GNOME Bugzilla – Bug 603261
rhythmbox crashes during drag n drop of mp3 to iPod
Last modified: 2010-03-13 14:16:28 UTC
Originally reported at https://bugs.launchpad.net/ubuntu/+source/rhythmbox/+bug/476167:

It looks like this has to do with the underlying name of the mp3. One mp3 file that was causing this crash was given this name via my podcatcher (hpodder):

    podcast.mp3_e_id=CA6152EF-CF75-283F-B143EBB231A94818_ref=p_itune

After renaming this file to podcast.mp3, drag n drop to my iPod doesn't cause the crash.

Stacktrace: http://launchpadlibrarian.net/35238461/Stacktrace.txt
Valgrind (ca. 37 MB): http://launchpadlibrarian.net/35516453/valgrind.log.bz2
Comment from launchpad:
>>>
Errors in the log are:

==3065== Invalid write of size 1
==3065==    at 0xA0F8E4A: impl_build_dest_uri (rb-ipod-source.c:1381)
==3065==    by 0x409B344: rb_removable_media_source_build_dest_uri (rb-removable-media-source.c:602)
==3065==    by 0x409C1B9: impl_paste (rb-removable-media-source.c:399)
==3065==    by 0x40ACE1A: rb_source_paste (rb-source.c:1117)
==3065==    by 0x409BF0E: impl_receive_drag (rb-removable-media-source.c:584)
==3065==    by 0x40AD022: rb_source_receive_drag (rb-source.c:1410)
<<<
Crash is caused by the overlong extension. In rb-ipod-source.c:get_ipod_filename, we end up doing:

    if (strlen (result) >= IPOD_MAX_PATH_LEN) {
        char *ext, *suffix;

        ext = strrchr (result, '.');
        if (ext == NULL) {
            suffix = result + IPOD_MAX_PATH_LEN - 4;
            result [IPOD_MAX_PATH_LEN - 1] = '\0';
        } else {
            suffix = result + IPOD_MAX_PATH_LEN - 4 - strlen(ext);
            memmove (&result[IPOD_MAX_PATH_LEN - strlen (ext) - 1] , ext, strlen (ext) + 1);
        }
        ...

with "result" being equal to:

    podcast.mp3_e_id=CA6152EF-CF75-283F-B143EBB231A94818_ref=p_itune

Then we do

    suffix = result + IPOD_MAX_PATH_LEN - 4 - strlen(ext);

but IPOD_MAX_PATH_LEN - 4 - strlen (ext) ends up being negative with this filename, so hell breaks loose:)

We need to sanitize the extension before ending up in this code path imo.
fixed by commit 4051e272