Bug#716525: [Mayhem] Bug report on oggvideotools: oggThumb crashes with exit status 139

Petter Reinholdtsen pere at hungry.com
Wed Oct 22 07:40:05 UTC 2014


I'm able to reproduce this issue.  Note that the stdin input is not
required for the crash.  This is the output from valgrind when the
program crashes:

==18469== Memcheck, a memory error detector
==18469== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==18469== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==18469== Command: /usr/bin/oggThumb --E�===A
==18469== 
==18469== Conditional jump or move depends on uninitialised value(s)
==18469==    at 0x4C299DE: __GI_strncmp (mc_replace_strmem.c:535)
==18469==    by 0x662A915: _getopt_internal_r (getopt.c:542)
==18469==    by 0x662B74A: _getopt_internal (getopt.c:1131)
==18469==    by 0x662B832: getopt_long (getopt1.c:66)
==18469==    by 0x427FD9: oggThumbCmd(int, char**) (in /usr/bin/oggThumb)
==18469==    by 0x429160: main (in /usr/bin/oggThumb)
==18469== 
==18469== Invalid read of size 1
==18469==    at 0x4C299D9: __GI_strncmp (mc_replace_strmem.c:535)
==18469==    by 0x662A915: _getopt_internal_r (getopt.c:542)
==18469==    by 0x662B74A: _getopt_internal (getopt.c:1131)
==18469==    by 0x662B832: getopt_long (getopt1.c:66)
==18469==    by 0x427FD9: oggThumbCmd(int, char**) (in /usr/bin/oggThumb)
==18469==    by 0x429160: main (in /usr/bin/oggThumb)
==18469==  Address 0x83f1330 is 0 bytes after a block of size 512 alloc'd
==18469==    at 0x4C286E7: operator new(unsigned long) (vg_replace_malloc.c:287)
==18469==    by 0x42F22B: __gnu_cxx::new_allocator<double>::allocate(unsigned long, void const*) (in /usr/bin/oggThumb)
==18469==    by 0x42D298: std::_Deque_base<double, std::allocator<double> >::_M_allocate_node() (in /usr/bin/oggThumb)
==18469==    by 0x42F5FE: std::_Deque_base<double, std::allocator<double> >::_M_create_nodes(double**, double**) (in /usr/bin/oggThumb)
==18469==    by 0x42DB29: std::_Deque_base<double, std::allocator<double> >::_M_initialize_map(unsigned long) (in /usr/bin/oggThumb)
==18469==    by 0x42B199: std::_Deque_base<double, std::allocator<double> >::_Deque_base() (in /usr/bin/oggThumb)
==18469==    by 0x429A49: std::deque<double, std::allocator<double> >::deque() (in /usr/bin/oggThumb)
==18469==    by 0x427842: oggThumbCmd(int, char**) (in /usr/bin/oggThumb)
==18469==    by 0x429160: main (in /usr/bin/oggThumb)
==18469== 
==18469== Conditional jump or move depends on uninitialised value(s)
==18469==    at 0x662A902: _getopt_internal_r (getopt.c:541)
==18469==    by 0x662B74A: _getopt_internal (getopt.c:1131)
==18469==    by 0x662B832: getopt_long (getopt1.c:66)
==18469==    by 0x427FD9: oggThumbCmd(int, char**) (in /usr/bin/oggThumb)
==18469==    by 0x429160: main (in /usr/bin/oggThumb)
==18469== 
==18469== Use of uninitialised value of size 8
==18469==    at 0x4C299D9: __GI_strncmp (mc_replace_strmem.c:535)
==18469==    by 0x662A915: _getopt_internal_r (getopt.c:542)
==18469==    by 0x662B74A: _getopt_internal (getopt.c:1131)
==18469==    by 0x662B832: getopt_long (getopt1.c:66)
==18469==    by 0x427FD9: oggThumbCmd(int, char**) (in /usr/bin/oggThumb)
==18469==    by 0x429160: main (in /usr/bin/oggThumb)
==18469== 
==18469== 
==18469== Process terminating with default action of signal 11 (SIGSEGV)
==18469==  Access not within mapped region at address 0x700000467
==18469==    at 0x4C299D9: __GI_strncmp (mc_replace_strmem.c:535)
==18469==    by 0x662A915: _getopt_internal_r (getopt.c:542)
==18469==    by 0x662B74A: _getopt_internal (getopt.c:1131)
==18469==    by 0x662B832: getopt_long (getopt1.c:66)
==18469==    by 0x427FD9: oggThumbCmd(int, char**) (in /usr/bin/oggThumb)
==18469==    by 0x429160: main (in /usr/bin/oggThumb)
==18469==  If you believe this happened as a result of a stack
==18469==  overflow in your program's main thread (unlikely but
==18469==  possible), you can try to increase the size of the
==18469==  main thread stack using the --main-stacksize= flag.
==18469==  The main thread stack size used in this run was 8388608.
==18469== 
==18469== HEAP SUMMARY:
==18469==     in use at exit: 1,261 bytes in 7 blocks
==18469==   total heap usage: 7 allocs, 0 frees, 1,261 bytes allocated
==18469== 
==18469== LEAK SUMMARY:
==18469==    definitely lost: 0 bytes in 0 blocks
==18469==    indirectly lost: 0 bytes in 0 blocks
==18469==      possibly lost: 109 bytes in 3 blocks
==18469==    still reachable: 1,152 bytes in 4 blocks
==18469==         suppressed: 0 bytes in 0 blocks
==18469== Rerun with --leak-check=full to see details of leaked memory
==18469== 
==18469== For counts of detected and suppressed errors, rerun with: -v
==18469== Use --track-origins=yes to see where uninitialised values come from
==18469== ERROR SUMMARY: 8 errors from 4 contexts (suppressed: 4 from 4)
./crash.sh: line 16: 18469 Segmentation fault      env -i MALLOC_CHECK_=0 $GDB valgrind /usr/bin/oggThumb "`cat $DIR/argv_1.symb`"

Not quite sure how to fix it.

-- 
Happy hacking
Petter Reinholdtsen
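An added illustration, not code from oggvideotools and not a confirmed diagnosis of this report: the trace above shows getopt_long's long-option loop calling strncmp on uninitialised memory, which is the classic signature of a `struct option` table missing its terminating all-zero entry, since that sentinel is the only thing that stops the loop. The option names, the `thumb_opts` struct and the sample command lines below are constructed for the example.

```c
#include <getopt.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Result of parsing a small oggThumb-like command line (constructed). */
struct thumb_opts {
    int frames;      /* -n / --number */
    int width;       /* -s / --size   */
    int bad_option;  /* set when getopt_long reports an unknown option */
};

/* getopt's long-option loop is "for (p = longopts; p->name; p++)".
 * Without the final { 0, 0, 0, 0 } entry it walks off the end of the
 * array and strncmp() compares against whatever memory follows, which
 * is exactly the uninitialised/invalid read valgrind reports above. */
static const struct option long_opts[] = {
    { "number", required_argument, 0, 'n' },
    { "size",   required_argument, 0, 's' },
    { 0, 0, 0, 0 }   /* terminator: never omit this */
};

int parse_thumb_opts(int argc, char **argv, struct thumb_opts *out)
{
    memset(out, 0, sizeof *out);
    optind = 1;      /* reset so the parser can be called more than once */
    opterr = 0;      /* stay quiet; unknown options are reported by return value */
    int c;
    while ((c = getopt_long(argc, argv, "n:s:", long_opts, NULL)) != -1) {
        switch (c) {
        case 'n': out->frames = atoi(optarg); break;
        case 's': out->width  = atoi(optarg); break;
        default:  out->bad_option = 1; return -1;  /* '?' for unknown input */
        }
    }
    return 0;
}

int demo_well_formed(void)   /* constructed argv; returns frames*1000+width */
{
    char *argv[] = { "oggThumb", "--number", "3", "-s", "128", NULL };
    struct thumb_opts o;
    if (parse_thumb_opts(5, argv, &o) != 0) return -1;
    return o.frames * 1000 + o.width;
}

int demo_garbled(void)   /* constructed argv resembling the fuzzed "--E..." arg */
{
    char *argv[] = { "oggThumb", "--E\xff===A", NULL };
    struct thumb_opts o;
    return parse_thumb_opts(2, argv, &o);  /* -1: rejected cleanly, no crash */
}
```

The terminated table lets the garbled argument fall through to the `'?'` case instead of reading past the array.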
