[PATCH] free of an unallocated pointer in ogginfo
When running ogginfo against a file with an invalid byte sequence in the comment section, ogginfo frees the pointer decoded when it is only allocated through the call to utf8_decode that only happens when no detected encoding errors are present.
Patch
--- vorbis-tools-1.1.1.orig/ogginfo/ogginfo2.c 2007-01-19 19:51:05.000000000 -0500
+++ vorbis-tools-1.1.1/ogginfo/ogginfo2.c 2007-01-19 19:49:47.000000000 -0500
@@ -298,8 +298,10 @@
}
*sep = 0;
- info("\t%s=%s\n", comment, decoded);
- free(decoded);
+ if(!broken) {
+ info("\t%s=%s\n", comment, decoded);
+ free(decoded);
+ }
}
static void theora_process(stream_processor *stream, ogg_page *page)Mac OS X (PPC), self compiled pre-patch output
herodotus:~/Desktop/sophocles/Mike_Oldfield-Tubular_Bells_2003 seneca$ ogginfo 09.Ghost_Bells.ogg
Processing file "09.Ghost_Bells.ogg"...
New logical stream (#1, serial: 0520f5a8): type vorbis
Vorbis headers parsed for stream 1, information follows...
Version: 0
Vendor: Xiph.Org libVorbis I 20050304
Channels: 2
Rate: 44100
Nominal bitrate: 224.000000 kb/s
Upper bitrate not set
Lower bitrate not set
User comments section follows...
ARTIST=Mike Oldfield
Warning: Illegal UTF-8 sequence in comment 1 (stream 1): length marker wrong
ALBUM=Mike Oldfield
ogginfo(8965) malloc: *** error for object 0x4030a0: double free
ogginfo(8965) malloc: *** set a breakpoint in szone_error to debug
TITLE=Ghost Bells
DATE=2003
GENRE=New Age
TRACKNUMBER=09
CDDB=03115612
Vorbis stream 1:
Total data length: 731280 bytes
Playback length: 0m:30.546s
Average bitrate: 191.518114 kb/s
Logical stream 1 ended
herodotus:~/Desktop/sophocles/Mike_Oldfield-Tubular_Bells_2003 seneca$Ubuntu 6.10 (i386), package version 1.1.1-5 pre-patch output
seneca@hawk:~$ ogginfo /music/Mike_Oldfield-Tubular_Bells_2003/17.The_Sailors_Hornpipe.ogg
Processing file "/music/Mike_Oldfield-Tubular_Bells_2003/17.The_Sailors_Hornpipe.ogg"...
New logical stream (#1, serial: 121967e8): type vorbis
Vorbis headers parsed for stream 1, information follows...
Version: 0
Vendor: Xiph.Org libVorbis I 20050304
Channels: 2
Rate: 44100
Nominal bitrate: 224.000000 kb/s
Upper bitrate not set
Lower bitrate not set
User comments section follows...
