: 007B
[007B:B35DF1E0]----------------------------------------------------------[stack]
B35DF230 : 34 DB 04 08 56 0B 3C 00 - F4 4F 41 00 F4 4F 41 00 4...V.<..OA..OA.
B35DF220 : 0C 00 00 00 34 DB 04 08 - 01 00 00 00 00 7C 40 B3 ....4........|@.
B35DF210 : 00 00 00 00 00 00 00 00 - E8 5F 0D 08 B0 71 3B 00 ........._...q;.
B35DF200 : 34 DB 04 08 56 0B 3C 00 - F4 4F 41 00 F4 4F 41 00 4...V.<..OA..OA.
B35DF1F0 : 00 00 00 00 00 00 00 00 - E8 5F 0D 08 CB 0A 3C 00 ........._....<.
B35DF1E0 : F4 4F 41 00 38 5C 41 00 - 18 7C 40 B3 F4 4F 41 00 .OA.8\A..|@..OA.
[007B:080C1310]-----------------------------------------------------------[data]
080C1310 : 78 74 31 00 88 42 0C 08 - 08 08 08 08 09 08 08 08 xt1..B..........
080C1320 : 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
080C1330 : 00 00 00 00 00 00 00 10 - 0F 0F 10 10 0F 10 10 10 ................
080C1340 : 10 00 10 10 10 11 11 11 - 11 11 12 10 00 10 10 10 ................
080C1350 : 13 12 11 11 10 10 11 00 - 11 11 11 14 13 12 12 0F ................
080C1360 : 11 11 00 0F 0F 0F 12 12 - 12 12 12 12 10 16 10 10 ................
080C1370 : 10 10 13 12 12 10 10 10 - 00 10 10 10 10 10 10 10 ................
080C1380 : 11 11 11 00 11 11 11 11 - 12 12 12 12 10 10 00 00 ................
[0073:001EAE30]-----------------------------------------------------------[code]
=> 0x1eae30 <malloc+192>: mov edx,DWORD PTR [eax]
   0x1eae32 <malloc+194>: jmp 0x1eae07 <malloc+151>
   0x1eae34 <malloc+196>: lea esi,[esi+eiz*1+0x0]
   0x1eae38 <malloc+200>: lea eax,[ebx+0x44c]
   0x1eae3e <malloc+206>: cmp esi,eax
   0x1eae40 <malloc+208>: mov DWORD PTR [esp+0x1c],eax
   0x1eae44 <malloc+212>: je 0x1eaed8 <malloc+360>
   0x1eae4a <malloc+218>: cmp DWORD PTR gs:0xc,0x0
--------------------------------------------------------------------------------
0x001eae30 in malloc () from /lib/i386-linux-gnu/libc.so.6
gdb$ bt
#0  0x001eae30 in malloc () from /lib/i386-linux-gnu/libc.so.6
#1  0x003b71b0 in NewList (i_count=0) at misc/objects.c:775
#2  vlc_list_children (obj=0xb3407c18) at misc/objects.c:538
#3  0x003651fe in ObjectKillChildrens (p_input=0x80d5fe8, p_obj=0xb3407c18) at input/input.c:301
#4  0x00365218 in ObjectKillChildrens (p_input=0x80d5fe8, p_obj=<optimized out>) at input/input.c:303
#5  0x0036737c in input_Stop (p_input=0x80d5fe8, b_abort=false) at input/input.c:245
#6  0x0033f9cc in LoopInput (p_playlist=0x81b04d8) at playlist/thread.c:459
#7  Thread (data=0x81b04d8) at playlist/thread.c:514
#8  0x00157d4c in start_thread () from /lib/i386-linux-gnu/libpthread.so.0
#9  0x0025fd3e in clone () from /lib/i386-linux-gnu/libc.so.6
```
Crash 3:

```
*** glibc detected *** /home/daybreak/vlc-source/vlc: free(): invalid pointer: 0x080c1490 ***
gdb$ bt
#0  0x00132416 in __kernel_vsyscall ()
#1  0x0019f1df in raise () from /lib/i386-linux-gnu/libc.so.6
#2  0x001a2825 in abort () from /lib/i386-linux-gnu/libc.so.6
#3  0x001dc39a in ?? () from /lib/i386-linux-gnu/libc.so.6
#4  0x001e6ee2 in ?? () from /lib/i386-linux-gnu/libc.so.6
#5  0x003b7288 in vlc_list_release (p_list=0x80c1490) at misc/objects.c:687
#6  0x00365224 in ObjectKillChildrens (p_input=0x80d6080, p_obj=<optimized out>) at input/input.c:304
#7  0x00365218 in ObjectKillChildrens (p_input=0x80d6080, p_obj=<optimized out>) at input/input.c:303
#8  0x0036737c in input_Stop (p_input=0x80d6080, b_abort=false) at input/input.c:245
#9  0x0033f9cc in LoopInput (p_playlist=0x81b04d8) at playlist/thread.c:459
#10 Thread (data=0x81b04d8) at playlist/thread.c:514
#11 0x00157d4c in start_thread () from /lib/i386-linux-gnu/libpthread.so.0
#12 0x0025fd3e in clone () from /lib/i386-linux-gnu/libc.so.6
```
Valgrind does not like DecodeVideo (video.c:590) before it dies. Messed up values being passed to avcodec_decode_video2? Either play the file a few times or open up a different file after this one in the same run to trigger the crash.
Sample is at http://w.rdtsc.net/179583test-001.mp4test99.mp4.gz
Edited by Rémi Denis-Courmont
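The report above shows the classic signature of an earlier heap overflow surfacing later in `malloc`/`free` (glibc's `invalid next size` and `invalid pointer` checks fire in unrelated cleanup code), but it does not identify which parser trusted a length from the file. The following is an added example, not VLC code, of the defensive check a container parser needs: an MP4/ISO BMFF box-header walker that treats the 32-bit size field as hostile input and refuses boxes whose declared size does not fit the data actually present. The sample bytes, the 0x7FFFFFF0 size and the function names are constructed for the illustration.

```c
/* Added example, not VLC code: the box-size field of an MP4 file is
 * untrusted input; reject it before any allocation or copy uses it. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BOX_HDR_LEN 8u   /* 32-bit big-endian size + 4-byte type */

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Walk top-level boxes, recording their types. Returns the box count,
 * or -1 at the first header that is truncated or whose size field lies
 * (smaller than its own header, or reaching past the end of the data).
 * size == 0 ("to end of file") and size == 1 (64-bit largesize) are
 * legal in ISO BMFF but left unsupported here, so they are rejected. */
int walk_boxes(const uint8_t *buf, size_t len, char types[][5], int max_types)
{
    size_t off = 0;
    int n = 0;
    while (off < len) {
        if (len - off < BOX_HDR_LEN)
            return -1;                      /* truncated header */
        uint32_t size = be32(buf + off);
        if (size < BOX_HDR_LEN || size > len - off)
            return -1;                      /* corrupt or hostile size */
        if (n < max_types) {
            memcpy(types[n], buf + off + 4, 4);
            types[n][4] = '\0';
        }
        n++;
        off += size;                        /* safe: size <= len - off */
    }
    return n;
}

/* Constructed samples: a well-formed 'ftyp' + 'free' pair, and the same
 * 'ftyp' followed by an 'mdat' claiming 0x7FFFFFF0 bytes with 8 present. */
static const uint8_t good_file[] = {
    0x00,0x00,0x00,0x10, 'f','t','y','p', 'i','s','o','m', 0x00,0x00,0x02,0x00,
    0x00,0x00,0x00,0x08, 'f','r','e','e' };
static const uint8_t bad_file[] = {
    0x00,0x00,0x00,0x10, 'f','t','y','p', 'i','s','o','m', 0x00,0x00,0x02,0x00,
    0x7F,0xFF,0xFF,0xF0, 'm','d','a','t', 0,0,0,0, 0,0,0,0 };

int check_good(void) { char t[4][5]; return walk_boxes(good_file, sizeof good_file, t, 4); }
int check_bad(void)  { char t[4][5]; return walk_boxes(bad_file,  sizeof bad_file,  t, 4); }

int main(void) { printf("good: %d boxes, bad: %d\n", check_good(), check_bad()); return 0; }
```

A parser that instead allocated or copied `size` bytes from the second sample would write past its heap chunk, and glibc would report it much later, exactly as in the backtraces above.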