Mplayer SVN-r38374-13.0.1 is vulnerable to Memory Leak via vf.c and vf_vo.c.

**#2390 closed defect (fixed)**

Reported by:

Owned by:

beastd

Priority:

normal

Component:

vf

Version:

unspecified

Severity:

normal

Keywords:

Cc:

Blocked By:

Blocking:

Reproduced by developer:

no

Analyzed by developer:

no

Summary of the bug: Found a .viv file for mplayer where asan reports a memory leak.  
How to reproduce:Use the attached file to reproduce this issue (ASAN-recompilation are required)  
version: SVN-r38374-13.0.1  
kernel version:ubuntu 20.04; Linux 5.15.0-46-generic  
complier version:clang 13.0.1-2ubuntu2~20.04.1  

mplayer and ASAN output:  

Player SVN-r38374-13.0.1 (C) 2000-2022 MPlayer Team  

Playing /home/ldy/sample/useful/03-KimagureOrangeRoad.viv.  
libavformat version 58.29.100 (external)  
VIVO file format detected.  
VIDEO: \[viv2\] 320x240 24bpp 10.000 fps 0.0 kbps ( 0.0 kbyte/s)  
\[gl\] using extended formats. Use -vo gl:nomanyfmts if playback fails.  
\==========================================================================  
Requested video codec family \[vivo\] (vfm=vfw) not available.  
Enable it at compilation.  
Cannot find codec matching selected -vo and video format 0x32766976.  
\==========================================================================  
Clip info:  

> title: <No Title>  
> author: NV  
> copyright: <No Copyright>  
> encoder: VivoActive VideoNow 3.0 for Windows  

Load subtitles in /home/ldy/sample/useful/  
\==========================================================================  
Requested audio codec family \[vivoaudio\] (afm=acm) not available.  
Enable it at compilation.  
Opening audio decoder: \[ffmpeg\] FFmpeg/libavcodec audio decoders  
libavcodec version 58.54.100 (external)  
Cannot find codec 'siren' in libavcodec...  
ADecoder init failed :(  
ADecoder init failed :(  
Cannot find codec for audio format 0x112.  
Audio: no sound  
Video: no video  

Exiting... (End of file)  

\=================================================================  
\==3993864==ERROR: LeakSanitizer: detected memory leaks  

Direct leak of 576 byte(s) in 1 object(s) allocated from:  

> #0 0x55ac7b1e06dd in malloc (/home/ldy/good\_mplayer/asan\_playr/mplayer+0x33e6dd)  
> #1 0x55ac7b42992e in vf\_open\_plugin /home/ldy/good\_mplayer/mplayer/libmpcodecs/vf.c:478:8  

Indirect leak of 24 byte(s) in 1 object(s) allocated from:  

> #0 0x55ac7b1e0872 in interceptor\_calloc (/home/ldy/good\_mplayer/asan\_playr/mplayer+0x33e872)  
> #1 0x55ac7b50a2cd in vf\_open /home/ldy/good\_mplayer/mplayer/libmpcodecs/vf\_vo.c:215:14  

SUMMARY: AddressSanitizer: 600 byte(s) leaked in 2 allocation(s).

CVE-2022-38600: #2390 (memory leak in vf.c and vf_vo.c) – MPlayer

Certain The MPlayer Project products are vulnerable to Out-of-bounds Read via function read_meta_record() of mplayer/libmpdemux/asfheader.c. This affects mplayer SVN-r38374-13.0.1 and mencoder SVN-r38374-13.0.1.

**#2393 closed defect (fixed)**

Reported by:

Owned by:

beastd

Priority:

normal

Component:

undetermined

Version:

HEAD

Severity:

major

Keywords:

Cc:

Blocked By:

Blocking:

Reproduced by developer:

no

Analyzed by developer:

no

Version: SVN-r38374-13.0.1  

Build command: ../configure --disable-ffmpeg\_a && make (compiling with asan)  

Summary of the bug: A out-of-bound read is found in fucnction read\_meta\_record() which affects mplayer and mencoder. The attached file can reproduce this issue And this vulnerability can cause the crash of mplayer.  

How to reproduce:  

1.Command: ./mplayer testcase  

2.Result:  

MPlayer SVN-r38374-9 (C) 2000-2022 MPlayer Team                                                                                                                                                                                                                           
Playing libavformat version 58.29.100 (external)                                                                                             
ASF file format detected.                                                                                                            
\[asfheader\] Video stream found, -vid 1                                                                                                                                                                                                                                                                                                                                                                         
MPlayer interrupted by signal 11 in module: demux\_open                                                                               
- MPlayer crashed by bad usage of CPU/FPU/RAM.                                                                                         
Recompile MPlayer with --enable-debug and make a 'gdb' backtrace and                                                                 
disassembly. Details in DOCS/HTML/en/bugreports\_what.html#bugreports\_crash.                                                        
- MPlayer crashed. This shouldn't happen.                                                                                              
It can be a bug in the MPlayer code \_or\_ in your drivers \_or\_ in your                                                                
gcc version. If you think it's MPlayer's fault, please read                                                                          
DOCS/HTML/en/bugreports.html and follow the instructions there. We can't and                                                         
won't help unless you provide this information when reporting a possible bug.

