== The January 2010 media player debacle == Yes, it’s a debacle again. While some players such as MPlayer had their stability improved, zzuf could again find bugs with most files, especially video codecs. All programs are the latest version in Debian amd64 sid as of 2010/01/14. Each of these bugs was found in less than 2 minutes of zzuf action, meaning that the “robust” cells are even less trustworthy than last time. Audio codecs: || || '''VLC''' || '''MPlayer''' || '''xine''' || '''FFmpeg''' || '''GStreamer''' || '''mpg321''' || '''ogg123''' || || '''MP3''' || robust || '''SIGSEGV''' || '''SIGFPE''' || ? || ? || robust || N/A || || '''Ogg Vorbis''' || ? || robust || '''SIGSEGV''' || ? || robust || N/A || robust || || '''FLAC''' || robust || '''SIGABRT''' || '''SIGFPE''' || ? || robust || N/A || '''SIGSEGV''' || || '''AAC''' || robust || robust || robust || ? || robust || N/A || N/A || || '''AC-3/A52''' || robust || robust || ? || ? || robust || N/A || N/A || || '''Speex''' || ? || '''SIGSEGV''' || robust || ? || robust || N/A || ? || || '''EAC3''' || '''SIGABRT''' || robust || robust || ? || robust || N/A || N/A || Video codecs: || || '''VLC''' || '''MPlayer''' || '''xine''' || '''FFmpeg''' || '''GStreamer''' || '''mpg321''' || '''ogg123''' || || '''MPEG-1''' || '''SIGSEGV''' || robust || '''SIGSEGV''' || ? || robust || N/A || N/A || || '''MPEG-2''' || '''SIGSEGV''' || ? || '''SIGSEGV''' || ? || ? || N/A || N/A || || '''MPEG-4 AVI''' || '''SIGSEGV''' || '''SIGSEGV''' || '''SIGSEGV''' || ? || ? || N/A || N/A || || '''MPEG-4''' || ? || '''SIGSEGV''' || '''SIGSEGV''' || ? || '''SIGSEGV''' || N/A || N/A || || '''Ogg Theora''' || robust || robust || '''SIGSEGV''' || ? || ? || N/A || N/A || || '''WMV''' || '''SIGSEGV''' || '''SIGSEGV''' || '''SIGSEGV''' || ? || '''SIGSEGV''' || N/A || N/A || || '''FLV''' || '''SIGSEGV''' || '''SIGSEGV''' || '''SIGSEGV''' || ? || '''SIGSEGV''' || N/A || N/A || * “?” means zzuf could not properly fuzz the application * “robust” means zzuf could not find a crash in reasonable time == The January 2007 media player debacle == Media players are especially sensitive to stream corruption. In fact, zzuf started its life as a tool to find bugs in the VLC media player software. The following table gives a few examples of crashes (all programs were the latest version in Debian i386 sid as of 2007/01/14). Click on each link to download the file that caused the crash: '''Disclaimer 1''': “robust” does not mean that there is no bug, it just means that zzuf could not find one in reasonable time. '''Disclaimer 2''': segmentation faults reported below are not necessarily bugs in the program itself; for instance, the MPEG-2 crashes are more likely due to a bug in the libmpeg2 library. || || '''VLC''' || '''MPlayer''' || '''xine''' || '''FFmpeg (ffplay)''' || '''GStreamer (gst-launch)''' || '''mpg321''' || '''ogg123''' || || '''MP3''' || robust || '''[/files/zzuf/bugs/lol-mplayer.mp3 SIGSEGV]''' || robust || robust || robust || robust || N/A || || '''Ogg Vorbis''' || robust || '''[/files/zzuf/bugs/lol-mplayer.ogg SIGSEGV]''' || robust || '''[/files/zzuf/bugs/lol-ffplay.ogg SIGSEGV]''' || '''[/files/zzuf/bugs/lol-gstreamer.ogg SIGSEGV]''' || N/A || robust || || '''MPEG-1''' || '''[/files/zzuf/bugs/lol-vlc.mpg SIGSEGV]''' || '''[/files/zzuf/bugs/lol-mplayer.mpg SIGSEGV]''' || '''[/files/zzuf/bugs/lol-xine.mpg