Certain The MPlayer Project products are vulnerable to Divide By Zero via the function demux_avi_read_packet of libmpdemux/demux_avi.c. This affects mplyer SVN-r38374-13.0.1 and mencoder SVN-r38374-13.0.1.

**#2401 closed defect (fixed)**

Reported by:

Owned by:

beastd

Priority:

normal

Component:

undetermined

Version:

HEAD

Severity:

major

Keywords:

Cc:

Blocked By:

Blocking:

Reproduced by developer:

no

Analyzed by developer:

no

Version: SVN-r38374-13.0.1  

Build command: ../configure --disable-ffmpeg\_a && make (compiling with asan)  

Summary of the bug: An division by zero is found in fucnction play() which affects mencoder and mplayer The attached file can reproduce this issue (ASAN-recompilation is needed).  

How to reproduce:  

1.Command: ./mencoder -ovc lavc -oac lavc -o /dev/null ./testcase  

> ./mplayer ./testcase  

2.Result:  

MEncoder SVN-r38374-13.0.1 (C) 2000-2022 MPlayer Team
success: format: 0  data: 0x0 - 0x2aa8
libavformat version 58.29.100 (external)
AVI file format detected.
\[aviheader\] Video stream found, -vid 0
\[aviheader\] Audio stream found, -aid 1
AddressSanitizer:DEADLYSIGNAL
=================================================================
==32677==ERROR: AddressSanitizer: FPE on unknown address 0x563dfce77dc4 (pc 0x563dfce77dc4 bp 0x60c000000040 sp 0x7ffda83c4650 T0)
    #0 0x563dfce77dc4 in demux\_avi\_read\_packet /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:161:32

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:161:32 in demux\_avi\_read\_packet
==32677==ABORTING

MPlayer SVN-r38374-9 (C) 2000-2022 MPlayer Team

Playing /home/jlx/crashes/id^%000048,sig^%08,src^%000002,time^%8657653,execs^%414593,op^%havoc,rep^%2.
libavformat version 58.29.100 (external)
AVI file format detected.
\[aviheader\] Video stream found, -vid 0
\[aviheader\] Audio stream found, -aid 1


MPlayer interrupted by signal 8 in module: demux\_open
- MPlayer crashed by bad usage of CPU/FPU/RAM.
  Recompile MPlayer with --enable-debug and make a 'gdb' backtrace and
  disassembly. Details in DOCS/HTML/en/bugreports\_what.html#bugreports\_crash.
- MPlayer crashed. This shouldn't happen.
  It can be a bug in the MPlayer code \_or\_ in your drivers \_or\_ in your
  gcc version. If you think it's MPlayer's fault, please read
  DOCS/HTML/en/bugreports.html and follow the instructions there. We can't and
  won't help unless you provide this information when reporting a possible bug.

Program received signal SIGFPE, Arithmetic exception.
0x00005637aa590311 in demux\_avi\_read\_packet (demux=0x5637ac1247a0, ds=0x5637ac126050, id=1651978544, len=21, idxpos=<optimized out>, flags=<optimized out>) at libmpdemux/demux\_avi.c:158
158           priv->avi\_audio\_pts=0;
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────────────────────\[ REGISTERS \]────────────────────────────────────────────────────────────
 RAX  0x14
 RBX  0x16
 RCX  0x0
 RDX  0x0
 RDI  0x5637ac1247a0 —▸ 0x5637aa7a3c20 (demuxer\_desc\_avi) —▸ 0x5637aa754dbc ◂— 'AVI demuxer'
 RSI  0x0
 R8   0x1
 R9   0x1
 R10  0x0
 R11  0x5637aa592800 (demux\_open\_hack\_avi+240) ◂— mov    eax, dword ptr \[rbx + 8\]
 R12  0x5637ac1260f0 —▸ 0x5637ac122480 ◂— 0x1062773130
 R13  0x5637ac1247a0 —▸ 0x5637aa7a3c20 (demuxer\_desc\_avi) —▸ 0x5637aa754dbc ◂— 'AVI demuxer'
 R14  0x62773130
 R15  0x15
 RBP  0x5637ac126050 ◂— 0x0
 RSP  0x7ffc013e54a0 —▸ 0x5637ac126050 ◂— 0x0
 RIP  0x5637aa590311 (demux\_avi\_read\_packet+657) ◂— div    ecx
─────────────────────────────────────────────────────────────\[ DISASM \]──────────────────────────────────────────────────────────────
 ► 0x5637aa590311 <demux\_avi\_read\_packet+657>    div    ecx
    ↓
   0x5637aa590311 <demux\_avi\_read\_packet+657>    div    ecx








──────────────────────────────────────────────────────────\[ SOURCE (CODE) \]──────────────────────────────────────────────────────────
In file: /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c
   153    pts = priv->audio\_block\_no \*
   154      (float)((sh\_audio\_t\*)demux->audio->sh)->audio.dwScale /
   155      (float)((sh\_audio\_t\*)demux->audio->sh)->audio.dwRate;
   156       } else
   157           pts=priv->avi\_audio\_pts; //+priv->pts\_correction;
 ► 158       priv->avi\_audio\_pts=0;
   159       // update blockcount:
   160       priv->audio\_block\_no+=
   161  (len+priv->audio\_block\_size-1)/priv->audio\_block\_size;
   162   } else
   163   if(ds==demux->video){
──────────────────────────────────────────────────────────────\[ STACK \]──────────────────────────────────────────────────────────────
00:0000│ rsp  0x7ffc013e54a0 —▸ 0x5637ac126050 ◂— 0x0
01:0008│      0x7ffc013e54a8 ◂— 0xffffffffffffffff
02:0010│      0x7ffc013e54b0 ◂— 0x1
03:0018│      0x7ffc013e54b8 —▸ 0x5637ac122480 ◂— 0x1062773130
04:0020│      0x7ffc013e54c0 —▸ 0x5637ac1247a0 —▸ 0x5637aa7a3c20 (demuxer\_desc\_avi) —▸ 0x5637aa754dbc ◂— 'AVI demuxer'
05:0028│      0x7ffc013e54c8 ◂— 0x15
06:0030│      0x7ffc013e54d0 —▸ 0x5637ac1260f0 —▸ 0x5637ac122480 ◂— 0x1062773130
07:0038│      0x7ffc013e54d8 ◂— 0xffff00000000
────────────────────────────────────────────────────────────\[ BACKTRACE \]────────────────────────────────────────────────────────────
 ► f 0     5637aa590311 demux\_avi\_read\_packet+657
   f 1     5637aa591962 demux\_avi\_fill\_buffer+1250
   f 2     5637aa584955 ds\_fill\_buffer+341
   f 3     5637aa584955 ds\_fill\_buffer+341
   f 4     5637aa592b1e demux\_open\_hack\_avi+1038
   f 5     5637aa592b1e demux\_open\_hack\_avi+1038
   f 6     5637aa592b1e demux\_open\_hack\_avi+1038
   f 7     5637aa5858f3 demux\_open\_stream+931
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

CVE-2022-38865: #2401 (A Division by zero occurred in function demux_avi_read_packet of libmpdemux/demux_avi.c) – MPlayer

Certain The MPlayer Project products are vulnerable to Buffer Overflow via function mov_build_index() of libmpdemux/demux_mov.c. This affects mplayer SVN-r38374-13.0.1 and mencoder SVN-r38374-13.0.1.