3.After debugging with gdb, I found the crash is caused by access to a piece of unmmaped memory:  

Program received signal SIGSEGV, Segmentation fault.
read\_meta\_record (buf\_len=<synthetic pointer>, buf=0x55bc7b4c52a2 <error: Cannot access memory at address 0x55bc7b4c52a2>, dest=<synthetic pointer>) at libmpdemux/asfheader.c:242
242       dest->lang\_list\_index = AV\_RL16(buf);
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────────────────────\[ REGISTERS \]────────────────────────────────────────────────────────────
 RAX  0x9e000004
 RBX  0x55bbdd4c529e ◂— 0x1000000000001                                                                                                                                                                                                                                                                                                                                                RCX  0x1
 RDX  0x1a
 RDI  0x55bbdd4c5284 ◂— 0xfda811cf5b4df869                                                                                                                                                                                                                                                                                                                                             RSI  0x1a                                                                                                                                                                                                                                                                                                                                                                             R8   0x0
 R9   0x10                                                                                                                                                                                                                                                                                                                                                                             R10  0x0
 R11  0x1ce
 R12  0x55bc7b4c52a2
 R13  0x0
 R14  0x55bbdd4c51d0 ◂— 0x11cfa9478cabdca1
 R15  0x1e1
 RBP  0x62000103
 RSP  0x7fff0e88d9f0 —▸ 0x7fff0e88da00 ◂— 0x55bb000001ce
 RIP  0x55bbdb4dde47 (read\_asf\_header+2935) ◂— movzx  edx, word ptr \[r12 + 4\]
─────────────────────────────────────────────────────────────\[ DISASM \]──────────────────────────────────────────────────────────────
 ► 0x55bbdb4dde47 <read\_asf\_header+2935>    movzx  edx, word ptr \[r12 + 4\]
   0x55bbdb4dde4d <read\_asf\_header+2941>    movzx  r9d, word ptr \[r12\]
   0x55bbdb4dde52 <read\_asf\_header+2946>    movzx  ecx, word ptr \[r12 + 2\]
   0x55bbdb4dde58 <read\_asf\_header+2952>    mov    eax, dword ptr \[r12 + 8\]
   0x55bbdb4dde5d <read\_asf\_header+2957>    mov    esi, edx
   0x55bbdb4dde5f <read\_asf\_header+2959>    lea    rdi, \[r12 + 0xc\]
   0x55bbdb4dde64 <read\_asf\_header+2964>    sub    ebp, edx
   0x55bbdb4dde66 <read\_asf\_header+2966>    js     read\_asf\_header+3128 <read\_asf\_header+3128>
    ↓
   0x55bbdb4ddf08 <read\_asf\_header+3128>    mov    ebx, dword ptr \[rsp + 0x44\]
   0x55bbdb4ddf0c <read\_asf\_header+3132>    mov    rax, qword ptr \[rsp + 0x18\]
   0x55bbdb4ddf11 <read\_asf\_header+3137>    mov    rdi, qword ptr \[rsp + 0x20\]
──────────────────────────────────────────────────────────\[ SOURCE (CODE) \]──────────────────────────────────────────────────────────
In file: /home/jlx/good\_mplayer/mplayer/libmpdemux/asfheader.c
   237 #define CHECKDEC(l, n) if (((l) -= (n)) < 0) return 0
   238 static char\* read\_meta\_record(ASF\_meta\_record\_t\* dest, char\* buf,
   239     int\* buf\_len)
   240 {
   241   CHECKDEC(\*buf\_len, 2 + 2 + 2 + 2 + 4);
 ► 242   dest->lang\_list\_index = AV\_RL16(buf);
   243   dest->stream\_num = AV\_RL16(&buf\[2\]);
   244   dest->name\_length = AV\_RL16(&buf\[4\]);
   245   dest->data\_type = AV\_RL16(&buf\[6\]);
   246   dest->data\_length = AV\_RL32(&buf\[8\]);
   247   buf += 2 + 2 + 2 + 2 + 4;
──────────────────────────────────────────────────────────────\[ STACK \]──────────────────────────────────────────────────────────────
00:0000│ rsp  0x7fff0e88d9f0 —▸ 0x7fff0e88da00 ◂— 0x55bb000001ce
01:0008│      0x7fff0e88d9f8 ◂— 0xfb775cd5000001e1
02:0010│      0x7fff0e88da00 ◂— 0x55bb000001ce
03:0018│      0x7fff0e88da08 —▸ 0x55bbdd4c50f0 ◂— 0x11cf668e75b22630
04:0020│      0x7fff0e88da10 —▸ 0x55bbdd4c53c0 —▸ 0x55bbdd461400 ◂— 0x0
05:0028│      0x7fff0e88da18 —▸ 0x55bbdd4c37a0 —▸ 0x55bbdb712ce0 (demuxer\_desc\_asf) —▸ 0x55bbdb6b3e9e ◂— 'ASF demuxer'
06:0030│      0x7fff0e88da20 ◂— 0x1
07:0038│      0x7fff0e88da28 ◂— 0x55bb00000001
────────────────────────────────────────────────────────────\[ BACKTRACE \]────────────────────────────────────────────────────────────
 ► f 0     55bbdb4dde47 read\_asf\_header+2935
   f 1     55bbdb4dde47 read\_asf\_header+2935
   f 2     55bbdb4dde47 read\_asf\_header+2935
   f 3     55bbdb4e9059 demux\_open\_asf+57
   f 4     55bbdb4e58f3 demux\_open\_stream+931
   f 5     55bbdb4e63e1 demux\_open+753
   f 6     55bbdb414dcb main+4027
   f 7     7f15770a80b3 \_\_libc\_start\_main+243
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> p buf
$2 = 0x55bc7b4c52a2 <error: Cannot access memory at address 0x55bc7b4c52a2>

CVE-2022-38851: #2393 (Out-of-bound read in function read_meta_record() of mplayer/libmpdemux/asfheader.c) – MPlayer

Certain The MPlayer Project products are vulnerable to Divide By Zero via the function demux_avi_read_packet of libmpdemux/demux_avi.c. This affects mplyer SVN-r38374-13.0.1 and mencoder SVN-r38374-13.0.1.

