Package: libcdio
Version: 1.0.0-2
Hi!

I'm attaching two patches to resolve the following two problems.

With, for example, the eponymous audio CD by Regarde les hommes tomber:

$ gdb -q --args cd-info /dev/sr1
[...]
CD-TEXT for Track 7:
        TITLE: The Fall
double free or corruption (!prev)

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51      ../sysdeps/unix/sysv/linux/raise.c: Datei oder Verzeichnis nicht gefunden.
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffff72d6cf7 in __GI_abort () at abort.c:90
#2  0x00007ffff7317f87 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff741dbd8 "%s\n") at ../sysdeps/posix/libc_fatal.c:181
#3  0x00007ffff731e27a in malloc_printerr (str=str@entry=0x7ffff741f848 "double free or corruption (!prev)") at malloc.c:5354
#4  0x00007ffff731ffdc in _int_free (av=0x7ffff7651c20 <main_arena>, p=0x5555557614e0, have_lock=<optimized out>) at malloc.c:4281
#5  0x00007ffff79a96b3 in cdio_generic_free (p_user_data=0x55555575f6d0) at _cdio_generic.c:111
#6  0x00007ffff79acc6d in cdio_destroy (p_cdio=0x5555557611b0) at device.c:365
#7  0x0000555555558c5d in myexit (cdio=<optimized out>, rc=0) at util.c:45
#8  0x00005555555571d2 in main (argc=<optimized out>, argv=<optimized out>) at cd-info.c:1316

Reproducible with upstream release-1.0.0. No longer reproducible with release-1.1.0. Bisected to be fixed by commit 2800f003aaee077f4009f525caf6c8b14a38ec47. That one confirmed to fix the problem with Debian's 1.0.0-2 package, too. Patch attached for your convenience.

With, for example, the audio CD "The Age of Cataclysm" by Cryptic Wintermoon:

$ gdb -q --args cd-info /dev/sr1
[...]
CD Analysis Report
double free or corruption (top)

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51      ../sysdeps/unix/sysv/linux/raise.c: Datei oder Verzeichnis nicht gefunden.
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffff72d6cf7 in __GI_abort () at abort.c:90
#2  0x00007ffff7317f87 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff741dbd8 "%s\n") at ../sysdeps/posix/libc_fatal.c:181
#3  0x00007ffff731e27a in malloc_printerr (str=str@entry=0x7ffff741f808 "double free or corruption (top)") at malloc.c:5354
#4  0x00007ffff731ffac in _int_free (av=0x7ffff7651c20 <main_arena>, p=0x555555761350, have_lock=<optimized out>) at malloc.c:4273
#5  0x00007ffff79aa937 in get_cdtext_generic (p_user_data=0x55555575f6d0) at _cdio_generic.c:300
#6  0x000055555555861f in print_cdtext_info (i_first_track=1 '\001', i_tracks=<optimized out>, p_cdio=0x5555557611b0) at cd-info.c:437
#7  print_analysis (ms_offset=0, cdio_iso_analysis=..., fs=1, first_data=-1, num_audio=13, i_tracks=13 '\r', i_first_track=1 '\001', p_cdio=0x5555557611b0, track_format=<optimized out>) at cd-info.c:668
#8  0x0000555555557776 in main (argc=<optimized out>, argv=<optimized out>) at cd-info.c:1251

Reproducible with upstream release-1.0.0, and release-1.1.0. No longer reproducible with release-2.0.0. Bisected to be fixed by commit f6f9c48fb40b8a1e8218799724b0b61a7161eb1d. That one confirmed to fix the problem with Debian's 1.0.0-2 package, too. Patch attached for your convenience.

Regards,
Thomas
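Both crashes in the report come from the same ownership mistake: the CD-TEXT object is released once by cdtext_destroy() and then a second time by a trailing free() on the same pointer. The following C program is an added illustration of the defensive pattern that rules that pairing out; it is not code from the report or from libcdio, and every name in it (toy_cdtext_t, toy_env_t, toy_cdtext_destroy, toy_parse_cdtext, toy_env_free, the constructed 4-byte-header payload format, and the release counter) is a hypothetical stand-in for the real library's types and parsing. A single release routine frees the members and the struct and nulls the caller's slot, so a repeated release of the same environment, whether from a driver's free hook or from a parse-error path, is a no-op instead of an abort.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for libcdio's cdtext_t (hypothetical and much
   simpler than the real one): a heap object that owns further buffers. */
typedef struct {
    char *title;
    char *performer;
} toy_cdtext_t;

/* Constructed stand-in for the generic driver's private environment. */
typedef struct {
    toy_cdtext_t *cdtext;
    bool          b_cdtext_error;
} toy_env_t;

/* Instrumentation so a test can observe how often the object was really
   released; a production build would rely on ASan or Valgrind instead. */
static int g_cdtext_releases = 0;

static char *dup_or_null(const char *s) {
    if (s == NULL) return NULL;
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d) memcpy(d, s, n);
    return d;
}

/* Allocate the object; returns NULL on allocation failure. */
toy_cdtext_t *toy_cdtext_new(const char *title, const char *performer) {
    toy_cdtext_t *p = calloc(1, sizeof *p);
    if (p == NULL) return NULL;
    p->title = dup_or_null(title);
    p->performer = dup_or_null(performer);
    return p;
}

/* The one release routine. It frees the members AND the struct, then nulls
   the caller's slot, so "destroy + free" cannot be written against it and a
   second call on the same slot is a harmless no-op. */
void toy_cdtext_destroy(toy_cdtext_t **pp) {
    if (pp == NULL || *pp == NULL) return;
    free((*pp)->title);
    free((*pp)->performer);
    free(*pp);
    *pp = NULL;
    g_cdtext_releases++;
}

/* Mirrors the error path of get_cdtext_generic(): if the raw CD-TEXT payload
   is unusable, release the partially built object exactly once and record
   the error. Constructed format: 4 header bytes, then "title\0performer\0".
   Returns true on success. */
bool toy_parse_cdtext(toy_env_t *env, const unsigned char *raw, int len) {
    toy_cdtext_destroy(&env->cdtext);        /* drop any earlier object */
    env->cdtext = toy_cdtext_new(NULL, NULL);
    if (env->cdtext == NULL) return false;
    if (len <= 4 || raw[len - 1] != '\0') {  /* no payload or unterminated */
        env->b_cdtext_error = true;
        toy_cdtext_destroy(&env->cdtext);    /* single release, slot nulled */
        return false;
    }
    const char *end = (const char *)raw + len;
    const char *title = (const char *)raw + 4;
    const char *performer = title + strlen(title) + 1;   /* bounded by NUL at end */
    env->cdtext->title = dup_or_null(title);
    env->cdtext->performer = (performer < end) ? dup_or_null(performer) : NULL;
    return true;
}

/* Mirrors cdio_generic_free() after the fix: one release call and no trailing
   free(). Safe to call more than once on the same environment. */
void toy_env_free(toy_env_t *env) {
    toy_cdtext_destroy(&env->cdtext);
}

int toy_release_count(void) { return g_cdtext_releases; }

int main(void) {
    /* Constructed sample payload: header, "The Fall", "Regarde". */
    const unsigned char good[] = { 0x80, 0, 0, 0, 'T','h','e',' ','F','a','l','l', 0,
                                   'R','e','g','a','r','d','e', 0 };
    toy_env_t env = { NULL, false };
    if (toy_parse_cdtext(&env, good, (int)sizeof good))
        printf("TITLE: %s / PERFORMER: %s\n", env.cdtext->title, env.cdtext->performer);
    toy_env_free(&env);
    toy_env_free(&env);   /* would be a double free with the old pairing */
    printf("releases: %d (expected 1)\n", toy_release_count());
    return 0;
}
```

The design choice is to give the release routine the address of the owning slot rather than the pointer value: nulling the slot inside the routine is what turns an accidental second release into a no-op, and having exactly one routine that frees the struct means the caller never has to remember whether a free() is still owed.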
>From 2800f003aaee077f4009f525caf6c8b14a38ec47 Mon Sep 17 00:00:00 2001 From: "R. Bernstein" <ro...@gnu.org> Date: Wed, 6 Dec 2017 09:10:51 -0500 Subject: [PATCH] Remove duplicate free... Now that cdio_destroy cleans up after itself better --- lib/driver/_cdio_generic.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/lib/driver/_cdio_generic.c b/lib/driver/_cdio_generic.c index 9e920bbe..e84ee314 100644 --- a/lib/driver/_cdio_generic.c +++ b/lib/driver/_cdio_generic.c @@ -1,5 +1,5 @@ /* - Copyright (C) 2004-2009, 2011-2013 + Copyright (C) 2004-2009, 2011-2013, 2017 Rocky Bernstein <ro...@gnu.org> This program is free software: you can redistribute it and/or modify @@ -108,7 +108,6 @@ cdio_generic_free (void *p_user_data) if (NULL != p_env->cdtext) { cdtext_destroy(p_env->cdtext); - free(p_env->cdtext); p_env->cdtext = NULL; } -- 2.15.1
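Review bot: Removing `free(p_env->cdtext);` after `cdtext_destroy(p_env->cdtext);` in the cdio_generic_free hunk is only correct if cdtext_destroy() now frees the cdtext_t object itself, which the subject line ("Now that cdio_destroy cleans up after itself better") implies but the hunk does not show; please confirm against cdtext_destroy()'s definition, otherwise this trades the double free for a leak. Keeping `p_env->cdtext = NULL;` is right, since it makes a repeated cdio_generic_free() harmless. The same destroy-then-free pairing exists in get_cdtext_generic()'s error path (the site the second patch touches), so both callers should follow one ownership rule, and that rule deserves a sentence in cdtext_destroy()'s header comment.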
>From f6f9c48fb40b8a1e8218799724b0b61a7161eb1d Mon Sep 17 00:00:00 2001 From: "R. Bernstein" <ro...@gnu.org> Date: Fri, 22 Dec 2017 16:06:57 -0500 Subject: [PATCH] Fix double free courtesy of Chris Clayton --- lib/driver/_cdio_generic.c | 1 - 1 file changed, 1 deletion(-) diff --git a/lib/driver/_cdio_generic.c b/lib/driver/_cdio_generic.c index d40ac0d9..ae820d25 100644 --- a/lib/driver/_cdio_generic.c +++ b/lib/driver/_cdio_generic.c @@ -296,7 +296,6 @@ get_cdtext_generic (void *p_user_data) if(len <= 0 || 0 != cdtext_data_init (p_env->cdtext, &p_cdtext_data[4], len)) { p_env->b_cdtext_error = true; - cdtext_destroy (p_env->cdtext); free(p_env->cdtext); p_env->cdtext = NULL; } -- 2.15.1
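Review bot: Dropping `cdtext_destroy (p_env->cdtext);` while keeping `free(p_env->cdtext);` in the get_cdtext_generic hunk is the mirror image of the first patch, which kept cdtext_destroy() and dropped free(). If cdtext_destroy() releases the object's inner allocations as well as the struct (the premise of the first patch), a bare free() here leaks whatever cdtext_data_init() allocated before failing; if nothing can have been allocated at that point, that assumption should be stated in a comment, because the `len <= 0` branch and the cdtext_data_init() failure branch share this path. Suggest both release sites call the same routine so the ownership contract is visible in one place rather than being encoded differently at each caller.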