**#2395 closed defect (fixed)**

Reported by:

Owned by:

beastd

Priority:

normal

Component:

undetermined

Version:

HEAD

Severity:

major

Keywords:

Cc:

Blocked By:

Blocking:

Reproduced by developer:

no

Analyzed by developer:

no

Version: SVN-r38374-13.0.1  

Build command: ../configure --disable-ffmpeg\_a && make (compiling with asan)  

Summary of the bug: An heap-buffer-overflow is found in fucnction mov\_build\_index () which affects mplayer and mencoder. The attached file can reproduce this issue (ASAN-recompilation is needed).  

How to reproduce:  

1.Command: ./mplayer testcase  

2.Result:  

MPlayer SVN-r38374-13.0.1 (C) 2000-2022 MPlayer Team

Playing 
libavformat version 58.29.100 (external)
libavformat file format detected.
\[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f665a275600\]Version 22 is not implemented. Update your FFmpeg version to the newest one from Git. If the problem still occurs, it means that your file has a feature which has not been implemented.                                                                                                                                                    \[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f665a275600\]If you want to help, upload a sample of this file to ftp://upload.ffmpeg.org/incoming/ and contact the ffmpeg-devel mailing list. (ffmpeg-devel@ffmpeg.org)                                                                                                                                                                                 \[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f665a275600\]error reading header
LAVF\_header: av\_open\_input\_stream() failed
ISO: File Type Major Brand: Original QuickTime
Quicktime/MOV file format detected.
\[mov\] Video stream found, -vid 0
Warning! pts=-285211648  length=2048
MOV: durmap and chunkmap sample count differ (1 vs 2)
=================================================================
==24664==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000014580 at pc 0x563d661312e5 bp 0x7ffecfcd0050 sp 0x7ffecfcd0048
READ of size 4 at 0x603000014580 thread T0
    #0 0x563d661312e4 in mov\_build\_index /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:302:110
    #1 0x563d661312e4 in lschunks /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1333:6
    #2 0x563d6611c88c in mov\_read\_header /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1961:5

0x603000014580 is located 0 bytes to the right of 32-byte region \[0x603000014560,0x603000014580)
allocated by thread T0 here:
    #0 0x563d65d5a362 in \_\_interceptor\_calloc (/home/jlx/good\_mplayer/asan\_mplayer/mplayer+0x343362)
    #1 0x563d661263f0 in lschunks\_intrak /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1820:25
    #2 0x563d661263f0 in lschunks /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1305:8
    #3 0x563d66123576 in lschunks\_intrak /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c
    #4 0x563d66123576 in lschunks /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1305:8
    #5 0x563d66123576 in lschunks\_intrak /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c
    #6 0x563d66123576 in lschunks /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1305:8
    #7 0x563d66123576 in lschunks\_intrak /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c
    #8 0x563d66123576 in lschunks /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1305:8
    #9 0x563d66124068 in lschunks /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1332:6
    #10 0x563d6611c88c in mov\_read\_header /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1961:5
                                                                                                                                                                                                                                                                                                                                                                                      SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:302:110 in mov\_build\_index                                                                                                                                                                                                                                                      Shadow bytes around the buggy address:
  0x0c067fffa860: 00 fa fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x0c067fffa870: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c067fffa880: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
  0x0c067fffa890: fd fd fa fa fd fd fd fd fa fa 00 00 00 04 fa fa
  0x0c067fffa8a0: 00 00 00 fa fa fa 00 00 00 04 fa fa 00 00 00 00
=>0x0c067fffa8b0:\[fa\]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffa8c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffa8d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffa8e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffa8f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffa900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==24664==ABORTING

CVE-2022-38856: #2395 (A heap-buffer-overflow occurred in function mov_build_index() of libmpdemux/demux_mov.c) – MPlayer

Certain The MPlayer Project products are vulnerable to Buffer Overflow via read_avi_header() of libmpdemux/aviheader.c . This affects mplayer SVN-r38374-13.0.1 and mencoder SVN-r38374-13.0.1.

**#2403 closed defect (fixed)**

Reported by:

Owned by:

beastd

Priority:

normal

Component:

undetermined

Version:

HEAD

Severity:

major

Keywords:

Cc:

Blocked By:

Blocking:

Reproduced by developer:

no

Analyzed by developer:

no

Version: SVN-r38374-13.0.1  

Build command: ../configure --disable-ffmpeg\_a && make (compiling with asan)  

Summary of the bug: An heap-buffer-overflow is found in fucnction read\_avi\_header () which affects mencoder and mplayer The attached file can reproduce this issue (ASAN-recompilation is needed).  

How to reproduce:  

1.Command: ./mencoder -ovc lavc -oac lavc -o /dev/null ./testcase  

> ./mplayer ./testcase  

2.Result:  

MPlayer SVN-r38374-9 (C) 2000-2022 MPlayer Team

Playing /home/jlx/crashes/id^%000059,sig^%06,src^%001757,time^%15822098,execs^%776566,op^%havoc,rep^%2.
libavformat version 58.29.100 (external)
AVI file format detected.
\[aviheader\] Video stream found, -vid 0
\[aviheader\] Audio stream found, -aid 1


MPlayer interrupted by signal 11 in module: demux\_open
- MPlayer crashed by bad usage of CPU/FPU/RAM.
  Recompile MPlayer with --enable-debug and make a 'gdb' backtrace and
  disassembly. Details in DOCS/HTML/en/bugreports\_what.html#bugreports\_crash.
- MPlayer crashed. This shouldn't happen.
  It can be a bug in the MPlayer code \_or\_ in your drivers \_or\_ in your
  gcc version. If you think it's MPlayer's fault, please read
  DOCS/HTML/en/bugreports.html and follow the instructions there. We can't and
  won't help unless you provide this information when reporting a possible bug.

