A few weeks ago I started cmus to read in all my music and it crashed badly. I wondered how this could happen and started to investigate, and found that it crashed with a segfault. After compiling it with debugging symbols and running it under gdb I located the bug in the libcue library, and I also found the reason: libcue doesn't handle Unicode files, and one of my cue files was Unicode-encoded. So libcue detected a lot of "bad characters" before it segfaulted. The following lines of code led to a memory corruption:
/* Copy the token (minus its leading quote) into the fixed-size yy_buffer, clamping the copy length */
yylval.sval = strncpy(yy_buffer, ++yytext, (yyleng > sizeof(yy_buffer) ? sizeof(yy_buffer) : yyleng));
/* BUG: the index is the unclamped yyleng, so for a long token this writes past the end of yy_buffer */
yylval.sval[yyleng - 2] = '\0';
In the first line the size of yy_buffer is used as the copy length if yyleng is too big. But in the second line there is no such check: the unclamped yyleng is used as the index for writing the NUL byte, so for a token longer than yy_buffer the terminator lands past the end of the buffer.
The fix was trivial:
yylval.sval = strncpy(yy_buffer, ++yytext, (yyleng > sizeof(yy_buffer) ? sizeof(yy_buffer) : yyleng));
/* Fixed: the terminator index is clamped with the same expression as the copy length, so it stays inside yy_buffer */
yylval.sval[(yyleng > sizeof(yy_buffer) ? sizeof(yy_buffer) : yyleng) - 2] = '\0';
I prepared a pull request and the author merged it immediately.
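As an added demonstration (my own code, not libcue's; the 16-byte buffer size, the helper names and the sample token are assumptions), the following program computes the out-of-bounds terminator index the original scanner action would have used for an oversized token, then runs the clamped version from the fix with a canary placed right after the buffer to show the write stays in bounds:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for libcue's yy_buffer; the size is an assumption for this demo. */
#define YY_BUFFER_SIZE 16

/* Terminator index the original action used: the unclamped yyleng - 2.
 * For a token longer than the buffer this lies past its end. */
static size_t term_index_buggy(size_t yyleng) { return yyleng - 2; }

/* The fixed scanner action: copy the quoted token without its quotes into buf,
 * truncating oversized tokens instead of writing past the buffer.
 * yytext includes both quotes, as in the flex rule. Returns the stored length. */
static size_t copy_quoted_token(char *buf, size_t bufsz, const char *yytext, size_t yyleng)
{
    size_t n = yyleng > bufsz ? bufsz : yyleng;   /* the clamp strncpy already used */
    strncpy(buf, yytext + 1, n);   /* "++yytext" in the original: skip the opening quote */
    buf[n - 2] = '\0';             /* overwrite the closing quote; n - 2 < bufsz, so in bounds */
    return n - 2;
}

/* yy_buffer followed by a canary so the demo can show the copy stays in bounds. */
struct guarded { char yy_buffer[YY_BUFFER_SIZE]; char canary[8]; };

static int canary_intact(const struct guarded *g)
{
    return memcmp(g->canary, "CANARY!", 8) == 0;
}

int main(void)
{
    /* Constructed sample: a quoted title far longer than the 16-byte buffer. */
    const char *tok = "\"this title is far longer than sixteen bytes\"";
    struct guarded g;
    memset(g.yy_buffer, 0, sizeof g.yy_buffer);
    memcpy(g.canary, "CANARY!", 8);
    printf("buggy terminator index %zu vs buffer size %d\n",
           term_index_buggy(strlen(tok)), YY_BUFFER_SIZE);
    copy_quoted_token(g.yy_buffer, sizeof g.yy_buffer, tok, strlen(tok));
    printf("fixed copy: \"%s\" (canary intact: %d)\n", g.yy_buffer, canary_intact(&g));
    return 0;
}
```

Note that the truncated copy is silently cut to the buffer size; the fix stops the out-of-bounds write, it does not make long titles fit.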