== The January 2010 media player test ==

It's time to test those media players again.

{{{
#!comment
MPlayer:
crash @118: zzuf -vq -c -r0.0001:0.02 -s0:10000 -b4- -j15 -D0.5 -t5 -S mplayer -benchmark -vo null -fps 1000 ~/bisou.mp3
robust @250: zzuf -vq -c -r0.0001:0.02 -s0:10000 -b4- -j15 -D0.5 -t5 -S mplayer -benchmark -vo null -fps 1000 ~/bisou.ogg
robust @100: zzuf -vq -c -r0.0001:0.02 -s0:10000 -b4- -j5 -D0.5 -S mplayer -benchmark -vo null -fps 1000 ~/kids_tv.mpeg
}}}

== The January 2007 media player debacle ==

Media players are especially sensitive to stream corruption. In fact, zzuf started its life as a tool to find bugs in the VLC media player software.

The following table gives a few examples of crashes (all programs were the latest version in Debian i386 sid as of 2007/01/14). Click on each link to download the file that caused the crash:

'''Disclaimer 1''': “robust” does not mean that there is no bug, it just means that zzuf could not find one in reasonable time.

'''Disclaimer 2''': segmentation faults reported below are not necessarily bugs in the program itself; for instance, the MPEG-2 crashes are more likely due to a bug in the libmpeg2 library.

|| || '''VLC''' || '''MPlayer''' || '''xine''' || '''FFmpeg (ffplay)''' || '''GStreamer (gst-launch)''' || '''mpg321''' || '''ogg123''' ||
|| '''MP3''' || robust || '''[/files/zzuf/bugs/lol-mplayer.mp3 SIGSEGV]''' || robust || robust || robust || robust || N/A ||
|| '''Ogg Vorbis''' || robust || '''[/files/zzuf/bugs/lol-mplayer.ogg SIGSEGV]''' || robust || '''[/files/zzuf/bugs/lol-ffplay.ogg SIGSEGV]''' || '''[/files/zzuf/bugs/lol-gstreamer.ogg SIGSEGV]''' || N/A || robust ||
|| '''MPEG-1''' || '''[/files/zzuf/bugs/lol-vlc.mpg SIGSEGV]''' || '''[/files/zzuf/bugs/lol-mplayer.mpg SIGSEGV]''' || '''[/files/zzuf/bugs/lol-xine.mpg SIGSEGV]''' || '''[/files/zzuf/bugs/lol-ffplay.mpg SIGSEGV]''' || robust || N/A || N/A ||
|| '''MPEG-2''' || '''[/files/zzuf/bugs/lol-vlc.m2v SIGSEGV]''' || '''[/files/zzuf/bugs/lol-mplayer.m2v SIGSEGV]''' || robust || '''[/files/zzuf/bugs/lol-ffplay.m2v SIGSEGV]''' || '''[/files/zzuf/bugs/lol-gstreamer.m2v SIGSEGV]''' || N/A || N/A ||
|| '''MPEG-4 AVI''' || '''[/files/zzuf/bugs/lol-vlc.avi SIGSEGV]''' || '''[/files/zzuf/bugs/lol-mplayer.avi SIGSEGV]''' || '''[/files/zzuf/bugs/lol-xine.avi SIGSEGV]''' || '''[/files/zzuf/bugs/lol-ffplay.avi SIGSEGV]''' || '''[/files/zzuf/bugs/lol-gstreamer.avi deadlock?]''' || N/A || N/A ||
|| '''FLAC''' || robust || '''[/files/zzuf/bugs/lol-mplayer.flac SIGSEGV]''' || robust || '''[/files/zzuf/bugs/lol-ffplay.flac heap corruption]''' || robust || N/A || '''[/files/zzuf/bugs/lol-ogg123.flac SIGFPE]''' ||
|| '''Ogg Theora''' || robust || '''[/files/zzuf/bugs/lol-mplayer.ogm SIGSEGV]''' || robust || '''[/files/zzuf/bugs/lol-ffplay.ogm SIGSEGV]''' || robust || N/A || N/A ||
|| '''WMV''' || '''[/files/zzuf/bugs/lol-vlc.wmv SIGSEGV]''' || '''[/files/zzuf/bugs/lol-mplayer.wmv SIGSEGV]''' || N/A || '''[/files/zzuf/bugs/lol-ffplay.wmv SIGSEGV]''' || robust || N/A || N/A ||
|| '''AAC''' || '''[/files/zzuf/bugs/lol-vlc.aac heap corruption]''' || '''[/files/zzuf/bugs/lol-mplayer.aac SIGSEGV]''' || '''[/files/zzuf/bugs/lol-xine.aac SIGSEGV]''' || N/A || N/A || N/A || N/A ||
|| '''AC-3/A52''' || '''[/files/zzuf/bugs/lol-vlc.ac3 SIGSEGV]''' || robust (I KID YOU NOT) || robust || '''[/files/zzuf/bugs/lol-ffplay.ac3 SIGSEGV]''' || N/A || N/A || N/A ||
|| '''Speex''' || robust || robust || robust || N/A || robust || N/A || robust ||

== Other bugs ==

Here is a list of other bugs that were easily found using zzuf, each time in a matter of seconds.

 * OpenBSD (4.0 GENERIC!#1107 i386)
|| nm [/files/zzuf/bugs/lol-openbsd-nm lol-openbsd-nm] || SIGSEGV || crash in `strcmp()`, not exploitable ||
|| objdump -T [/files/zzuf/bugs/lol-openbsd-objdump lol-openbsd-objdump] || SIGSEGV || ? ||

 * Linux (Debian 4.0 i386 unstable)
|| nm [/files/zzuf/bugs/lol-debian-nm lol-debian-nm] || SIGKILL || memory usage exceeded ||
|| identify [/files/zzuf/bugs/fuzz1.xpm fuzz1.xpm] [/files/zzuf/bugs/fuzz2.xpm fuzz2.xpm] [/files/zzuf/bugs/fuzz3.xpm fuzz3.xpm] || SIGSEGV || Memory corruption in !ImageMagick. Security implications look promising. ||
|| antiword [/files/zzuf/bugs/lol-antiword.doc lol-antiword.doc] || SIGSEGV || ? ||
|| firefox [/files/zzuf/bugs/lol-firefox.gif lol-firefox.gif] || !BadAlloc || X11 error ||
|| dvipng [/files/zzuf/bugs/lol-dvipng.dvi lol-dvipng.dvi] || SIGSEGV || Also occurs with `dvi2ps` ||
|| giftopnm [/files/zzuf/bugs/lol-giftopnm.gif lol-giftopnm.gif] || SIGSEGV || ? ||

 * FreeBSD (6.1-RELEASE FreeBSD 6.1-RELEASE !#0: Sun May 7 04:32:43 UTC 2006 root@opus.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386)
|| nm [/files/zzuf/bugs/lol-freebsd-nm lol-freebsd-nm] || SIGSEGV || ? ||

 * Mac OS X (8.3.1 Darwin Kernel Version 8.3.1: Wed Nov 2 21:12:54 PST 2005; root:xnu-792.7.56.obj~6/RELEASE_I386 i386 i386)
|| nm [/files/zzuf/bugs/lol-macosx-nm lol-macosx-nm] || SIGSEGV || ? ||
|| otool -I [/files/zzuf/bugs/lol-macosx-otool lol-macosx-otool] || SIGSEGV || ? ||

 * HP-UX B.11.31 U ia64 3426292962 unlimited-user license
|| nm [/files/zzuf/bugs/lol-hpux-ia64-nm] || SIGSEGV in `nm_elf` || ? ||