Bug 485688 - buffer overflow detected in cueconvert
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: cuetools
Version: 10
Hardware: i386 Linux
Priority: low
Severity: medium
Assigned To: Paul P Komkoff Jr
QA Contact: Fedora Extras Quality Assurance
 
Reported: 2009-02-16 06:03 EST by Timon
Modified: 2009-07-19 06:14 EDT

Fixed In Version: 1.4.0-0.4.svn305.fc11
Doc Type: Bug Fix
Last Closed: 2009-07-19 06:06:47 EDT


Attachments
cue file to convert (2.83 KB, text/plain)
2009-02-16 06:03 EST, Timon

Description Timon 2009-02-16 06:03:30 EST
Created attachment 332021
cue file to convert

cueconvert -i cue -o toc Misc/cue.CUE toc.toc

*** buffer overflow detected ***: cueconvert terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x48)[0x432938]
/lib/libc.so.6[0x430a30]
/lib/libc.so.6[0x430118]
/lib/libc.so.6(_IO_default_xsputn+0xc8)[0x3a2958]
/lib/libc.so.6(_IO_vfprintf+0xf4c)[0x37555c]
/lib/libc.so.6(__vsprintf_chk+0xa7)[0x4301c7]
/lib/libc.so.6(__sprintf_chk+0x2d)[0x43010d]
/usr/lib/libcuefile.so.0(time_frame_to_mmssff+0x70)[0x50b900]
/usr/lib/libcuefile.so.0(toc_print_track+0x368)[0x50c6f8]
/usr/lib/libcuefile.so.0(toc_print+0xd6)[0x50caf6]
/usr/lib/libcuefile.so.0(cf_print+0xb3)[0x50ba53]
cueconvert[0x26e7ee]
cueconvert(main+0x2e0)[0x26ec20]
/lib/libc.so.6(__libc_start_main+0xe5)[0x34b6e5]
cueconvert[0x26e6d1]
======= Memory map: ========
00167000-00168000 r-xp 00167000 00:00 0          [vdso]
0026e000-00270000 r-xp 00000000 fd:00 57565017   /usr/bin/cueconvert
00270000-00271000 rw-p 00001000 fd:00 57565017   /usr/bin/cueconvert
00335000-004a3000 r-xp 00000000 fd:00 48431241   /lib/libc-2.9.so
004a3000-004a5000 r--p 0016e000 fd:00 48431241   /lib/libc-2.9.so
004a5000-004a6000 rw-p 00170000 fd:00 48431241   /lib/libc-2.9.so
004a6000-004a9000 rw-p 004a6000 00:00 0 
00508000-0051a000 r-xp 00000000 fd:00 57565026   /usr/lib/libcuefile.so.0.0.0
0051a000-0051b000 rw-p 00011000 fd:00 57565026   /usr/lib/libcuefile.so.0.0.0
006bb000-006db000 r-xp 00000000 fd:00 48431208   /lib/ld-2.9.so
006dc000-006dd000 r--p 00020000 fd:00 48431208   /lib/ld-2.9.so
006dd000-006de000 rw-p 00021000 fd:00 48431208   /lib/ld-2.9.so
00ed7000-00ee4000 r-xp 00000000 fd:00 48434509   /lib/libgcc_s-4.3.2-20081105.so.1
00ee4000-00ee5000 rw-p 0000c000 fd:00 48434509   /lib/libgcc_s-4.3.2-20081105.so.1
01a51000-01a72000 rw-p 01a51000 00:00 0          [heap]
b8045000-b8047000 rw-p b8045000 00:00 0 
b8065000-b8066000 rw-p b8065000 00:00 0 
bf850000-bf865000 rw-p bffeb000 00:00 0          [stack]
Аварийный останов
Comment 1 Jon Dufresne 2009-02-16 12:18:43 EST
Thank you for taking the time to report this bug. This bug report lacks a complete stack trace. Next time please make sure you have debuginfo packages installed and see http://fedoraproject.org/wiki/StackTraces for more information about getting a useful stack trace.

I have tested your test case and can confirm the error. Below is a full stack trace. With a full stack trace and reproducible test case I am marking this assigned.

Program received signal SIGABRT, Aborted.
0x00b31416 in __kernel_vsyscall ()
(gdb) bt
#0  0x00b31416 in __kernel_vsyscall ()
#1  0x0043f460 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#2  0x00440e28 in abort () at abort.c:88
#3  0x0047cfed in __libc_message (do_abort=2, 
    fmt=0x55611c "*** %s ***: %s terminated\n")
    at ../sysdeps/unix/sysv/linux/libc_fatal.c:170
#4  0x00511938 in __fortify_fail (msg=0x5560c6 "buffer overflow detected")
    at fortify_fail.c:32
#5  0x0050fa30 in __chk_fail () at chk_fail.c:29
#6  0x0050f118 in _IO_str_chk_overflow (fp=0xbffff240, c=54)
    at vsprintf_chk.c:35
#7  0x00481958 in _IO_default_xsputn (f=0xbffff240, data=0xbffff19a, n=2)
    at genops.c:485
#8  0x0045455c in _IO_vfprintf_internal (s=0xbffff240, 
    format=0x82864c "%02d:%02d:%02d", ap=0xbffff32c "\b") at vfprintf.c:1580
#9  0x0050f1c7 in ___vsprintf_chk (s=0x82fec4 "-4:-17:-", flags=1, slen=9, 
    format=0x82864c "%02d:%02d:%02d", args=0xbffff320 "������������\b")
    at vsprintf_chk.c:87
#10 0x0050f10d in ___sprintf_chk (s=0x82fec4 "-4:-17:-", flags=1, slen=9, 
    format=0x82864c "%02d:%02d:%02d") at sprintf_chk.c:33
#11 0x00820900 in sprintf () at /usr/include/bits/stdio2.h:34
#12 time_frame_to_mmssff (f=-19340) at time.c:41
#13 0x008216f8 in toc_print_track (fp=0xbce008, track=0xbd27d8)
    at toc_print.c:133
#14 0x00821af6 in toc_print (fp=0xbce008, cd=0xbce170) at toc_print.c:50
#15 0x00820a53 in cf_print (name=0xbffff693 "toc.toc", format=0xbffff41c, 
    cd=0xbce170) at cuefile.c:72
#16 0x00bcb7ee in convert (iname=0xbffff68b "cue.CUE", iformat=0, 
    oname=0xbffff693 "toc.toc", oformat=1) at cueconvert.c:74
#17 0x00bcbc20 in main (argc=7, argv=0xbffff4f4) at cueconvert.c:144

---
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers
Comment 2 Paul P Komkoff Jr 2009-02-16 13:10:06 EST
I fail to figure out how the attached cue file makes a negative time offset. I can fix the symptom for sure (that is: make more space for time) but the problem is time_frame_to_mmssff (f=-19340)

Maybe this is something arch-specific, since my devel environment is x86_64...
Comment 3 Jon Dufresne 2009-02-16 13:29:05 EST
(In reply to comment #2)
> I fail to figure out how the attached cue file makes a negative time offset. I
> can fix the symptom for sure (that is: make more space for time) but the
> problem is time_frame_to_mmssff (f=-19340)
> 
> Maybe this is something arch-specific, since my devel environment is x86_64...

My Fedora install is on a 32 bit machine, x86.

As a curiosity, I tested the cuetools svn (r305), from svn://svn.berlios.de/cuetools/trunk

The buffer overflow does not occur in the svn version. This appears to be fixed upstream.
Comment 4 Paul P Komkoff Jr 2009-02-16 15:45:58 EST
Not quite.
The version in the RPM is r305 plus some patches (cuetools-1.3.1-svn305-fixes.patch.bz2 in the spec).
As this is a detected buffer overrun, it matters which compilation flags you set, etc.

In this particular case I cannot trace where f=-19340 comes from; most likely it comes in from an uninitialized index[] array.

Ok, well, I have one idea which I'm going to try now, stay tuned.

P.S. Upstream is practically dead, patch.bz2 is almost twice the size of the source :)
Comment 5 Paul P Komkoff Jr 2009-02-16 15:54:43 EST
OK, I triggered it, now trying to find a way to fix it.
Comment 6 Paul P Komkoff Jr 2009-02-18 10:23:17 EST
Here's an instance of the problem:
  TRACK 02 AUDIO
    TITLE "Something"
    PERFORMER "The Beatles"
    INDEX 00 04:17:65
FILE "02 - Something.wav" WAVE
    INDEX 01 00:00:00

According to the doc I've found, it's OK (well, it does not contradict the spec), but cuetools does not understand it.
The second INDEX produces a negative offset since cuetools will not switch the file, so then we try to put more than 9 symbols into the buffer -> FAIL.

I can put an assert into the code to intentionally asplode on this, however it's not the proper fix.
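The arithmetic behind comment 6 and the backtrace in comment 1, as an added example in C that is not cuetools' own code: 04:17:65 is 4*4500 + 17*75 + 65 = 19340 frames (CD audio runs at 75 frames per second), so an INDEX 01 at 00:00:00 measured against that INDEX 00 without switching file gives exactly the f=-19340 seen in frame #12. Formatted with "%02d:%02d:%02d", a negative value expands to 10 characters ("-4:-17:-65"), which is what overflows the 9-byte "mm:ss:ff" buffer (slen=9 in frame #9; the check fires on c=54, the '6'). The function names, the MSF_BUFLEN constant and the error-return convention below are assumptions of this example, not cuetools' API; the hardened conversion rejects negative input and refuses to write more than the buffer holds.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example (not cuetools' code): the frame/MSF arithmetic and
 * buffer sizing behind the "buffer overflow detected" abort in this bug.
 * CD audio uses 75 frames per second; "mm:ss:ff" needs 8 chars plus NUL. */
#define FRAMES_PER_SECOND 75
#define FRAMES_PER_MINUTE (60 * FRAMES_PER_SECOND)
#define MSF_BUFLEN 9   /* "mm:ss:ff" + NUL, the slen=9 seen in frame #9 */

/* Convert an "mm:ss:ff" triple from a cue sheet into a frame count. */
long mmssff_to_frames(int mm, int ss, int ff)
{
    return (long)mm * FRAMES_PER_MINUTE + (long)ss * FRAMES_PER_SECOND + ff;
}

/* How many characters "%02d:%02d:%02d" produces for f, NUL not counted.
 * snprintf(NULL, 0, ...) measures without writing anything, so this is
 * safe to call on the negative value from the report. */
int msf_formatted_length(long f)
{
    int mm = (int)(f / FRAMES_PER_MINUTE);
    long rem = f - (long)mm * FRAMES_PER_MINUTE;
    int ss = (int)(rem / FRAMES_PER_SECOND);
    int ff = (int)(rem - (long)ss * FRAMES_PER_SECOND);
    return snprintf(NULL, 0, "%02d:%02d:%02d", mm, ss, ff);
}

/* Hardened conversion: reject negative frame counts (the symptom in the
 * report) and never write past buflen.  Returns 0 on success, -1 on
 * invalid input or a buffer too small for the result; buf is left as an
 * empty string on failure so callers cannot print garbage. */
int frames_to_mmssff(long f, char *buf, size_t buflen)
{
    if (buf == NULL || buflen == 0)
        return -1;
    buf[0] = '\0';
    if (f < 0)
        return -1;
    int mm = (int)(f / FRAMES_PER_MINUTE);
    long rem = f - (long)mm * FRAMES_PER_MINUTE;
    int ss = (int)(rem / FRAMES_PER_SECOND);
    int ff = (int)(rem - (long)ss * FRAMES_PER_SECOND);
    int n = snprintf(buf, buflen, "%02d:%02d:%02d", mm, ss, ff);
    if (n < 0 || (size_t)n >= buflen) {
        buf[0] = '\0';   /* output would have been truncated: refuse it */
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed input taken from comment 6: INDEX 00 04:17:65 in one
     * file, INDEX 01 00:00:00 in the next.  Measured as "index 01 minus
     * index 00" without switching file, the offset goes negative. */
    long index00 = mmssff_to_frames(4, 17, 65);   /* 19340 */
    long index01 = mmssff_to_frames(0, 0, 0);
    long offset = index01 - index00;              /* -19340 */
    char buf[MSF_BUFLEN];

    printf("offset = %ld frames, formatted length would be %d (buffer holds %d)\n",
           offset, msf_formatted_length(offset), MSF_BUFLEN - 1);
    if (frames_to_mmssff(offset, buf, sizeof buf) != 0)
        printf("rejected: negative offset does not fit mm:ss:ff\n");
    if (frames_to_mmssff(index00, buf, sizeof buf) == 0)
        printf("index 00 = %s\n", buf);
    return 0;
}
```

The abort in the report is FORTIFY_SOURCE doing its job: with -O2 and -D_FORTIFY_SOURCE=2 the sprintf call becomes __sprintf_chk with the destination size, which is why comment 4 notes that the result depends on compilation flags; a build without it would silently write past the buffer instead. The snprintf length check above is the equivalent guard that does not depend on build flags, and rejecting f < 0 addresses the actual cause rather than just making the buffer bigger.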
Comment 7 Fedora Update System 2009-07-15 11:15:26 EDT
cuetools-1.4.0-0.4.svn305.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/cuetools-1.4.0-0.4.svn305.fc10
Comment 8 Fedora Update System 2009-07-15 11:15:44 EDT
cuetools-1.4.0-0.4.svn305.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/cuetools-1.4.0-0.4.svn305.fc11
Comment 9 Fedora Update System 2009-07-19 06:06:31 EDT
cuetools-1.4.0-0.4.svn305.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2009-07-19 06:14:45 EDT
cuetools-1.4.0-0.4.svn305.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
