Bug#1096012: cmt Feedback Delay Line buffer-overflow
Package: cmt
Version: 1.18-1
Severity: normal
Dear Maintainer,
The CMT LADSPA plugins Feedback Delay Line have an incorrect amount of memory
available to ports.
So the plugin might crash your application with SIGSEGV. See the stack trace
from valgrind.
==7644== 5 errors in context 1 of 1:
==7644== Invalid write of size 8
==7644== at 0x9DF2744: ??? (in /home/joelkraehemann/github/cmt_1.18/plugins/cmt.so)
==7644== by 0x49DB9BF: g_closure_invoke (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.8200.4)
==7644== by 0x49F035F: ??? (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.8200.4)
==7644== by 0x49F17A8: ??? (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.8200.4)
==7644== by 0x49F7665: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.8200.4)
==7644== by 0x49F7722: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.8200.4)
==7644== by 0x4F45AB2: ags_base_plugin_connect_port (ags_base_plugin.c:1804)
==7644== by 0x109B7F: cmt_test_connect_port (cmt_test.c:335)
==7644== by 0x4A2CA82: ??? (in /usr/lib/x86_64-linux-gnu/libcunit.so.1.0.1)
==7644== by 0x4A2CCD7: ??? (in /usr/lib/x86_64-linux-gnu/libcunit.so.1.0.1)
==7644== by 0x4A2D137: CU_run_all_tests (in /usr/lib/x86_64-linux-gnu/libcunit.so.1.0.1)
==7644== by 0x109CF3: main (cmt_test.c:388)
==7644== Address 0x9d7feb0 is 0 bytes after a block of size 32 alloc'd
==7644== at 0x48455B3: operator new[](unsigned long) (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==7644== by 0x9DF331B: ??? (in /home/joelkraehemann/github/cmt_1.18/plugins/cmt.so)
==7644== by 0x62C493B: ags_cclosure_marshal_POINTER__UINT_UINT (ags_marshal.c:2501)
==7644== by 0x49DB9BF: g_closure_invoke (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.8200.4)
==7644== by 0x49F035F: ??? (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.8200.4)
==7644== by 0x49F1071: ??? (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.8200.4)
==7644== by 0x49F7665: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.8200.4)
==7644== by 0x49F7722: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.8200.4)
==7644== by 0x4F45939: ags_base_plugin_instantiate (ags_base_plugin.c:1745)
==7644== by 0x109698: cmt_test_connect_port (cmt_test.c:180)
==7644== by 0x4A2CA82: ??? (in /usr/lib/x86_64-linux-gnu/libcunit.so.1.0.1)
==7644== by 0x4A2CCD7: ??? (in /usr/lib/x86_64-linux-gnu/libcunit.so.1.0.1)
==7644==
==7644== ERROR SUMMARY: 5 errors from 1 contexts (suppressed: 0 from 0)
-- System Information:
Debian Release: trixie/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.12.10-amd64 (SMP w/24 CPU threads; PREEMPT)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages cmt depends on:
ii libc6 2.40-6
ii libgcc-s1 14.2.0-14
ii libstdc++6 14.2.0-14
cmt recommends no packages.
cmt suggests no packages.
-- no debconf information
--- src/delay.cpp.orig 2025-02-15 07:59:34.020345799 +0100
+++ src/delay.cpp 2025-02-15 07:59:58.335821276 +0100
@@ -88,7 +88,7 @@
DelayLine(const unsigned long lSampleRate,
const LADSPA_Data fMaximumDelay)
- : CMT_PluginInstance(4),
+ : CMT_PluginInstance(DELAY_LENGTH_COUNT),
m_fSampleRate(LADSPA_Data(lSampleRate)),
m_fMaximumDelay(fMaximumDelay) {
/* Buffer size is a power of two bigger than max delay time. */
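Review bot: In the initializer list, `CMT_PluginInstance(DELAY_LENGTH_COUNT)` sizes the port array with a constant whose name describes a number of delay lengths rather than a number of ports, and whose definition is not part of this hunk. The valgrind trace shows a write of size 8 landing 0 bytes after the 32-byte block, which on amd64 is a fifth pointer slot, so the argument has to be at least 5. If DELAY_LENGTH_COUNT only happens to have a large enough value, a later change to the set of delay lengths would silently resize the port array again. Please pass a dedicated port-count constant instead (per variant, if this `DelayLine` constructor is shared by plugins with different numbers of ports) and add a short comment saying the argument is the port count.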
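The failure mode in the report, as an added example that is not code from the report or from the CMT project: a port table allocated with four slots while five ports get connected, with a bounds-checked store that rejects the fifth instead of writing past the block. Every name here (`PortTable`, `PortIndex`, `SampleData`, the port names) is hypothetical, and the five-port layout is an assumption consistent with the trace.

```cpp
#include <cstddef>
#include <memory>

typedef float SampleData;  // stand-in for LADSPA_Data (assumption)

// Assumed port layout for this example: five ports, indices 0..4.
enum PortIndex { PORT_DELAY, PORT_DRY_WET, PORT_INPUT, PORT_OUTPUT,
                 PORT_FEEDBACK, PORT_COUNT };

class PortTable {
public:
    explicit PortTable(std::size_t count)
        : m_count(count), m_ports(new SampleData *[count]()) {}

    // Checked counterpart of a raw `ports[index] = location` store:
    // refuses an index outside the allocation instead of writing past it.
    bool connect(std::size_t index, SampleData *location) {
        if (index >= m_count) return false;
        m_ports[index] = location;
        return true;
    }

private:
    std::size_t m_count;
    std::unique_ptr<SampleData *[]> m_ports;
};

// Connect all PORT_COUNT ports to a table with `allocated` slots.
// Returns the byte offset (from the start of the pointer array) of the first
// rejected store, or -1 if every port fits.
long first_rejected_offset(std::size_t allocated) {
    PortTable table(allocated);
    SampleData buffer[PORT_COUNT] = {};
    for (std::size_t i = 0; i < PORT_COUNT; ++i)
        if (!table.connect(i, &buffer[i]))
            return static_cast<long>(i * sizeof(SampleData *));
    return -1;
}

int main() {
    // 4 slots: port 4 is rejected at the offset equal to the block size,
    // the "0 bytes after a block" position an unchecked store would hit.
    // PORT_COUNT slots: every port is accepted.
    bool ok = first_rejected_offset(4) == long(4 * sizeof(SampleData *)) &&
              first_rejected_offset(PORT_COUNT) == -1;
    return ok ? 0 : 1;
}
```

With 8-byte pointers the rejected offset for four slots is 32, matching the "0 bytes after a block of size 32" line in the trace.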