MPlayer SVN-r38374-13.0.1 (C) 2000-2022 MPlayer Team

Playing /home/jlx/crashes/id^%000059,sig^%06,src^%001757,time^%15822098,execs^%776566,op^%havoc,rep^%2.
libavformat version 58.29.100 (external)
AVI file format detected.
\[aviheader\] Video stream found, -vid 0
=================================================================
==7938==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000002db0 at pc 0x55c64191557c bp 0x7ffcdbc68090 sp 0x7ffcdbc68088
READ of size 4 at 0x602000002db0 thread T0
    #0 0x55c64191557b in read\_avi\_header /home/jlx/good\_mplayer/mplayer/libmpdemux/aviheader.c:364:12
    #1 0x55c641948cbe in demux\_open\_avi /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:464:3
    #2 0x55c641948cbe in demux\_open\_hack\_avi /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:885:14
    #3 0x55c641921f37 in demux\_open /home/jlx/good\_mplayer/mplayer/libmpdemux/demuxer.c:1294:10
    #4 0x55c6416232ed in main /home/jlx/good\_mplayer/mplayer/mplayer.c:3383:22
    #5 0x7fa5a6c780b2 in \_\_libc\_start\_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

0x602000002db0 is located 31 bytes to the right of 1-byte region \[0x602000002d90,0x602000002d91)
allocated by thread T0 here:
    #0 0x55c6415c81cd in malloc (/home/jlx/good\_mplayer/asan\_mplayer/mplayer+0x3431cd)
    #1 0x55c64190a934 in read\_avi\_header /home/jlx/good\_mplayer/mplayer/libmpdemux/aviheader.c:358:26
    #2 0x55c641948cbe in demux\_open\_avi /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:464:3
    #3 0x55c641948cbe in demux\_open\_hack\_avi /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:885:14
    #4 0x55c641921f37 in demux\_open /home/jlx/good\_mplayer/mplayer/libmpdemux/demuxer.c:1294:10
    #5 0x55c6416232ed in main /home/jlx/good\_mplayer/mplayer/mplayer.c:3383:22
    #6 0x7fa5a6c780b2 in \_\_libc\_start\_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jlx/good\_mplayer/mplayer/libmpdemux/aviheader.c:364:12 in read\_avi\_header
Shadow bytes around the buggy address:
  0x0c047fff8560: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8570: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8580: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8590: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff85a0: fa fa 00 00 fa fa 00 00 fa fa 06 fa fa fa fd fd
=>0x0c047fff85b0: fa fa 01 fa fa fa\[fa\]fa fa fa fa fa fa fa fa fa
  0x0c047fff85c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff85d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff85e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff85f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==7938==ABORTING

MEncoder SVN-r38374-13.0.1 (C) 2000-2022 MPlayer Team
success: format: 0  data: 0x0 - 0x2aa3
libavformat version 58.29.100 (external)
AVI file format detected.
\[aviheader\] Video stream found, -vid 0
=================================================================
==6848==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000004370 at pc 0x55e9886b95dc bp 0x7fffc79a7df0 sp 0x7fffc79a7de8
READ of size 4 at 0x602000004370 thread T0
    #0 0x55e9886b95db in read\_avi\_header /home/jlx/good\_mplayer/mplayer/libmpdemux/aviheader.c:364:12
    #1 0x55e9886ecd1e in demux\_open\_avi /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:464:3
    #2 0x55e9886ecd1e in demux\_open\_hack\_avi /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:885:14
    #3 0x55e9886c5f97 in demux\_open /home/jlx/good\_mplayer/mplayer/libmpdemux/demuxer.c:1294:10
    #4 0x55e9884711f3 in main /home/jlx/good\_mplayer/mplayer/mencoder.c:707:11
    #5 0x7f4b98de10b2 in \_\_libc\_start\_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

0x602000004370 is located 31 bytes to the right of 1-byte region \[0x602000004350,0x602000004351)
allocated by thread T0 here:
    #0 0x55e98843e43d in malloc (/home/jlx/good\_mplayer/asan\_mplayer/mencoder+0x1a643d)
    #1 0x55e9886ae994 in read\_avi\_header /home/jlx/good\_mplayer/mplayer/libmpdemux/aviheader.c:358:26
    #2 0x55e9886ecd1e in demux\_open\_avi /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:464:3
    #3 0x55e9886ecd1e in demux\_open\_hack\_avi /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:885:14
    #4 0x55e9886c5f97 in demux\_open /home/jlx/good\_mplayer/mplayer/libmpdemux/demuxer.c:1294:10
    #5 0x55e9884711f3 in main /home/jlx/good\_mplayer/mplayer/mencoder.c:707:11
    #6 0x7f4b98de10b2 in \_\_libc\_start\_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jlx/good\_mplayer/mplayer/libmpdemux/aviheader.c:364:12 in read\_avi\_header
Shadow bytes around the buggy address:
  0x0c047fff8810: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8820: fa fa 06 fa fa fa 06 fa fa fa 04 fa fa fa 04 fa
  0x0c047fff8830: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8840: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8850: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
=>0x0c047fff8860: fa fa 00 00 fa fa fd fd fa fa 01 fa fa fa\[fa\]fa
  0x0c047fff8870: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8890: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff88a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff88b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==6848==ABORTING

CVE-2022-38866: #2403 (A heap-buffer-overflow occurred in function read_avi_header() of libmpdemux/aviheader.c) – MPlayer

Certain The MPlayer Project products are vulnerable to Buffer Overflow via the function mp_unescape03() of libmpdemux/mpeg_hdr.c. This affects mencoder SVN-r38374-13.0.1 and mplayer SVN-r38374-13.0.1.

**#2406 closed defect (fixed)**

Reported by:

Owned by:

beastd

Priority:

normal

Component:

undetermined

Version:

HEAD

Severity:

major

Keywords:

Cc:

Blocked By:

Blocking:

Reproduced by developer:

no

Analyzed by developer:

no

Version: SVN-r38374-13.0.1  

Build command: ../configure --disable-ffmpeg\_a && make (compiling with asan)  

Summary of the bug: An heap-buffer-overflow is found in fucnction in mp\_unescape03() which affects mencoder and mplayer. The attached file can reproduce this issue (ASAN-recompilation is needed).  

