The January 2010 media player debacle

Macro Image(fail2.png,right,border=0,margin=5px) failed
Invalid macro argument margin=5px
Yes, it’s a debacle again. While some players such as MPlayer had their stability improved, others such as Xine plummeted. zzuf could again find bugs with most files, especially video codecs. All programs are the latest version in Debian amd64 sid as of 2010/01/14.

Each of these bugs was found in less than 2 minutes of zzuf action, meaning that the “robust” cells are even less trustworthy than last time.

  • “?” means zzuf could not properly fuzz the application
  • “robust” means zzuf could not find a crash in reasonable time

Note: while these files cause the media players to crash, the code responsible for the crash is often found in the codec libraries, especially FFmpeg’s libavcodec. They’re the software requiring attention. However, none of the files below actually crash ffplay; this may be an indication that libavcodec might be used incorrectly.

Audio codecs

VLC MPlayer xine FFmpeg GStreamer mpg321 ogg123
MP3 robust SIGSEGV SIGFPE ? ? robust N/A
Ogg Vorbis ? robust SIGFPE ? robust N/A robust
FLAC robust SIGABRT SIGFPE ? robust N/A SIGFPE
AAC robust robust robust ? robust N/A N/A
AC-3/A52 robust robust ? ? robust N/A N/A
Speex ? SIGSEGV robust ? robust N/A ?
EAC3 ? robust robust ? robust N/A N/A

Video codecs

VLC MPlayer xine FFmpeg GStreamer
MPEG-1 SIGSEGV robust SIGSEGV ? robust
MPEG-2 SIGSEGV ? SIGSEGV ? ?
MPEG-4 AVI SIGSEGV SIGSEGV SIGSEGV ? ?
MPEG-4 ? SIGSEGV SIGSEGV ? SIGSEGV
Ogg Theora robust SIGSEGV SIGSEGV ? ?
WMV SIGSEGV SIGSEGV SIGSEGV ? SIGSEGV
FLV SIGSEGV SIGSEGV SIGSEGV ? SIGSEGV

Testing protocol

The zzuf commands used to find bugs were rather straightforward. A few flags are recurrent:

  • -r0.0001:0.02 to try several fuzzing ratios
  • -s0:10000 to stop after 10000 tries
  • -b8- to skip the first 8 bytes and ensure that the file format is not misinterpreted

MPlayer is very easy to test, thanks to its -benchmark flag:

% zzuf -vq -c -r0.0001:0.02 -s0:10000 -b8- -j8 -T5 -S mplayer -benchmark \
           -ao pcm:file=/dev/null -vo md5sum:outfile=/dev/null filename

VLC doesn’t provide a benchmark flag, forcing us to spawn a lot more parallel processes using -j, so that the test goes a bit faster:

% zzuf -vq -c -r0.0001:0.02 -s0:10000 -b8- -j80 vlc -I dummy \
           -A dummy -V dummy filename vlc://quit

GStreamer is as easy to test as MPlayer:

% zzuf -vq -I'orig.*' -r0.0001:0.02 -s0:10000 -b8- -j5 -S gst-launch-0.10 \
           filesrc location=filename '!' decodebin '!' fakesink

I could not find a benchmark mode for xine, so I tested it using the libcaca output:

% CACA_DRIVER=raw zzuf -vq -c -r0.0001:0.02 -s0:10000 -b8- -j15 -S cacaxine -A none -q filename

Finally, mpg321 and ogg123 don’t have a benchmark mode either. We increase the -j value as well:

% zzuf -vq -c -r0.0001:0.02 -s0:10000 -b8- -j10 mpg321 filename
% zzuf -vq -c -r0.0001:0.02 -s0:10000 -b8- -j10 ogg123 -d null filename

The January 2007 media player debacle

Macro Image(u-fail.png,right,width=240px,border=0,margin=5px) failed
Invalid macro argument margin=5px
Media players are especially sensitive to stream corruption. In fact, zzuf started its life as a tool to find bugs in the VLC media player software. The following table gives a few examples of crashes (all programs were the latest version in Debian i386 sid as of 2007/01/14). Click on each link to download the file that caused the crash:

Disclaimer 1: “robust” does not mean that there is no bug, it just means that zzuf could not find one in reasonable time.

Disclaimer 2: segmentation faults reported below are not necessarily bugs in the program itself; for instance, the MPEG-2 crashes are more likely due to a bug in the libmpeg2 library.

VLC MPlayer xine FFmpeg GStreamer mpg321 ogg123
MP3 robust SIGSEGV robust robust robust robust N/A
Ogg Vorbis robust SIGSEGV robust SIGSEGV SIGSEGV N/A robust
MPEG-1 SIGSEGV SIGSEGV SIGSEGV SIGSEGV robust N/A N/A
MPEG-2 SIGSEGV SIGSEGV robust SIGSEGV SIGSEGV N/A N/A
MPEG-4 AVI SIGSEGV SIGSEGV SIGSEGV SIGSEGV deadlock? N/A N/A
FLAC robust SIGSEGV robust heap corruption robust N/A SIGFPE
Ogg Theora robust SIGSEGV robust SIGSEGV robust N/A N/A
WMV SIGSEGV SIGSEGV N/A SIGSEGV robust N/A N/A
AAC heap corruption SIGSEGV SIGSEGV N/A N/A N/A N/A
AC-3/A52 SIGSEGV ROBUST!!! robust SIGSEGV N/A N/A N/A
Speex robust robust robust N/A robust N/A robust

Other bugs

Macro Image(roflmao.png,right,border=0,margin=5px) failed
Invalid macro argument margin=5px
Here is a list of other bugs that were easily found using zzuf, each time in a matter of seconds.

  • OpenBSD (4.0 GENERIC#1107 i386)
nm lol-openbsd-nm SIGSEGV crash in strcmp(), not exploitable
objdump -T lol-openbsd-objdump SIGSEGV ?
  • Linux (Debian 4.0 i386 unstable)
nm lol-debian-nm SIGKILL memory usage exceeded
identify fuzz1.xpm fuzz2.xpm fuzz3.xpm SIGSEGV Memory corruption in ImageMagick. Security implications look promising.
antiword lol-antiword.doc SIGSEGV ?
firefox lol-firefox.gif BadAlloc X11 error
dvipng lol-dvipng.dvi SIGSEGV Also occurs with dvi2ps
giftopnm lol-giftopnm.gif SIGSEGV ?
nm lol-freebsd-nm SIGSEGV ?
  • Mac OS X (8.3.1 Darwin Kernel Version 8.3.1: Wed Nov 2 21:12:54 PST 2005; root:xnu-792.7.56.obj~6/RELEASE_I386 i386 i386)
nm lol-macosx-nm SIGSEGV ?
otool -I lol-macosx-otool SIGSEGV ?
  • HP-UX B.11.31 U ia64 3426292962 unlimited-user license
nm files/zzuf/bugs/lol-hpux-ia64-nm SIGSEGV in nm_elf ?
Last modified 14 years ago Last modified on 01/31/2010 04:45:24 PM

Attachments (75)