GNOME Bugzilla – Bug 606010
crashes at audio CD insertion
Last modified: 2010-07-23 08:22:10 UTC
This report has been filed here: https://bugs.edge.launchpad.net/ubuntu/+source/brasero/+bug/501207 "Inserting an audio CD will crash Nautilus and also take down RhythmBox, along with other audio-related apps that might be running."
+ Trace 219874
Thread 1 (process 5440)
An additional observation has been made by the original reporter. He tried the alpha 2 version of Lucid Lynx and found that the problem does not occur in that version of Ubuntu. Therefore, it appears that the very latest versions of code solve the issue and it is just a matter of determining what it is that needs fixing.
Thanks for the report. I checked the code and I may have found a place where it looked fishy. What is strange is that the error was in both stable and master. Anyway, I fixed it in both. So please let your user know so he can test whether it helped. Tell him also that the problem should arise from some audio discs with CD-TEXT. So maybe he has got one disc in particular that should trigger the problem. If I'm right it should not happen with all audio discs and even less with audio discs without CD-TEXT.
I've encountered this problem on Ubuntu Lucid too and added some more information to the Launchpad bug. Could you tell me where I can get your patch that fixes this issue? I would very much like to try it. Thanks.
Just re-pinging to point out Paul's comment #43 and #44 in the Launchpad report:
In the above debug log, there are some <value optimised out> values, one crucial value is that of num in the brasero_medium_read_CD_TEXT() function that calls _next_CD_TEXT_pack() where the crash happens. This sets the assumed size of the array whose access is causing the SEGV. The value is 954437176, probably more than actually allocated. On another machine running the same version of brasero, the value is 0. If I prevent the call to _next_CD_TEXT_pack() then the crash does not happen and the applications appear to function as expected. I'm not sure what CD_TEXT actually is but the audio CD I have been trying appears not to use it. I still get the "I/O error" messages of course:
[85642.694961] sr 0:0:1:0: [sr0] Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE
[85642.694968] sr 0:0:1:0: [sr0] Sense Key : Illegal Request [current]
[85642.694974] sr 0:0:1:0: [sr0] Add. Sense: Illegal mode for this track
[85642.694982] sr 0:0:1:0: [sr0] CDB: Read(10): 28 00 00 00 00 00 00 00 02 00
[85642.694994] end_request: I/O error, dev sr0, sector 0
I think there is a low level problem with the CD driver that needs fixing but the crash in brasero could possibly be prevented.
Created attachment 166121: Debug log from launchpad entry
Log file from Paul. Can be found in comment #43 of the original launchpad bug report.
Right, I tried again and modified the code. The attempt is to be found at:
commit f031e1ee921886ef2a0f50a936cf939a9d614463
Author: Philippe Rouquier <bonfire-app@wanadoo.fr>
Date: Mon Jul 19 14:01:01 2010 +0200
    Try again to fix #606010 - crashes at audio CD insertion
Could you let your users know please so they can test and report if it works?
I tried your patch but I still get the crash. If I've applied your patch correctly, you have added the check "if(num <= 0)". However, num in my case is 954437176 so does not get caught. I don't know anything about CD-Text Data Pack sizes but a quick search appears to suggest the maximum value is 256. If I change your patch to "if (num <= 0 || num>256)" then the error is trapped and everything continues and works. Hope that helps.
I added this check indeed but that was not the important part. I also changed the way num is calculated by using the size value instead of cd_text->hdr->len. Could you tell me what size and cd_text->hdr->len values are for you please?
Just to be more precise. I suspect that your size or even cd_text->hdr->len is wrong and probably too small, leading to a negative value.
Here is another patch to address the possible issue I described above. It should return from the function if size < sizeof (BraseroScsiTocPmaAtipHdr) avoiding negative values.
author Philippe Rouquier <bonfire-app@wanadoo.fr> 2010-07-22 08:10:38 (GMT)
committer Philippe Rouquier <bonfire-app@wanadoo.fr> 2010-07-22 08:10:53 (GMT)
commit b1b8ae5c0bf918503cd10380c9634d814f9f7a23
tree 458154fa1e1bec8d3d1a40d511e6ced6f8af6f8c
parent f535d9d5446ee7481f5ebf76f2ec5ac5562767ed
    Another try at #606010 - crashes at audio CD insertion
gnome-2-30
http://git.gnome.org/browse/brasero/commit/?h=gnome-2-30&id=b1b8ae5c0bf918503cd10380c9634d814f9f7a23
If you could try it please? Thanks in advance.
Thanks for looking at this Philippe. Your latest patch fixed the crash; however, it appears that you are using the num variable before it is initialised. I'm applying both your original patch and the new one to the Ubuntu Lucid version of the source 2.30.2-0ubuntu1 as I can't build the git version directly. Apologies if this has meant I do not have the complete patch. These are the values of the variables you requested:
size = 2
BRASERO_GET_16 (cd_text->hdr->len) = 0
Thanks a lot for testing. It turns out you are entirely right; while writing the previous patch I introduced a stupid mistake using num instead of size. Thank you for spotting it. So apparently I was right, some drives return idiotic values or cannot read CD-TEXT maybe hence the value returned... I'm closing this bug. If someone still sees this problem after brasero 2.30.3 please feel free to reopen it.
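The length check discussed in this thread, as an added example that is not brasero's code: it shows how a pack count derived from a too-short drive reply wraps to a huge value, beside a version that rejects the reply first. The function names are hypothetical, and the 4-byte header and 18-byte pack sizes are assumptions taken from the MMC READ TOC/PMA/ATIP layout, not from this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HDR_SIZE  4u   /* assumed: 2-byte length + first/last bytes (MMC header) */
#define PACK_SIZE 18u  /* assumed: size of one CD-TEXT pack (MMC) */

/* Unsafe pattern: the unsigned subtraction wraps when size < HDR_SIZE. */
size_t naive_pack_count(size_t size)
{
    return (size - HDR_SIZE) / PACK_SIZE;
}

/* Checked version: returns 0 and stores the count, or -1 if the reply is unusable. */
int checked_pack_count(const uint8_t *buf, size_t size, size_t *count)
{
    size_t declared, usable;

    if (buf == NULL || count == NULL || size < HDR_SIZE)
        return -1;                    /* too short to hold a header */
    /* Big-endian length field; it does not count its own 2 bytes. */
    declared = (((size_t)buf[0] << 8) | buf[1]) + 2u;
    if (declared < HDR_SIZE)
        return -1;                    /* drive declared no payload */
    /* Trust neither value alone: use the smaller of the two. */
    usable = (declared < size ? declared : size) - HDR_SIZE;
    *count = usable / PACK_SIZE;
    return 0;
}

/* Constructed reply with the values reported in the thread: size = 2, len = 0. */
int demo_short_reply(void)
{
    const uint8_t reply[2] = { 0x00, 0x00 };
    size_t n = 0;
    return checked_pack_count(reply, sizeof reply, &n);
}

/* Constructed well-formed reply: header declaring two packs, then 36 zero bytes. */
size_t demo_two_packs(void)
{
    uint8_t reply[HDR_SIZE + 2 * PACK_SIZE] = { 0x00, 0x26 }; /* 0x26 = 2 + 36 */
    size_t n = 0;
    return checked_pack_count(reply, sizeof reply, &n) == 0 ? n : (size_t)-1;
}

int main(void)
{
    printf("naive count for size 2: %zu\n", naive_pack_count(2));
    printf("checked, short reply:   %d\n", demo_short_reply());
    printf("checked, two packs:     %zu\n", demo_two_packs());
    return 0;
}
```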