I can confirm I can trigger a SIGSEGV at https://salsa.debian.org/alteholz/rplay/-/blob/master/librplay/rplay.c?ref_type=heads#L470 reachable from "rplay_unpack" with a simple harness. This is indeed a bit concerning since these packets can potentially be processed by the audio server with no authentication.
Fabio

On Fri, 17 Oct 2025 at 17:26, Vincent Lefevre <[email protected]> wrote:
> On 2025-10-18 01:50:23 +0200, Solar Designer wrote:
> > On Sat, Oct 18, 2025 at 01:16:36AM +0200, Vincent Lefevre wrote:
> > > Debian distributes Mark R. Boyns's rplay 3.3.2. I've had
> > > a very quick look at the source and found at least:
> > >
> > > * In rplay/rplay.c line 600, the use of atoi() on something that
> > > looks like unsanitized data from a remote server:
> > >
> > > remote_size = -1;
> > > p = rptp_parse(response, "size");
> > > if (p)
> > > remote_size = atoi(p);
> > >
> > > * Various malloc() without a check of failure, such as:
> >
> > These look like minor correctness and robustness issues.
>
> Some of them may be minor, but ones in librplay may be a major
> issue. For instance, in Debian, /usr/libexec/fvwm2/2.7.0/FvwmEvent
> is linked against this library:
>
> qaa:~> ldd /usr/libexec/fvwm2/2.7.0/FvwmEvent
> [...]
> librplay.so.3 => /lib/librplay.so.3 (0x00007f25461f4000)
> [...]
>
> meaning that this could make the window manager crash (unless it
> has some protection for modules).
>
> --
> Vincent Lefèvre <[email protected]> - Web: <https://www.vinc17.net/>
> 100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
> Work: CR INRIA - computer arithmetic / Pascaline project (LIP, ENS-Lyon)
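The two robustness points raised in the quoted message (atoi() applied to a field taken from a remote response, and malloc() results used without a failure check) have a standard defensive shape. The following is an added example written for this thread, not code from rplay or from any of the posters: it shows a strict replacement for the `atoi(p)` pattern and a malloc caller that checks its result. The function names, the `MAX_REMOTE_SIZE` policy limit and the sample field values are all constructed for the example.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Largest size we are willing to accept from a remote peer. This is a
 * constructed policy value for the example, not anything rplay defines. */
#define MAX_REMOTE_SIZE (64L * 1024 * 1024)

/* Strictly parse a decimal "size" field taken from an untrusted response.
 * Returns 1 and stores the value on success, 0 on empty, signed,
 * non-numeric, trailing-garbage, overflowing or out-of-range input.
 * atoi(), by contrast, returns 0 on garbage and has undefined behaviour
 * on overflow, so the caller cannot tell a bad field from a zero size. */
int parse_remote_size(const char *p, long *out)
{
    char *end;
    long v;

    if (p == NULL || *p == '\0' || isspace((unsigned char)*p))
        return 0;                   /* missing, empty or leading whitespace */
    if (*p == '-' || *p == '+')
        return 0;                   /* sizes are unsigned: reject any sign */

    errno = 0;
    v = strtol(p, &end, 10);
    if (errno == ERANGE)
        return 0;                   /* value does not fit in a long */
    if (end == p || *end != '\0')
        return 0;                   /* no digits, or trailing garbage */
    if (v < 0 || v > MAX_REMOTE_SIZE)
        return 0;                   /* outside the accepted range */

    *out = v;
    return 1;
}

/* Convenience wrapper mirroring the "remote_size = -1" default in the
 * quoted snippet: returns the parsed size, or dflt when the field is bad. */
long parse_or_default(const char *p, long dflt)
{
    long v;
    return parse_remote_size(p, &v) ? v : dflt;
}

/* Allocate a receive buffer for an already validated size, checking the
 * malloc() result instead of handing a possible NULL to the next caller.
 * Returns NULL on a rejected size or on allocation failure. */
unsigned char *alloc_remote_buffer(long size)
{
    unsigned char *buf;

    if (size <= 0 || size > MAX_REMOTE_SIZE)
        return NULL;
    buf = malloc((size_t)size);
    if (buf == NULL)
        fprintf(stderr, "alloc_remote_buffer: malloc(%ld) failed\n", size);
    return buf;
}

/* Run the strict parser over a few constructed field values. */
int main(void)
{
    const char *samples[] = {
        "4096", "0", "-1", "+5", "12abc", "", " 42",
        "99999999999999999999", "4096 "
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long v;
        int ok = parse_remote_size(samples[i], &v);
        printf("\"%s\" -> %s\n", samples[i], ok ? "accepted" : "rejected");
    }
    return 0;
}
```

The parser deliberately rejects leading whitespace and signs even though strtol() would consume them, so that the accepted grammar is exactly "a run of decimal digits within the size limit"; anything looser leaves the caller guessing how much of the field was actually honoured.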
