Bug#887640: SIGSEGVs in libcdio: double free or corruption

2018-01-18 Thread Thomas Schwinge
Package: libcdio
Version: 1.0.0-2


Hi!

I'm attaching two patches to resolve the following two problems.


With, for example, the eponymous audio CD by Regarde les hommes tomber:

$ gdb -q --args cd-info /dev/sr1
[...]
CD-TEXT for Track  7:
TITLE: The Fall
double free or corruption (!prev)

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51  ../sysdeps/unix/sysv/linux/raise.c: Datei oder Verzeichnis nicht gefunden.
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x772d6cf7 in __GI_abort () at abort.c:90
#2  0x77317f87 in __libc_message (action=action@entry=do_abort, 
fmt=fmt@entry=0x7741dbd8 "%s\n") at ../sysdeps/posix/libc_fatal.c:181
#3  0x7731e27a in malloc_printerr (str=str@entry=0x7741f848 
"double free or corruption (!prev)") at malloc.c:5354
#4  0x7731ffdc in _int_free (av=0x77651c20 , 
p=0x557614e0, have_lock=) at malloc.c:4281
#5  0x779a96b3 in cdio_generic_free (p_user_data=0x5575f6d0) at 
_cdio_generic.c:111
#6  0x779acc6d in cdio_destroy (p_cdio=0x557611b0) at 
device.c:365
#7  0x8c5d in myexit (cdio=, rc=0) at util.c:45
#8  0x71d2 in main (argc=, argv=) 
at cd-info.c:1316

Reproducible with upstream release-1.0.0.  No longer reproducible with
release-1.1.0.  Bisected to be fixed by commit
2800f003aaee077f4009f525caf6c8b14a38ec47.  That one is confirmed to fix the
problem with Debian's 1.0.0-2 package, too.  Patch attached for your
convenience.


With, for example, the audio CD "The Age of Cataclysm" by Cryptic
Wintermoon:

$ gdb -q --args cd-info /dev/sr1
[...]
CD Analysis Report
double free or corruption (top)

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51  ../sysdeps/unix/sysv/linux/raise.c: Datei oder Verzeichnis nicht gefunden.
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x772d6cf7 in __GI_abort () at abort.c:90
#2  0x77317f87 in __libc_message (action=action@entry=do_abort, 
fmt=fmt@entry=0x7741dbd8 "%s\n") at ../sysdeps/posix/libc_fatal.c:181
#3  0x7731e27a in malloc_printerr (str=str@entry=0x7741f808 
"double free or corruption (top)") at malloc.c:5354
#4  0x7731ffac in _int_free (av=0x77651c20 , 
p=0x55761350, have_lock=) at malloc.c:4273
#5  0x779aa937 in get_cdtext_generic (p_user_data=0x5575f6d0) 
at _cdio_generic.c:300
#6  0x861f in print_cdtext_info (i_first_track=1 '\001', 
i_tracks=, p_cdio=0x557611b0) at cd-info.c:437
#7  print_analysis (ms_offset=0, cdio_iso_analysis=..., fs=1, 
first_data=-1, num_audio=13, i_tracks=13 '\r', i_first_track=1 '\001', 
p_cdio=0x557611b0, track_format=) at cd-info.c:668
#8  0x7776 in main (argc=, argv=) 
at cd-info.c:1251

Reproducible with upstream release-1.0.0 and release-1.1.0.  No longer
reproducible with release-2.0.0.  Bisected to be fixed by commit
f6f9c48fb40b8a1e8218799724b0b61a7161eb1d.  That one is confirmed to fix the
problem with Debian's 1.0.0-2 package, too.  Patch attached for your
convenience.


Regards
 Thomas
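
As an added illustration (not libcdio's code and not part of this report), here is a constructed C model of the ownership mismatch behind both backtraces: a destroy routine that already frees the struct, followed by a second free() of the same block. The tracking allocator, cdtext_new and run_cleanup are invented names, and the contract that cdtext_destroy frees the struct itself is an assumption taken from the first patch's commit message.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of the ownership mismatch behind Bug#887640 (not
 * libcdio's code): the destroy routine owns the whole object and frees
 * the struct itself, so a caller that frees it again double-frees. */
#define MAX_LIVE 16
static void *live[MAX_LIVE];  /* blocks currently allocated */
static int live_count, double_frees;
static void *tracked_malloc(size_t n) {
    void *p = calloc(1, n);
    if (p && live_count < MAX_LIVE) live[live_count++] = p;
    return p;
}

/* Free only live blocks; count anything else as a double free
 * instead of letting glibc abort, so a test can observe it. */
static void tracked_free(void *p) {
    for (int i = 0; i < live_count; i++)
        if (live[i] == p) { live[i] = live[--live_count]; free(p); return; }
    double_frees++;
}
typedef struct { char *title; } cdtext_t;     /* stand-in for cdtext_t */
typedef struct { cdtext_t *cdtext; } env_t;   /* stand-in for p_env */

static cdtext_t *cdtext_new(const char *title) {
    cdtext_t *c = tracked_malloc(sizeof *c);
    c->title = tracked_malloc(strlen(title) + 1);
    strcpy(c->title, title);
    return c;
}

/* Assumed contract: destroy releases the inner data AND the struct. */
static void cdtext_destroy(cdtext_t *c) {
    tracked_free(c->title);
    tracked_free(c);
}

/* use_fix == 0: the pre-patch cleanup (destroy, then free again).
 * use_fix == 1: the patched cleanup (destroy alone).
 * Returns the number of double frees detected. */
int run_cleanup(int use_fix) {
    live_count = double_frees = 0;
    env_t env = { cdtext_new("The Fall") };
    cdtext_destroy(env.cdtext);
    if (!use_fix) tracked_free(env.cdtext);  /* second release of freed block */
    env.cdtext = NULL;
    return double_frees;
}

int leaked_blocks(void) { return live_count; }
```

Whichever routine owns the struct, the check that matters is the one this harness encodes: every allocation is released exactly once on both the normal and the error path.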


From 2800f003aaee077f4009f525caf6c8b14a38ec47 Mon Sep 17 00:00:00 2001
From: "R. Bernstein" 
Date: Wed, 6 Dec 2017 09:10:51 -0500
Subject: [PATCH] Remove duplicate free...

Now that cdio_destroy cleans up after itself better
---
 lib/driver/_cdio_generic.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/lib/driver/_cdio_generic.c b/lib/driver/_cdio_generic.c
index 9e920bbe..e84ee314 100644
--- a/lib/driver/_cdio_generic.c
+++ b/lib/driver/_cdio_generic.c
@@ -1,5 +1,5 @@
 /*
-  Copyright (C) 2004-2009, 2011-2013
+  Copyright (C) 2004-2009, 2011-2013, 2017
   Rocky Bernstein 
 
   This program is free software: you can redistribute it and/or modify
@@ -108,7 +108,6 @@ cdio_generic_free (void *p_user_data)
 
   if (NULL != p_env->cdtext) {
   cdtext_destroy(p_env->cdtext);
-  free(p_env->cdtext);
   p_env->cdtext = NULL;
   }
 
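Review bot: dropping `free(p_env->cdtext);` here is only correct if cdtext_destroy() now releases the cdtext_t struct itself and not just its contents; the commit message ("Now that cdio_destroy cleans up after itself better") asserts this but the hunk does not show it, so please confirm it against cdtext_destroy(), otherwise `p_env->cdtext = NULL;` now hides a leak instead of a double free. A one-line comment above `cdtext_destroy(p_env->cdtext);` stating that it frees the object would document the ownership contract for other callers.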
-- 
2.15.1

From f6f9c48fb40b8a1e8218799724b0b61a7161eb1d Mon Sep 17 00:00:00 2001
From: "R. Bernstein" 
Date: Fri, 22 Dec 2017 16:06:57 -0500
Subject: [PATCH] Fix double free courtesy of Chris Clayton

---
 lib/driver/_cdio_generic.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/lib/driver/_cdio_generic.c b/lib/driver/_cdio_generic.c
index d40ac0d9..ae820d25 100644
--- a/lib/driver/_cdio_generic.c
+++ b/lib/driver/_cdio_generic.c
@@ -296,7 +296,6 @@ get_cdtext_generic (void *p_user_data)
 
   if(len <= 0 || 0 != cdtext_data_init (p_env->cdtext, &p_cdtext_data[4], len)) {
 p_env->b_cdtext_error = true;
-cdtext_destroy (p_env->cdtext);
 free(p_env->cdtext);
 p_env->cdtext =
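Review bot: this error path takes the opposite choice from the cdio_generic_free hunk in the first patch: there `free()` was dropped and `cdtext_destroy()` kept, here `cdtext_destroy (p_env->cdtext);` is dropped and `free(p_env->cdtext);` kept. Both can only be right if cdtext_destroy() frees nothing beyond the struct; if it also releases inner allocations that cdtext_data_init() may have made before failing, this path now leaks them. Suggest calling the same release routine in both places and documenting in its header which function owns the struct.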

Bug#887640: SIGSEGVs in libcdio: double free or corruption

2018-02-24 Thread Thomas Schwinge
Hi!

For avoidance of doubt:

On Thu, 18 Jan 2018 16:07:37 +0100, I wrote:
> $ gdb -q --args cd-info /dev/sr1
> [...]
> CD-TEXT for Track  7:
> TITLE: The Fall
> double free or corruption (!prev)
> 
> Program received signal SIGABRT, Aborted.

> $ gdb -q --args cd-info /dev/sr1
> [...]
> CD Analysis Report
> double free or corruption (top)
> 
> Program received signal SIGABRT, Aborted.

I'm not reporting these issues against the auxiliary "cd-info" program,
but instead I saw problems with gvfs/the rhythmbox music player.  As can
be seen by the two patches I provided, the problem really is in libcdio
proper and usage of the "cd-info" program here was just for illustration
purposes.


Regards
 Thomas