**#2401 closed defect (fixed)**

Reported by:

Owned by:

beastd

Priority:

normal

Component:

undetermined

Version:

HEAD

Severity:

major

Keywords:

Cc:

Blocked By:

Blocking:

Reproduced by developer:

no

Analyzed by developer:

no

Version: SVN-r38374-13.0.1  

Build command: ../configure --disable-ffmpeg\_a && make (compiling with asan)  

Summary of the bug: An division by zero is found in fucnction play() which affects mencoder and mplayer The attached file can reproduce this issue (ASAN-recompilation is needed).  

How to reproduce:  

1.Command: ./mencoder -ovc lavc -oac lavc -o /dev/null ./testcase  

> ./mplayer ./testcase  

2.Result:  

MEncoder SVN-r38374-13.0.1 (C) 2000-2022 MPlayer Team
success: format: 0  data: 0x0 - 0x2aa8
libavformat version 58.29.100 (external)
AVI file format detected.
\[aviheader\] Video stream found, -vid 0
\[aviheader\] Audio stream found, -aid 1
AddressSanitizer:DEADLYSIGNAL
=================================================================
==32677==ERROR: AddressSanitizer: FPE on unknown address 0x563dfce77dc4 (pc 0x563dfce77dc4 bp 0x60c000000040 sp 0x7ffda83c4650 T0)
    #0 0x563dfce77dc4 in demux\_avi\_read\_packet /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:161:32

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:161:32 in demux\_avi\_read\_packet
==32677==ABORTING

MPlayer SVN-r38374-9 (C) 2000-2022 MPlayer Team

Playing /home/jlx/crashes/id^%000048,sig^%08,src^%000002,time^%8657653,execs^%414593,op^%havoc,rep^%2.
libavformat version 58.29.100 (external)
AVI file format detected.
\[aviheader\] Video stream found, -vid 0
\[aviheader\] Audio stream found, -aid 1


MPlayer interrupted by signal 8 in module: demux\_open
- MPlayer crashed by bad usage of CPU/FPU/RAM.
  Recompile MPlayer with --enable-debug and make a 'gdb' backtrace and
  disassembly. Details in DOCS/HTML/en/bugreports\_what.html#bugreports\_crash.
- MPlayer crashed. This shouldn't happen.
  It can be a bug in the MPlayer code \_or\_ in your drivers \_or\_ in your
  gcc version. If you think it's MPlayer's fault, please read
  DOCS/HTML/en/bugreports.html and follow the instructions there. We can't and
  won't help unless you provide this information when reporting a possible bug.

Program received signal SIGFPE, Arithmetic exception.
0x00005637aa590311 in demux\_avi\_read\_packet (demux=0x5637ac1247a0, ds=0x5637ac126050, id=1651978544, len=21, idxpos=<optimized out>, flags=<optimized out>) at libmpdemux/demux\_avi.c:158
158           priv->avi\_audio\_pts=0;
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────────────────────\[ REGISTERS \]────────────────────────────────────────────────────────────
 RAX  0x14
 RBX  0x16
 RCX  0x0
 RDX  0x0
 RDI  0x5637ac1247a0 —▸ 0x5637aa7a3c20 (demuxer\_desc\_avi) —▸ 0x5637aa754dbc ◂— 'AVI demuxer'
 RSI  0x0
 R8   0x1
 R9   0x1
 R10  0x0
 R11  0x5637aa592800 (demux\_open\_hack\_avi+240) ◂— mov    eax, dword ptr \[rbx + 8\]
 R12  0x5637ac1260f0 —▸ 0x5637ac122480 ◂— 0x1062773130
 R13  0x5637ac1247a0 —▸ 0x5637aa7a3c20 (demuxer\_desc\_avi) —▸ 0x5637aa754dbc ◂— 'AVI demuxer'
 R14  0x62773130
 R15  0x15
 RBP  0x5637ac126050 ◂— 0x0
 RSP  0x7ffc013e54a0 —▸ 0x5637ac126050 ◂— 0x0
 RIP  0x5637aa590311 (demux\_avi\_read\_packet+657) ◂— div    ecx
─────────────────────────────────────────────────────────────\[ DISASM \]──────────────────────────────────────────────────────────────
 ► 0x5637aa590311 <demux\_avi\_read\_packet+657>    div    ecx
    ↓
   0x5637aa590311 <demux\_avi\_read\_packet+657>    div    ecx








──────────────────────────────────────────────────────────\[ SOURCE (CODE) \]──────────────────────────────────────────────────────────
In file: /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c
   153    pts = priv->audio\_block\_no \*
   154      (float)((sh\_audio\_t\*)demux->audio->sh)->audio.dwScale /
   155      (float)((sh\_audio\_t\*)demux->audio->sh)->audio.dwRate;
   156       } else
   157           pts=priv->avi\_audio\_pts; //+priv->pts\_correction;
 ► 158       priv->avi\_audio\_pts=0;
   159       // update blockcount:
   160       priv->audio\_block\_no+=
   161  (len+priv->audio\_block\_size-1)/priv->audio\_block\_size;
   162   } else
   163   if(ds==demux->video){
──────────────────────────────────────────────────────────────\[ STACK \]──────────────────────────────────────────────────────────────
00:0000│ rsp  0x7ffc013e54a0 —▸ 0x5637ac126050 ◂— 0x0
01:0008│      0x7ffc013e54a8 ◂— 0xffffffffffffffff
02:0010│      0x7ffc013e54b0 ◂— 0x1
03:0018│      0x7ffc013e54b8 —▸ 0x5637ac122480 ◂— 0x1062773130
04:0020│      0x7ffc013e54c0 —▸ 0x5637ac1247a0 —▸ 0x5637aa7a3c20 (demuxer\_desc\_avi) —▸ 0x5637aa754dbc ◂— 'AVI demuxer'
05:0028│      0x7ffc013e54c8 ◂— 0x15
06:0030│      0x7ffc013e54d0 —▸ 0x5637ac1260f0 —▸ 0x5637ac122480 ◂— 0x1062773130
07:0038│      0x7ffc013e54d8 ◂— 0xffff00000000
────────────────────────────────────────────────────────────\[ BACKTRACE \]────────────────────────────────────────────────────────────
 ► f 0     5637aa590311 demux\_avi\_read\_packet+657
   f 1     5637aa591962 demux\_avi\_fill\_buffer+1250
   f 2     5637aa584955 ds\_fill\_buffer+341
   f 3     5637aa584955 ds\_fill\_buffer+341
   f 4     5637aa592b1e demux\_open\_hack\_avi+1038
   f 5     5637aa592b1e demux\_open\_hack\_avi+1038
   f 6     5637aa592b1e demux\_open\_hack\_avi+1038
   f 7     5637aa5858f3 demux\_open\_stream+931
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

