Bug 197158 - Audacious 1.3.2 [20070405-4320] - possible double free
Status: RESOLVED UPSTREAM
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://bugzilla.atheme.org/
Reported: 2007-10-26 17:18 UTC by Marek Cruz
Modified: 2007-10-29 15:53 UTC
Runtime testing required: ---

Description Marek Cruz 2007-10-26 17:18:42 UTC
sh-3.2$ audacious
*** glibc detected *** audacious: double free or corruption (top): 0x083cd258 ***
======= Backtrace: =========
/lib/libc.so.6[0xb74f1d92]
/lib/libc.so.6(__libc_free+0x87)[0xb74f3407]
/usr/lib/gcc/i686-pc-linux-gnu/4.1.2/libstdc++.so.6(_ZdlPv+0x21)[0xb7684d61]
/usr/lib/gcc/i686-pc-linux-gnu/4.1.2/libstdc++.so.6(_ZdaPv+0x1d)[0xb7684dbd]
/usr/lib/audacious/Input/libadplug.so(_ZN10Cu6mPlayerD0Ev+0x30)[0xb5d347f0]
======= Memory map: ========
08048000-080f7000 r-xp 00000000 08:03 1639015    /usr/bin/audacious
080f7000-080fd000 rw-p 000af000 08:03 1639015    /usr/bin/audacious
080fd000-0841d000 rw-p 080fd000 00:00 0          [heap]
b1d00000-b1d21000 rw-p b1d00000 00:00 0 
b1d21000-b1e00000 ---p b1d21000 00:00 0 
b1efb000-b1efc000 ---p b1efb000 00:00 0 
b1efc000-b26fc000 rwxp b1efc000 00:00 0 
b26fc000-b26fd000 ---p b26fc000 00:00 0 
b26fd000-b2efd000 rwxp b26fd000 00:00 0 
b2efd000-b2efe000 ---p b2efd000 00:00 0 
b2efe000-b36fe000 rwxp b2efe000 00:00 0 
b36fe000-b36ff000 ---p b36fe000 00:00 0 
b36ff000-b3eff000 rwxp b36ff000 00:00 0 
b3eff000-b3f13000 r-xp 00000000 08:03 1361679    /usr/lib/libICE.so.6.3.0
b3f13000-b3f14000 rw-p 00013000 08:03 1361679    /usr/lib/libICE.so.6.3.0
b3f14000-b3f16000 rw-p b3f14000 00:00 0 
b3f16000-b3f1e000 r-xp 00000000 08:03 1182521    /usr/lib/libSM.so.6.0.0
b3f1e000-b3f1f000 rw-p 00007000 08:03 1182521    /usr/lib/libSM.so.6.0.0
b3f1f000-b3f3d000 r-xp 00000000 08:03 11102325   /usr/lib/libjpeg.so.62.0.0
b3f3d000-b3f3e000 rw-p 0001e000 08:03 11102325   /usr/lib/libjpeg.so.62.0.0
b3f3e000-b3f49000 r-xp 00000000 08:03 1574001    /usr/lib/libgnome-keyring.so.0.0.1
b3f49000-b3f4a000 rw-p 0000a000 08:03 1574001    /usr/lib/libgnome-keyring.so.0.0.1
b3f4a000-b3f61000 r-xp 00000000 08:03 1605724    /usr/lib/libart_lgpl_2.so.2.3.17
b3f61000-b3f62000 rw-p 00016000 08:03 1605724    /usr/lib/libart_lgpl_2.so.2.3.17
b3f62000-b3f8b000 r-xp 00000000 08:03 11103169   /usr/lib/libgnomecanvas-2.so.0.1400.0
b3f8b000-b3f8c000 rw-p 00028000 08:03 11103169   /usr/lib/libgnomecanvas-2.so.0.1400.0
b3f8c000-b3fea000 r-xp 00000000 08:03 1949733    /usr/lib/libbonoboui-2.so.0.0.0
b3fea000-b3fed000 rw-p 0005d000 08:03 1949733    /usr/lib/libbonoboui-2.so.0.0.0
b3fed000-b4076000 r-xp 00000000 08:03 1934765    /usr/lib/libgnomeui-2.so.0.1600.1
b4076000-b407a000 rw-p 00088000 08:03 1934765    /usr/lib/libgnomeui-2.so.0.1600.1
b407a000-b408c000 r-xp 00000000 08:03 1933548    /usr/lib/libbonobo-activation.so.4.0.0
b408c000-b408e000 rw-p 00012000 08:03 1933548    /usr/lib/libbonobo-activation.so.4.0.0
b408e000-b40df000 r-xp 00000000 08:03 1933564    /usr/lib/libbonobo-2.so.0.0.0
b40df000-b40e9000 rw-p 00050000 08:03 1933564    /usr/lib/libbonobo-2.so.0.0.0
b40e9000-b40fd000 r-xp 00000000 08:03 1934109    /usr/lib/libgnome-2.so.0.1600.0
b40fd000-b40fe000 rw-p 00014000 08:03 1934109    /usr/lib/libgnome-2.so.0.1600.0
b4108000-b410d000 r-xp 00000000 08:03 2166596    /usr/lib/libfam.so.0.0.0
b410d000-b410e000 rw-p 00004000 08:03 2166596    /usr/lib/libfam.so.0.0.0
b410e000-b4118000 r-xp 00000000 08:03 1687855    /usr/lib/gnome-vfs-2.0/modules/libfile.so
b4118000-b4119000 rw-p 0000a000 08:03 1687855    /usr/lib/gnome-vfs-2.0/modules/libfile.so
b4119000-b411b000 r-xp 00000000 08:03 1413693    /lib/libutil-2.5.so
b411b000-b411d000 rw-p 00001000 08:03 1413693    /lib/libutil-2.5.so
b411d000-b412b000 r-xp 00000000 08:03 1413681    /lib/libresolv-2.5.so
b412b000-b412d000 rw-p 0000d000 08:03 1413681    /lib/libresolv-2.5.so
b412d000-b412f000 rw-p b412d000 00:00 0 
b412f000-b4189000 r-xp 00000000 08:03 2657216    /usr/lib/libdbus-1.so.3.2.0
b4189000-b418a000 rw-p 0005a000 08:03 2657216    /usr/lib/libdbus-1.so.3.2.0
b418a000-b41a7000 r-xp 00000000 08:03 1884521    /usr/lib/libdbus-glib-1.so.2.1.0
b41a7000-b41a8000 rw-p 0001d000 08:03 1884521    /usr/lib/libdbus-glib-1.so.2.1.0
b41a8000-b41d9000 r-xp 00000000 08:03 11104108   /usr/lib/libcroco-0.6.so.3.0.1
b41d9000-b41dc000 rw-p 00030000 08:03 11104108   /usr/lib/libcroco-0.6.so.3.0.1
b41dc000-b4207000 r-xp 00000000 08:03 1376859 Aborted


Reproducible: Always

Steps to Reproduce:
1. I add an mp3 file from Metallica to the playlist

Actual Results:  
Audacious 1.3.2 [20070405-4320] crashes with the messages above

Expected Results:  
The files should be added

System uname: 2.6.22.10 i686 AMD Sempron(tm) 2600+
Timestamp of tree: Fri, 26 Oct 2007 16:30:01 +0000
app-shells/bash:     3.2_p17
dev-java/java-config: 1.3.7, 2.0.33-r1
dev-lang/python:     2.4.4-r4
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.9-r2
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.17
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.24
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=athlon-xp -O2 -pipe -fomit-frame-pointer -ggdb"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/lib/mozilla/defaults/pref /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/splash /etc/terminfo"
CXXFLAGS="-march=athlon-xp -O2 -pipe -fomit-frame-pointer -ggdb"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks metadata-transfer sandbox sfperms splitdebug strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
MAKEOPTS=""
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_EXTRA_OPTS=""
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="3dnow 3dnowext X acpi alsa arts avi berkdb bitmap-fonts cairo cdr cli cracklib crypt cups dbus debug dlloader dri dvd dvdr eds emboss encode esd fam firefox fortran gdbm gif gnome gpm gstreamer gtk hal iconv isdnlog jpeg libg++ mad midi mikmod mmx mmxext mp3 mpeg mudflap ncurses nls nptl nptlonly nsplugin ogg opengl openmp oss pam pcre pdflib perl png postgres ppds pppd python qt3 qt4 quicktime readline reflection sdl session spell spl sse ssl tcpd tiff tk truetype truetype-fonts type1-fonts udev unicode vorbis win32codecs wma x86 xf86-video-ati xml xorg xv zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="radeon"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS
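The backtrace in the report is the useful part of the output: glibc prints each frame as object(symbol+offset)[address], and the innermost frame outside libc and libstdc++ names the component that issued the offending free. The following is an added example, not code from the bug report or from Audacious. It splits the five reported frames into their parts and demangles the C++ symbols with the libstdc++ demangler (abi::__cxa_demangle), so that _ZN10Cu6mPlayerD0Ev reads as the Cu6mPlayer destructor without looking up the mangling rules. The Frame structure and the helper names are this example's own.

```cpp
// Added example, not code from the bug report or from Audacious: split the
// frames of a glibc "double free or corruption" backtrace into object,
// symbol and offset, and demangle the C++ symbols with the libstdc++
// demangler so the crashing destructor can be read directly.
#include <cxxabi.h>
#include <cstdio>
#include <cstdlib>
#include <string>
#include <vector>

struct Frame {
    std::string object;   // executable or shared object
    std::string symbol;   // demangled symbol, empty when glibc printed none
    std::string offset;   // offset inside the symbol, e.g. "0x30"
    std::string address;  // return address glibc printed in brackets
};

// Demangle an Itanium C++ ABI name; names that are not mangled
// (e.g. __libc_free) are returned unchanged.
std::string demangle(const std::string& mangled) {
    int status = 0;
    char* out = abi::__cxa_demangle(mangled.c_str(), nullptr, nullptr, &status);
    std::string result = (status == 0 && out != nullptr) ? std::string(out) : mangled;
    std::free(out);
    return result;
}

// Parse one glibc frame: "object(symbol+offset)[address]" or "object[address]".
Frame parse_frame(const std::string& line) {
    Frame f;
    const std::string::size_type paren = line.find('(');
    const std::string::size_type bracket = line.find('[');
    f.object = line.substr(0, paren != std::string::npos ? paren : bracket);
    if (paren != std::string::npos) {
        const std::string::size_type rparen = line.find(')', paren);
        const std::string inner = line.substr(paren + 1, rparen - paren - 1);
        const std::string::size_type plus = inner.rfind('+');
        f.symbol = demangle(inner.substr(0, plus));      // whole string when no '+'
        if (plus != std::string::npos) f.offset = inner.substr(plus + 1);
    }
    if (bracket != std::string::npos) {
        const std::string::size_type close = line.find(']', bracket);
        if (close != std::string::npos) f.address = line.substr(bracket + 1, close - bracket - 1);
    }
    return f;
}

// The frames exactly as glibc printed them in the report above.
const std::vector<std::string> kReportedFrames = {
    "/lib/libc.so.6[0xb74f1d92]",
    "/lib/libc.so.6(__libc_free+0x87)[0xb74f3407]",
    "/usr/lib/gcc/i686-pc-linux-gnu/4.1.2/libstdc++.so.6(_ZdlPv+0x21)[0xb7684d61]",
    "/usr/lib/gcc/i686-pc-linux-gnu/4.1.2/libstdc++.so.6(_ZdaPv+0x1d)[0xb7684dbd]",
    "/usr/lib/audacious/Input/libadplug.so(_ZN10Cu6mPlayerD0Ev+0x30)[0xb5d347f0]",
};

std::vector<Frame> parse_backtrace(const std::vector<std::string>& lines) {
    std::vector<Frame> frames;
    for (const std::string& line : lines) frames.push_back(parse_frame(line));
    return frames;
}

// The innermost frame outside libc and libstdc++ is where triage starts:
// it names the code that issued the offending free.
Frame first_application_frame(const std::vector<Frame>& frames) {
    for (const Frame& f : frames) {
        if (f.object.find("libc.so") == std::string::npos &&
            f.object.find("libstdc++") == std::string::npos)
            return f;
    }
    return Frame{};
}

int main() {
    const std::vector<Frame> frames = parse_backtrace(kReportedFrames);
    for (const Frame& f : frames)
        std::printf("%-60s %s+%s [%s]\n", f.object.c_str(), f.symbol.c_str(),
                    f.offset.c_str(), f.address.c_str());
    const Frame culprit = first_application_frame(frames);
    std::printf("offending free issued from %s in %s\n",
                culprit.symbol.c_str(), culprit.object.c_str());
    return 0;
}
```

Read bottom-up: the adplug plugin's Cu6mPlayer deleting destructor calls operator delete[] (_ZdaPv), which calls operator delete (_ZdlPv), which calls __libc_free, and glibc's heap consistency check aborts on the second free of the same chunk. That chain is what points the later comments at USE="adplug"; a debug build with symbols and a core dump, as asked for in comment 6, would add the frames above the destructor and the file and line inside it.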
Comment 1 Marek Cruz 2007-10-26 17:31:51 UTC
The only file which always causes the crash can be downloaded from the following location http://files-upload.com/files/582839/03-The_Wait.mp3

The other files are processed and played without any problem.
Comment 2 Tony Vroon (RETIRED) gentoo-dev 2007-10-28 11:29:28 UTC
This should be reported on the upstream bugtracker (bugzilla at atheme.org). Please use the URL field to go there. Note that a double free is generally hard to exploit and can only be used to shut the program down in a particularly unclean way. How would this work, sending the user a specially crafted MP3 file to shut their media player down?
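For readers who have not seen a double free come out of a C++ destructor before, the following added example (not Audacious or adplug code; the BuggyPlayer and SafePlayer classes are hypothetical and say nothing about what Cu6mPlayer actually does) shows the two usual ways a destructor ends up freeing a buffer that is already gone, and the ownership fix beside them. Frees are routed through a small tracker so the second delete[] of the same pointer is counted instead of corrupting the heap; real code has no such guard, which is why glibc's consistency check is the thing that stops the program.

```cpp
// Added example, not Audacious or adplug code: the class of defect that
// makes glibc abort with "double free or corruption" inside a destructor,
// with the ownership fix beside it. Buffer frees go through a tracker so a
// second delete[] of the same pointer is counted rather than corrupting
// the heap; production code has no such guard.
#include <cstddef>
#include <cstdio>
#include <memory>
#include <set>
#include <utility>

static std::set<unsigned char*> g_live;  // buffers currently owned by someone
static int g_double_frees = 0;           // second delete[] of the same pointer

static unsigned char* tracked_new(std::size_t n) {
    unsigned char* p = new unsigned char[n];
    g_live.insert(p);
    return p;
}

static void tracked_delete(unsigned char* p) {
    if (p == nullptr) return;              // delete[] nullptr is a no-op
    if (g_live.erase(p) == 1) delete[] p;  // first free: legitimate
    else ++g_double_frees;                 // glibc would abort here
}

// Hypothetical player (not Cu6mPlayer): a raw owning pointer, the implicit
// copy constructor, and a close() that frees without nulling the pointer.
class BuggyPlayer {
public:
    explicit BuggyPlayer(std::size_t n) : buf_(tracked_new(n)), len_(n) {}
    ~BuggyPlayer() { tracked_delete(buf_); }
    void close() { tracked_delete(buf_); }  // buf_ now dangles
    std::size_t size() const { return len_; }
private:
    unsigned char* buf_;
    std::size_t len_;
};

// Fixed version: unique ownership, copying rejected at compile time,
// close() resets the pointer so the destructor has nothing left to free.
class SafePlayer {
public:
    explicit SafePlayer(std::size_t n) : buf_(tracked_new(n), &tracked_delete), len_(n) {}
    SafePlayer(const SafePlayer&) = delete;
    SafePlayer& operator=(const SafePlayer&) = delete;
    SafePlayer(SafePlayer&&) = default;
    SafePlayer& operator=(SafePlayer&&) = default;
    void close() { buf_.reset(); len_ = 0; }   // frees once, leaves nullptr behind
    std::size_t size() const { return len_; }
private:
    std::unique_ptr<unsigned char[], void (*)(unsigned char*)> buf_;
    std::size_t len_;
};

// Member-wise copy: two objects, one buffer, two destructors.
int count_double_frees_shallow_copy() {
    g_double_frees = 0;
    {
        BuggyPlayer a(64);
        BuggyPlayer b = a;   // b.buf_ == a.buf_
    }                        // second destructor frees the same chunk again
    return g_double_frees;
}

// Explicit close() followed by the destructor's own cleanup.
int count_double_frees_close_then_destroy() {
    g_double_frees = 0;
    {
        BuggyPlayer a(64);
        a.close();           // frees buf_ but leaves the dangling pointer in place
    }                        // destructor frees it again
    return g_double_frees;
}

// Same two operations on the fixed class.
int count_double_frees_fixed() {
    g_double_frees = 0;
    {
        SafePlayer a(64);
        SafePlayer b = std::move(a);  // ownership moves; a's destructor frees nothing
        b.close();                    // releases once; b's destructor sees nullptr
    }
    return g_double_frees;
}

int main() {
    std::printf("shallow copy:        %d double free(s)\n", count_double_frees_shallow_copy());
    std::printf("close then destroy:  %d double free(s)\n", count_double_frees_close_then_destroy());
    std::printf("unique ownership:    %d double free(s)\n", count_double_frees_fixed());
    return 0;
}
```

The variant of the glibc message in the report, "double free or corruption (top)", is the check that fires when the chunk being freed is the allocator's top chunk, so the pointer passed to delete[] was either already returned to the heap or never a valid chunk start; either way the fix is the same as above: give the buffer exactly one owner and make the cleanup path idempotent.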
Comment 3 Tony Vroon (RETIRED) gentoo-dev 2007-10-28 11:40:26 UTC
This plays in the 1.4 branch:
* Chainsaw is listening to [Metallica - Garage_Days_Re-Revisited - The_Wait (MPEG Audio (MP3) - lossy)] length[0:09/4:57]

Will be resolved once 1.4 RC1 is released.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2007-10-28 12:26:18 UTC
Can't reproduce on amd64 with Audacious 1.3.2 [20070405-4320].
Comment 5 Tony Vroon (RETIRED) gentoo-dev 2007-10-28 12:49:27 UTC
(In reply to comment #4)
> Can't reproduce on amd64 with Audacious 1.3.2 [20070405-4320].

Based on the backtrace you need USE="adplug" for it to trigger.
Comment 6 Lubomir Rintel 2007-10-29 15:35:39 UTC
I was not able to reproduce it. Could you please make a debug build and try to obtain a core dump or more reasonable backtrace?

Until we have a fix I suggest working around the issue by not listening to Metallica. I propose Alice Cooper as a more than a reasonable replacement.

Tony: Did you file an upstream bugzilla ticket? Can you provide the number?
Comment 7 Tony Vroon (RETIRED) gentoo-dev 2007-10-29 15:53:06 UTC
(In reply to comment #6)
> Tony: Did you file an upstream bugzilla ticket? Can you provide the number?

I did not. Upstream is working on 1.4 which does not have the bug. I have stopped reporting bugs upstream on behalf of a user as most do not follow up.