Package: xmms-scrobbler
Version: 0.3.8.1-4asd3
Severity: important
Tags: patch

Valgrind helped track these crashers down:

==17384== Invalid read of size 4
==17384==    at 0x593DF64: metaID3v2 (tags.c:409)
==17384==    by 0x593E5B2: get_tag_data (tags.c:761)
==17384==    by 0x593B704: xs_thread (xmms_scrobbler.c:445)
==17384==    by 0x420FCA2: start_thread (in /lib/tls/i686/cmov/libpthread-0.60.s
o)
==17384==    by 0x442BF59: clone (in /lib/tls/i686/cmov/libc-2.3.2.so)
==17384==  Address 0x0 is not stack'd, malloc'd or (recently) free'd

and

==27394== Invalid read of size 4
==27394==    at 0x5941E9A: freeID3v2 (id3v2.c:704)
==27394==    by 0x593E7E7: metatag_delete (tags.c:796)
==27394==    by 0x593B724: xs_thread (xmms_scrobbler.c:461)
==27394==    by 0x420FCA2: start_thread (in /lib/tls/i686/cmov/libpthread-0.60.s
o)
==27394==    by 0x442BF59: clone (in /lib/tls/i686/cmov/libc-2.3.2.so)
==27394==  Address 0xC is not stack'd, malloc'd or (recently) free'd


Both are the result of a null-pointer dereference. Trivial fix attached.
[Expect an offset when applying the patch: my line numbers surely differ
because of other things I've changed.]


-- System Information:
Debian Release: 3.1
  APT prefers stable
  APT policy: (500, 'stable'), (100, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16-2-686-smp
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages xmms-scrobbler depends on:
ii  libc6               2.3.2.ds1-22sarge3   GNU C Library: Shared libraries an
ii  libcurl3            7.13.2-2sarge5       Multi-protocol file transfer libra
ii  libidn11            0.5.13-1.0           GNU libidn library, implementation
ii  libmusicbrainz4     2.1.1-3              Second generation incarnation of t
ii  libssl0.9.7         0.9.7e-3sarge1       SSL shared libraries
ii  libstdc++5          1:3.3.5-13           The GNU Standard C++ Library v3
ii  xmms                1.2.10+cvs20050209-2 Versatile X audio player that look
ii  zlib1g              1:1.2.2-4.sarge.2    compression library - runtime

xmms-scrobbler recommends no packages.

-- no debconf information
--- xmms-scrobbler-0.3.8.1.orig/tags/tags.c
+++ xmms-scrobbler-0.3.8.1/tags/tags.c
@@ -400,6 +400,11 @@
 	{
 		unsigned char *data = NULL, *utf = NULL;
 		framedata_t *frame = id3v2->items[i];
+		if (!frame) {
+			pdebug("frame = NULL; skip", META_DEBUG);
+			continue;
+		}
+
 		if(	(id3v2->version == 2 && frame->frameid == ID3V22_TT2) ||
 			(id3v2->version == 3 && frame->frameid == ID3V23_TIT2) ||
 			(id3v2->version == 4 && frame->frameid == ID3V24_TIT2))
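Review bot: The new `if (!frame)` guard makes the loop tolerate a NULL slot in `id3v2->items[]`, but the patch neither explains nor fixes how such a slot is produced. Tag frames are parsed from media files, so this is input-driven; the code that fills `items[]` is not in this patch, and it would be worth making it keep the item count in step with the slots it actually fills, with this check kept as a second line of defence. The same applies to the matching guard in the id3v2.c hunk. A comment above the check, for example `/* items[] may hold NULL slots (presumably a frame the parser gave up on); skip them */`, would record why it is needed. The loop and its enclosing function start and end outside the hunk.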
--- xmms-scrobbler-0.3.8.1.orig/tags/id3v2.c
+++ xmms-scrobbler-0.3.8.1/tags/id3v2.c
@@ -701,9 +701,11 @@
 		framedata_t *frame;
 		
 		frame = id3v2->items[i];
-		free(frame->flags);
-		free(frame->data);
-		free(frame);
+		if (frame) {
+			free(frame->flags);
+			free(frame->data);
+			free(frame);
+		}
 	}
 	free(id3v2->items);
 	free(id3v2);
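Review bot: `id3v2->items[i]` is still read without any check of `id3v2->items` itself. The Valgrind address 0xC on i386 would fit either a NULL `frame` with `flags` at offset 12 or a NULL `items` with `i == 3`, and the patch covers only the first reading. If this cleanup path can see a partially built structure, which the NULL frames suggest but the hunk does not show, wrapping the loop in `if (id3v2->items != NULL)` would cover the second. The loop header and the start of the function are outside the hunk, so whether a caller already guarantees a non-NULL `items` cannot be confirmed here.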