How to reproduce:  

1.Command: ./mencoder -ovc lavc -oac lavc -o /dev/null ./testcase  

> ./mplayer ./testcase  

2.Result:  

MPlayer SVN-r38374-13.0.1 (C) 2000-2022 MPlayer Team

Playing /home/jlx/crashes/id^%000298,sig^%06,src^%003761,time^%206364090,execs^%10623748,op^%havoc,rep^%8.
libavformat version 58.29.100 (external)
MPEG-PS file format detected.
MPEG: No audio stream found -> no sound.
=================================================================
==22224==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000002d91 at pc 0x555555d38dcd bp 0x7fffffffc4a0 sp 0x7fffffffc498                                                                                                                                                                               WRITE of size 1 at 0x602000002d91 thread T0
    #0 0x555555d38dcc in mp\_unescape03 /home/jlx/good\_mplayer/mplayer/libmpdemux/mpeg\_hdr.c:394:13
    #1 0x555555d38dcc in h264\_parse\_sps /home/jlx/good\_mplayer/mplayer/libmpdemux/mpeg\_hdr.c:406:9

0x602000002d91 is located 0 bytes to the right of 1-byte region \[0x602000002d90,0x602000002d91)                                                                                                                                                                                                                         allocated by thread T0 here:
    #0 0x5555558971cd in malloc (/home/jlx/good\_mplayer/asan\_mplayer/mplayer+0x3431cd)
    #1 0x555555d34e40 in h264\_parse\_sps /home/jlx/good\_mplayer/mplayer/libmpdemux/mpeg\_hdr.c:404:18                                                                                                                                                                                                                     
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jlx/good\_mplayer/mplayer/libmpdemux/mpeg\_hdr.c:394:13 in mp\_unescape03                                                                                                                                                                                            Shadow bytes around the buggy address:
  0x0c047fff8560: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8570: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8580: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8590: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff85a0: fa fa 00 00 fa fa 00 00 fa fa 06 fa fa fa fd fd
=>0x0c047fff85b0: fa fa\[01\]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff85c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff85d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff85e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff85f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==22224==ABORTING

CVE-2022-38864: #2406 (A heap-buffer-overflow occurred in function mp_unescape03() of libmpdemux/mpeg_hdr.c) – MPlayer

Certain The MPlayer Project products are vulnerable to Buffer Overflow via function asf_init_audio_stream() of libmpdemux/asfheader.c. This affects mplayer SVN-r38374-13.0.1 and mencoder SVN-r38374-13.0.1.

**#2398 closed defect (fixed)**

Reported by:

Owned by:

beastd

Priority:

normal

Component:

undetermined

Version:

HEAD

Severity:

major

Keywords:

Cc:

Blocked By:

Blocking:

Reproduced by developer:

no

Analyzed by developer:

no

Version: SVN-r38374-13.0.1  

Build command: ../configure --disable-ffmpeg\_a && make (compiling with asan)  

Summary of the bug: An heap-buffer-overflow is found in fucnction asf\_init\_audio\_stream() which affects mplayer and mencoder. The attached file can reproduce this issue (ASAN-recompilation is needed).  

How to reproduce:  

1.Command: ./mplayer testcase  

2.Result:  

MPlayer SVN-r38374-13.0.1 (C) 2000-2022 MPlayer Team

Playing 
libavformat version 58.29.100 (external)
ASF file format detected.
\[asfheader\] Audio stream found, -aid 21
=================================================================
==6235==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x615000000261 at pc 0x559f0c51f2c2 bp 0x7ffcb2476300 sp 0x7ffcb24762f8
READ of size 1 at 0x615000000261 thread T0
    #0 0x559f0c51f2c1 in asf\_init\_audio\_stream /home/jlx/good\_mplayer/mplayer/libmpdemux/asfheader.c:359:24

0x615000000261 is located 0 bytes to the right of 481-byte region \[0x615000000080,0x615000000261)
allocated by thread T0 here:
    #0 0x559f0c1e01cd in malloc (/home/jlx/good\_mplayer/asan\_mplayer/mplayer+0x3431cd)
    #1 0x559f0c51a6e0 in read\_asf\_header /home/jlx/good\_mplayer/mplayer/libmpdemux/asfheader.c:406:9
    #2 0x559f0c549e53 in demux\_open\_asf /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_asf.c:629:10

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jlx/good\_mplayer/mplayer/libmpdemux/asfheader.c:359:24 in asf\_init\_audio\_stream
Shadow bytes around the buggy address:
  0x0c2a7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff8000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff8020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2a7fff8040: 00 00 00 00 00 00 00 00 00 00 00 00\[01\]fa fa fa
  0x0c2a7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==6235==ABORTING

CVE-2022-38853: #2398 (A heap-buffer-overflow occurred in function asf_init_audio_stream() of libmpdemux/asfheader.c) – MPlayer

Certain The MPlayer Project products are vulnerable to Buffer Overflow via function mp_getbits() of libmpdemux/mpeg_hdr.c which affects mencoder and mplayer. This affects mecoder SVN-r38374-13.0.1 and mplayer SVN-r38374-13.0.1.

**#2405 closed defect (fixed)**

Reported by:

Owned by:

beastd

Priority:

normal

Component:

undetermined

Version:

HEAD

Severity:

major

Keywords:

Cc:

Blocked By:

Blocking:

Reproduced by developer:

no

Analyzed by developer:

no

Version: SVN-r38374-13.0.1  

Build command: ../configure --disable-ffmpeg\_a && make (compiling with asan)  

Summary of the bug: An heap-buffer-overflow is found in fucnction mp\_getbits() which affects mencoder and mplayer. The attached file can reproduce this issue (ASAN-recompilation is needed).  

