Subject: crash in get_mp3tags() due to uninitialized variable reference
While using the Squeezebox 7.4.1 server software I noticed that the
scanner was core dumping in Scan.so`get_mp3tags() with the following
stack trace:
---8<---
> $c0
libc_hwcap2.so.1`memset+0x90()
Scan.so`get_mp3tags+0x66()
Scan.so`_scan+0xe0()
Scan.so`XS_Audio__Scan_scan+0xc1()
libperl.so.1`Perl_pp_entersub+0x488()
libperl.so.1`Perl_runops_standard+0x3b()
libperl.so.1`S_run_body+0xfa()
libperl.so.1`perl_run+0x1eb()
main+0x8a()
_start+0x7d()
---8<---
Looking at the core dump I saw that the compiler had inlined _has_ape()
into get_mp3tags(). The actual bug is in _has_ape(). The problem is
here:
---8<---
static int
_has_ape(PerlIO *infile)
{
  Buffer buf;           /* not initialised until buffer_init() below */
  uint8_t ret = 0;
  char *bptr;

  if ( (PerlIO_seek(infile, -160, SEEK_END)) == -1 ) {
    goto out;           /* reaches buffer_free() with buf still uninitialised */
  }
  ...
  buffer_init(&buf, 136);
  ...
out:
  buffer_free(&buf);
  return ret;
}
---8<---
Notice that if PerlIO_seek() fails for any reason then we'll call
buffer_free() on an uninitialized buffer. The fix I applied to my
build is pretty simple:
---8<---
*** src/mp3.c.orig Fri Nov 20 20:07:02 2009
--- src/mp3.c Sun Dec 20 21:36:05 2009
***************
*** 45,49 ****
if ( (PerlIO_seek(infile, -160, SEEK_END)) == -1 ) {
! goto out;
}
--- 45,49 ----
if ( (PerlIO_seek(infile, -160, SEEK_END)) == -1 ) {
! return 0;
}
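Review bot: the early `return 0` closes the seek-failure path shown here, but the `...` region between this check and `buffer_init(&buf, 136)` in the snippet above would still reach `out:` with `buf` uninitialized if any later step jumps there before the buffer exists; initialising the buffer before the first early exit (e.g. `Buffer buf = {0};`, given that `buffer_free()` tolerates a NULL pointer) or moving `buffer_init()` above the seek makes the shared cleanup label safe from every exit, and the early return then becomes a pure simplification rather than the only thing preventing the crash.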
---8<---
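The pattern behind the crash, a shared `goto out` cleanup label that frees a resource some exit paths never created, is worth seeing in runnable form. The following is an added example and not code from the report or from the Audio::Scan project: the `Buffer` and `MemFile` types are stand-ins (assumptions) for the project's Buffer type and for PerlIO, the 160-byte window and the "APETAGEX" footer positions are assumptions about the APE tag layout, and the sample files are constructed inline. `has_ape_early_return()` mirrors the shape of the fix in the report; `has_ape_zero_init()` shows the alternative of making the cleanup label safe from every exit.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for Audio::Scan's Buffer type (assumption: the real struct's fields
 * differ; only the init/free contract matters for this example). */
typedef struct {
    uint8_t *data;
    size_t alloc;
} Buffer;

static void buffer_init(Buffer *b, size_t len)
{
    b->data = calloc(len, 1);
    b->alloc = b->data ? len : 0;
}

static void buffer_free(Buffer *b)
{
    free(b->data);   /* free(NULL) is a defined no-op, so a zeroed Buffer is safe */
    b->data = NULL;
    b->alloc = 0;
}

/* Constructed in-memory file standing in for PerlIO; seeking backwards from the
 * end fails with -1 exactly when the file is shorter than the requested window,
 * which is the failure path that crashed the scanner. */
typedef struct {
    const uint8_t *bytes;
    size_t len;
    size_t pos;
} MemFile;

static int memfile_seek_end(MemFile *f, long offset)
{
    if (offset > 0 || (size_t)(-offset) > f->len)
        return -1;
    f->pos = f->len - (size_t)(-offset);
    return 0;
}

#define APE_WINDOW 160   /* 32-byte APE footer plus an optional 128-byte ID3v1 tag */

/* Assumption about the layout: an "APETAGEX" footer sits either in the last 32
 * bytes or 128 bytes earlier, ahead of an ID3v1 tag. */
static int window_has_ape(const uint8_t *w)
{
    return memcmp(w + APE_WINDOW - 32, "APETAGEX", 8) == 0 ||
           memcmp(w, "APETAGEX", 8) == 0;
}

/* Hardened shape: buf is zero-initialised before the first early exit, so the
 * shared cleanup label can never free an indeterminate pointer, whichever
 * check fails between here and buffer_init(). */
static int has_ape_zero_init(MemFile *f)
{
    Buffer buf = {0};
    int ret = 0;

    if (memfile_seek_end(f, -APE_WINDOW) == -1)
        goto out;                  /* buffer_free() on a zeroed Buffer is harmless */
    buffer_init(&buf, APE_WINDOW);
    if (buf.alloc < APE_WINDOW)
        goto out;                  /* allocation failed: nothing to read into */
    memcpy(buf.data, f->bytes + f->pos, APE_WINDOW);
    ret = window_has_ape(buf.data);
out:
    buffer_free(&buf);
    return ret;
}

/* The shape of the fix in the report: return before any resource exists, so the
 * cleanup label is reachable only after buffer_init() has run. */
static int has_ape_early_return(MemFile *f)
{
    Buffer buf;
    int ret = 0;

    if (memfile_seek_end(f, -APE_WINDOW) == -1)
        return 0;                  /* buf never touched, so nothing to free */
    buffer_init(&buf, APE_WINDOW);
    if (buf.alloc < APE_WINDOW)
        goto out;
    memcpy(buf.data, f->bytes + f->pos, APE_WINDOW);
    ret = window_has_ape(buf.data);
out:
    buffer_free(&buf);
    return ret;
}

/* Builds a constructed file of `len` zero bytes with "APETAGEX" at `magic_at`
 * (if it fits) and runs one of the two checks over it. */
static int check_file(size_t len, size_t magic_at, int zero_init)
{
    uint8_t *bytes = calloc(len + 1, 1);
    if (magic_at + 8 <= len)
        memcpy(bytes + magic_at, "APETAGEX", 8);
    MemFile f = { bytes, len, 0 };
    int r = zero_init ? has_ape_zero_init(&f) : has_ape_early_return(&f);
    free(bytes);
    return r;
}

int main(void)
{
    printf("100-byte file (seek fails): %d\n", check_file(100, 0, 1));   /* 0, no crash */
    printf("footer in last 32 bytes:    %d\n", check_file(200, 168, 1)); /* 1 */
    printf("footer ahead of ID3v1:      %d\n", check_file(300, 140, 0)); /* 1 */
    return 0;
}
```

The 100-byte input is the case from the report: the seek fails and both versions return 0 without touching a freed-but-never-allocated pointer. The difference between the two shows up only when more exit paths are added later: with zero-initialisation the cleanup label stays correct no matter where a new `goto out` is inserted, whereas the early return has to be repeated at every exit that precedes `buffer_init()`.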