g_utf8_collate_key() segfaults when passed an invalid length
On Ubuntu mantic with libglib2.0 2.78.0-2, when I open gtkpod and click on a mounted ipod to list the songs, gtkpod segmentation faults.
It seems to be related to parsing unicode characters in artist, song title, or album name tags.
Crash in gdb:
Thread 1 "gtkpod" received signal SIGSEGV, Segmentation fault.
__GI___wcsxfrm_l (dest=0x0, src=0x0, n=0, l=0x7ffff6fff5a0 <_nl_global_locale>) at ../string/strxfrm_l.c:685
685 ../string/strxfrm_l.c: No such file or directory.
(gdb) bt
#0 __GI___wcsxfrm_l (dest=0x0, src=0x0, n=0, l=0x7ffff6fff5a0 <_nl_global_locale>) at ../string/strxfrm_l.c:685
#1 0x00007ffff70c5a5e in g_utf8_collate_key () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#2 0x00007ffff7f852ec in fuzzy_skip_prefix () at /lib/x86_64-linux-gnu/libgtkpod.so.1
#3 0x00007fffa80980ca in ??? () at /usr/lib/x86_64-linux-gnu/gtkpod/libsorttab_display.so
#4 0x00007fffa80997fd in normal_sort_tab_page_add_track () at /usr/lib/x86_64-linux-gnu/gtkpod/libsorttab_display.so
#5 0x00007fffa8099526 in normal_sort_tab_page_add_track () at /usr/lib/x86_64-linux-gnu/gtkpod/libsorttab_display.so
#6 0x00007fffa809f196 in sorttab_display_select_playlist_cb () at /usr/lib/x86_64-linux-gnu/gtkpod/libsorttab_display.so
#7 0x00007ffff718d130 in g_closure_invoke () at /lib/x86_64-linux-gnu/libgobject-2.0.so.0
#8 0x00007ffff71ba4ac in ??? () at /lib/x86_64-linux-gnu/libgobject-2.0.so.0
#9 0x00007ffff71ab9b1 in ??? () at /lib/x86_64-linux-gnu/libgobject-2.0.so.0
#10 0x00007ffff71abbd6 in g_signal_emit_valist () at /lib/x86_64-linux-gnu/libgobject-2.0.so.0
#11 0x00007ffff71abc93 in g_signal_emit () at /lib/x86_64-linux-gnu/libgobject-2.0.so.0
#12 0x00007ffff7f67e4b in gtkpod_set_current_playlist () at /lib/x86_64-linux-gnu/libgtkpod.so.1
#13 0x00007fffa807cce0 in ??? () at /usr/lib/x86_64-linux-gnu/gtkpod/libplaylist_display.so
#14 0x00007ffff708ba11 in ??? () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#15 0x00007ffff70e746f in ??? () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#16 0x00007ffff708c46f in g_main_loop_run () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#17 0x00007ffff77f61ed in gtk_main () at /lib/x86_64-linux-gnu/libgtk-3.so.0
#18 0x000055555555ea1f in main ()
I did some debugging in the downstream bug: https://bugs.launchpad.net/ubuntu/+source/glib2.0/+bug/2044420
I eventually came up with a minimal reproducer:
hello.c
#include <glib.h>
int main(int argc, char **argv) {
const gchar* badstring = "fórmula, vol. 2 (deluxe edition)"; /* "ó" occupies bytes 1-2 (0xC3 0xB3) */
gsize len = 2; /* cuts the string in the middle of the two-byte "ó" */
gchar* ret;
ret = g_utf8_collate_key(badstring, len);
g_free(ret);
return 0;
}
Makefile
all:
	cc `pkg-config --cflags glib-2.0` hello.c -g -o hello `pkg-config --libs glib-2.0`
On mantic, with:
$ apt-cache policy libglib2.0-0 | grep Installed
Installed: 2.78.0-2
$ apt-cache policy libc6 | grep Installed
Installed: 2.38-1ubuntu6
$ make
cc `pkg-config --cflags glib-2.0` hello.c -g -o hello `pkg-config --libs glib-2.0`
$ gdb hello
Program received signal SIGSEGV, Segmentation fault.
__wcslen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:76
76 ../sysdeps/x86_64/multiarch/strlen-avx2.S: No such file or directory.
(gdb) bt
#0 __wcslen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:76
#1 0x00007ffff7cd0ace in __GI___wcsxfrm_l (dest=0x0, src=0x0, n=0, l=<optimised out>) at ../string/strxfrm_l.c:676
#2 0x00007ffff7ef1a5e in g_utf8_collate_key () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#3 0x00005555555551a2 in main (argc=1, argv=0x7fffffffe118) at hello.c:8
and now on Lunar, with:
$ apt-cache policy libglib2.0-0 | grep Installed
Installed: 2.76.1-1
$ apt-cache policy libc6 | grep Installed
Installed: 2.37-0ubuntu2.1
$ make
cc `pkg-config --cflags glib-2.0` hello.c -o hello `pkg-config --libs glib-2.0`
$ gdb hello
[Inferior 1 (process 3593) exited normally]
I am still bisecting glib, but I find 2.76.x good, and 2.77.0 bad, with 2.78.0 bad. Still tracking down the change between 2.76 -> 2.77.
I also read #3168 (closed), which is similar, but not the same, and I did a build of 2.78.0 with 30e10251 but it didn't help.
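The crashing length in the reproducer lands in the middle of the two-byte "ó" (len = 2 cuts between 0xC3 and 0xB3). As an added example that is not part of this report or of GLib, the plain C below (no GLib dependency, function names are my own) shows the boundary check a caller such as a prefix-skipping routine should apply to a (string, length) pair before handing it to g_utf8_collate_key(): it walks back over UTF-8 continuation bytes so the length always ends on a complete character.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (not code from the report or from GLib). A UTF-8
 * continuation byte has the form 10xxxxxx; if the byte just past the
 * requested prefix is a continuation byte, the cut is mid-character and
 * must move back to the lead byte of that character. */

static int is_continuation(unsigned char c) { return (c & 0xC0) == 0x80; }

/* Largest n' <= n such that s[0..n') ends on a character boundary.
 * n is capped at strlen(s) so the function never reads past the
 * terminator; n is returned unchanged when it already sits on a boundary. */
size_t utf8_clamp_len(const char *s, size_t n) {
    size_t max = strlen(s);
    if (n > max) n = max;
    while (n > 0 && is_continuation((unsigned char)s[n])) n--;
    return n;
}

/* 1 if the first n bytes of s form only complete characters, else 0. */
int utf8_len_is_boundary(const char *s, size_t n) {
    return utf8_clamp_len(s, n) == n;
}

int main(void) {
    /* The report's string, with "ó" written out as its bytes C3 B3. */
    const char *s = "f\xC3\xB3rmula, vol. 2 (deluxe edition)";
    size_t len = 2; /* the length that crashed gtkpod in the report */
    if (!utf8_len_is_boundary(s, len)) {
        size_t safe = utf8_clamp_len(s, len);
        printf("len %zu splits a character; clamped to %zu\n", len, safe);
    }
    return 0;
}
```

With GLib available, g_utf8_validate_len() gives a stricter check of the prefix (it also rejects overlong and otherwise malformed sequences); the clamp above only guarantees that the cut does not fall inside a multibyte character.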