New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
MPD crashes on windows when large input is submitted #1676
Comments
Oh no, that's indeed a stupid mistake! |
snprintf() does not return the (truncated) length actually written, but the length that would be needed if the buffer were large enough. This API usage mistake in FormatLastError() can lead to overflow of the stack buffer, crashing the process (Windows only). Closes #1676
it's definitely a footgun - now that I think about it, there are probably other places where that happens, I should look into it :) |
There are few places where the return value is really used, and it looks like those are used correctly (to allocate a buffer). |
oh, alright. Awesome, and thanks for the quick fix! |
FWIW this also hits linux, particularly on AudioCD playback. |
@MaxKellermann |
|
Thanks for the tip. |
I don't see any compiler warnings in your paste |
If those are no concerning messages, then fine. For some reason, under While launched regularly it does access CD and then hangs. (IO stuff I'd like to debug) |
I see there are many
Thoughts? |
Can't get much out of |
Bug report
Describe the bug
When sending 1. large input and 2. that would trigger the logging of an error on MPD on windows, MPD just segfaults. For instance, sending
listplaylist <400 times 'A'>
swiftly makes MPD segfaults.The error probably stems from https://github.com/MusicPlayerDaemon/MPD/blob/master/src/system/Error.hxx#L94-L95 , and the fact that
snprintf
returns the number of bytes which would have been written to the final string if enough space had been available (https://linux.die.net/man/3/snprintf), and not the number of bytes actually written.I think changing it by a min(return_value, 512) would work and I'd gladly submit a PR if that's the way to go :)
It also means that it's possible to write
0x3a20
(which corresponds to the:
manually written) about anywhere on the stack, which leads to crashes when it's written to, for instance, rip, but could probably be used for more malicious purposes.Expected Behavior
MPD does not crash when sent arbitrary big input.
Actual Behavior
MPD crashes when sent big payloads.
Version
Configuration
Log
The backtrace is misleading, since we're dealing with stack frame corruptions here, but added a few excerpts, depending on the length of the payload:
or
The text was updated successfully, but these errors were encountered: