Bug#370390: libtunepimp3: Crash in TRM lookup

Sun, 04 Jun 2006 16:22:51 -0700 

Package: libtunepimp3
Version: 0.4.2-3
Severity: normal
Tags: patch
Note: I run Debian stable, but built libtunepimp3 on a Ubuntu dapper system as 
this comes closer to Debian testing than Debian stable. libtunepimp3 is not
part of dapper (it still uses libtunepimp2), I needed it to port my project
"Kid3" to the new libtunepimp.

Bug reproduction:
Start tp_tagger (from packet libtunepimp-bin), add some MP3 or Ogg files and 
notice that the lookup process is stuck at "TRM Lookup". If you start
tp_tagger from gdb, the lookup thread is reported to crash with a segmentation 
fault in LookupTRM::lookup(), the location can be found out using a
libtunepimp.so.3.0.0 with debugging information not stripped, it is line
170.

Analysis:
lib/lookuptools.cpp:
At line 163, buffer temp is used as a buffer with 256 bytes. However, there is no buffer temp with 256 bytes in the innermost scope. The buffer temp used is 
defined in line 56 and has only 100 bytes. Thus when more than 100 bytes
result data are read, temp is overflown and the thread can crash (if it does 
may depend on compiler optimization, linkage, ..., in my system it does).

Patch:
The following patch provides a sufficiently sized temp buffer. It also fixes 
some other buffer length violations (one byte more is used than available).

** begin of patch **
diff -ru libtunepimp-0.4.2.orig/lib/lookuptools.cpp libtunepimp-0.4.2/lib/lookuptools.cpp --- libtunepimp-0.4.2.orig/lib/lookuptools.cpp 2006-01-28 21:35:42.000000000 +0100 +++ libtunepimp-0.4.2/lib/lookuptools.cpp 2006-06-04 20:09:51.000000000 +0200 
@@ -51,7 +51,7 @@
     musicbrainz_t  o;
     char          *args[7];
     int            ret, trackNum;
-    char           error[255], data[255], trackURI[256],
+    char           error[256], data[256], trackURI[256],
                    artistURI[256], albumURI[256];
     char           temp[100], duration[100], status[100];

@@ -159,6 +159,7 @@
             // Select the first release date
             if (mb_Select1(o, MBS_SelectReleaseDate, j))
             {
+                char temp[256];
                 // Pull back the release date and release country
                 if (mb_GetResultData(o, MBE_ReleaseGetDate, temp, 256))
                 {
@@ -211,7 +212,7 @@
     musicbrainz_t  o;
     char          *args[3];
     int            ret;
-    char           error[255], data[255];
+    char           error[256], data[256];
// ----------------------------------------------------------------------------------------- // NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE 
@@ -299,7 +300,7 @@
 {
     musicbrainz_t  o;
     int            ret;
-    char           error[255];
+    char           error[256];

     if (user.empty() || passwd.empty())
     {
** end of patch **


And now for something completely different:
It would be better to check for taglib 1.4 than 1.4.0 in configure, or taglib 
with version "1.4" will not be used. The following patch should solve this:

** begin of patch **
diff -ru libtunepimp-0.4.2.orig/configure libtunepimp-0.4.2/configure
--- libtunepimp-0.4.2.orig/configure    2006-06-04 23:47:52.000000000 +0200
+++ libtunepimp-0.4.2/configure 2006-06-02 19:30:24.000000000 +0200
@@ -19556,9 +19556,9 @@
     echo "*** Or see http://developer.kde.org/~wheeler/taglib.html";
   else
     TAGLIB_VERSION=`$TAGLIB_CONFIG --version`
-    echo "$as_me:$LINENO: checking for taglib >= 1.4.0" >&5
-echo $ECHO_N "checking for taglib >= 1.4.0... $ECHO_C" >&6
-        VERSION_CHECK=`expr $TAGLIB_VERSION \>\= 1.4.0`
+    echo "$as_me:$LINENO: checking for taglib >= 1.4" >&5
+echo $ECHO_N "checking for taglib >= 1.4... $ECHO_C" >&6
+        VERSION_CHECK=`expr $TAGLIB_VERSION \>\= 1.4`
         if test "$VERSION_CHECK" = "1" ; then
             echo "$as_me:$LINENO: result: yes" >&5
 echo "${ECHO_T}yes" >&6
diff -ru libtunepimp-0.4.2.orig/configure.in libtunepimp-0.4.2/configure.in
--- libtunepimp-0.4.2.orig/configure.in 2006-06-04 23:47:52.000000000 +0200
+++ libtunepimp-0.4.2/configure.in      2006-06-04 23:45:25.000000000 +0200
@@ -77,7 +77,7 @@
 AC_CHECK_HEADERS(iconv.h)

 dnl Check for TagLib 1.4
-AC_CHECK_TAGLIB(1.4.0,
+AC_CHECK_TAGLIB(1.4,
                 [TP_PLUGINS="$TP_PLUGINS mpc wma"
                 AC_DEFINE(HAVE_TAGLIB,1,[TagLib Support])],
                [AC_MSG_RESULT([no])
** end of patch **

-- System Information:
Debian Release: testing/unstable
  APT prefers dapper-updates
APT policy: (500, 'dapper-updates'), (500, 'dapper-security'), (500, 'dapper') 
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.15-23-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages libtunepimp3 depends on:
ii libc6 2.3.6-0ubuntu20 GNU C Library: Shared libraries an 
ii  libgcc1                 1:4.0.3-1ubuntu5 GCC support library
ii libmusicbrainz4c2a 2.1.2-2ubuntu3 Second generation incarnation of t ii libstdc++6 4.0.3-1ubuntu5 The GNU Standard C++ Library v3 
ii  zlib1g                  1:1.2.3-6ubuntu4 compression library - runtime

libtunepimp3 recommends no packages.



--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Reply via email to