cueconvert crashes when converting .toc to .cue
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
cuetools (Ubuntu) | Fix Released | Undecided | Stephan Rügamer | | |
Bug Description
With cuetools 1.3.1-4ubuntu1, running the command "cueconvert cd.toc cd.cue" (with the attached cd.toc file) results in a core dump:
*** buffer overflow detected ***: cueconvert terminated
Abort
Exit 134
After some digging, it turns out that the problem was a buffer whose size was too small to include the null character at the end. A sprintf() of a string of size 9 into a 9-byte buffer: sprintf(msf, "%02d:%02d:%02d", minutes, seconds, frames);
The attached patch fixes the problem by increasing the size of the msf char array to 10 characters (so it can also hold the null character at the end of the string). Please apply.
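
An added example (not cuetools code and not the attached patch): it measures how many bytes the format string quoted above needs for given values, and replaces the unbounded sprintf() with a length-checked snprintf() that rejects output that does not fit. The function names msf_bytes_needed and format_msf and the sample values are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Bytes needed for the formatted text, including the terminating NUL.
 * snprintf() with a NULL buffer and size 0 only measures the output. */
int msf_bytes_needed(int minutes, int seconds, int frames)
{
    return snprintf(NULL, 0, "%02d:%02d:%02d", minutes, seconds, frames) + 1;
}

/* Bounded replacement for the sprintf() call (hypothetical helper).
 * Returns 0 on success, -1 if the text plus NUL does not fit in dst.
 * snprintf() never writes more than dstsz bytes, so dst is not overrun. */
int format_msf(char *dst, size_t dstsz, int minutes, int seconds, int frames)
{
    int n = snprintf(dst, dstsz, "%02d:%02d:%02d", minutes, seconds, frames);
    if (n < 0 || (size_t)n >= dstsz)
        return -1;              /* encoding error or truncated output */
    return 0;
}

int main(void)
{
    char msf[10];               /* array size after the fix in the report */
    /* Constructed sample values, not taken from the attached cd.toc. */
    int samples[][3] = { {74, 59, 74}, {100, 0, 0}, {1000, 0, 0} };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int *s = samples[i];
        int rc = format_msf(msf, sizeof msf, s[0], s[1], s[2]);
        printf("%d:%d:%d needs %d bytes -> %s\n", s[0], s[1], s[2],
               msf_bytes_needed(s[0], s[1], s[2]),
               rc == 0 ? msf : "rejected (does not fit)");
    }
    return 0;
}
```

"%02d" sets a minimum field width, not a maximum, so the required size grows with the values being formatted; checking the snprintf() return value keeps the write bounded whatever the input file contains.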