CVE-2022-38865: #2401 (A Division by zero occurred in function demux_avi_read_packet of libmpdemux/demux_avi.c) – MPlayer

Certain The MPlayer Project products are vulnerable to Buffer Overflow via function mov_build_index() of libmpdemux/demux_mov.c. This affects mplayer SVN-r38374-13.0.1 and mencoder SVN-r38374-13.0.1.

**#2395 closed defect (fixed)**

Reported by:

Owned by:

beastd

Priority:

normal

Component:

undetermined

Version:

HEAD

Severity:

major

Keywords:

Cc:

Blocked By:

Blocking:

Reproduced by developer:

no

Analyzed by developer:

no

Version: SVN-r38374-13.0.1  

Build command: ../configure --disable-ffmpeg\_a && make (compiling with asan)  

Summary of the bug: An heap-buffer-overflow is found in fucnction mov\_build\_index () which affects mplayer and mencoder. The attached file can reproduce this issue (ASAN-recompilation is needed).  

How to reproduce:  

1.Command: ./mplayer testcase  

2.Result:  

MPlayer SVN-r38374-13.0.1 (C) 2000-2022 MPlayer Team

Playing 
libavformat version 58.29.100 (external)
libavformat file format detected.
\[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f665a275600\]Version 22 is not implemented. Update your FFmpeg version to the newest one from Git. If the problem still occurs, it means that your file has a feature which has not been implemented.                                                                                                                                                    \[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f665a275600\]If you want to help, upload a sample of this file to ftp://upload.ffmpeg.org/incoming/ and contact the ffmpeg-devel mailing list. (ffmpeg-devel@ffmpeg.org)                                                                                                                                                                                 \[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f665a275600\]error reading header
LAVF\_header: av\_open\_input\_stream() failed
ISO: File Type Major Brand: Original QuickTime
Quicktime/MOV file format detected.
\[mov\] Video stream found, -vid 0
Warning! pts=-285211648  length=2048
MOV: durmap and chunkmap sample count differ (1 vs 2)
=================================================================
==24664==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000014580 at pc 0x563d661312e5 bp 0x7ffecfcd0050 sp 0x7ffecfcd0048
READ of size 4 at 0x603000014580 thread T0
    #0 0x563d661312e4 in mov\_build\_index /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:302:110
    #1 0x563d661312e4 in lschunks /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1333:6
    #2 0x563d6611c88c in mov\_read\_header /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1961:5

0x603000014580 is located 0 bytes to the right of 32-byte region \[0x603000014560,0x603000014580)
allocated by thread T0 here:
    #0 0x563d65d5a362 in \_\_interceptor\_calloc (/home/jlx/good\_mplayer/asan\_mplayer/mplayer+0x343362)
    #1 0x563d661263f0 in lschunks\_intrak /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1820:25
    #2 0x563d661263f0 in lschunks /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1305:8
    #3 0x563d66123576 in lschunks\_intrak /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c
    #4 0x563d66123576 in lschunks /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1305:8
    #5 0x563d66123576 in lschunks\_intrak /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c
    #6 0x563d66123576 in lschunks /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1305:8
    #7 0x563d66123576 in lschunks\_intrak /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c
    #8 0x563d66123576 in lschunks /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1305:8
    #9 0x563d66124068 in lschunks /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1332:6
    #10 0x563d6611c88c in mov\_read\_header /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1961:5
                                                                                                                                                                                                                                                                                                                                                                                      SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:302:110 in mov\_build\_index                                                                                                                                                                                                                                                      Shadow bytes around the buggy address:
  0x0c067fffa860: 00 fa fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x0c067fffa870: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c067fffa880: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
  0x0c067fffa890: fd fd fa fa fd fd fd fd fa fa 00 00 00 04 fa fa
  0x0c067fffa8a0: 00 00 00 fa fa fa 00 00 00 04 fa fa 00 00 00 00
=>0x0c067fffa8b0:\[fa\]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffa8c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffa8d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffa8e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffa8f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffa900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==24664==ABORTING

CVE-2022-38856: #2395 (A heap-buffer-overflow occurred in function mov_build_index() of libmpdemux/demux_mov.c) – MPlayer

Certain The MPlayer Project products are vulnerable to Buffer Overflow via read_avi_header() of libmpdemux/aviheader.c . This affects mplayer SVN-r38374-13.0.1 and mencoder SVN-r38374-13.0.1.

**#2403 closed defect (fixed)**

Reported by:

Owned by:

beastd

Priority:

normal

Component:

undetermined

Version:

HEAD

Severity:

major

Keywords:

Cc:

Blocked By:

Blocking:

Reproduced by developer:

no

Analyzed by developer:

no

Version: SVN-r38374-13.0.1  

Build command: ../configure --disable-ffmpeg\_a && make (compiling with asan)  

Summary of the bug: An heap-buffer-overflow is found in fucnction read\_avi\_header () which affects mencoder and mplayer The attached file can reproduce this issue (ASAN-recompilation is needed).  

