The January 2010 media player debacle

Macro Image(fail2.png,right,border=0,margin=5px) failed

Invalid macro argument margin=5px

Yes, it’s a debacle again. While some players such as MPlayer had their stability improved, others such as Xine plummeted. zzuf could again find bugs with most files, especially video codecs. All programs are the latest version in Debian amd64 sid as of 2010/01/14.

Each of these bugs was found in less than 2 minutes of zzuf action, meaning that the “robust” cells are even less trustworthy than last time.

• “?” means zzuf could not properly fuzz the application
• “robust” means zzuf could not find a crash in reasonable time

Note: while these files cause the media players to crash, the code responsible for the crash is often found in the codec libraries, especially FFmpeg’s libavcodec. They’re the software requiring attention. However, none of the files below actually crash ffplay; this may be an indication that libavcodec might be used incorrectly.

Audio codecs

	VLC	MPlayer	xine	FFmpeg	GStreamer	mpg321	ogg123
MP3	robust	SIGSEGV	SIGFPE	?	?	robust	N/A
Ogg Vorbis	?	robust	SIGFPE	?	robust	N/A	robust
FLAC	robust	SIGABRT	SIGFPE	?	robust	N/A	SIGFPE
AAC	robust	robust	robust	?	robust	N/A	N/A
AC-3/A52	robust	robust	?	?	robust	N/A	N/A
Speex	?	SIGSEGV	robust	?	robust	N/A	?
EAC3	?	robust	robust	?	robust	N/A	N/A

Video codecs

	VLC	MPlayer	xine	FFmpeg	GStreamer
MPEG-1	SIGSEGV	robust	SIGSEGV	?	robust
MPEG-2	SIGSEGV	?	SIGSEGV	?	?
MPEG-4 AVI	SIGSEGV	SIGSEGV	SIGSEGV	?	?
MPEG-4	?	SIGSEGV	SIGSEGV	?	SIGSEGV
Ogg Theora	robust	SIGSEGV	SIGSEGV	?	?
WMV	SIGSEGV	SIGSEGV	SIGSEGV	?	SIGSEGV
FLV	SIGSEGV	SIGSEGV	SIGSEGV	?	SIGSEGV

Testing protocol

The zzuf commands used to find bugs were rather straightforward. A few flags are recurrent:

• -r0.0001:0.02 to try several fuzzing ratios
• -s0:10000 to stop after 10000 tries
• -b8- to skip the first 8 bytes and ensure that the file format is not misinterpreted

MPlayer is very easy to test, thanks to its -benchmark flag:

% zzuf -vq -c -r0.0001:0.02 -s0:10000 -b8- -j8 -T5 -S mplayer -benchmark \
           -ao pcm:file=/dev/null -vo md5sum:outfile=/dev/null filename

VLC doesn’t provide a benchmark flag, forcing us to spawn a lot more parallel processes using -j, so that the test goes a bit faster:

% zzuf -vq -c -r0.0001:0.02 -s0:10000 -b8- -j80 vlc -I dummy \
           -A dummy -V dummy filename vlc://quit

GStreamer is as easy to test as MPlayer:

% zzuf -vq -I'orig.*' -r0.0001:0.02 -s0:10000 -b8- -j5 -S gst-launch-0.10 \
           filesrc location=filename '!' decodebin '!' fakesink

I could not find a benchmark mode for xine, so I tested it using the libcaca output:

% CACA_DRIVER=raw zzuf -vq -c -r0.0001:0.02 -s0:10000 -b8- -j15 -S cacaxine -A none -q filename

Finally, mpg321 and ogg123 don’t have a benchmark mode either. We increase the -j value as well:

% zzuf -vq -c -r0.0001:0.02 -s0:10000 -b8- -j10 mpg321 filename
% zzuf -vq -c -r0.0001:0.02 -s0:10000 -b8- -j10 ogg123 -d null filename

The January 2007 media player debacle

Macro Image(u-fail.png,right,width=240px,border=0,margin=5px) failed

Invalid macro argument margin=5px

Media players are especially sensitive to stream corruption. In fact, zzuf started its life as a tool to find bugs in the VLC media player software. The following table gives a few examples of crashes (all programs were the latest version in Debian i386 sid as of 2007/01/14). Click on each link to download the file that caused the crash:

Disclaimer 1: “robust” does not mean that there is no bug, it just means that zzuf could not find one in reasonable time.

Disclaimer 2: segmentation faults reported below are not necessarily bugs in the program itself; for instance, the MPEG-2 crashes are more likely due to a bug in the libmpeg2 library.

	VLC	MPlayer	xine	FFmpeg	GStreamer	mpg321	ogg123
MP3	robust	SIGSEGV	robust	robust	robust	robust	N/A
Ogg Vorbis	robust	SIGSEGV	robust	SIGSEGV	SIGSEGV	N/A	robust
MPEG-1	SIGSEGV	SIGSEGV	SIGSEGV	SIGSEGV	robust	N/A	N/A
MPEG-2	SIGSEGV	SIGSEGV	robust	SIGSEGV	SIGSEGV	N/A	N/A
MPEG-4 AVI	SIGSEGV	SIGSEGV	SIGSEGV	SIGSEGV	deadlock?	N/A	N/A
FLAC	robust	SIGSEGV	robust	heap corruption	robust	N/A	SIGFPE
Ogg Theora	robust	SIGSEGV	robust	SIGSEGV	robust	N/A	N/A
WMV	SIGSEGV	SIGSEGV	N/A	SIGSEGV	robust	N/A	N/A
AAC	heap corruption	SIGSEGV	SIGSEGV	N/A	N/A	N/A	N/A
AC-3/A52	SIGSEGV	ROBUST!!!	robust	SIGSEGV	N/A	N/A	N/A
Speex	robust	robust	robust	N/A	robust	N/A	robust

Other bugs

Macro Image(roflmao.png,right,border=0,margin=5px) failed

Invalid macro argument margin=5px

Here is a list of other bugs that were easily found using zzuf, each time in a matter of seconds.

• OpenBSD (4.0 GENERIC#1107 i386)

nm lol-openbsd-nm	SIGSEGV	crash in strcmp(), not exploitable
objdump -T lol-openbsd-objdump	SIGSEGV	?

• Linux (Debian 4.0 i386 unstable)

nm lol-debian-nm	SIGKILL	memory usage exceeded
identify fuzz1.xpm fuzz2.xpm fuzz3.xpm	SIGSEGV	Memory corruption in ImageMagick. Security implications look promising.
antiword lol-antiword.doc	SIGSEGV	?
firefox lol-firefox.gif	BadAlloc	X11 error
dvipng lol-dvipng.dvi	SIGSEGV	Also occurs with dvi2ps
giftopnm lol-giftopnm.gif	SIGSEGV	?

• FreeBSD (6.1-RELEASE FreeBSD 6.1-RELEASE #0: Sun May 7 04:32:43 UTC 2006 ​root@opus.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386)

nm lol-freebsd-nm

SIGSEGV

?

• Mac OS X (8.3.1 Darwin Kernel Version 8.3.1: Wed Nov 2 21:12:54 PST 2005; root:xnu-792.7.56.obj~6/RELEASE_I386 i386 i386)

nm lol-macosx-nm	SIGSEGV	?
otool -I lol-macosx-otool	SIGSEGV	?

• HP-UX B.11.31 U ia64 3426292962 unlimited-user license

nm files/zzuf/bugs/lol-hpux-ia64-nm

SIGSEGV in nm_elf

?