On 2025-10-18 01:50:23 +0200, Solar Designer wrote:
> On Sat, Oct 18, 2025 at 01:16:36AM +0200, Vincent Lefevre wrote:
> > Debian distributes Mark R. Boyns's rplay 3.3.2. I've had
> > a very quick look at the source and found at least:
> > 
> > * In rplay/rplay.c line 600, the use of atoi() on something that
> >   looks like unsanitized data from a remote server:
> > 
> >         remote_size = -1;
> >         p = rptp_parse(response, "size");
> >         if (p)
> >             remote_size = atoi(p);
> > 
> > * Various malloc() without a check of failure, such as:
> 
> These look like minor correctness and robustness issues.

Some of them may be minor, but ones in librplay may be a major
issue. For instance, in Debian, /usr/libexec/fvwm2/2.7.0/FvwmEvent
is linked against this library:

qaa:~> ldd /usr/libexec/fvwm2/2.7.0/FvwmEvent
[...]
        librplay.so.3 => /lib/librplay.so.3 (0x00007f25461f4000)
[...]

meaning that this could make the window manager crash (unless it
has some protection for modules).

-- 
Vincent Lefèvre <[email protected]> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / Pascaline project (LIP, ENS-Lyon)
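
The atoi() and unchecked malloc() points quoted above, shown as an added example that is not part of the original message and is not rplay's code: a checked replacement that rejects malformed, negative and out-of-range size fields before allocating. The names parse_remote_size, alloc_for_remote and MAX_REMOTE_SIZE are hypothetical, and the size limit is an assumed value.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed upper bound for this example; not a value from rplay. */
#define MAX_REMOTE_SIZE (64L * 1024 * 1024)

/* Hypothetical helper: parse the text of a "size" field received from a
 * remote peer. Returns 0 and stores the value on success, -1 on malformed,
 * negative or out-of-range input (atoi() reports none of these cases). */
int parse_remote_size(const char *p, long *out)
{
    char *end;
    long v;

    if (p == NULL || *p == '\0')
        return -1;
    errno = 0;
    v = strtol(p, &end, 10);
    if (end == p || *end != '\0')   /* no digits, or trailing garbage */
        return -1;
    if (errno == ERANGE || v < 0 || v > MAX_REMOTE_SIZE)
        return -1;
    *out = v;
    return 0;
}

/* Hypothetical helper: allocate a buffer for a validated size. A NULL
 * return covers both a rejected size field and a malloc() failure. */
void *alloc_for_remote(const char *size_field, long *size)
{
    if (parse_remote_size(size_field, size) != 0)
        return NULL;
    return malloc(*size ? (size_t)*size : 1);  /* avoid ambiguous malloc(0) */
}

int main(void)
{
    /* Constructed sample inputs, not captured from a real server. */
    const char *samples[] = { "1024", "-5", "99999999999999999999", "12abc", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long n = -1;
        int rc = parse_remote_size(samples[i], &n);
        printf("%-22s -> rc=%d size=%ld\n", samples[i], rc, n);
    }
    return 0;
}
```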
