[Bug 2018449] Re: [SRU] `xmms2 add --playlist ... ` causes a core dump

Dave Jones 2018449 at bugs.launchpad.net
Mon Mar 25 15:03:46 UTC 2024 

The patches look fine and certainly fix the issue described. One thing
that does concern me slightly is that this only patches one instance of
XMMS_PATH_MAX and there's several more scattered throughout the code
that look like they could potentially be hit by long pathnames. Wouldn't
it be preferable to simply #define XMMS_PATH_MAX PATH_MAX in
xmmsc_util.h

Anyway, I'll sponsor this as is but I've added a note to the upstream
PR.

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2018449

Title:
  [SRU] `xmms2 add --playlist ... ` causes a core dump

Status in xmms2 package in Ubuntu:
  Confirmed
Status in xmms2 source package in Jammy:
  Confirmed
Status in xmms2 source package in Mantic:
  Confirmed

Bug description:
  [ Impact ]

  xmms2 client cli will crash with a buffer overflow if the real path of the files is longer than 255 bytes.
  The user will see:

  *** buffer overflow detected ***: terminated
  Aborted (core dumped)

  [ Test Plan ]

  * copy few mp3 files to a folder, I will use a folder named "testmp3"
  * Use the following command to create a playlist
  xmms2 playlist create testlist
  * Try adding the mp3 files to the list:
  xmms2 add --playlist testlist testmp3/*

  If the package is not fixed it will crash, with the fixed package it
  will not crash and add it to the playlist.

  [ Where problems could occur ]

   * This patch has been accepted upstream and is only modifying the
  size of the local buffer where the path is stored. There is minimum
  chance of regression just for this patch.

  [ Other Info ]

  * There might be other parts of the code which are still using the old
  buffer size and might cause some other problem.

  [ Original Bug Description ]


  1) The release of Ubuntu you are using, via?
  $ lsb_release -rd
  No LSB modules are available.
  Description:	Ubuntu 23.04
  Release:	23.04

  2) The version of the package you are using, via?
  $ apt-cache policy xmms2
  xmms2:
    Installed: 0.8+dfsg-22ubuntu6
    Candidate: 0.8+dfsg-22ubuntu6
    Version table:
   *** 0.8+dfsg-22ubuntu6 500
          500 http://au.archive.ubuntu.com/ubuntu lunar/universe amd64 Packages
          100 /var/lib/dpkg/status

  3). I ran $ xmms2 add --playlist These+Same+Skies "/home/grizzlysmit/Music/Hillsong Live/These+Same+Skies/"*
  I  expected it to populate the playlist `These+Same+Skies` that I had already created withthe files in thee directory `/home/grizzlysmit/Music/Hillsong Live/These+Same+Skies/` it always worked before.

  4) it core dumped   like so

  $ xmms2 add --playlist These+Same+Skies "/home/grizzlysmit/Music/Hillsong Live/These+Same+Skies/"*
  *** buffer overflow detected ***: terminated
  Aborted (core dumped)

  ProblemType: Bug
  DistroRelease: Ubuntu 23.04
  Package: xmms2 0.8+dfsg-22ubuntu6
  ProcVersionSignature: Ubuntu 6.2.0-20.20-generic 6.2.6
  Uname: Linux 6.2.0-20-generic x86_64
  ApportVersion: 2.26.1-0ubuntu2
  Architecture: amd64
  CasperMD5CheckResult: pass
  CurrentDesktop: ubuntu:GNOME
  Date: Thu May  4 16:11:01 2023
  InstallationDate: Installed on 2023-04-21 (12 days ago)
  InstallationMedia: Ubuntu 22.10 "Kinetic Kudu" - Release amd64 (20221020)
  SourcePackage: xmms2
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/xmms2/+bug/2018449/+subscriptions

More information about the Ubuntu-sponsors mailing list