libtunepimp, version 0.4.2
I reported this to Debian, it might be interesting for you too.
Bug reproduction:
Start tp_tagger (from packet libtunepimp-bin), add some MP3 or Ogg files and notice that the lookup process is stuck at "TRM Lookup". If you start tp_tagger from gdb, the lookup thread is reported to crash with a segmentation fault in LookupTRM::lookup(), the location can be found out using a libtunepimp.so.3.0.0 with debugging information not stripped, it is line 170.
Analysis:
lib/lookuptools.cpp:
At line 163, buffer temp is used as a buffer with 256 bytes. However, there is no buffer temp with 256 bytes in the innermost scope. The buffer temp used is defined in line 56 and has only 100 bytes. Thus when more than 100 bytes result data are read, temp is overflown and the thread can crash (if it does may depend on compiler optimization, linkage, ..., in my system it does).
Patch:
The following patch provides a sufficiently sized temp buffer. It also fixes some other buffer length violations (one byte more is used than available).
diff -ru libtunepimp-0.4.2.orig/lib/lookuptools.cpp libtunepimp-0.4.2/lib/lookuptools.cpp
--- libtunepimp-0.4.2.orig/lib/lookuptools.cpp 2006-01-28 21:35:42.000000000 +0100
+++ libtunepimp-0.4.2/lib/lookuptools.cpp 2006-06-04 20:09:51.000000000 +0200
@@ -51,7 +51,7 @@
musicbrainz_t o;
char *args[7];
int ret, trackNum;
- char error[255], data[255], trackURI[256],
+ char error[256], data[256], trackURI[256],
artistURI[256], albumURI[256];
char temp[100], duration[100], status[100];
@@ -159,6 +159,7 @@
// Select the first release date
if (mb_Select1(o, MBS_SelectReleaseDate, j))
{
+ char temp[256];
// Pull back the release date and release country
if (mb_GetResultData(o, MBE_ReleaseGetDate, temp, 256))
{
@@ -211,7 +212,7 @@
musicbrainz_t o;
char *args[3];
int ret;
- char error[255], data[255];
+ char error[256], data[256];
// -----------------------------------------------------------------------------------------
// NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE
@@ -299,7 +300,7 @@
{
musicbrainz_t o;
int ret;
- char error[255];
+ char error[256];
if (user.empty() || passwd.empty())
{
** end of patch **
And now for something completely different:
It would be better to check for taglib 1.4 than 1.4.0 in configure, or taglib with version "1.4" will not be used. The following patch should solve this:
** begin of patch **
#!diff
diff -ru libtunepimp-0.4.2.orig/configure libtunepimp-0.4.2/configure
--- libtunepimp-0.4.2.orig/configure 2006-06-04 23:47:52.000000000 +0200
+++ libtunepimp-0.4.2/configure 2006-06-02 19:30:24.000000000 +0200
@@ -19556,9 +19556,9 @@
echo "*** Or see http://developer.kde.org/~wheeler/taglib.html"
else
TAGLIB_VERSION=`$TAGLIB_CONFIG --version`
- echo "$as_me:$LINENO: checking for taglib >= 1.4.0" >&5
-echo $ECHO_N "checking for taglib >= 1.4.0... $ECHO_C" >&6
- VERSION_CHECK=`expr $TAGLIB_VERSION \>\= 1.4.0`
+ echo "$as_me:$LINENO: checking for taglib >= 1.4" >&5
+echo $ECHO_N "checking for taglib >= 1.4... $ECHO_C" >&6
+ VERSION_CHECK=`expr $TAGLIB_VERSION \>\= 1.4`
if test "$VERSION_CHECK" = "1" ; then
echo "$as_me:$LINENO: result: yes" >&5
echo "${ECHO_T}yes" >&6
diff -ru libtunepimp-0.4.2.orig/configure.in libtunepimp-0.4.2/configure.in
--- libtunepimp-0.4.2.orig/configure.in 2006-06-04 23:47:52.000000000 +0200
+++ libtunepimp-0.4.2/configure.in 2006-06-04 23:45:25.000000000 +0200
@@ -77,7 +77,7 @@
AC_CHECK_HEADERS(iconv.h)
dnl Check for TagLib 1.4
-AC_CHECK_TAGLIB(1.4.0,
+AC_CHECK_TAGLIB(1.4,
[TP_PLUGINS="$TP_PLUGINS mpc wma"
AC_DEFINE(HAVE_TAGLIB,1,[TagLib Support])],
[AC_MSG_RESULT([no])
