[PATCH] free of an unallocated pointer in ogginfo
When running ogginfo against a file with an invalid byte sequence in the comment section, ogginfo frees the pointer decoded when it is only allocated through the call to utf8_decode that only happens when no detected encoding errors are present.
Patch
--- vorbis-tools-1.1.1.orig/ogginfo/ogginfo2.c 2007-01-19 19:51:05.000000000 -0500
+++ vorbis-tools-1.1.1/ogginfo/ogginfo2.c 2007-01-19 19:49:47.000000000 -0500
@@ -298,8 +298,10 @@
}
*sep = 0;
- info("\t%s=%s\n", comment, decoded);
- free(decoded);
+ if(!broken) {
+ info("\t%s=%s\n", comment, decoded);
+ free(decoded);
+ }
}
static void theora_process(stream_processor *stream, ogg_page *page)
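Review bot: The added if(!broken) guard around free(decoded) is only safe while broken and the allocation of decoded stay in lockstep; nothing in this hunk initialises or resets decoded, so any later path that skips the decode without setting broken would free a stale pointer again. Consider setting decoded to NULL before the decode attempt and keeping free(decoded) outside the guard (free(NULL) is a no-op), leaving only the info("\t%s=%s\n", comment, decoded) call conditional. A short comment noting that a comment with an illegal UTF-8 sequence is now left out of the listing after the warning would also help.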
Mac OS X (PPC), self compiled pre-patch output
herodotus:~/Desktop/sophocles/Mike_Oldfield-Tubular_Bells_2003 seneca$ ogginfo 09.Ghost_Bells.ogg
Processing file "09.Ghost_Bells.ogg"...
New logical stream (#1, serial: 0520f5a8): type vorbis
Vorbis headers parsed for stream 1, information follows...
Version: 0
Vendor: Xiph.Org libVorbis I 20050304
Channels: 2
Rate: 44100
Nominal bitrate: 224.000000 kb/s
Upper bitrate not set
Lower bitrate not set
User comments section follows...
ARTIST=Mike Oldfield
Warning: Illegal UTF-8 sequence in comment 1 (stream 1): length marker wrong
ALBUM=Mike Oldfield
ogginfo(8965) malloc: *** error for object 0x4030a0: double free
ogginfo(8965) malloc: *** set a breakpoint in szone_error to debug
TITLE=Ghost Bells
DATE=2003
GENRE=New Age
TRACKNUMBER=09
CDDB=03115612
Vorbis stream 1:
Total data length: 731280 bytes
Playback length: 0m:30.546s
Average bitrate: 191.518114 kb/s
Logical stream 1 ended
herodotus:~/Desktop/sophocles/Mike_Oldfield-Tubular_Bells_2003 seneca$
Ubuntu 6.10 (i386), package version 1.1.1-5 pre-patch output
seneca@hawk:~$ ogginfo /music/Mike_Oldfield-Tubular_Bells_2003/17.The_Sailors_Hornpipe.ogg
Processing file "/music/Mike_Oldfield-Tubular_Bells_2003/17.The_Sailors_Hornpipe.ogg"...
New logical stream (#1, serial: 121967e8): type vorbis
Vorbis headers parsed for stream 1, information follows...
Version: 0
Vendor: Xiph.Org libVorbis I 20050304
Channels: 2
Rate: 44100
Nominal bitrate: 224.000000 kb/s
Upper bitrate not set
Lower bitrate not set
User comments section follows...
ARTIST=Mike Oldfield
Warning: Illegal UTF-8 sequence in comment 1 (stream 1): length marker wrong
ALBUM=
*** glibc detected *** ogginfo: double free or corruption (fasttop): 0x08070088 ***
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6[0xb7e8f8bd]
/lib/tls/i686/cmov/libc.so.6(__libc_free+0x84)[0xb7e8fa44]
ogginfo[0x8049503]
ogginfo[0x8049936]
ogginfo[0x804a687]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xdc)[0xb7e3e8cc]
ogginfo[0x8048fb1]
Aborted (core dumped)
seneca@hawk:~$
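The pattern behind this report, as an added example (not code from vorbis-tools or from the reporter): the pointer is reset to NULL for each comment, so the cleanup free is safe whether or not the decode step allocated. decode_value, show_comments and the sample comment values are hypothetical, and the UTF-8 check is structural only (no overlong or surrogate checks).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Sequence length implied by a UTF-8 lead byte; 0 means a wrong length marker. */
static int utf8_seq_len(unsigned char c) {
    if (c < 0x80) return 1;
    if ((c & 0xE0) == 0xC0) return 2;
    if ((c & 0xF0) == 0xE0) return 3;
    return (c & 0xF8) == 0xF0 ? 4 : 0;
}

/* Structural check only: lead bytes followed by the right number of 10xxxxxx bytes. */
static int utf8_ok(const char *s) {
    const unsigned char *p = (const unsigned char *)s;
    while (*p) {
        int n = utf8_seq_len(*p++);
        if (n == 0) return 0;
        while (--n > 0)
            if ((*p++ & 0xC0) != 0x80) return 0;
    }
    return 1;
}

/* Hypothetical stand-in for the decode step: allocates *out only for valid input. */
static int decode_value(const char *val, char **out) {
    if (!utf8_ok(val)) return -1;      /* *out is left untouched on failure */
    *out = malloc(strlen(val) + 1);
    if (*out == NULL) return -1;
    strcpy(*out, val);
    return 0;
}

/* Prints the comments that decode cleanly; returns how many were printed. */
int show_comments(const char *vals[], int n) {
    int printed = 0;
    for (int i = 0; i < n; i++) {
        char *decoded = NULL;          /* reset for every comment */
        if (decode_value(vals[i], &decoded) == 0) {
            printf("\t%s\n", decoded);
            printed++;
        }
        free(decoded);                 /* free(NULL) is a no-op, so no guard needed */
    }
    return printed;
}
int main(void) {  /* constructed sample: the second value has an invalid lead byte */
    const char *vals[] = { "ARTIST=Mike Oldfield", "ALBUM=\xffTubular", "DATE=2003" };
    return show_comments(vals, 3) == 2 ? 0 : 1;
}
```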