How to reproduce:  

1.Command: ./mencoder -ovc lavc -oac lavc -o /dev/null ./testcase  

> ./mplayer ./testcase  

2.Result:  

MPlayer SVN-r38374-13.0.1 (C) 2000-2022 MPlayer Team

Playing /home/jlx/crashes/id^%000297,sig^%06,src^%003761,time^%206342676,execs^%10621452,op^%havoc,rep^%8.
libavformat version 58.29.100 (external)
MPEG-PS file format detected.
MPEG: No audio stream found -> no sound.
=================================================================
==1487==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000002d98 at pc 0x555555d3906e bp 0x7fffffffc4a0 sp 0x7fffffffc498
READ of size 1 at 0x602000002d98 thread T0
    #0 0x555555d3906d in mp\_getbits /home/jlx/good\_mplayer/mplayer/libmpdemux/mpeg\_hdr.c:174:12
    #1 0x555555d3906d in read\_golomb /home/jlx/good\_mplayer/mplayer/libmpdemux/mpeg\_hdr.c:296:10
    #2 0x555555d3906d in read\_golomb\_s /home/jlx/good\_mplayer/mplayer/libmpdemux/mpeg\_hdr.c:314:20
    #3 0x555555d3906d in h264\_parse\_sps /home/jlx/good\_mplayer/mplayer/libmpdemux/mpeg\_hdr.c:424:22

0x602000002d98 is located 0 bytes to the right of 8-byte region \[0x602000002d90,0x602000002d98)
allocated by thread T0 here:
    #0 0x5555558971cd in malloc (/home/jlx/good\_mplayer/asan\_mplayer/mplayer+0x3431cd)
    #1 0x555555d34e40 in h264\_parse\_sps /home/jlx/good\_mplayer/mplayer/libmpdemux/mpeg\_hdr.c:404:18

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jlx/good\_mplayer/mplayer/libmpdemux/mpeg\_hdr.c:174:12 in mp\_getbits
Shadow bytes around the buggy address:
  0x0c047fff8560: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8570: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8580: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8590: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff85a0: fa fa 00 00 fa fa 00 00 fa fa 06 fa fa fa fd fd
=>0x0c047fff85b0: fa fa 00\[fa\]fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff85c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff85d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff85e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff85f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1487==ABORTING

CVE-2022-38863: #2405 (A heap-buffer-overflow occurred in function mp_getbits() of libmpdemux/mpeg_hdr.c) – MPlayer

Certain The MPlayer Project products are vulnerable to Buffer Overflow via function gen_sh_video () of mplayer/libmpdemux/demux_mov.c. This affects mplayer SVN-r38374-13.0.1 and mencoder SVN-r38374-13.0.1.

Version: SVN-r38374-13.0.1  

Build command: ../configure --disable-ffmpeg\_a && make (compiling with asan)  

Summary of the bug: A heap-buffer-overflow read is found in fucnction gen\_sh\_video() which affects mplayer and mencoder. The attached file can reproduce this issue (ASAN-recompilation is needed) And this vulnerability can cause the crash of mplayer.  

How to reproduce:  

Command: ./mplayer testcase  

Result:  

MPlayer SVN-r38374-13.0.1 (C) 2000-2022 MPlayer Team

Playing /home/jlx/crashes/testcase\_2.
libavformat version 58.29.100 (external)
libavformat file format detected.
\[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7fa0616d6600\]STSC entry 2 is invalid (first=4 count=14 id=1)
\[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7fa0616d6600\]STSC entry 1 is invalid (first=918905090 count=15 id=1)
\[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7fa0616d6600\]STSC entry 0 is invalid (first=1 count=109 id=-894264234)
\[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7fa0616d6600\]Invalid sample size -16777051
\[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7fa0616d6600\]error reading header
LAVF\_header: av\_open\_input\_stream() failed
Quicktime/MOV file format detected.
MOV: durmap and chunkmap sample count differ (90 vs 654)
MOV: durmap or chunkmap bigger than sample count (654 vs 90)
\[mov\] Video stream found, -vid 0
=================================================================
==12558==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60d00000fbf3 at pc 0x557c16d634c3 bp 0x7fffa25ba210 sp 0x7fffa25ba208
READ of size 1 at 0x60d00000fbf3 thread T0
    #0 0x557c16d634c2 in gen\_sh\_video /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1103:86
    #1 0x557c16d634c2 in lschunks /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1344:3
    #2 0x557c16d4e88c in mov\_read\_header /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1961:5

Address 0x60d00000fbf3 is a wild pointer inside of access range of size 0x000000000001.
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1103:86 in gen\_sh\_video
Shadow bytes around the buggy address:
  0x0c1a7fff9f20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff9f30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff9f40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff9f50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff9f60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c1a7fff9f70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa\[fa\]fa
  0x0c1a7fff9f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff9f90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff9fa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff9fb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff9fc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==12558==ABORTING

Crash result:  

MPlayer SVN-r38374-9 (C) 2000-2022 MPlayer Team

Playing /home/jlx/crashes/id^%000002,sig^%06,src^%000761,time^%3561338,execs^%127552,op^%havoc,rep^%4.
libavformat version 58.29.100 (external)
libavformat file format detected.
\[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7fe319f34600\]STSC entry 2 is invalid (first=4 count=14 id=1)
\[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7fe319f34600\]STSC entry 1 is invalid (first=918905090 count=15 id=1)
\[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7fe319f34600\]STSC entry 0 is invalid (first=1 count=109 id=-894264234)
\[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7fe319f34600\]Invalid sample size -16777051
\[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7fe319f34600\]error reading header
LAVF\_header: av\_open\_input\_stream() failed
Quicktime/MOV file format detected.
MOV: durmap and chunkmap sample count differ (90 vs 654)
MOV: durmap or chunkmap bigger than sample count (654 vs 90)
\[mov\] Video stream found, -vid 0


MPlayer interrupted by signal 11 in module: demux\_open
- MPlayer crashed by bad usage of CPU/FPU/RAM.
  Recompile MPlayer with --enable-debug and make a 'gdb' backtrace and
  disassembly. Details in DOCS/HTML/en/bugreports\_what.html#bugreports\_crash.
- MPlayer crashed. This shouldn't happen.
  It can be a bug in the MPlayer code \_or\_ in your drivers \_or\_ in your
  gcc version. If you think it's MPlayer's fault, please read
  DOCS/HTML/en/bugreports.html and follow the instructions there. We can't and
  won't help unless you provide this information when reporting a possible bug.

CVE-2022-38855: #2392 (A heap-buffer-overflow occurred in function gen_sh_video () of mplayer/libmpdemux/demux_mov.c) – MPlayer

**#2396 closed defect (fixed)**

Reported by:

Owned by:

beastd

Priority:

normal

Component:

undetermined

Version:

HEAD

Severity:

major

Keywords:

Cc:

Blocked By:

Blocking:

Reproduced by developer:

no

Analyzed by developer:

no

Version: SVN-r38374-13.0.1  

Build command: ../configure --disable-ffmpeg\_a && make (compiling with asan)  

Summary of the bug: An heap-buffer-overflow is found in fucnction mov\_build\_index () which affects mplayer and mencoder. The attached file can reproduce this issue (ASAN-recompilation is needed).  

