Bug#591525: [PATCH] segfault in playtree.c

Reinhard Tartler siretart at tauware.de
Fri Aug 6 17:22:12 UTC 2010


On Fri, Aug 06, 2010 at 11:49:59 (EDT), Reimar Döffinger wrote:

> On Thu, Aug 05, 2010 at 08:48:59PM -0400, Reinhard Tartler wrote:
>> On Thu, Aug 05, 2010 at 18:00:11 (EDT), Reimar Döffinger wrote:
>> 
>> > On Thu, Aug 05, 2010 at 12:39:52AM -0400, Reinhard Tartler wrote:
>> >> Hi Folks,
>> >> 
>> >> This is a patch from Adrian Knoth <adi at drcomp.erfurt.thur.de> to fix a
>> >> segfault on empty playlists.
>> >> 
>> >> This is Debian Bug: http://bugs.debian.org/591525
>> >> 
>> >> Index: playtree.c
>> >> ===================================================================
>> >> --- playtree.c	(revision 31912)
>> >> +++ playtree.c	(working copy)
>> >> @@ -223,6 +223,13 @@
>> >>    assert(pt->entry_type == PLAY_TREE_ENTRY_NODE);
>> >>  #endif
>> >>  
>> >> +  /* Roughly validate input data. Both, pt and child are going to be
>> >> +   * dereferenced, hence assure they're not NULL.
>> >> +   */
>> >> +  if (NULL == pt || NULL == child) {
>> >> +      return;
>> >> +  }
>> >> +
>> >>    //DEBUG_FF: Where are the children freed?
>> >>    // Attention in using this function!
>> >>    for(iter = pt->child ; iter != NULL ; iter = iter->next)
>> >
>> > Think I replied to the wrong place first: I think this is the wrong
>> > place, at least it must be before the asserts.
>> 
>> I've analyzed the stacktrace more, and I think there is a bug in
>> parse_pls() in playtreeparser.c. In case there is no (valid) entry, the
>> for loop in line 344 is executed 0 times. This leads to leaving the
>> variable 'list' to '0', which in turn causes the crash. For this reason,
>> I'm proposing this patch:
>> 
>> Index: playtreeparser.c
>> ===================================================================
>> --- playtreeparser.c	(revision 31930)
>> +++ playtreeparser.c	(working copy)
>> @@ -368,6 +368,7 @@
>>    free(entries);
>>  
>>    entry = play_tree_new();
>> +  if (list)
>>    play_tree_set_child(entry,list);
>>    return entry;
>>  }
>
> I don't know how the code is supposed to handle it, but I think that
> and empty playlist should be considered invalid and the return value
> should indicate this.
> E.g. by returning NULL instead of an empty new playtree.

I see. In this case, I propose this:

Index: playtreeparser.c
===================================================================
--- playtreeparser.c	(revision 31931)
+++ playtreeparser.c	(working copy)
@@ -367,6 +367,9 @@
 
   free(entries);
 
+  if (list)
+    return NULL;
+
   entry = play_tree_new();
   play_tree_set_child(entry,list);
   return entry;


>
>> However, I still think Adrians Patch isn't bad and in this case would
>> have had the exact same behavior. If perhaps other parsers have a
>> similar problems, Adi's patch would be more safe.
>
> I am not against applying an improved version (with the checks before
> the asserts) as an additional safety measure, however it should
> also print an error message, IMO failing at that point is an
> indication the playlist parser code had a bug and failed to detect
> a malformed playlist file.

Okay, so how about this:

Index: playtree.c
===================================================================
--- playtree.c	(revision 31931)
+++ playtree.c	(working copy)
@@ -218,8 +218,15 @@
 play_tree_set_child(play_tree_t* pt, play_tree_t* child) {
   play_tree_t* iter;
 
-#ifdef MP_DEBUG
-  assert(pt != NULL);
+  /* Roughly validate input data. Both, pt and child are going to be
+   * dereferenced, hence assure they're not NULL.
+   */
+  if (NULL == pt || NULL == child) {
+    mp_msg(MSGT_PLAYTREE,MSGL_ERR, "Detected malformed playlist file. Possible bug in paser?\n");
+    return;
+  }
+
+#ifdef MP_DEBUG || 1
   assert(pt->entry_type == PLAY_TREE_ENTRY_NODE);
 #endif
 


-- 
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4





More information about the pkg-multimedia-maintainers mailing list