How to reproduce:  

1.Command: ./mencoder -ovc lavc -oac lavc -o /dev/null ./testcase  

> ./mplayer ./testcase  

2.Result:  

MPlayer SVN-r38374-9 (C) 2000-2022 MPlayer Team

Playing /home/jlx/crashes/id^%000059,sig^%06,src^%001757,time^%15822098,execs^%776566,op^%havoc,rep^%2.
libavformat version 58.29.100 (external)
AVI file format detected.
\[aviheader\] Video stream found, -vid 0
\[aviheader\] Audio stream found, -aid 1


MPlayer interrupted by signal 11 in module: demux\_open
- MPlayer crashed by bad usage of CPU/FPU/RAM.
  Recompile MPlayer with --enable-debug and make a 'gdb' backtrace and
  disassembly. Details in DOCS/HTML/en/bugreports\_what.html#bugreports\_crash.
- MPlayer crashed. This shouldn't happen.
  It can be a bug in the MPlayer code \_or\_ in your drivers \_or\_ in your
  gcc version. If you think it's MPlayer's fault, please read
  DOCS/HTML/en/bugreports.html and follow the instructions there. We can't and
  won't help unless you provide this information when reporting a possible bug.

MPlayer SVN-r38374-13.0.1 (C) 2000-2022 MPlayer Team

Playing /home/jlx/crashes/id^%000059,sig^%06,src^%001757,time^%15822098,execs^%776566,op^%havoc,rep^%2.
libavformat version 58.29.100 (external)
AVI file format detected.
\[aviheader\] Video stream found, -vid 0
=================================================================
==7938==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000002db0 at pc 0x55c64191557c bp 0x7ffcdbc68090 sp 0x7ffcdbc68088
READ of size 4 at 0x602000002db0 thread T0
    #0 0x55c64191557b in read\_avi\_header /home/jlx/good\_mplayer/mplayer/libmpdemux/aviheader.c:364:12
    #1 0x55c641948cbe in demux\_open\_avi /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:464:3
    #2 0x55c641948cbe in demux\_open\_hack\_avi /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:885:14
    #3 0x55c641921f37 in demux\_open /home/jlx/good\_mplayer/mplayer/libmpdemux/demuxer.c:1294:10
    #4 0x55c6416232ed in main /home/jlx/good\_mplayer/mplayer/mplayer.c:3383:22
    #5 0x7fa5a6c780b2 in \_\_libc\_start\_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

0x602000002db0 is located 31 bytes to the right of 1-byte region \[0x602000002d90,0x602000002d91)
allocated by thread T0 here:
    #0 0x55c6415c81cd in malloc (/home/jlx/good\_mplayer/asan\_mplayer/mplayer+0x3431cd)
    #1 0x55c64190a934 in read\_avi\_header /home/jlx/good\_mplayer/mplayer/libmpdemux/aviheader.c:358:26
    #2 0x55c641948cbe in demux\_open\_avi /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:464:3
    #3 0x55c641948cbe in demux\_open\_hack\_avi /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:885:14
    #4 0x55c641921f37 in demux\_open /home/jlx/good\_mplayer/mplayer/libmpdemux/demuxer.c:1294:10
    #5 0x55c6416232ed in main /home/jlx/good\_mplayer/mplayer/mplayer.c:3383:22
    #6 0x7fa5a6c780b2 in \_\_libc\_start\_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jlx/good\_mplayer/mplayer/libmpdemux/aviheader.c:364:12 in read\_avi\_header
Shadow bytes around the buggy address:
  0x0c047fff8560: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8570: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8580: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8590: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff85a0: fa fa 00 00 fa fa 00 00 fa fa 06 fa fa fa fd fd
=>0x0c047fff85b0: fa fa 01 fa fa fa\[fa\]fa fa fa fa fa fa fa fa fa
  0x0c047fff85c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff85d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff85e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff85f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==7938==ABORTING

MEncoder SVN-r38374-13.0.1 (C) 2000-2022 MPlayer Team
success: format: 0  data: 0x0 - 0x2aa3
libavformat version 58.29.100 (external)
AVI file format detected.
\[aviheader\] Video stream found, -vid 0
=================================================================
==6848==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000004370 at pc 0x55e9886b95dc bp 0x7fffc79a7df0 sp 0x7fffc79a7de8
READ of size 4 at 0x602000004370 thread T0
    #0 0x55e9886b95db in read\_avi\_header /home/jlx/good\_mplayer/mplayer/libmpdemux/aviheader.c:364:12
    #1 0x55e9886ecd1e in demux\_open\_avi /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:464:3
    #2 0x55e9886ecd1e in demux\_open\_hack\_avi /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:885:14
    #3 0x55e9886c5f97 in demux\_open /home/jlx/good\_mplayer/mplayer/libmpdemux/demuxer.c:1294:10
    #4 0x55e9884711f3 in main /home/jlx/good\_mplayer/mplayer/mencoder.c:707:11
    #5 0x7f4b98de10b2 in \_\_libc\_start\_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

0x602000004370 is located 31 bytes to the right of 1-byte region \[0x602000004350,0x602000004351)
allocated by thread T0 here:
    #0 0x55e98843e43d in malloc (/home/jlx/good\_mplayer/asan\_mplayer/mencoder+0x1a643d)
    #1 0x55e9886ae994 in read\_avi\_header /home/jlx/good\_mplayer/mplayer/libmpdemux/aviheader.c:358:26
    #2 0x55e9886ecd1e in demux\_open\_avi /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:464:3
    #3 0x55e9886ecd1e in demux\_open\_hack\_avi /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:885:14
    #4 0x55e9886c5f97 in demux\_open /home/jlx/good\_mplayer/mplayer/libmpdemux/demuxer.c:1294:10
    #5 0x55e9884711f3 in main /home/jlx/good\_mplayer/mplayer/mencoder.c:707:11
    #6 0x7f4b98de10b2 in \_\_libc\_start\_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jlx/good\_mplayer/mplayer/libmpdemux/aviheader.c:364:12 in read\_avi\_header
Shadow bytes around the buggy address:
  0x0c047fff8810: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8820: fa fa 06 fa fa fa 06 fa fa fa 04 fa fa fa 04 fa
  0x0c047fff8830: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8840: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8850: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
=>0x0c047fff8860: fa fa 00 00 fa fa fd fd fa fa 01 fa fa fa\[fa\]fa
  0x0c047fff8870: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8890: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff88a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff88b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==6848==ABORTING

CVE-2022-38866: #2403 (A heap-buffer-overflow occurred in function read_avi_header() of libmpdemux/aviheader.c) – MPlayer

Certain The MPlayer Project products are vulnerable to Buffer Overflow via the function mp_unescape03() of libmpdemux/mpeg_hdr.c. This affects mencoder SVN-r38374-13.0.1 and mplayer SVN-r38374-13.0.1.

