cdrecord-2.01.1-9
kernel-2.6.12-1.1387_FC4

I ripped Bernstein's Peter and the Wolf with cdda2wav using the recommended command in the cdrecord manual page. When I try to burn the disc using the man page record command "cdrecord -v -dao -useinfo -text *.wav" the program seg faults before the recording starts. Just before this, I ripped the disc with grip & cdparanoia (no *.inf files) and was able to burn just fine using the same command.

[guest2@winch ~]$ dmesg|grep hdc
ide1: BM-DMA at 0xffa8-0xffaf, BIOS settings: hdc:DMA, hdd:pio
hdc: PLEXTOR DVDR PX-708A, ATAPI CD/DVD-ROM drive
hdc: ATAPI 63X DVD-ROM DVD-R CD-R/RW drive, 2048kB Cache, UDMA(33)

I rebuilt the program from SRPM to get debugging information. gdb reported a backtrace...

[root@winch cdda]# gdb /usr/src/redhat/BUILD/cdrtools-2.01/cdrecord/OBJ/i686-linux-cc/cdrecord
GNU gdb Red Hat Linux (6.3.0.0-1.21rh)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...Using host libthread_db library "/lib/libthread_db.so.1".

(gdb) run -v -dao -useinfo -text *.wav
Starting program: /usr/src/redhat/BUILD/cdrtools-2.01/cdrecord/OBJ/i686-linux-cc/cdrecord -v -dao -useinfo -text *.wav
Reading symbols from shared object read from target memory...done.
Loaded system supplied DSO at 0x159000
Cdrecord-Clone 2.01-dvd (i686-pc-linux-gnu) Copyright (C) 1995-2004 Jörg Schilling
Note: This version is an unofficial (modified) version with DVD support
Note: and therefore may have bugs that are not present in the original.
Note: Please send bug reports or support requests to http://bugzilla.redhat.com/bugzilla
Note: The author of cdrecord should not be bothered with problems in this version.
TOC Type: 0 = CD-DA
scsidev: '/dev/cdrom'
devname: '/dev/cdrom'
scsibus: -2 target: -2 lun: -2
Linux sg driver version: 3.5.27
Using libscg version 'schily-0.8'.
/usr/src/redhat/BUILD/cdrtools-2.01/cdrecord/OBJ/i686-linux-cc/cdrecord: Warning: using inofficial libscg transport code version (schily - Red Hat-scsi-linux-sg.c-1.83-RH '@(#)scsi-linux-sg.c 1.83 04/05/20 Copyright 1997 J. Schilling').
Driveropts: 'burnfree'
SCSI buffer size: 64512
atapi: 1
Device type : Removable CD-ROM
Version : 0
Response Format: 1
Vendor_info : 'PLEXTOR '
Identifikation : 'DVDR PX-708A '
Revision : '1.06'
Device seems to be: Generic mmc2 DVD-R/DVD-RW.
Current: 0x0009
Profile: 0x001B
Profile: 0x001A
Profile: 0x0014
Profile: 0x0013
Profile: 0x0011
Profile: 0x0010
Profile: 0x000A
Profile: 0x0009 (current)
Profile: 0x0008
Using generic SCSI-3/mmc CD-R/CD-RW driver (mmc_cdr).
Driver flags : MMC-3 SWABAUDIO BURNFREE VARIREC FORCESPEED SINGLESESSION HIDECDR
Supported modes: TAO PACKET SAO SAO/R96P SAO/R96R RAW/R16 RAW/R96P RAW/R96R
Drive buf size : 1190112 = 1162 KB
Drive DMA Speed: 29190 kB/s 165x CD 21x DVD
FIFO size : 4194304 = 4096 KB
pregap1: -1

Program received signal SIGSEGV, Segmentation fault.
0x0805a4b0 in fillpacks (ap=0xbfa0f93c, from=0x9e9efae "ten", len=15, track_no=3, pack_type=129) at cdtext.c:430
430         ap->tsize->pack_count[pack_type & 0x0F]++;
(gdb) bt
#0 0x0805a4b0 in fillpacks (ap=0xbfa0f93c, from=0x9e9efae "ten", len=15, track_no=3, pack_type=129) at cdtext.c:430
#1 0x0805a669 in packtext (tracks=35, trackp=0xbfa0fb04) at cdtext.c:347
#2 0x08050595 in main (ac=40, av=0xbfa121a4) at cdrecord.c:808
(gdb) print *ap
$1 = {tp = 0xbfe207be, p = 0x0, tsize = 0x74697242, seqno = 7234932}
(gdb) print *ap->tsize
Cannot access memory at address 0x74697242
(gdb) info locals
charpos = 30
p = Variable "p" is not available.
(gdb) up
#1 0x0805a669 in packtext (tracks=35, trackp=0xbfa0fb04) at cdtext.c:347
347         fillpacks(&targ, s, strlen(s)+1, i, 0x80| type);
(gdb) info locals
maxtrk = 35
s = Variable "s" is not available.
(gdb) up
#2 0x08050595 in main (ac=40, av=0xbfa121a4) at cdrecord.c:808
808         packtext(tracks, track);
(gdb) info locals
max_dma = Variable "max_dma" is not available.

Using strace on the cdrecord session ends with this...

_llseek(5, 0, [0], SEEK_SET) = 0
read(5, "#created by cdda2wav 2.01_linux_"..., 4096) = 695
read(5, "", 4096) = 0
_llseek(5, 0, [0], SEEK_SET) = 0
read(5, "#created by cdda2wav 2.01_linux_"..., 4096) = 695
read(5, "", 4096) = 0
_llseek(5, 0, [0], SEEK_SET) = 0
read(5, "#created by cdda2wav 2.01_linux_"..., 4096) = 695
_llseek(5, 695, [695], SEEK_SET) = 0
_llseek(5, 695, [695], SEEK_SET) = 0
_llseek(5, 695, [695], SEEK_SET) = 0
_llseek(5, 695, [695], SEEK_SET) = 0
_llseek(5, 695, [695], SEEK_SET) = 0
_llseek(5, 695, [695], SEEK_SET) = 0
_llseek(5, 695, [695], SEEK_SET) = 0
_llseek(5, 695, [695], SEEK_SET) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({2, 0}, {2, 0}) = 0
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++

Selectively removing args from the command line shows that both -useinfo and -text are required for the segfault. The problem repeats every time, and looks the same. All of the *.inf files look well formed and I can provide them if requested.

Deleting all the *.inf files avoids the segfault. Deleting the audio.cddb and audio.cdindex does not avoid the segfault.

Selectively deleting audio_??.inf files shows that it does not matter much which are present. More than 25 causes the segfault. (My disc has 35 titles) Here is an example...
[guest2@winch cdrecord]$ cat ~/cdda/audio_05.inf
#created by cdda2wav 2.01_linux_2.6.9-1.906_elsmp_i686_i686 08/15/05 22:07:07
#
CDINDEX_DISCID= 'WbcusUp9Bns9KBXqGwhaorCqlCo-'
CDDB_DISCID= 0x4e11b723
MCN=
ISRC=
#
Albumperformer= 'Prokofeiv + Saint-Saens + Britten'
Performer= 'Prokofeiv + Saint-Saens + Britten'
Albumtitle= 'Bernstein Century Children's Classics'
Tracktitle= 'Camille Saint-Saens / Le Carnaval des Animaux - 4 - Tortues'
Tracknumber= 5
Trackstart= 147232
# track length in sectors (1/75 seconds each), rest samples
Tracklength= 10060, 0
Pre-emphasis= no
Channels= 2
Copy_permitted= once (copyright protected)
Endianess= little
# index list
Index= 0
Index0= -1

The disc is very good. I recommend it. My kids agree.
> More than 25 causes the segfault...

And it's not that the 26th .inf file is in some way corrupted?
(In reply to comment #1)
> > More than 25 causes the segfault...
>
> And it's not that the 26th .inf file is in some way corrupted?

Nope. All the .inf are pretty similar, and it does not matter which one is added as the 26th. I suspect it has to do with the long Albumtitle or Tracktitle. Actually, as I look again four of them have a Tracktitle that is like 140 characters long. Unfortunately, I can still make it crash by choosing from the other audio_xx.inf, but it takes 27 files that way.

In my testing just now, I did have one crash which printed this line just before the crash... (it is totally reproducible but only for this specific collection of .inf files)

cdrecord: Cannot allocate memory. Cannot malloc CD-Text write buffer.

So this begs the question, if I use fewer .inf files so it does not crash, and then I alter one of the .inf files to have a really long Tracktitle, can I make it crash? The answer is yes. I suspect this bug is a security hole.
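Added example (not cdrecord's code and not part of the original report): a bounds-checked way to pack text into 18-byte CD-Text packs that refuses a string, before writing anything, when it would not fit in the buffer, which is the check relevant to the crash reported in fillpacks(). struct packbuf, fill_packs_checked() and the MAX_PACKS capacity are assumptions made for illustration; header fields are simplified and the CRC is left out.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PACK_TEXT 12    /* text bytes carried by one CD-Text pack */
#define MAX_PACKS 255   /* assumed buffer capacity, for illustration only */

struct pack {           /* 18 bytes: 4 header, 12 text, 2 CRC */
    uint8_t type, track, seq, pos;
    uint8_t text[PACK_TEXT];
    uint8_t crc[2];     /* left zero here; CRC is out of scope */
};
struct packbuf {        /* hypothetical writer state */
    struct pack packs[MAX_PACKS];
    size_t used;        /* packs opened so far */
    size_t fill;        /* text bytes used in the last opened pack */
    unsigned count[16]; /* per-type pack counts */
};

/* Free text bytes in the last pack if it can take more data of this type. */
static size_t room_in_last(const struct packbuf *b, uint8_t type)
{
    if (b->used == 0 || b->packs[b->used - 1].type != type)
        return 0;
    return PACK_TEXT - b->fill;
}

/* Append len bytes (string plus its NUL). Returns 0 on success, or -1 with
 * the buffer untouched if the data would need more packs than remain. */
int fill_packs_checked(struct packbuf *b, const char *from, size_t len,
                       uint8_t track, uint8_t type)
{
    size_t room = room_in_last(b, type);
    size_t need = len <= room ? 0 : (len - room + PACK_TEXT - 1) / PACK_TEXT;
    if (need > MAX_PACKS - b->used)
        return -1;                       /* reject before any write */
    while (len > 0) {
        room = room_in_last(b, type);
        if (room == 0) {                 /* open a new pack */
            struct pack *np = &b->packs[b->used];
            memset(np, 0, sizeof *np);
            np->type = type; np->track = track; np->seq = (uint8_t)b->used;
            b->used++; b->fill = 0; room = PACK_TEXT;
            b->count[type & 0x0F]++;
        }
        size_t n = len < room ? len : room;
        memcpy(b->packs[b->used - 1].text + b->fill, from, n);
        b->fill += n; from += n; len -= n;
    }
    return 0;
}
```

With this shape, an over-long Tracktitle produces an error return the caller can report, and the pack counters and neighbouring state are never overwritten by text bytes.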
A security hole for those who set cdrecord suid... yes.
If you like, you could use Jörg Schilling's original cdrecord or cdrecord-pro and notify him if that segfaults also. Red Hat modified his software and he might not listen to us, as he only cares about his original version.
I will work on comment 4.
This report targets the FC3 or FC4 products, which have now been EOL'd. Could you please check that it still applies to a current Fedora release, and either update the target product or close it? Thanks.
Fedora Core 4 is no longer maintained. Setting status to "INSUFFICIENT_DATA". If you can reproduce this bug in the current Fedora release, please reopen this bug and assign it to the corresponding Fedora version.