How to reproduce:  

1.Command: ./mplayer testcase  

2.Result:  

MPlayer SVN-r38374-13.0.1 (C) 2000-2022 MPlayer Team

Playing 
libavformat version 58.29.100 (external)
libavformat file format detected.
\[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f665a275600\]Version 22 is not implemented. Update your FFmpeg version to the newest one from Git. If the problem still occurs, it means that your file has a feature which has not been implemented.                                                                                                                                                    \[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f665a275600\]If you want to help, upload a sample of this file to ftp://upload.ffmpeg.org/incoming/ and contact the ffmpeg-devel mailing list. (ffmpeg-devel@ffmpeg.org)                                                                                                                                                                                 \[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f665a275600\]error reading header
LAVF\_header: av\_open\_input\_stream() failed
ISO: File Type Major Brand: Original QuickTime
Quicktime/MOV file format detected.
\[mov\] Video stream found, -vid 0
Warning! pts=-285211648  length=2048
MOV: durmap and chunkmap sample count differ (1 vs 2)
=================================================================
==24664==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000014580 at pc 0x563d661312e5 bp 0x7ffecfcd0050 sp 0x7ffecfcd0048
READ of size 4 at 0x603000014580 thread T0
    #0 0x563d661312e4 in mov\_build\_index /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:302:110
    #1 0x563d661312e4 in lschunks /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1333:6
    #2 0x563d6611c88c in mov\_read\_header /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1961:5

0x603000014580 is located 0 bytes to the right of 32-byte region \[0x603000014560,0x603000014580)
allocated by thread T0 here:
    #0 0x563d65d5a362 in \_\_interceptor\_calloc (/home/jlx/good\_mplayer/asan\_mplayer/mplayer+0x343362)
    #1 0x563d661263f0 in lschunks\_intrak /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1820:25
    #2 0x563d661263f0 in lschunks /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1305:8
    #3 0x563d66123576 in lschunks\_intrak /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c
    #4 0x563d66123576 in lschunks /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1305:8
    #5 0x563d66123576 in lschunks\_intrak /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c
    #6 0x563d66123576 in lschunks /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1305:8
    #7 0x563d66123576 in lschunks\_intrak /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c
    #8 0x563d66123576 in lschunks /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1305:8
    #9 0x563d66124068 in lschunks /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1332:6
    #10 0x563d6611c88c in mov\_read\_header /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1961:5
                                                                                                                                                                                                                                                                                                                                                                                      SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:302:110 in mov\_build\_index                                                                                                                                                                                                                                                      Shadow bytes around the buggy address:
  0x0c067fffa860: 00 fa fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x0c067fffa870: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c067fffa880: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
  0x0c067fffa890: fd fd fa fa fd fd fd fd fa fa 00 00 00 04 fa fa
  0x0c067fffa8a0: 00 00 00 fa fa fa 00 00 00 04 fa fa 00 00 00 00
=>0x0c067fffa8b0:\[fa\]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffa8c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffa8d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffa8e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffa8f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffa900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==24664==ABORTING

CVE-2022-38858: #2396 (A heap-buffer-overflow occurred in function mov_build_index() of libmpdemux/demux_mov.c) – MPlayer

Certain The MPlayer Project products are vulnerable to Divide By Zero via function demux_open_avi() of libmpdemux/demux_avi.c which affects mencoder. This affects mplayer SVN-r38374-13.0.1 and mencoder SVN-r38374-13.0.1.

**#2402 closed defect (duplicate)**

Reported by:

Owned by:

beastd

Priority:

normal

Component:

undetermined

Version:

HEAD

Severity:

major

Keywords:

Cc:

Blocked By:

Blocking:

Reproduced by developer:

no

Analyzed by developer:

no

Version: SVN-r38374-13.0.1  

Build command: ../configure --disable-ffmpeg\_a && make (compiling with asan)  

Summary of the bug: An division by zero is found in fucnction demux\_open\_avi () which affects mencoder and mplayer. The attached file can reproduce this issue (ASAN-recompilation is needed).  

How to reproduce:  

1.Command: ./mencoder -ovc lavc -oac lavc -o /dev/null ./testcase  

> ./mplayer ./testcase  

2.Result:  

MPlayer SVN-r38374-9 (C) 2000-2022 MPlayer Team

Playing /home/jlx/crashes/id^%000056,sig^%08,src^%001688,time^%14273883,execs^%697532,op^%havoc,rep^%2.
libavformat version 58.29.100 (external)
AVI file format detected.
\[aviheader\] Video stream found, -vid 0
\[aviheader\] Audio stream found, -aid 1
AVI: No audio stream found -> no sound.


MPlayer interrupted by signal 8 in module: demux\_open
- MPlayer crashed by bad usage of CPU/FPU/RAM.
  Recompile MPlayer with --enable-debug and make a 'gdb' backtrace and
  disassembly. Details in DOCS/HTML/en/bugreports\_what.html#bugreports\_crash.
- MPlayer crashed. This shouldn't happen.
  It can be a bug in the MPlayer code \_or\_ in your drivers \_or\_ in your
  gcc version. If you think it's MPlayer's fault, please read
  DOCS/HTML/en/bugreports.html and follow the instructions there. We can't and
  won't help unless you provide this information when reporting a possible bug.

MEncoder SVN-r38374-13.0.1 (C) 2000-2022 MPlayer Team
success: format: 0  data: 0x0 - 0x2ab4
libavformat version 58.29.100 (external)
AVI file format detected.
\[aviheader\] Video stream found, -vid 0
\[aviheader\] Audio stream found, -aid 1
AVI: No audio stream found -> no sound.
AddressSanitizer:DEADLYSIGNAL
=================================================================
==19160==ERROR: AddressSanitizer: FPE on unknown address 0x55eacc77d2e7 (pc 0x55eacc77d2e7 bp 0x000000000004 sp 0x7ffce604b120 T0)
    #0 0x55eacc77d2e7 in demux\_open\_avi /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:571:42
    #1 0x55eacc77d2e7 in demux\_open\_hack\_avi /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:885:14

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:571:42 in demux\_open\_avi
==19160==ABORTING