SIGSEGV]''' || '''[/files/zzuf/bugs/lol-ffplay.mpg SIGSEGV]''' || robust || N/A || N/A || || '''MPEG-2''' || '''[/files/zzuf/bugs/lol-vlc.m2v SIGSEGV]''' || '''[/files/zzuf/bugs/lol-mplayer.m2v SIGSEGV]''' || robust || '''[/files/zzuf/bugs/lol-ffplay.m2v SIGSEGV]''' || '''[/files/zzuf/bugs/lol-gstreamer.m2v SIGSEGV]''' || N/A || N/A || || '''MPEG-4 AVI''' || '''[/files/zzuf/bugs/lol-vlc.avi SIGSEGV]''' || '''[/files/zzuf/bugs/lol-mplayer.avi SIGSEGV]''' || '''[/files/zzuf/bugs/lol-xine.avi SIGSEGV]''' || '''[/files/zzuf/bugs/lol-ffplay.avi SIGSEGV]''' || '''[/files/zzuf/bugs/lol-gstreamer.avi deadlock?]''' || N/A || N/A || || '''FLAC''' || robust || '''[/files/zzuf/bugs/lol-mplayer.flac SIGSEGV]''' || robust || '''[/files/zzuf/bugs/lol-ffplay.flac heap corruption]''' || robust || N/A || '''[/files/zzuf/bugs/lol-ogg123.flac SIGFPE]''' || || '''Ogg Theora''' || robust || '''[/files/zzuf/bugs/lol-mplayer.ogm SIGSEGV]''' || robust || '''[/files/zzuf/bugs/lol-ffplay.ogm SIGSEGV]''' || robust || N/A || N/A || || '''WMV''' || '''[/files/zzuf/bugs/lol-vlc.wmv SIGSEGV]''' || '''[/files/zzuf/bugs/lol-mplayer.wmv SIGSEGV]''' || N/A || '''[/files/zzuf/bugs/lol-ffplay.wmv SIGSEGV]''' || robust || N/A || N/A || || '''AAC''' || '''[/files/zzuf/bugs/lol-vlc.aac heap corruption]''' || '''[/files/zzuf/bugs/lol-mplayer.aac SIGSEGV]''' || '''[/files/zzuf/bugs/lol-xine.aac SIGSEGV]''' || N/A || N/A || N/A || N/A || || '''AC-3/A52''' || '''[/files/zzuf/bugs/lol-vlc.ac3 SIGSEGV]''' || robust (I KID YOU NOT) || robust || '''[/files/zzuf/bugs/lol-ffplay.ac3 SIGSEGV]''' || N/A || N/A || N/A || || '''Speex''' || robust || robust || robust || N/A || robust || N/A || robust || == Other bugs == Here is a list of other bugs that were easily found using zzuf, each time in a matter of seconds. * OpenBSD (4.0 GENERIC!#1107 i386) || nm [/files/zzuf/bugs/lol-openbsd-nm lol-openbsd-nm] || SIGSEGV || crash in `strcmp()`, not exploitable || || objdump -T [/files/zzuf/bugs/lol-openbsd-objdump lol-openbsd-objdump] || SIGSEGV || ? || * Linux (Debian 4.0 i386 unstable) || nm [/files/zzuf/bugs/lol-debian-nm lol-debian-nm] || SIGKILL || memory usage exceeded || || identify [/files/zzuf/bugs/fuzz1.xpm fuzz1.xpm] [/files/zzuf/bugs/fuzz2.xpm fuzz2.xpm] [/files/zzuf/bugs/fuzz3.xpm fuzz3.xpm] || SIGSEGV || Memory corruption in !ImageMagick. Security implications look promising. || || antiword [/files/zzuf/bugs/lol-antiword.doc lol-antiword.doc] || SIGSEGV || ? || || firefox [/files/zzuf/bugs/lol-firefox.gif lol-firefox.gif] || !BadAlloc || X11 error || || dvipng [/files/zzuf/bugs/lol-dvipng.dvi lol-dvipng.dvi] || SIGSEGV || Also occurs with `dvi2ps` || || giftopnm [/files/zzuf/bugs/lol-giftopnm.gif lol-giftopnm.gif] || SIGSEGV || ? || * FreeBSD (6.1-RELEASE FreeBSD 6.1-RELEASE !#0: Sun May 7 04:32:43 UTC 2006 root@opus.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386) || nm [/files/zzuf/bugs/lol-freebsd-nm lol-freebsd-nm] || SIGSEGV || ? || * Mac OS X (8.3.1 Darwin Kernel Version 8.3.1: Wed Nov 2 21:12:54 PST 2005; root:xnu-792.7.56.obj~6/RELEASE_I386 i386 i386) || nm [/files/zzuf/bugs/lol-macosx-nm lol-macosx-nm] || SIGSEGV || ? || || otool -I [/files/zzuf/bugs/lol-macosx-otool lol-macosx-otool] || SIGSEGV || ? || * HP-UX B.11.31 U ia64 3426292962 unlimited-user license || nm [/files/zzuf/bugs/lol-hpux-ia64-nm] || SIGSEGV in `nm_elf` || ? ||