**#2406 closed defect (fixed)**

Reported by:

Owned by:

beastd

Priority:

normal

Component:

undetermined

Version:

HEAD

Severity:

major

Keywords:

Cc:

Blocked By:

Blocking:

Reproduced by developer:

no

Analyzed by developer:

no

Version: SVN-r38374-13.0.1  

Build command: ../configure --disable-ffmpeg\_a && make (compiling with asan)  

Summary of the bug: An heap-buffer-overflow is found in fucnction in mp\_unescape03() which affects mencoder and mplayer. The attached file can reproduce this issue (ASAN-recompilation is needed).  

How to reproduce:  

1.Command: ./mencoder -ovc lavc -oac lavc -o /dev/null ./testcase  

> ./mplayer ./testcase  

2.Result:  

MPlayer SVN-r38374-13.0.1 (C) 2000-2022 MPlayer Team

Playing /home/jlx/crashes/id^%000298,sig^%06,src^%003761,time^%206364090,execs^%10623748,op^%havoc,rep^%8.
libavformat version 58.29.100 (external)
MPEG-PS file format detected.
MPEG: No audio stream found -> no sound.
=================================================================
==22224==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000002d91 at pc 0x555555d38dcd bp 0x7fffffffc4a0 sp 0x7fffffffc498                                                                                                                                                                               WRITE of size 1 at 0x602000002d91 thread T0
    #0 0x555555d38dcc in mp\_unescape03 /home/jlx/good\_mplayer/mplayer/libmpdemux/mpeg\_hdr.c:394:13
    #1 0x555555d38dcc in h264\_parse\_sps /home/jlx/good\_mplayer/mplayer/libmpdemux/mpeg\_hdr.c:406:9

0x602000002d91 is located 0 bytes to the right of 1-byte region \[0x602000002d90,0x602000002d91)                                                                                                                                                                                                                         allocated by thread T0 here:
    #0 0x5555558971cd in malloc (/home/jlx/good\_mplayer/asan\_mplayer/mplayer+0x3431cd)
    #1 0x555555d34e40 in h264\_parse\_sps /home/jlx/good\_mplayer/mplayer/libmpdemux/mpeg\_hdr.c:404:18                                                                                                                                                                                                                     
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jlx/good\_mplayer/mplayer/libmpdemux/mpeg\_hdr.c:394:13 in mp\_unescape03                                                                                                                                                                                            Shadow bytes around the buggy address:
  0x0c047fff8560: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8570: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8580: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8590: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff85a0: fa fa 00 00 fa fa 00 00 fa fa 06 fa fa fa fd fd
=>0x0c047fff85b0: fa fa\[01\]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff85c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff85d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff85e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff85f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==22224==ABORTING

CVE-2022-38864: #2406 (A heap-buffer-overflow occurred in function mp_unescape03() of libmpdemux/mpeg_hdr.c) – MPlayer

Certain The MPlayer Project products are vulnerable to Buffer Overflow via function asf_init_audio_stream() of libmpdemux/asfheader.c. This affects mplayer SVN-r38374-13.0.1 and mencoder SVN-r38374-13.0.1.

**#2398 closed defect (fixed)**

Reported by:

Owned by:

beastd

Priority:

normal

Component:

undetermined

Version:

HEAD

Severity:

major

Keywords:

Cc:

Blocked By:

Blocking:

Reproduced by developer:

no

Analyzed by developer:

no

Version: SVN-r38374-13.0.1  

Build command: ../configure --disable-ffmpeg\_a && make (compiling with asan)  

Summary of the bug: An heap-buffer-overflow is found in fucnction asf\_init\_audio\_stream() which affects mplayer and mencoder. The attached file can reproduce this issue (ASAN-recompilation is needed).  

How to reproduce:  

1.Command: ./mplayer testcase  

2.Result:  

MPlayer SVN-r38374-13.0.1 (C) 2000-2022 MPlayer Team

Playing 
libavformat version 58.29.100 (external)
ASF file format detected.
\[asfheader\] Audio stream found, -aid 21
=================================================================
==6235==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x615000000261 at pc 0x559f0c51f2c2 bp 0x7ffcb2476300 sp 0x7ffcb24762f8
READ of size 1 at 0x615000000261 thread T0
    #0 0x559f0c51f2c1 in asf\_init\_audio\_stream /home/jlx/good\_mplayer/mplayer/libmpdemux/asfheader.c:359:24

0x615000000261 is located 0 bytes to the right of 481-byte region \[0x615000000080,0x615000000261)
allocated by thread T0 here:
    #0 0x559f0c1e01cd in malloc (/home/jlx/good\_mplayer/asan\_mplayer/mplayer+0x3431cd)
    #1 0x559f0c51a6e0 in read\_asf\_header /home/jlx/good\_mplayer/mplayer/libmpdemux/asfheader.c:406:9
    #2 0x559f0c549e53 in demux\_open\_asf /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_asf.c:629:10

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jlx/good\_mplayer/mplayer/libmpdemux/asfheader.c:359:24 in asf\_init\_audio\_stream
Shadow bytes around the buggy address:
  0x0c2a7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff8000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff8020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2a7fff8040: 00 00 00 00 00 00 00 00 00 00 00 00\[01\]fa fa fa
  0x0c2a7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==6235==ABORTING

CVE-2022-38853: #2398 (A heap-buffer-overflow occurred in function asf_init_audio_stream() of libmpdemux/asfheader.c) – MPlayer

Certain The MPlayer Project products are vulnerable to Buffer Overflow via function mp_getbits() of libmpdemux/mpeg_hdr.c which affects mencoder and mplayer. This affects mecoder SVN-r38374-13.0.1 and mplayer SVN-r38374-13.0.1.

