Bug 160671
| Summary: | Random Buffer Overflows | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Benjamin Bach <benjaoming> | ||||||
| Component: | grip | Assignee: | Adrian Reber <adrian> | ||||||
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||||
| Severity: | medium | Docs Contact: | |||||||
| Priority: | medium | ||||||||
| Version: | 4 | CC: | gneeki | ||||||
| Target Milestone: | --- | ||||||||
| Target Release: | --- | ||||||||
| Hardware: | i686 | ||||||||
| OS: | Linux | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | grip-3.2.0-6.fc4 | Doc Type: | Bug Fix | ||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2005-08-04 18:19:42 UTC | Type: | --- | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Attachments: |
|
||||||||
|
Description
Benjamin Bach
2005-06-16 15:04:45 UTC
Does this happen with every CD you try to rip, or does it only occur with certain CDs? Could it be that your harddisk is full and it crashes therefore somewhere? Do you have the debuginfo for grip installed? Have you contacted upstream? As I cannot reprodruce it I am currently only guessing... Yes, it happens with all my CDs drive. HDD isn't full but I'm writing to a FAT32 partition. Maybe that's the problem. I will try to install the debug and get back. *** Bug 165005 has been marked as a duplicate of this bug. *** Why the heck couldn't I find this bug when I searched extensively! Same problem here and my duplicate report bug 165005 contains most of my information. I'm also ripping to a FAT32 partition, but previously (FC3) grip ripped to it fine. Hard disk nowhere near full. To answer Adrian's question on the other bug - just renamed ~/.grip so it's ripping to ogg by default and to ext3: no crash. Changed new config to rip to ogg on FAT32 - no crash. Changed ripper from new default of cdparanoia back to my previous setting of cdda2wav - no crash writing to either filesystem. In short, I've done about 30 rips and encodes varying every variable and think I've found at least one hot-point causing a crash every time: doid3v2 1 (Add ID3v2 tags to encoded files) when writing the mp3 to *either* filesystem (FAT32 or ext3). Turning no_lower_case, no_underscore and allow_high_bits don't make any difference - it crashes with them on or off. I don't have any allow_these_chars set and am using the default UTF-8 settings. And the crash occurs right at the end of the encoding phase, just when the tags will be being written. Or presumably when the .wav is being deleted, but I've disabled this and the crash still occurs. Just to emphasise, the filesystem is irrelevant at least for this crash. The odd thing is that there's nothing special about the problematic tracks, yet the crashes are predictable with it. No foreign language accents in grip, nor do they have when viewed at freedb.org. I don't have the debuginfo package installed (do I have to rebuild the SRPM to get this, or is it in a repository?). Done a lot of debugging on this today so I have to stop for now - maybe Benjamin could try and reproduce this or this provides some more clues to Adrian. If it's relevant: % rpm -q taglib taglib-devel taglib-1.4-1.fc4 taglib-devel-1.4-1.fc4 So for now my workaround: turn off ID3 v2 tagging, and write them with easytag later. Of course there may be other case crashes with this turned off - I'll try to add to this bugzilla if I find them. My hardware (although probably irrelevant): Probing IDE interface ide1... hdc: UJDA755zDVD/CDRW, ATAPI CD/DVD-ROM drive ide1 at 0x170-0x177,0x376 on irq 15 hdc: ATAPI 24X DVD-ROM CD-R/RW drive, 2048kB Cache, UDMA(33) Uniform CD-ROM driver Revision: 3.20 Yes, debuginfo packages are found in the Fedora Extras repository, ./debug sub-directory. A full backtrace -- http://fedoraproject.org/wiki/StackTraces -- would be interesting, since you seem to be able to reproduce this crash. taglib is not used here. libid3 is used, so grip-debuginfo and libid3-debuginfo should be installed at least. Created attachment 117424 [details]
patch for one buffer overflow in id3.c
This is one sprintf buffer overflow in grip's ID3v2 creation.
Thanks Michael - I've applied your patch to the current SRPM and rebuilt it, and it certainly seems to fix the specific ID3 v2 writing overflows above - can't reproduce them for now. I'd suggest leaving this bug open for a while to allow Benjamin and any others to confirm his settings - this may not be the only problem. Will install debuginfos if I get more crashes. Michael, thanks for your help. I will apply the patch and release a new package today. Hmm. Two system hangs (complete, not even responsive to SysRq) using the patched
grip. Syslog messages:
Aug 4 14:57:39 localhost kernel: hdc: DMA timeout retry
Aug 4 14:57:39 localhost kernel: hdc: timeout waiting for DMA
Aug 4 14:57:39 localhost kernel: hdc: status error: status=0x58 { DriveReady
SeekComplete DataRequest }
Aug 4 14:57:39 localhost kernel: ide: failed opcode was: unknown
Aug 4 14:57:39 localhost kernel: hdc: drive not ready for command
Restored the current unpatched Extras grip and no hangs. Feasible that the patch
could cause this?
Back to the original grip, with debuginfo packages installed (I assume you meant
libid3tag):
% rpm -q grip grip-debuginfo libid3tag libid3tag-debuginfo
grip-3.2.0-5.fc4
grip-debuginfo-3.2.0-5.fc4
libid3tag-0.15.1-3.b
libid3tag-debuginfo-0.15.1-3.b
- backtrace attached next.
Created attachment 117460 [details]
Backtrace of ID3 v2 writing buffer overflow
* libid3tag is not used by grip, id3lib is.
* The patch does not cause any hangs. It does not introduce any regression and
does not have any effect onto the kernel/driver level.
> comment=0x8e4b9d8 "", genre=131 '\203', tracknum=5 '\005',
Thanks for the more detailed bracktrace. The "genre" value in there (three
digits wide) confirms that the patch fixes the buffer overflow.
Also found upstream: Grip crashes after one track is ripped but not for all CDs https://sourceforge.net/tracker/index.php?func=detail&aid=1238430&group_id=3714&atid=103714 Also patched in exactly the same way: ID3v2TagFile() insufficient genre buffer size bugfix http://sourceforge.net/tracker/index.php?func=detail&aid=1013980&group_id=3714&atid=303714 Hmm thanks. So my lockups were coincidental, possibly hardware? I can see the sense in your patch, harmless and can't cause a lockup - but experienced two in 3 CDs and never have before, and none again having restored the Extras RPM. Wondering if there's another bug in grip which your fix clears the way for... will report back here if I see more. I was finally able to reproduce this error. The important part is to select 'Indie' as genre and then it crashes. The patch fixes the error for me. I have requested a new build of grip with this patch included and a new version will be available shortly and I will close this bug. If you still have the same problem then just re-open the bug. For kernel hangs you should open another bug. |