ARTIST=Mike Oldfield
Warning: Illegal UTF-8 sequence in comment 1 (stream 1): length marker wrong
ALBUM=
*** glibc detected *** ogginfo: double free or corruption (fasttop): 0x08070088 ***
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6[0xb7e8f8bd]
/lib/tls/i686/cmov/libc.so.6(__libc_free+0x84)[0xb7e8fa44]
ogginfo[0x8049503]
ogginfo[0x8049936]
ogginfo[0x804a687]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xdc)[0xb7e3e8cc]
ogginfo[0x8048fb1]
======= Memory map: ========
08048000-0804d000 r-xp 00000000 03:01 1242650 /usr/bin/ogginfo
0804d000-0804e000 rwxp 00005000 03:01 1242650 /usr/bin/ogginfo
0804e000-08091000 rwxp 0804e000 00:00 0 [heap]
b7bf5000-b7bff000 r-xp 00000000 03:01 651600 /lib/libgcc_s.so.1
b7bff000-b7c00000 rwxp 00009000 03:01 651600 /lib/libgcc_s.so.1
b7c00000-b7c21000 rwxp b7c00000 00:00 0
b7c21000-b7d00000 ---p b7c21000 00:00 0
b7d1c000-b7d1e000 rwxp b7d1c000 00:00 0
b7d1e000-b7d51000 r-xp 00000000 03:01 2170271 /usr/lib/locale/en_CA.utf8/LC_CTYPE
b7d51000-b7e28000 r-xp 00000000 03:01 2170294 /usr/lib/locale/en_CA.utf8/LC_COLLATE
b7e28000-b7e29000 rwxp b7e28000 00:00 0
b7e29000-b7f56000 r-xp 00000000 03:01 652966 /lib/tls/i686/cmov/libc-2.4.so
b7f56000-b7f58000 r-xp 0012c000 03:01 652966 /lib/tls/i686/cmov/libc-2.4.so
b7f58000-b7f5a000 rwxp 0012e000 03:01 652966 /lib/tls/i686/cmov/libc-2.4.so
b7f5a000-b7f5d000 rwxp b7f5a000 00:00 0
b7f5d000-b7f61000 r-xp 00000000 03:01 1244259 /usr/lib/libogg.so.0.5.3
b7f61000-b7f62000 rwxp 00003000 03:01 1244259 /usr/lib/libogg.so.0.5.3
b7f62000-b7f86000 r-xp 00000000 03:01 655753 /lib/tls/i686/cmov/libm-2.4.so
b7f86000-b7f88000 rwxp 00023000 03:01 655753 /lib/tls/i686/cmov/libm-2.4.so
b7f88000-b7fa1000 r-xp 00000000 03:01 1244267 /usr/lib/libvorbis.so.0.3.1
b7fa1000-b7faf000 rwxp 00019000 03:01 1244267 /usr/lib/libvorbis.so.0.3.1
b7faf000-b7fb0000 rwxp b7faf000 00:00 0
b7fb3000-b7fb4000 r-xp 00000000 03:01 2170272 /usr/lib/locale/en_CA.utf8/LC_NUMERIC
b7fb4000-b7fb5000 r-xp 00000000 03:01 2170293 /usr/lib/locale/en_CA.utf8/LC_TIME
b7fb5000-b7fb6000 r-xp 00000000 03:01 2170295 /usr/lib/locale/en_CA.utf8/LC_MONETARY
b7fb6000-b7fb7000 r-xp 00000000 03:01 2170297 /usr/lib/locale/en_CA.utf8/LC_MESSAGES/SYS_LC_MESSAGES
b7fb7000-b7fb8000 r-xp 00000000 03:01 2170298 /usr/lib/locale/en_CA.utf8/LC_PAPER
b7fb8000-b7fb9000 r-xp 00000000 03:01 2170279 /usr/lib/locale/en_CA.utf8/LC_NAME
b7fb9000-b7fba000 r-xp 00000000 03:01 2170299 /usr/lib/locale/en_CA.utf8/LC_ADDRESS
b7fba000-b7fbb000 r-xp 00000000 03:01 2170300 /usr/lib/locale/en_CA.utf8/LC_TELEPHONE
b7fbb000-b7fbc000 r-xp 00000000 03:01 2170282 /usr/lib/locale/en_CA.utf8/LC_MEASUREMENT
b7fbc000-b7fc3000 r-xs 00000000 03:01 1238951 /usr/lib/gconv/gconv-modules.cache
b7fc3000-b7fc4000 r-xp 00000000 03:01 2170301 /usr/lib/locale/en_CA.utf8/LC_IDENTIFICATION
b7fc4000-b7fc5000 rwxp b7fc4000 00:00 0
b7fc5000-b7fde000 r-xp 00000000 03:01 657181 /lib/ld-2.4.so
b7fde000-b7fe0000 rwxp 00018000 03:01 657181 /lib/ld-2.4.so
bfe33000-bfe48000 rw-p bfe33000 00:00 0 [stack]
ffffe000-fffff000 ---p 00000000 00:00 0 [vdso]
Aborted (core dumped)
seneca@hawk:~$