Ubuntu
vlc package

vlc crashed with SIGSEGV in fast_memcpy()

Bug #324911 reported by Martin Olsson on 2009-02-03

This bug report is a duplicate of: Bug #275565: vlc crashed with SIGSEGV in LibavutilCallback(). Edit Remove

258

Affects		Status	Importance	Assigned to	Milestone
	vlc (Ubuntu)	New	Medium	Unassigned

Bug Description

Binary package hint: vlc

VLC consistently SIGSEGV's when I play this particular corrupt .mpg file.
This is most likely a security risk (might even be exploitable though the VLC plugin for Firefox).

I have attached the MPG that causes this crash. Please make sure it gets to VLC devs.

ProblemType: Crash
Architecture: amd64
DistroRelease: Ubuntu 9.04
ExecutablePath: /usr/bin/vlc
Package: vlc-nox 0.9.8a-1ubuntu1
ProcCmdline: vlc /home/username/vlc_crash.mpg
ProcEnviron:
LANG=en_US.UTF-8
SHELL=/bin/bash
Signal: 11
SourcePackage: vlc
StacktraceTop:
fast_memcpy ()
DecodeVideo ()
?? () from /usr/lib/libvlccore.so.0
?? () from /usr/lib/libvlccore.so.0
?? () from /usr/lib/libvlccore.so.0
Title: vlc crashed with SIGSEGV in fast_memcpy()
Uname: Linux 2.6.28-6-generic x86_64
UserGroups: adm admin cdrom dialout fuse lpadmin plugdev sambashare

Tags:

Revision history for this message

Martin Olsson (mnemo) wrote on 2009-02-03:

#1

corrupt mpg file that crashes VLC 0.9.8a Edit (1.0 MiB, video/mpeg)
Dependencies.txt Edit (2.6 KiB, text/plain; charset="utf-8")
Disassembly.txt Edit (941 bytes, text/plain; charset="utf-8")
ProcMaps.txt Edit (72.8 KiB, text/plain; charset="utf-8")
ProcStatus.txt Edit (771 bytes, text/plain; charset="utf-8")
Registers.txt Edit (1014 bytes, text/plain; charset="utf-8")
Stacktrace.txt Edit (584 bytes, text/plain; charset="utf-8")
ThreadStacktrace.txt Edit (7.9 KiB, text/plain; charset="utf-8")

Revision history for this message

Martin Olsson (mnemo) wrote on 2009-02-03:

#2

Repro steps:
1. download the attached MPG file
2. open it in VLC

Revision history for this message

Apport retracing service (apport) wrote on 2009-02-03: Symbolic stack trace

#3

Stacktrace.txt (retraced) Edit (1.2 KiB, text/plain)

StacktraceTop:fast_memcpy (to=0x7f140890e000,
DecodeVideo (p_dec=0x2049ea8,
DecoderDecodeVideo (p_dec=0x2049ea8,
DecoderDecode (p_dec=0x2049ea8,
DecoderThread (p_this=0x2049ea8)

Revision history for this message

Apport retracing service (apport) wrote on 2009-02-03: Symbolic threaded stack trace

#4

ThreadStacktrace.txt (retraced) Edit (18.1 KiB, text/plain)

Changed in vlc:
importance:	Undecided → Medium

Revision history for this message

Martin Olsson (mnemo) wrote on 2009-02-05:

#5

FWIW, running "vlc --codec avcodec vlc_crash.mpg" also triggers the crash.

Revision history for this message

Martin Olsson (mnemo) wrote on 2009-02-05:

#6

Running "gdb --args vlc --codec avcodec vlc_crash.mpg" gives me the same stack:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f9aea782950 (LWP 12243)]
0x00007f9b0427d8a5 in fast_memcpy () from /usr/lib/vlc/misc/libmemcpymmxext_plugin.so
(gdb) bt
#0 0x00007f9b0427d8a5 in fast_memcpy () from /usr/lib/vlc/misc/libmemcpymmxext_plugin.so
#1 0x00007f9aea78b88a in DecodeVideo () from /usr/lib/vlc/codec/libavcodec_plugin.so
#2 0x00007f9b05c120de in ?? () from /usr/lib/libvlccore.so.0
#3 0x00007f9b05c12f36 in ?? () from /usr/lib/libvlccore.so.0
#4 0x00007f9b05c13a2b in ?? () from /usr/lib/libvlccore.so.0
#5 0x00007f9b05c5c206 in ?? () from /usr/lib/libvlccore.so.0
#6 0x00007f9b059c23ba in start_thread () from /lib/libpthread.so.0
#7 0x00007f9b0572f0ad in clone () from /lib/libc.so.6
#8 0x0000000000000000 in ?? ()
(gdb) bt full
#0 0x00007f9b0427d8a5 in fast_memcpy () from /usr/lib/vlc/misc/libmemcpymmxext_plugin.so
No symbol table info available.
#1 0x00007f9aea78b88a in DecodeVideo () from /usr/lib/vlc/codec/libavcodec_plugin.so
No symbol table info available.
#2 0x00007f9b05c120de in ?? () from /usr/lib/libvlccore.so.0
No symbol table info available.
#3 0x00007f9b05c12f36 in ?? () from /usr/lib/libvlccore.so.0
No symbol table info available.
#4 0x00007f9b05c13a2b in ?? () from /usr/lib/libvlccore.so.0
No symbol table info available.
#5 0x00007f9b05c5c206 in ?? () from /usr/lib/libvlccore.so.0
No symbol table info available.
#6 0x00007f9b059c23ba in start_thread () from /lib/libpthread.so.0
No symbol table info available.
#7 0x00007f9b0572f0ad in clone () from /lib/libc.so.6
No symbol table info available.
#8 0x0000000000000000 in ?? ()
No symbol table info available.

Note: Ubuntu doesn't seem to have a libvlccore0-dbgsym package in ddebs (maybe because its multiverse? not sure)

Revision history for this message

Marc Deslauriers (mdeslaur) wrote on 2009-02-05:

#7

Thanks for reporting this bug. Have you reported it upstream?

Revision history for this message

Martin Olsson (mnemo) wrote on 2009-02-05:

#8

I mentioned it to xtophe on IRC and he said he'd try to take a look at it tonight. I did not create an upstream bug though because VLC bug tracker doesn't allow new accounts due to spam or whatever. If you are able to create an upstream bug and attach the MPG there, that would be very helpful.

Report a bug

This report contains Public Security information

Everyone can see this security related information.

Duplicate of bug #275565 Remove

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.