.mpg file that crashes VLC

Bug #307754 reported by Martin Olsson
254
Affects Status Importance Assigned to Milestone
vlc (Ubuntu)
New
Undecided
Unassigned

Bug Description

Note that there is a VLC plugin for Firefox which means that this bug could very likely be used to crash browsers (and achieve remote code execution maybe?)

Repro steps:
1. open the .mpg file that is attached to this bug using VLC
2. if VLC does not crash on startup then press play two-three times and the crash will happen

I believe this file is actually corrupt so the expected behavior is an error message saying "corrupt file" or similar. Here is what valgrind says on my pre-release jaunty box (unfortunately I was not able to get full symbols):

==6738== Thread 12:
==6738== Invalid read of size 8
==6738== at 0x50D730B: (within /usr/lib/libvlccore.so.0.0.2)
==6738== by 0x1FFEDBE2: LibavutilCallback (in /usr/lib/vlc/codec/libavcodec_plugin.so)
==6738== by 0x1B029412: av_log (in /usr/lib/libavutil.so.49.12.0)
==6738== by 0x1B452815: ff_mpeg4_decode_picture_header (in /usr/lib/libavcodec.so.52.3.0)
==6738== by 0x1B4DD99B: (within /usr/lib/libavcodec.so.52.3.0)
==6738== by 0x1B2B0630: av_parser_parse (in /usr/lib/libavcodec.so.52.3.0)
==6738== by 0x1AD61833: (within /usr/lib/libavformat.so.52.23.1)
==6738== by 0x1AD62449: av_find_stream_info (in /usr/lib/libavformat.so.52.23.1)
==6738== by 0x1AB3BE15: OpenDemux (in /usr/lib/vlc/demux/libavformat_plugin.so)
==6738== by 0x50C5A44: __module_Need (in /usr/lib/libvlccore.so.0.0.2)
==6738== by 0x5085010: (within /usr/lib/libvlccore.so.0.0.2)
==6738== by 0x508CB99: (within /usr/lib/libvlccore.so.0.0.2)
==6738== Address 0x28 is not stack'd, malloc'd or (recently) free'd
==6738==
==6738== Process terminating with default action of signal 11 (SIGSEGV)
==6738== Access not within mapped region at address 0x28
==6738== at 0x50D730B: (within /usr/lib/libvlccore.so.0.0.2)
==6738== by 0x1FFEDBE2: LibavutilCallback (in /usr/lib/vlc/codec/libavcodec_plugin.so)
==6738== by 0x1B029412: av_log (in /usr/lib/libavutil.so.49.12.0)
==6738== by 0x1B452815: ff_mpeg4_decode_picture_header (in /usr/lib/libavcodec.so.52.3.0)
==6738== by 0x1B4DD99B: (within /usr/lib/libavcodec.so.52.3.0)
==6738== by 0x1B2B0630: av_parser_parse (in /usr/lib/libavcodec.so.52.3.0)
==6738== by 0x1AD61833: (within /usr/lib/libavformat.so.52.23.1)
==6738== by 0x1AD62449: av_find_stream_info (in /usr/lib/libavformat.so.52.23.1)
==6738== by 0x1AB3BE15: OpenDemux (in /usr/lib/vlc/demux/libavformat_plugin.so)
==6738== by 0x50C5A44: __module_Need (in /usr/lib/libvlccore.so.0.0.2)
==6738== by 0x5085010: (within /usr/lib/libvlccore.so.0.0.2)
==6738== by 0x508CB99: (within /usr/lib/libvlccore.so.0.0.2)
==6738==

And where is what valgrind says on my intrepid box:
==7675== Thread 12:
==7675== Invalid read of size 4
==7675== at 0x40FE76B: (within /usr/lib/libvlccore.so.0.0.2)
==7675== Address 0x1c is not stack'd, malloc'd or (recently) free'd
==7675==
==7675== Process terminating with default action of signal 11 (SIGSEGV)
==7675== Access not within mapped region at address 0x1C
==7675== at 0x40FE76B: (within /usr/lib/libvlccore.so.0.0.2)
==7675==

Revision history for this message
Martin Olsson (mnemo) wrote :
Revision history for this message
goto (gotolaunchpad) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. This particular bug has already been reported and is a duplicate of bug 275565 so it is being marked as such. Please look at the other bug report to see if there is any missing information that you can provide, or to see if there is a workaround for the bug. Additionally, any further discussion regarding the bug should occur in the other report. Feel free to continue to report any other bugs you may find.

To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.