Created attachment 332021 [details]
cue file to convert

cueconvert -i cue -o toc Misc/cue.CUE toc.toc
*** buffer overflow detected ***: cueconvert terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x48)[0x432938]
/lib/libc.so.6[0x430a30]
/lib/libc.so.6[0x430118]
/lib/libc.so.6(_IO_default_xsputn+0xc8)[0x3a2958]
/lib/libc.so.6(_IO_vfprintf+0xf4c)[0x37555c]
/lib/libc.so.6(__vsprintf_chk+0xa7)[0x4301c7]
/lib/libc.so.6(__sprintf_chk+0x2d)[0x43010d]
/usr/lib/libcuefile.so.0(time_frame_to_mmssff+0x70)[0x50b900]
/usr/lib/libcuefile.so.0(toc_print_track+0x368)[0x50c6f8]
/usr/lib/libcuefile.so.0(toc_print+0xd6)[0x50caf6]
/usr/lib/libcuefile.so.0(cf_print+0xb3)[0x50ba53]
cueconvert[0x26e7ee]
cueconvert(main+0x2e0)[0x26ec20]
/lib/libc.so.6(__libc_start_main+0xe5)[0x34b6e5]
cueconvert[0x26e6d1]
======= Memory map: ========
00167000-00168000 r-xp 00167000 00:00 0 [vdso]
0026e000-00270000 r-xp 00000000 fd:00 57565017 /usr/bin/cueconvert
00270000-00271000 rw-p 00001000 fd:00 57565017 /usr/bin/cueconvert
00335000-004a3000 r-xp 00000000 fd:00 48431241 /lib/libc-2.9.so
004a3000-004a5000 r--p 0016e000 fd:00 48431241 /lib/libc-2.9.so
004a5000-004a6000 rw-p 00170000 fd:00 48431241 /lib/libc-2.9.so
004a6000-004a9000 rw-p 004a6000 00:00 0
00508000-0051a000 r-xp 00000000 fd:00 57565026 /usr/lib/libcuefile.so.0.0.0
0051a000-0051b000 rw-p 00011000 fd:00 57565026 /usr/lib/libcuefile.so.0.0.0
006bb000-006db000 r-xp 00000000 fd:00 48431208 /lib/ld-2.9.so
006dc000-006dd000 r--p 00020000 fd:00 48431208 /lib/ld-2.9.so
006dd000-006de000 rw-p 00021000 fd:00 48431208 /lib/ld-2.9.so
00ed7000-00ee4000 r-xp 00000000 fd:00 48434509 /lib/libgcc_s-4.3.2-20081105.so.1
00ee4000-00ee5000 rw-p 0000c000 fd:00 48434509 /lib/libgcc_s-4.3.2-20081105.so.1
01a51000-01a72000 rw-p 01a51000 00:00 0 [heap]
b8045000-b8047000 rw-p b8045000 00:00 0
b8065000-b8066000 rw-p b8065000 00:00 0
bf850000-bf865000 rw-p bffeb000 00:00 0 [stack]
Аварийный останов
Thank you for taking the time to report this bug. This bug report lacks a complete stack trace. Next time please make sure you have debuginfo packages installed and see http://fedoraproject.org/wiki/StackTraces for more information about getting a useful stack trace.

I have tested your test case and can confirm the error. Below is a full stack trace. With a full stack trace and reproducible test case I am marking this assigned.

Program received signal SIGABRT, Aborted.
0x00b31416 in __kernel_vsyscall ()
(gdb) bt
#0  0x00b31416 in __kernel_vsyscall ()
#1  0x0043f460 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#2  0x00440e28 in abort () at abort.c:88
#3  0x0047cfed in __libc_message (do_abort=2, fmt=0x55611c "*** %s ***: %s terminated\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:170
#4  0x00511938 in __fortify_fail (msg=0x5560c6 "buffer overflow detected") at fortify_fail.c:32
#5  0x0050fa30 in __chk_fail () at chk_fail.c:29
#6  0x0050f118 in _IO_str_chk_overflow (fp=0xbffff240, c=54) at vsprintf_chk.c:35
#7  0x00481958 in _IO_default_xsputn (f=0xbffff240, data=0xbffff19a, n=2) at genops.c:485
#8  0x0045455c in _IO_vfprintf_internal (s=0xbffff240, format=0x82864c "%02d:%02d:%02d", ap=0xbffff32c "\b") at vfprintf.c:1580
#9  0x0050f1c7 in ___vsprintf_chk (s=0x82fec4 "-4:-17:-", flags=1, slen=9, format=0x82864c "%02d:%02d:%02d", args=0xbffff320 "������������\b") at vsprintf_chk.c:87
#10 0x0050f10d in ___sprintf_chk (s=0x82fec4 "-4:-17:-", flags=1, slen=9, format=0x82864c "%02d:%02d:%02d") at sprintf_chk.c:33
#11 0x00820900 in sprintf () at /usr/include/bits/stdio2.h:34
#12 time_frame_to_mmssff (f=-19340) at time.c:41
#13 0x008216f8 in toc_print_track (fp=0xbce008, track=0xbd27d8) at toc_print.c:133
#14 0x00821af6 in toc_print (fp=0xbce008, cd=0xbce170) at toc_print.c:50
#15 0x00820a53 in cf_print (name=0xbffff693 "toc.toc", format=0xbffff41c, cd=0xbce170) at cuefile.c:72
#16 0x00bcb7ee in convert (iname=0xbffff68b "cue.CUE", iformat=0, oname=0xbffff693 "toc.toc", oformat=1) at cueconvert.c:74
#17 0x00bcbc20 in main (argc=7, argv=0xbffff4f4) at cueconvert.c:144

--- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers
I fail to figure out how the attached cue file makes a negative time offset. I can fix the symptom for sure (that is: make more space for time) but the problem is time_frame_to_mmssff (f=-19340).

Maybe this is something arch-specific, since my devel environment is x86_64...
(In reply to comment #2)
> I fail to figure out how the attached cue file mages negative time offset. I
> can fix the symptom for sure (that is: make more space for time) but the
> problem is time_frame_to_mmssff (f=-19340)
>
> Maybe this is something arch-specific, since my devel environment is x86_64...

My Fedora install is on a 32 bit machine, x86.

As a curiosity, I tested the cuetools svn (r305), from svn://svn.berlios.de/cuetools/trunk

The buffer overflow does not occur in the svn version. This appears to be fixed upstream.
Not quite. The version in the RPM is patched to r305 + some patches (cuetools-1.3.1-svn305-fixes.patch.bz2 in the spec). As this is a detected buffer overrun, it matters which compilation flags you set, etc. In this particular case I cannot trace it to f=-19340; this most likely comes in from an uninitialized index[] array.

Ok, well, I have one idea which I'm going to try now, stay tuned.

P.S. Upstream is practically dead, patch.bz2 is almost twice the size of the source :)
OK, I triggered it, now trying to find a way to fix it.
Here's the instance of a problem:

TRACK 02 AUDIO
  TITLE "Something"
  PERFORMER "The Beatles"
  INDEX 00 04:17:65
FILE "02 - Something.wav" WAVE
  INDEX 01 00:00:00

According to the doc I've found it's OK (well, it does not contradict the spec) but cuetools do not understand it. The second INDEX produces a negative offset since cuetools will not switch the file, so then we'll try to put more than 9 symbols into the buffer -> FAIL. I can put an assert into the code to intentionally asplode on this, however it's not the proper fix.
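An added example (not cuetools' own source) showing why the value in the trace overflows and what a bounded conversion looks like. It assumes the usual CD timing of 75 frames per second and reproduces the mm:ss:ff arithmetic with C's truncating division; the 9-byte destination (slen=9) and f=-19340 come from the gdb output above.

```c
#include <stdio.h>
#include <string.h>

#define FRAMES_PER_SECOND  75
#define SECONDS_PER_MINUTE 60

/* Split a frame count into mm:ss:ff the way a cue/toc printer would.
 * For f = -19340, truncating division gives mm=-4, ss=-17, ff=-65, so
 * "%02d:%02d:%02d" expands to "-4:-17:-65": 10 characters plus NUL,
 * which cannot fit the 9-byte buffer reported by __sprintf_chk. */
static void frame_to_fields(long f, int *mm, int *ss, int *ff)
{
    *mm = (int)(f / (FRAMES_PER_SECOND * SECONDS_PER_MINUTE));
    f  -= (long)*mm * FRAMES_PER_SECOND * SECONDS_PER_MINUTE;
    *ss = (int)(f / FRAMES_PER_SECOND);
    *ff = (int)(f - (long)*ss * FRAMES_PER_SECOND);
}

/* Characters (excluding NUL) the formatted string needs, computed without
 * writing to memory: snprintf(NULL, 0, ...) is defined by C99. */
int mmssff_needed_len(long f)
{
    int mm, ss, ff;
    frame_to_fields(f, &mm, &ss, &ff);
    return snprintf(NULL, 0, "%02d:%02d:%02d", mm, ss, ff);
}

/* Hardened conversion: rejects the negative offset that comment #7 describes
 * and bounds the write with snprintf instead of sprintf.
 * Returns 0 on success, -1 on bad input or when the output would not fit. */
int time_frame_to_mmssff_safe(long f, char *out, size_t outlen)
{
    int mm, ss, ff, n;
    if (f < 0 || out == NULL || outlen == 0)
        return -1;
    frame_to_fields(f, &mm, &ss, &ff);
    n = snprintf(out, outlen, "%02d:%02d:%02d", mm, ss, ff);
    if (n < 0 || (size_t)n >= outlen)
        return -1; /* truncated: caller's buffer is too small */
    return 0;
}
```

The length check also catches the other way a 9-byte buffer can overflow: a three-digit minute value ("100:00:00" is already 9 characters), so a fix that only rejects negatives is not complete.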
cuetools-1.4.0-0.4.svn305.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/cuetools-1.4.0-0.4.svn305.fc10
cuetools-1.4.0-0.4.svn305.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/cuetools-1.4.0-0.4.svn305.fc11
cuetools-1.4.0-0.4.svn305.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
cuetools-1.4.0-0.4.svn305.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.