Bug#890023: abcmidi fails autopkg tests on 32bit architectures

To: 890023@bugs.debian.org, seymour.shlien@crc.ca
Cc: Matthias Klose <doko@debian.org>
Subject: Bug#890023: abcmidi fails autopkg tests on 32bit architectures
From: James Cowgill <jcowgill@debian.org>
Date: Mon, 12 Feb 2018 13:28:59 +0000
Message-id: <[🔎] 0369e161-ac8a-58d6-44c0-8fe953deb79d@debian.org>
Reply-to: James Cowgill <jcowgill@debian.org>, 890023@bugs.debian.org
In-reply-to: <[🔎] 49155f80-58a1-abd7-ff64-65790e256acf@debian.org>
References: <[🔎] 49155f80-58a1-abd7-ff64-65790e256acf@debian.org> <[🔎] 49155f80-58a1-abd7-ff64-65790e256acf@debian.org>

Control: tags -1 patch

Hi,

On 10/02/18 08:52, Matthias Klose wrote:
> Package: src:abcmidi
> Version: 20180125-1
> Severity: serious
> Tags: sid buster
> 
> abcmidi fails autopkg tests on 32bit architectures, midi2abc crashing.  Is there
> a reason why the tests are not run at build time?
> 
> --------------------------------
> MIDI to ABC conversion test
> --------------------------------
> Convert the araber47.mid file back to abc
> Aborted (core dumped)
> autopkgtest [14:08:29]: test conversions: -----------------------]
> autopkgtest [14:08:33]: test conversions:  - - - - - - - - - - results - - - - -
> - - - - -
> conversions          FAIL non-zero exit status 134
> autopkgtest [14:08:33]: test conversions:  - - - - - - - - - - stderr - - - - -
> - - - - -
> *** Error in `midi2abc': free(): invalid pointer: 0x00c43f28 ***
> Aborted (core dumped)

Caused by a buffer overflow in midi2abc.c:329
> char* addstring(s)
> /* create space for string and store it in memory */
> char* s;
> {
>   char* p;
> 
>   p = (char*) checkmalloc(strlen(s)+1);
>   strncpy(p, s,strlen(s)+2); /* [SS] 2017-08-30 */
>   return(p);
> }

strncpy writes to exactly n bytes to the output buffer, so the call will
always overflow the buffer allocated one line above by 1 byte.

Attached patch fixes this. I think using strcpy is safe here because the
size of the buffer allocated is always greater than the string length.

I think the comment on that line refers to this (from doc/CHANGES):
> August 30 2017
> 
> Midi2abc - The metatext string is not terminated with a 0 and
> as a result can contain random junk, in particular on the Windows
> operating system. Fix in midifile.c, the Msgbuff is initialized to
> 0 when it is allocated.

Some old code I found shows the code originally used strcpy. I'm not I
understand how using strncpy was supposed to fix this. I've copied
upstream who might be able to shed some light on this.

Thanks,
James

--- a/midi2abc.c
+++ b/midi2abc.c
@@ -333,7 +333,7 @@ char* s;
   char* p;
 
   p = (char*) checkmalloc(strlen(s)+1);
-  strncpy(p, s,strlen(s)+2); /* [SS] 2017-08-30 */
+  strcpy(p, s);
   return(p);
 }

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to:

Follow-Ups:
- Bug#890023: abcmidi fails autopkg tests on 32bit architectures
  - From: Ross Gammon <rossgammon@debian.org>

References:
- Bug#890023: abcmidi fails autopkg tests on 32bit architectures
  - From: Matthias Klose <doko@debian.org>

Prev by Date: Bug#890250: abcmidi: valgrind errors running conversions autopkgtest
Next by Date: Processed: Re: Bug#890023: abcmidi fails autopkg tests on 32bit architectures
Previous by thread: Bug#890023: abcmidi fails autopkg tests on 32bit architectures
Next by thread: Bug#890023: abcmidi fails autopkg tests on 32bit architectures
Index(es):
- Date
- Thread