FUN WITH LINUX

How I fixed a bug in my favourite media player

9 November 2017

A few weeks ago I started cmus to read in all my music and it crashed badly. I wondered how this could happen and started to investigate, and found that it crashed with a segfault. After compiling it with debugging symbols and running it with gdb, I located the bug in the libcue library and also found the reason why: libcue doesn't handle Unicode files, and one of my cue files was Unicode-encoded. So libcue reported a lot of "bad characters" before it segfaulted. The following lines of code led to the memory corruption:

yylval.sval = strncpy( yy_buffer,++yytext,(yyleng > sizeof(yy_buffer) ? sizeof(yy_buffer) : yyleng));
yylval.sval[yyleng - 2] = '\0';

In the first line the copy length is clamped to sizeof(yy_buffer) if yyleng is too big. But the second line has no such check: the unclamped yyleng is used as the index for the terminating NUL byte, so a token longer than yy_buffer writes that byte past the end of the buffer.

The fix was trivial:

yylval.sval = strncpy( yy_buffer,++yytext,(yyleng > sizeof(yy_buffer) ? sizeof(yy_buffer) : yyleng));
yylval.sval[(yyleng > sizeof(yy_buffer) ? sizeof(yy_buffer) : yyleng) - 2] = '\0';
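To make the before/after difference concrete, here is an added stand-alone C example (not libcue's code, and not part of the original post) that reproduces the fixed scanner action against a deliberately small stand-in buffer, and computes the terminator index both the original way and the clamped way so the out-of-bounds case is visible without actually corrupting memory. YY_BUFFER_SIZE, the function names and the sample tokens are assumptions chosen for illustration; the `yyleng < 2` guard is added here for safety and is not something the original snippets contain.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for the scanner's fixed-size token buffer. The size is an
 * assumption, chosen small so a modest token overflows it. */
#define YY_BUFFER_SIZE 16
static char yy_buffer[YY_BUFFER_SIZE];

/* Number of bytes the strncpy() call actually copies: yyleng clamped
 * to the buffer size, as in the first line of both snippets above. */
static size_t clamped_len(size_t yyleng)
{
    return yyleng > sizeof(yy_buffer) ? sizeof(yy_buffer) : yyleng;
}

/* Terminator index used by the original code: derived from the
 * unclamped yyleng, so it can point outside yy_buffer. */
size_t unchecked_index(size_t yyleng)
{
    return yyleng - 2;
}

/* Terminator index after the fix: derived from the clamped length. */
size_t fixed_index(size_t yyleng)
{
    return clamped_len(yyleng) - 2;
}

/* 1 if idx is a valid offset into yy_buffer, 0 if it would write past it. */
int index_in_bounds(size_t idx)
{
    return idx < sizeof(yy_buffer);
}

/* Reproduce the fixed scanner action: copy a quoted token into
 * yy_buffer without its surrounding quotes. yytext points at the
 * opening quote and yyleng counts both quotes, so ++yytext skips the
 * first quote and "- 2" lands the NUL on the closing quote (or, for an
 * over-long token, inside the truncated copy). Returns NULL for a token
 * too short to be a quoted string (guard added here, not in libcue). */
const char *copy_quoted_token(const char *yytext, size_t yyleng)
{
    if (yyleng < 2)
        return NULL;
    size_t n = clamped_len(yyleng);
    char *sval = strncpy(yy_buffer, ++yytext, n);
    sval[n - 2] = '\0';
    return sval;
}

int main(void)
{
    /* constructed sample tokens, as flex would hand them to the action */
    const char *short_tok = "\"abc\"";                        /* yyleng 5  */
    const char *long_tok  = "\"0123456789abcdefghijklmnop\""; /* yyleng 28 */

    printf("short: \"%s\"\n", copy_quoted_token(short_tok, strlen(short_tok)));
    printf("long : \"%s\"\n", copy_quoted_token(long_tok, strlen(long_tok)));

    size_t bad = unchecked_index(strlen(long_tok));
    size_t good = fixed_index(strlen(long_tok));
    printf("yyleng=%zu: original writes NUL at [%zu] (%s), fixed at [%zu] (%s)\n",
           strlen(long_tok),
           bad, index_in_bounds(bad) ? "in bounds" : "OUT OF BOUNDS",
           good, index_in_bounds(good) ? "in bounds" : "OUT OF BOUNDS");
    return 0;
}
```

Two details worth keeping in mind when applying this pattern elsewhere: `sizeof(yy_buffer)` only gives the buffer size because yy_buffer is a real array in scope (for a pointer it would give the pointer size), and `strncpy` does not NUL-terminate when it truncates, so the explicit terminator write is what keeps the truncated string usable, which is exactly why its index must stay inside the buffer.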

I prepared a pull request and it was merged by the author immediately.

[ Programming  C  ]
Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution 3.0 Unported License.

Copyright 2015-present Hoti