**#2405 closed defect (fixed)**

Reported by:

Owned by:

beastd

Priority:

normal

Component:

undetermined

Version:

HEAD

Severity:

major

Keywords:

Cc:

Blocked By:

Blocking:

Reproduced by developer:

no

Analyzed by developer:

no

Version: SVN-r38374-13.0.1  

Build command: ../configure --disable-ffmpeg\_a && make (compiling with asan)  

Summary of the bug: An heap-buffer-overflow is found in fucnction mp\_getbits() which affects mencoder and mplayer. The attached file can reproduce this issue (ASAN-recompilation is needed).  

How to reproduce:  

1.Command: ./mencoder -ovc lavc -oac lavc -o /dev/null ./testcase  

> ./mplayer ./testcase  

2.Result:  

MPlayer SVN-r38374-13.0.1 (C) 2000-2022 MPlayer Team

Playing /home/jlx/crashes/id^%000297,sig^%06,src^%003761,time^%206342676,execs^%10621452,op^%havoc,rep^%8.
libavformat version 58.29.100 (external)
MPEG-PS file format detected.
MPEG: No audio stream found -> no sound.
=================================================================
==1487==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000002d98 at pc 0x555555d3906e bp 0x7fffffffc4a0 sp 0x7fffffffc498
READ of size 1 at 0x602000002d98 thread T0
    #0 0x555555d3906d in mp\_getbits /home/jlx/good\_mplayer/mplayer/libmpdemux/mpeg\_hdr.c:174:12
    #1 0x555555d3906d in read\_golomb /home/jlx/good\_mplayer/mplayer/libmpdemux/mpeg\_hdr.c:296:10
    #2 0x555555d3906d in read\_golomb\_s /home/jlx/good\_mplayer/mplayer/libmpdemux/mpeg\_hdr.c:314:20
    #3 0x555555d3906d in h264\_parse\_sps /home/jlx/good\_mplayer/mplayer/libmpdemux/mpeg\_hdr.c:424:22

0x602000002d98 is located 0 bytes to the right of 8-byte region \[0x602000002d90,0x602000002d98)
allocated by thread T0 here:
    #0 0x5555558971cd in malloc (/home/jlx/good\_mplayer/asan\_mplayer/mplayer+0x3431cd)
    #1 0x555555d34e40 in h264\_parse\_sps /home/jlx/good\_mplayer/mplayer/libmpdemux/mpeg\_hdr.c:404:18

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jlx/good\_mplayer/mplayer/libmpdemux/mpeg\_hdr.c:174:12 in mp\_getbits
Shadow bytes around the buggy address:
  0x0c047fff8560: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8570: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8580: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8590: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff85a0: fa fa 00 00 fa fa 00 00 fa fa 06 fa fa fa fd fd
=>0x0c047fff85b0: fa fa 00\[fa\]fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff85c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff85d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff85e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff85f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1487==ABORTING

CVE-2022-38863: #2405 (A heap-buffer-overflow occurred in function mp_getbits() of libmpdemux/mpeg_hdr.c) – MPlayer

Certain The MPlayer Project products are vulnerable to Buffer Overflow via function gen_sh_video () of mplayer/libmpdemux/demux_mov.c. This affects mplayer SVN-r38374-13.0.1 and mencoder SVN-r38374-13.0.1.

Version: SVN-r38374-13.0.1  

Build command: ../configure --disable-ffmpeg\_a && make (compiling with asan)  

Summary of the bug: A heap-buffer-overflow read is found in fucnction gen\_sh\_video() which affects mplayer and mencoder. The attached file can reproduce this issue (ASAN-recompilation is needed) And this vulnerability can cause the crash of mplayer.  

How to reproduce:  

Command: ./mplayer testcase  

Result:  

MPlayer SVN-r38374-13.0.1 (C) 2000-2022 MPlayer Team

Playing /home/jlx/crashes/testcase\_2.
libavformat version 58.29.100 (external)
libavformat file format detected.
\[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7fa0616d6600\]STSC entry 2 is invalid (first=4 count=14 id=1)
\[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7fa0616d6600\]STSC entry 1 is invalid (first=918905090 count=15 id=1)
\[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7fa0616d6600\]STSC entry 0 is invalid (first=1 count=109 id=-894264234)
\[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7fa0616d6600\]Invalid sample size -16777051
\[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7fa0616d6600\]error reading header
LAVF\_header: av\_open\_input\_stream() failed
Quicktime/MOV file format detected.
MOV: durmap and chunkmap sample count differ (90 vs 654)
MOV: durmap or chunkmap bigger than sample count (654 vs 90)
\[mov\] Video stream found, -vid 0
=================================================================
==12558==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60d00000fbf3 at pc 0x557c16d634c3 bp 0x7fffa25ba210 sp 0x7fffa25ba208
READ of size 1 at 0x60d00000fbf3 thread T0
    #0 0x557c16d634c2 in gen\_sh\_video /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1103:86
    #1 0x557c16d634c2 in lschunks /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1344:3
    #2 0x557c16d4e88c in mov\_read\_header /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1961:5