Breakpoint 3, demux\_open\_avi (demuxer=<optimized out>) at libmpdemux/demux\_avi.c:571
571             asamples+=(len+priv->audio\_block\_size-1)/priv->audio\_block\_size;
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───────────────────────────────────────────────────────────────────────\[ REGISTERS \]────────────────────────────────────────────────────────────────────────
 RAX  0x4
 RBX  0x55904d5f8d00 —▸ 0x55904d5f9410 ◂— 0xe1e1e1e1e1e1
 RCX  0x2fb
 RDX  0x4
 RDI  0x0
 RSI  0x55904d5f9440 ◂— 0x1062773130
 R8   0x1
 R9   0x0
 R10  0x55904d5f9470 ◂— 0x0
 R11  0x0
 R12  0x55904d5f73b0 —▸ 0x55904bcf5ec0 (demuxer\_desc\_avi) —▸ 0x55904bccffcc ◂— 'AVI demuxer'
 R13  0x55904d5f8c60 ◂— 0x0
 R14  0x55904d5f8d80 —▸ 0x55904d593400 ◂— 0x2fb00000000
 R15  0x0
 RBP  0x4
 RSP  0x7fff5a391720 —▸ 0x55904d593400 ◂— 0x2fb00000000
 RIP  0x55904bb55aa7 (demux\_open\_hack\_avi+1351) ◂— lea    eax, \[rax + r9 - 1\]
─────────────────────────────────────────────────────────────────────────\[ DISASM \]─────────────────────────────────────────────────────────────────────────
 ► 0x55904bb55aa7 <demux\_open\_hack\_avi+1351>    lea    eax, \[rax + r9 - 1\]
   0x55904bb55aac <demux\_open\_hack\_avi+1356>    xor    edx, edx
   0x55904bb55aae <demux\_open\_hack\_avi+1358>    div    r9d
    ↓
   0x55904bb55aae <demux\_open\_hack\_avi+1358>    div    r9d






─────────────────────────────────────────────────────────────────────\[ SOURCE (CODE) \]──────────────────────────────────────────────────────────────────────
In file: /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c
   566         vsize+=len;
   567         ++vsamples;
   568       }
   569       else if(d\_audio->id == id) {
   570         asize+=len;
 ► 571  asamples+=(len+priv->audio\_block\_size-1)/priv->audio\_block\_size;
   572       }
   573     }
   574     mp\_msg(MSGT\_DEMUX, MSGL\_V,
   575            "AVI video size=%"PRId64" (%zu) audio size=%"PRId64" (%zu)\\n",
   576            vsize, vsamples, asize, asamples);
─────────────────────────────────────────────────────────────────────────\[ STACK \]──────────────────────────────────────────────────────────────────────────
00:0000│ rsp  0x7fff5a391720 —▸ 0x55904d593400 ◂— 0x2fb00000000
01:0008│      0x7fff5a391728 —▸ 0x55904d5f9430 ◂— 0x1062773130
02:0010│      0x7fff5a391730 —▸ 0x55904d5f8c60 ◂— 0x0
03:0018│      0x7fff5a391738 ◂— 0xffffffff
04:0020│      0x7fff5a391740 ◂— 0x62773130ffffffff
05:0028│      0x7fff5a391748 ◂— 0x588a634aec56d900
06:0030│      0x7fff5a391750 ◂— 0xffffffff
07:0038│      0x7fff5a391758 —▸ 0x55904bcf5ec0 (demuxer\_desc\_avi) —▸ 0x55904bccffcc ◂— 'AVI demuxer'
───────────────────────────────────────────────────────────────────────\[ BACKTRACE \]────────────────────────────────────────────────────────────────────────
 ► f 0     55904bb55aa7 demux\_open\_hack\_avi+1351
   f 1     55904bb55aa7 demux\_open\_hack\_avi+1351
   f 2     55904bb48743 demux\_open\_stream+931
   f 3     55904bb49231 demux\_open+753
   f 4     55904bac0642 main+1042
   f 5     7f7b8118c0b3 \_\_libc\_start\_main+243
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

CVE-2022-38860: #2402 (A Division by zero occurred in function demux_open_avi() of libmpdemux/demux_avi.c) – MPlayer

The MPlayer Project mplayer SVN-r38374-13.0.1 is vulnerable to memory corruption via function free_mp_image() of libmpcodecs/mp_image.c.

**#2407 closed defect (fixed)**

Reported by:

Owned by:

beastd

Priority:

normal

Component:

undetermined

Version:

HEAD

Severity:

major

Keywords:

Cc:

Blocked By:

Blocking:

Reproduced by developer:

no

Analyzed by developer:

no

Version: SVN-r38374-13.0.1  

Build command: ../configure --disable-ffmpeg\_a && make (compiling with asan)  

Summary of the bug: I found a heap memory corruption crash when I tried to fuzz the mencoder.  

\[ … \]
1 duplicate frame(s)!                                                                                                                                                                                                                     Pos:   0.0s      3f (100%)  0.00fps Trem:   0min   0mb  A-V:0.000 \[0:0\]
Movie-Aspect is undefined - no prescaling applied.
Writing header...                                                                                                                                                                                                                         ODML: Aspect information not (yet?) available or unspecified, not writing vprp header.                                                                                                                                                    Writing header...
ODML: Aspect information not (yet?) available or unspecified, not writing vprp header.                                                                                                                                                    Writing header...
ODML: Aspect information not (yet?) available or unspecified, not writing vprp header.                                                                                                                                                    Writing header...                                                                                                                                                                                                                         ODML: Aspect information not (yet?) available or unspecified, not writing vprp header.                                                                                                                                                    Pos:   0.0s      4f (100%)  0.00fps Trem:   0min   0mb  A-V:0.000 \[0:0\]

Skipping frame!                                                                                                                                                                                                                           Pos:   0.0s      5f (100%)  0.00fps Trem:   0min   0mb  A-V:0.000 \[0:0\]
                                                                                                                                                                                                                                          Flushing video frames.
Writing index...                                                                                                                                                                                                                          Writing header...                                                                                                                                                                                                                         ODML: Aspect information not (yet?) available or unspecified, not writing vprp header.

Video stream: 743743.500 kbit/s  (92967937 B/s)  size: 16892 bytes  0.000 secs  5 frames                                                                                                                                                  double free or corruption (out)
Aborted         

But when I try to debug this crash to figure out the reason I find the free function’s argument is not a heap address. The pointer points to a block of memory which is full of 0x80.  

