#48 Valgrind reports "use of uninitialized" memory

Status: open
Owner: Joe Drew
Priority: 5
Updated: 2012-04-02
Created: 2012-04-02
Creator: Anonymous
Private: No

I was testing a new (to me) fuzzer at work and I arbitrarily decided to use mpg321 as my target. I ran this on the version of mpg321 in the Ubuntu 11.04 apt repo as well as on the mpg321 trunk, and both reported issues.

It is possible that this is an issue in libmad and not mpg321.

% valgrind mpg321 fuzz-10197.mp3
==20400== Memcheck, a memory error detector
==20400== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==20400== Using Valgrind-3.6.1-Debian and LibVEX; rerun with -h for copyright info
==20400== Command: mpg321 fuzz-10197.mp3
==20400==
High Performance MPEG 1.0/2.0/2.5 Audio Player for Layer 1, 2, and 3.
Version 0.2.13-2 (2011/03/27). Written and copyrights by Joe Drew,
now maintained by Nanakos Chrysostomos and others.
Uses code from various people. See 'README' for more!
THIS SOFTWARE COMES WITH ABSOLUTELY NO WARRANTY! USE AT YOUR OWN RISK!
Title : test title Artist : SoundJay.com Sound Effects
Album : test album Year : 1123
Comment : asf Genre : Ambient

Playing MPEG stream from fuzz-10197.mp3 ...
MPEG 1.0 layer III, 128 kbit/s, 44100 Hz mono
==20400== Use of uninitialised value of size 8
==20400== at 0x5269D47: ??? (in /usr/lib/libmad.so.0.2.1)
==20400== by 0x526BD83: mad_layer_III (in /usr/lib/libmad.so.0.2.1)
==20400== by 0x5265721: mad_frame_decode (in /usr/lib/libmad.so.0.2.1)
==20400== by 0x526775B: ??? (in /usr/lib/libmad.so.0.2.1)
==20400== by 0x5267C4D: mad_decoder_run (in /usr/lib/libmad.so.0.2.1)
==20400== by 0x403282: ??? (in /usr/bin/mpg321)
==20400== by 0x592F30C: (below main) (libc-start.c:226)
==20400==
==20400== Use of uninitialised value of size 8
==20400== at 0x5269D35: ??? (in /usr/lib/libmad.so.0.2.1)
==20400== by 0x526BD83: mad_layer_III (in /usr/lib/libmad.so.0.2.1)
==20400== by 0x5265721: mad_frame_decode (in /usr/lib/libmad.so.0.2.1)
==20400== by 0x526775B: ??? (in /usr/lib/libmad.so.0.2.1)
==20400== by 0x5267C4D: mad_decoder_run (in /usr/lib/libmad.so.0.2.1)
==20400== by 0x403282: ??? (in /usr/bin/mpg321)
==20400== by 0x592F30C: (below main) (libc-start.c:226)
==20400==
==20400== Use of uninitialised value of size 8
==20400== at 0x5269D79: ??? (in /usr/lib/libmad.so.0.2.1)
==20400== by 0x526BD83: mad_layer_III (in /usr/lib/libmad.so.0.2.1)
==20400== by 0x5265721: mad_frame_decode (in /usr/lib/libmad.so.0.2.1)
==20400== by 0x526775B: ??? (in /usr/lib/libmad.so.0.2.1)
==20400== by 0x5267C4D: mad_decoder_run (in /usr/lib/libmad.so.0.2.1)
==20400== by 0x403282: ??? (in /usr/bin/mpg321)
==20400== by 0x592F30C: (below main) (libc-start.c:226)
==20400==
==20400== Use of uninitialised value of size 8
==20400== at 0x5268CE4: ??? (in /usr/lib/libmad.so.0.2.1)
==20400== by 0x526A27C: ??? (in /usr/lib/libmad.so.0.2.1)
==20400== by 0x526BD83: mad_layer_III (in /usr/lib/libmad.so.0.2.1)
==20400== by 0x5265721: mad_frame_decode (in /usr/lib/libmad.so.0.2.1)
==20400== by 0x526775B: ??? (in /usr/lib/libmad.so.0.2.1)
==20400== by 0x5267C4D: mad_decoder_run (in /usr/lib/libmad.so.0.2.1)
==20400== by 0x403282: ??? (in /usr/bin/mpg321)
==20400== by 0x592F30C: (below main) (libc-start.c:226)
==20400==
==20400== Use of uninitialised value of size 8
==20400== at 0x5268CE9: ??? (in /usr/lib/libmad.so.0.2.1)
==20400== by 0x526A27C: ??? (in /usr/lib/libmad.so.0.2.1)
==20400== by 0x526BD83: mad_layer_III (in /usr/lib/libmad.so.0.2.1)
==20400== by 0x5265721: mad_frame_decode (in /usr/lib/libmad.so.0.2.1)
==20400== by 0x526775B: ??? (in /usr/lib/libmad.so.0.2.1)
==20400== by 0x5267C4D: mad_decoder_run (in /usr/lib/libmad.so.0.2.1)
==20400== by 0x403282: ??? (in /usr/bin/mpg321)
==20400== by 0x592F30C: (below main) (libc-start.c:226)
==20400==
==20400== Use of uninitialised value of size 8
==20400== at 0x5269D04: ??? (in /usr/lib/libmad.so.0.2.1)
==20400== by 0x526BD83: mad_layer_III (in /usr/lib/libmad.so.0.2.1)
==20400== by 0x5265721: mad_frame_decode (in /usr/lib/libmad.so.0.2.1)
==20400== by 0x526775B: ??? (in /usr/lib/libmad.so.0.2.1)
==20400== by 0x5267C4D: mad_decoder_run (in /usr/lib/libmad.so.0.2.1)
==20400== by 0x403282: ??? (in /usr/bin/mpg321)
==20400== by 0x592F30C: (below main) (libc-start.c:226)
==20400==

[0:00] Decoding of fuzz-10197.mp3 finished.
==20400==
==20400== HEAP SUMMARY:
==20400== in use at exit: 101,002 bytes in 1,486 blocks
==20400== total heap usage: 3,172 allocs, 1,686 frees, 1,532,544 bytes allocated
==20400==
==20400== LEAK SUMMARY:
==20400== definitely lost: 4,384 bytes in 4 blocks
==20400== indirectly lost: 8,207 bytes in 2 blocks
==20400== possibly lost: 42,454 bytes in 1,294 blocks
==20400== still reachable: 45,957 bytes in 186 blocks
==20400== suppressed: 0 bytes in 0 blocks
==20400== Rerun with --leak-check=full to see details of leaked memory
==20400==
==20400== For counts of detected and suppressed errors, rerun with: -v
==20400== Use --track-origins=yes to see where uninitialised values come from
==20400== ERROR SUMMARY: 14 errors from 6 contexts (suppressed: 92 from 8)
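A small triage helper, added here and not part of the ticket, mpg321 or libmad: it parses Memcheck output like the trace above and groups each uninitialised-value error by its innermost named frame and by the object the faulting instruction lives in, which is the quickest way to answer the reporter's question of whether the fault sits in libmad or in mpg321. The sample log below is constructed from the trace above (abridged, with one extra mpg321-side error added for contrast); the regexes are assumptions matched to Memcheck's default text format.

```python
import re
from collections import Counter

# Constructed sample, modelled on the Memcheck trace in the report (abridged).
SAMPLE_LOG = """\
==20400== Use of uninitialised value of size 8
==20400==    at 0x5269D47: ??? (in /usr/lib/libmad.so.0.2.1)
==20400==    by 0x526BD83: mad_layer_III (in /usr/lib/libmad.so.0.2.1)
==20400==    by 0x5265721: mad_frame_decode (in /usr/lib/libmad.so.0.2.1)
==20400==    by 0x403282: ??? (in /usr/bin/mpg321)
==20400==
==20400== Use of uninitialised value of size 8
==20400==    at 0x5268CE4: ??? (in /usr/lib/libmad.so.0.2.1)
==20400==    by 0x526A27C: ??? (in /usr/lib/libmad.so.0.2.1)
==20400==    by 0x526BD83: mad_layer_III (in /usr/lib/libmad.so.0.2.1)
==20400==    by 0x403282: ??? (in /usr/bin/mpg321)
==20400==
==20400== Conditional jump or move depends on uninitialised value(s)
==20400==    at 0x403300: ??? (in /usr/bin/mpg321)
==20400==
"""

# Error headers we care about (the "of size N" suffix is deliberately left out of the key).
HEADER = re.compile(r"^==\d+== (Use of uninitialised value"
                    r"|Conditional jump or move depends on uninitialised value"
                    r"|Invalid read|Invalid write)")
# Stack frames of the form "at/by 0xADDR: symbol (in /path/to/object)".
FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \(in ([^)]+)\)")

def parse_errors(log):
    """Return [(error_kind, [(symbol, object), ...]), ...], one entry per Memcheck error."""
    errors = []
    for line in log.splitlines():
        m = HEADER.match(line)
        if m:
            errors.append((m.group(1), []))
            continue
        f = FRAME.match(line)
        if f and errors:
            errors[-1][1].append((f.group(1), f.group(2)))
    return errors

def triage(log):
    """Count errors by (kind, innermost named frame) and by the object of the faulting frame."""
    by_symbol, by_object = Counter(), Counter()
    for kind, frames in parse_errors(log):
        if not frames:
            continue
        by_object[frames[0][1]] += 1
        named = next((sym for sym, _ in frames if sym != "???"), "???")
        by_symbol[(kind, named)] += 1
    return by_symbol, by_object
```

Re-running the reproducer with --track-origins=yes, as Memcheck itself suggests at the end of the trace, adds origin lines that this parser ignores but a human triager should read first.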

Discussion


  • Anonymous
    2012-04-02

    MP3 that causes the issue

    Attachments