vlc crashed with SIGSEGV in fast_memcpy()

Bug #324911 reported by Martin Olsson on 2009-02-03
258
Affects Status Importance Assigned to Milestone
vlc (Ubuntu)
Medium
Unassigned

Bug Description

Binary package hint: vlc

VLC consistently SIGSEGV's when I play this particular corrupt .mpg file.
This is most likely a security risk (might even be exploitable though the VLC plugin for Firefox).

I have attached the MPG that causes this crash. Please make sure it gets to VLC devs.

ProblemType: Crash
Architecture: amd64
DistroRelease: Ubuntu 9.04
ExecutablePath: /usr/bin/vlc
Package: vlc-nox 0.9.8a-1ubuntu1
ProcCmdline: vlc /home/username/vlc_crash.mpg
ProcEnviron:
 LANG=en_US.UTF-8
 SHELL=/bin/bash
Signal: 11
SourcePackage: vlc
StacktraceTop:
 fast_memcpy ()
 DecodeVideo ()
 ?? () from /usr/lib/libvlccore.so.0
 ?? () from /usr/lib/libvlccore.so.0
 ?? () from /usr/lib/libvlccore.so.0
Title: vlc crashed with SIGSEGV in fast_memcpy()
Uname: Linux 2.6.28-6-generic x86_64
UserGroups: adm admin cdrom dialout fuse lpadmin plugdev sambashare

Martin Olsson (mnemo) wrote :
Martin Olsson (mnemo) wrote :

Repro steps:
1. download the attached MPG file
2. open it in VLC

StacktraceTop:fast_memcpy (to=0x7f140890e000,
DecodeVideo (p_dec=0x2049ea8,
DecoderDecodeVideo (p_dec=0x2049ea8,
DecoderDecode (p_dec=0x2049ea8,
DecoderThread (p_this=0x2049ea8)

Changed in vlc:
importance: Undecided → Medium
Martin Olsson (mnemo) wrote :

FWIW, running "vlc --codec avcodec vlc_crash.mpg" also triggers the crash.

Martin Olsson (mnemo) wrote :

Running "gdb --args vlc --codec avcodec vlc_crash.mpg" gives me the same stack:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f9aea782950 (LWP 12243)]
0x00007f9b0427d8a5 in fast_memcpy () from /usr/lib/vlc/misc/libmemcpymmxext_plugin.so
(gdb) bt
#0 0x00007f9b0427d8a5 in fast_memcpy () from /usr/lib/vlc/misc/libmemcpymmxext_plugin.so
#1 0x00007f9aea78b88a in DecodeVideo () from /usr/lib/vlc/codec/libavcodec_plugin.so
#2 0x00007f9b05c120de in ?? () from /usr/lib/libvlccore.so.0
#3 0x00007f9b05c12f36 in ?? () from /usr/lib/libvlccore.so.0
#4 0x00007f9b05c13a2b in ?? () from /usr/lib/libvlccore.so.0
#5 0x00007f9b05c5c206 in ?? () from /usr/lib/libvlccore.so.0
#6 0x00007f9b059c23ba in start_thread () from /lib/libpthread.so.0
#7 0x00007f9b0572f0ad in clone () from /lib/libc.so.6
#8 0x0000000000000000 in ?? ()
(gdb) bt full
#0 0x00007f9b0427d8a5 in fast_memcpy () from /usr/lib/vlc/misc/libmemcpymmxext_plugin.so
No symbol table info available.
#1 0x00007f9aea78b88a in DecodeVideo () from /usr/lib/vlc/codec/libavcodec_plugin.so
No symbol table info available.
#2 0x00007f9b05c120de in ?? () from /usr/lib/libvlccore.so.0
No symbol table info available.
#3 0x00007f9b05c12f36 in ?? () from /usr/lib/libvlccore.so.0
No symbol table info available.
#4 0x00007f9b05c13a2b in ?? () from /usr/lib/libvlccore.so.0
No symbol table info available.
#5 0x00007f9b05c5c206 in ?? () from /usr/lib/libvlccore.so.0
No symbol table info available.
#6 0x00007f9b059c23ba in start_thread () from /lib/libpthread.so.0
No symbol table info available.
#7 0x00007f9b0572f0ad in clone () from /lib/libc.so.6
No symbol table info available.
#8 0x0000000000000000 in ?? ()
No symbol table info available.

Note: Ubuntu doesn't seem to have a libvlccore0-dbgsym package in ddebs (maybe because its multiverse? not sure)

Marc Deslauriers (mdeslaur) wrote :

Thanks for reporting this bug. Have you reported it upstream?

Martin Olsson (mnemo) wrote :

I mentioned it to xtophe on IRC and he said he'd try to take a look at it tonight. I did not create an upstream bug though because VLC bug tracker doesn't allow new accounts due to spam or whatever. If you are able to create an upstream bug and attach the MPG there, that would be very helpful.

To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers