FS#78116 - [cdrdao] reading of uninitialized variables with read-toc and copy
Attached to Project:
Arch Linux
Opened by Cebtenzzre (cebtenzzre) - Tuesday, 04 April 2023, 21:52 GMT
Last edited by Antonio Rojas (arojas) - Monday, 10 July 2023, 19:12 GMT
Details
Description:
Since cdrdao 1.2.5, there are some changes to the way the DaoCommandLine class is initialized. Some forgotten NULL assignments mean that uninitialized stack memory is read in two cases:

- when using `cdrdao read-toc test.toc`, there are FILE lines in the TOC with garbage values (often invalid UTF-8, which causes whipper to fail)
- when using `cdrdao copy`, it segfaults when comparing sourceScsiDevice to NULL

Those are the results that I got, but of course there may be different results sometimes since it's a form of undefined behavior.

I have attached a simple patch that fixes the issue.

Additional info:
* cdrdao version 1.2.5-1
* Upstream issue https://github.com/cdrdao/cdrdao/issues/22
* Pull request https://github.com/cdrdao/cdrdao/pull/21
* whipper issue https://github.com/whipper-team/whipper/issues/591

Steps to reproduce:
Closed by Antonio Rojas (arojas)
Monday, 10 July 2023, 19:12 GMT
Reason for closing: Fixed
Additional comments about closing: cdrdao 1.2.5-2
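
The bug class described in the report, shown as an added illustration that is neither cdrdao's code nor the attached patch: an options struct whose pointer members have no initializer, next to a hardened form with default member initializers and a compile-time check that flags the unsafe shape. Only the name `sourceScsiDevice` comes from the report; the struct names, `dataFilename` and the helper functions are hypothetical.

```cpp
#include <cstring>
#include <new>
#include <type_traits>

// Hypothetical stand-ins for an options class. Only the member name
// sourceScsiDevice comes from the report; everything else is assumed.
struct OptionsBefore {                 // the pattern the report describes
    const char* sourceScsiDevice;      // no initializer: indeterminate on the stack
    const char* dataFilename;          // assumed second string option
};

struct OptionsAfter {                  // hardened: default member initializers
    const char* sourceScsiDevice = nullptr;
    const char* dataFilename = nullptr;
};

// Compile-time tripwire: a trivially default-constructible type is one for
// which `T opts;` writes nothing, so every member keeps stale stack bytes.
static_assert(std::is_trivially_default_constructible<OptionsBefore>::value,
              "before: default-initialization leaves members indeterminate");
static_assert(!std::is_trivially_default_constructible<OptionsAfter>::value,
              "after: construction always writes the members");

// Build the hardened struct on top of storage pre-filled with 0xAA (a stand-in
// for leftover stack contents) and confirm the initializers still produce null.
// The same read on OptionsBefore would be undefined behavior, so it is not done.
bool unsetAfterConstructionOverGarbage() {
    alignas(OptionsAfter) unsigned char storage[sizeof(OptionsAfter)];
    std::memset(storage, 0xAA, sizeof storage);
    OptionsAfter* opts = new (storage) OptionsAfter;  // same as `OptionsAfter opts;`
    bool ok = opts->sourceScsiDevice == nullptr && opts->dataFilename == nullptr;
    opts->~OptionsAfter();
    return ok;
}

// The null comparison is only meaningful once the member is always initialized.
const char* sourceLabel(const OptionsAfter& opts) {
    return opts.sourceScsiDevice == nullptr ? "(none)" : opts.sourceScsiDevice;
}

int main() {
    return unsetAfterConstructionOverGarbage() ? 0 : 1;
}
```

Building with `-Wall -Wextra` and running tests under MemorySanitizer or Valgrind are the usual ways to catch reads of the unhardened form at development time.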
Comment by Toolybird (Toolybird) - Tuesday, 04 April 2023, 22:13 GMT
Orphaned pkg (i.e. no maintainer). @arojas was the last to kindly update it. Should probably wait for upstream's response to the issue.

Comment by Michael Ortmann (mortmann) - Monday, 03 July 2023, 04:55 GMT
Same bug here. If there is no arch maintainer to add the provided patch, instead of waiting for upstream, can someone downgrade the arch package to 1.2.4?