cueconvert crashes when converting .toc to .cue

Bug #392372 reported by Christian Hudon
Affects: cuetools (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Stephan Rügamer

Bug Description

With cuetools 1.3.1-4ubuntu1, running the command "cueconvert cd.toc cd.cue" (with the attached cd.toc file) results in a core dump:

*** buffer overflow detected ***: cueconvert terminated
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0xb7ea9da8]
/lib/tls/i686/cmov/libc.so.6[0xb7ea7eb0]
/lib/tls/i686/cmov/libc.so.6[0xb7ea75a8]
/lib/tls/i686/cmov/libc.so.6(_IO_default_xsputn+0xc8)[0xb7e19bb8]
/lib/tls/i686/cmov/libc.so.6(_IO_vfprintf+0xf4c)[0xb7dec77c]
/lib/tls/i686/cmov/libc.so.6(__vsprintf_chk+0xa4)[0xb7ea7654]
/lib/tls/i686/cmov/libc.so.6(__sprintf_chk+0x2d)[0xb7ea759d]
cueconvert[0x804f9bf]
cueconvert[0x80491d1]
cueconvert[0x804941f]
cueconvert[0x804982f]
cueconvert[0x8049034]
cueconvert[0x8048bac]
cueconvert[0x8048e98]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe5)[0xb7dc2775]
cueconvert[0x8048ad1]
======= Memory map: ========
08048000-08056000 r-xp 00000000 fc:00 11368 /usr/bin/cueconvert
08056000-08057000 r--p 0000d000 fc:00 11368 /usr/bin/cueconvert
08057000-08058000 rw-p 0000e000 fc:00 11368 /usr/bin/cueconvert
08c61000-08c82000 rw-p 08c61000 00:00 0 [heap]
b7d81000-b7d8e000 r-xp 00000000 08:02 146602 /lib/libgcc_s.so.1
b7d8e000-b7d8f000 r--p 0000c000 08:02 146602 /lib/libgcc_s.so.1
b7d8f000-b7d90000 rw-p 0000d000 08:02 146602 /lib/libgcc_s.so.1
b7dab000-b7dac000 rw-p b7dab000 00:00 0
b7dac000-b7f08000 r-xp 00000000 08:02 146654 /lib/tls/i686/cmov/libc-2.9.so
b7f08000-b7f09000 ---p 0015c000 08:02 146654 /lib/tls/i686/cmov/libc-2.9.so
b7f09000-b7f0b000 r--p 0015c000 08:02 146654 /lib/tls/i686/cmov/libc-2.9.so
b7f0b000-b7f0c000 rw-p 0015e000 08:02 146654 /lib/tls/i686/cmov/libc-2.9.so
b7f0c000-b7f0f000 rw-p b7f0c000 00:00 0
b7f1a000-b7f2c000 rw-p b7f1a000 00:00 0
b7f2c000-b7f48000 r-xp 00000000 08:02 146637 /lib/ld-2.9.so
b7f48000-b7f49000 r--p 0001b000 08:02 146637 /lib/ld-2.9.so
b7f49000-b7f4a000 rw-p 0001c000 08:02 146637 /lib/ld-2.9.so
bfa35000-bfa4a000 rw-p bffeb000 00:00 0 [stack]
Abort
Exit 134

Revision history for this message
Christian Hudon (chrish) wrote :

After some digging, it turns out that the problem was a buffer whose size was too small to include the null character at the end. A sprintf() of a string of size 9 into a 9-byte buffer: sprintf(msf, "%02d:%02d:%02d", minutes, seconds, frames);

The attached patch fixes the problem by increasing the size of the msf char array to 10 characters (so it can also hold the null character at the end of the string). Please apply.

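The defect above is the classic one-byte shortfall: a "MM:SS:FF" field is eight characters, and the terminating NUL needs a ninth byte, so any buffer sized without the terminator is written past its end. The example below is added here and is not cuetools' code or the attached patch; the names MSF_FMT, MSF_MIN_LEN, msf_required_size, format_msf and msf_fits are assumptions for illustration. It shows the arithmetic behind the fix (sizeof on the literal counts the NUL) and the bounded snprintf() form that reports a buffer that is too small instead of overflowing, which is the check sprintf() lacks; the fortified __sprintf_chk seen in the backtrace only aborts after the overflow has occurred.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not cuetools' own code. The "MM:SS:FF" field is eight
 * characters, so the smallest buffer that holds it plus the NUL is 9 bytes.
 * sizeof() on the literal counts the terminator, keeping size and format
 * in sync instead of hand-counting (which is how the 9-vs-NUL slip happens). */
#define MSF_FMT     "%02d:%02d:%02d"
#define MSF_MIN_LEN sizeof("00:00:00")   /* 9: eight characters + NUL */

/* Bytes, including the NUL, that the formatted msf needs for these values.
 * Two-digit fields give 9; a three-digit minute count gives 10, so the
 * 10-byte array chosen by the patch also has one byte of headroom. */
size_t msf_required_size(int minutes, int seconds, int frames)
{
    /* snprintf with a zero-length buffer reports the length it would write. */
    int n = snprintf(NULL, 0, MSF_FMT, minutes, seconds, frames);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Bounded formatting: writes at most buflen bytes, always NUL-terminates when
 * buflen > 0, and returns 0 on success or -1 if the output would not fit. */
int format_msf(char *buf, size_t buflen, int minutes, int seconds, int frames)
{
    int n;
    if (buf == NULL || buflen == 0)
        return -1;
    n = snprintf(buf, buflen, MSF_FMT, minutes, seconds, frames);
    if (n < 0 || (size_t)n >= buflen) {
        /* Truncated: buf holds a NUL-terminated prefix; tell the caller. */
        return -1;
    }
    return 0;
}

/* Demonstration helper: would a buffer of buflen bytes hold this value?
 * Probes into a local array large enough for any int so the probe is safe. */
int msf_fits(size_t buflen, int minutes, int seconds, int frames)
{
    char probe[64];
    if (buflen > sizeof probe)
        buflen = sizeof probe;
    return format_msf(probe, buflen, minutes, seconds, frames) == 0;
}

int main(void)
{
    char msf[MSF_MIN_LEN];   /* 9 bytes: the minimum that does not overflow */
    char tiny[8];            /* one byte short of the terminator */

    if (format_msf(msf, sizeof msf, 12, 34, 56) == 0)
        printf("ok:      %s (buffer %zu bytes)\n", msf, sizeof msf);
    if (format_msf(tiny, sizeof tiny, 12, 34, 56) != 0)
        printf("refused: 8-byte buffer cannot hold \"%s\" plus NUL\n", msf);
    printf("bytes needed for 100:00:00 = %zu\n", msf_required_size(100, 0, 0));
    return 0;
}
```

The point of routing every write through format_msf() is that the size check lives next to the format string, so a later change to the format (or a larger minute count) fails loudly in a return code rather than silently in memory.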
Revision history for this message
Stephan Rügamer (sruegamer) wrote :

working on it

Changed in cuetools (Ubuntu):
assignee: nobody → Stephan Hermann (shermann)
status: New → In Progress
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cuetools - 1.3.1-7ubuntu1

---------------
cuetools (1.3.1-7ubuntu1) lucid; urgency=low

  * debian/patches/10-buffer-overflow-fix.dpatch: (LP: #392372)
    + it turns out that the problem was a buffer whose size was
      too small to include the null character at the end.
      A sprintf() of a string of size 9 into a 9 bytes buffer:
      sprintf(msf, "%02d:%02d:%02d", minutes, seconds, frames);
    Thx Christian Hudon <email address hidden> for the patch
 -- Stephan Hermann <email address hidden> Tue, 16 Feb 2010 16:14:53 +0000

Changed in cuetools (Ubuntu):
status: In Progress → Fix Released