Address 0x60d00000fbf3 is a wild pointer inside of access range of size 0x000000000001.
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1103:86 in gen\_sh\_video
Shadow bytes around the buggy address:
  0x0c1a7fff9f20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff9f30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff9f40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff9f50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff9f60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c1a7fff9f70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa\[fa\]fa
  0x0c1a7fff9f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff9f90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff9fa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff9fb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff9fc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==12558==ABORTING

Crash result:  

MPlayer SVN-r38374-9 (C) 2000-2022 MPlayer Team

Playing /home/jlx/crashes/id^%000002,sig^%06,src^%000761,time^%3561338,execs^%127552,op^%havoc,rep^%4.
libavformat version 58.29.100 (external)
libavformat file format detected.
\[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7fe319f34600\]STSC entry 2 is invalid (first=4 count=14 id=1)
\[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7fe319f34600\]STSC entry 1 is invalid (first=918905090 count=15 id=1)
\[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7fe319f34600\]STSC entry 0 is invalid (first=1 count=109 id=-894264234)
\[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7fe319f34600\]Invalid sample size -16777051
\[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7fe319f34600\]error reading header
LAVF\_header: av\_open\_input\_stream() failed
Quicktime/MOV file format detected.
MOV: durmap and chunkmap sample count differ (90 vs 654)
MOV: durmap or chunkmap bigger than sample count (654 vs 90)
\[mov\] Video stream found, -vid 0


MPlayer interrupted by signal 11 in module: demux\_open
- MPlayer crashed by bad usage of CPU/FPU/RAM.
  Recompile MPlayer with --enable-debug and make a 'gdb' backtrace and
  disassembly. Details in DOCS/HTML/en/bugreports\_what.html#bugreports\_crash.
- MPlayer crashed. This shouldn't happen.
  It can be a bug in the MPlayer code \_or\_ in your drivers \_or\_ in your
  gcc version. If you think it's MPlayer's fault, please read
  DOCS/HTML/en/bugreports.html and follow the instructions there. We can't and
  won't help unless you provide this information when reporting a possible bug.

CVE-2022-38855: #2392 (A heap-buffer-overflow occurred in function gen_sh_video () of mplayer/libmpdemux/demux_mov.c) – MPlayer

**#2396 closed defect (fixed)**

Reported by:

Owned by:

beastd

Priority:

normal

Component:

undetermined

Version:

HEAD

Severity:

major

Keywords:

Cc:

Blocked By:

Blocking:

Reproduced by developer:

no

Analyzed by developer:

no

Version: SVN-r38374-13.0.1  

Build command: ../configure --disable-ffmpeg\_a && make (compiling with asan)  

Summary of the bug: An heap-buffer-overflow is found in fucnction mov\_build\_index () which affects mplayer and mencoder. The attached file can reproduce this issue (ASAN-recompilation is needed).  

How to reproduce:  

1.Command: ./mplayer testcase  

2.Result:  

MPlayer SVN-r38374-13.0.1 (C) 2000-2022 MPlayer Team

Playing 
libavformat version 58.29.100 (external)
libavformat file format detected.
\[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f665a275600\]Version 22 is not implemented. Update your FFmpeg version to the newest one from Git. If the problem still occurs, it means that your file has a feature which has not been implemented.                                                                                                                                                    \[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f665a275600\]If you want to help, upload a sample of this file to ftp://upload.ffmpeg.org/incoming/ and contact the ffmpeg-devel mailing list. (ffmpeg-devel@ffmpeg.org)                                                                                                                                                                                 \[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f665a275600\]error reading header
LAVF\_header: av\_open\_input\_stream() failed
ISO: File Type Major Brand: Original QuickTime
Quicktime/MOV file format detected.
\[mov\] Video stream found, -vid 0
Warning! pts=-285211648  length=2048
MOV: durmap and chunkmap sample count differ (1 vs 2)
=================================================================
==24664==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000014580 at pc 0x563d661312e5 bp 0x7ffecfcd0050 sp 0x7ffecfcd0048
READ of size 4 at 0x603000014580 thread T0
    #0 0x563d661312e4 in mov\_build\_index /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:302:110
    #1 0x563d661312e4 in lschunks /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1333:6
    #2 0x563d6611c88c in mov\_read\_header /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1961:5

0x603000014580 is located 0 bytes to the right of 32-byte region \[0x603000014560,0x603000014580)
allocated by thread T0 here:
    #0 0x563d65d5a362 in \_\_interceptor\_calloc (/home/jlx/good\_mplayer/asan\_mplayer/mplayer+0x343362)
    #1 0x563d661263f0 in lschunks\_intrak /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1820:25
    #2 0x563d661263f0 in lschunks /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1305:8
    #3 0x563d66123576 in lschunks\_intrak /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c
    #4 0x563d66123576 in lschunks /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1305:8
    #5 0x563d66123576 in lschunks\_intrak /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c
    #6 0x563d66123576 in lschunks /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1305:8
    #7 0x563d66123576 in lschunks\_intrak /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c
    #8 0x563d66123576 in lschunks /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1305:8
    #9 0x563d66124068 in lschunks /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1332:6
    #10 0x563d6611c88c in mov\_read\_header /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1961:5
                                                                                                                                                                                                                                                                                                                                                                                      SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:302:110 in mov\_build\_index                                                                                                                                                                                                                                                      Shadow bytes around the buggy address:
  0x0c067fffa860: 00 fa fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x0c067fffa870: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c067fffa880: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
  0x0c067fffa890: fd fd fa fa fd fd fd fd fa fa 00 00 00 04 fa fa
  0x0c067fffa8a0: 00 00 00 fa fa fa 00 00 00 04 fa fa 00 00 00 00
=>0x0c067fffa8b0:\[fa\]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffa8c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffa8d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffa8e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffa8f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffa900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==24664==ABORTING

Tag

#ibm