Breakpoint 1, free\_mp\_image (mpi=0x60e000000120) at libmpcodecs/mp\_image.c:271
271             av\_free(mpi->planes\[0\]);
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───────────────────────────────────────────────────────────────────────────────────────\[ REGISTERS \]───────────────────────────────────────────────────────────────────────────────────────
 RAX  0x2b00
 RBX  0xc1c00000024 ◂— 0x0
 RCX  0x7fffed1ff800 ◂— 0xbfbebfbebebebebe
 RDX  0x1
 RDI  0x60e000000120 —▸ 0x40000c30f ◂— 0x0
 RSI  0x7fffee7f90e0 ◂— 0x0
 R8   0xd8
 R9   0x7fffee489708 —▸ 0x555555857598 (uninit\_video+216) ◂— mov    qword ptr \[rip + 0xf57d5d\], 0
 R10  0x7fffffffcd20 —▸ 0x555555857598 (uninit\_video+216) ◂— mov    qword ptr \[rip + 0xf57d5d\], 0
 R11  0x20
 R12  0x0
 R13  0xffffffffad5 ◂— 0x0
 R14  0x555555ec7fa0 (\_\_afl\_area\_ptr) —▸ 0x7fffed1ff800 ◂— 0xbfbebfbebebebebe
 R15  0x60e000000120 —▸ 0x40000c30f ◂— 0x0
 RBP  0x7fffffffdda0 ◂— 0x0
 RSP  0x7fffffffd5e0 —▸ 0x616000000380 —▸ 0x555555e1c380 (vf\_info\_expand) —▸ 0x555555d82360 (str) ◂— 'expanding & osd'                                                                                                                                                                                                                                                                 RIP  0x55555585ec3b (free\_mp\_image+107) ◂— lea    rdi, \[r15 + 0x30\]
────────────────────────────────────────────────────────────────────────────────────────────────────────────────\[ DISASM \]────────────────────────────────────────────────────────────────────────────────────────────────────────────────                                                                                                                                             ► 0x55555585ec3b <free\_mp\_image+107>    lea    rdi, \[r15 + 0x30\]
   0x55555585ec3f <free\_mp\_image+111>    mov    rax, rdi
   0x55555585ec42 <free\_mp\_image+114>    shr    rax, 3
   0x55555585ec46 <free\_mp\_image+118>    cmp    byte ptr \[rax + 0x7fff8000\], 0
   0x55555585ec4d <free\_mp\_image+125>    jne    free\_mp\_image+294 <free\_mp\_image+294>

   0x55555585ec53 <free\_mp\_image+131>    mov    rdi, qword ptr \[r15 + 0x30\]
   0x55555585ec57 <free\_mp\_image+135>    call   av\_free@plt <av\_free@plt>

   0x55555585ec5c <free\_mp\_image+140>    mov    al, byte ptr \[rbx + 0x7fff8000\]
   0x55555585ec62 <free\_mp\_image+146>    test   al, al
   0x55555585ec64 <free\_mp\_image+148>    jne    free\_mp\_image+269 <free\_mp\_image+269>
                                                                                                                                                                                                                                                                                                                                                                                         0x55555585ec66 <free\_mp\_image+150>    test   byte ptr \[r15 + 1\], 8                                                                                                                                                                                                                                                                                                                 ────────────────────────────────────────────────────────────────────────────────────────────────────────────\[ SOURCE (CODE) \]─────────────────────────────────────────────────────────────────────────────────────────────────────────────                                                                                                                                            In file: /home/jlx/good\_mplayer/asan\_mplayer/libmpcodecs/mp\_image.c                                                                                                                                                                                                                                                                                                                      266
   267 void free\_mp\_image(mp\_image\_t\* mpi){
   268     if(!mpi) return;
   269     if(mpi->flags&MP\_IMGFLAG\_ALLOCATED){
   270         /\* because we allocate the whole image at once \*/
 ► 271         av\_free(mpi->planes\[0\]);
   272         if (mpi->flags & MP\_IMGFLAG\_RGB\_PALETTE)
   273             av\_free(mpi->planes\[1\]);
   274     }
   275     free(mpi);
   276 }
────────────────────────────────────────────────────────────────────────────────────────────────────────────────\[ STACK \]─────────────────────────────────────────────────────────────────────────────────────────────────────────────────                                                                                                                                            00:0000│ rsp  0x7fffffffd5e0 —▸ 0x616000000380 —▸ 0x555555e1c380 (vf\_info\_expand) —▸ 0x555555d82360 (str) ◂— 'expanding & osd'                                                                                                                                                                                                                                                        01:0008│      0x7fffffffd5e8 —▸ 0x555555ec7fa0 (\_\_afl\_area\_ptr) —▸ 0x7fffed1ff800 ◂— 0xbfbebfbebebebebe
02:0010│      0x7fffffffd5f0 —▸ 0x616000000080 —▸ 0x555555e0b5c0 (ve\_info\_lavc) —▸ 0x555555c7b640 (str) ◂— 'libavcodec encoder'                                                                                                                                                                                                                                                       03:0018│      0x7fffffffd5f8 —▸ 0x55555587b998 (vf\_uninit\_filter\_chain+200) ◂— lea    rdi, \[rbx + 0x68\]
04:0020│      0x7fffffffd600 —▸ 0x61a000001130 —▸ 0x616000000380 —▸ 0x555555e1c380 (vf\_info\_expand) —▸ 0x555555d82360 (str) ◂— ...                                                                                                                                                                                                                                                    05:0028│      0x7fffffffd608 —▸ 0x61a000000c94 ◂— 0x1
06:0030│      0x7fffffffd610 —▸ 0xc3400000192 ◂— 0x0
07:0038│      0x7fffffffd618 —▸ 0x5555558575c6 (uninit\_video+262) ◂— call   0x555555af5820
──────────────────────────────────────────────────────────────────────────────────────────────────────────────\[ BACKTRACE \]───────────────────────────────────────────────────────────────────────────────────────────────────────────────                                                                                                                                             ► f 0     55555585ec3b free\_mp\_image+107
   f 1     55555587b998 vf\_uninit\_filter\_chain+200
   f 2     55555587b998 vf\_uninit\_filter\_chain+200
   f 3     5555558575c6 uninit\_video+262
   f 4     555555737d1b main+47819
   f 5     7ffff55070b3 \_\_libc\_start\_main+243
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────                                                                                                                                            pwndbg> p mpi->planes\[0\]
$4 = (unsigned char \*) 0x7fffeb6cb040 '\\200' <repeats 200 times>...
pwndbg> vmmap 0x7fffeb6cb040
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    0x7fffeb490000     0x7fffebf19000 rw-p   a89000 0       +0x23b040

How to reproduce:  

1.Command: ./mencoder -ovc lavc -oac lavc -o /dev/null ./testcase

Tag

#ibm