[Bug 9324] New: Mp3Tag: crash when editing the "Year" field in some cases

wine-bugs at winehq.org wine-bugs at winehq.org
Tue Aug 14 23:40:31 CDT 2007 

http://bugs.winehq.org/show_bug.cgi?id=9324

           Summary: Mp3Tag: crash when editing the "Year" field in some
                    cases
           Product: Wine
           Version: CVS
          Platform: PC
        OS/Version: Linux
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: wine-comctl32
        AssignedTo: wine-bugs at winehq.org
        ReportedBy: the_unknown at gmx.net


Created an attachment (id=7595)
 --> (http://bugs.winehq.org/attachment.cgi?id=7595)
winedbg output and backtrace after crash

wine 0.9.43 and last git version
gcc (GCC) 4.2.0 (Gentoo 4.2.0 p1.4)
Linux k8t800 2.6.22-gentoo-r3 #1 PREEMPT Tue Aug 14 17:33:41 CEST 2007 i686 AMD
Athlon(tm) 64 Processor 3500+ AuthenticAMD GNU/Linux

How to reproduce:
- download Mp3Tag v2.39 from http://www.mp3tag.de/en/download.html
- edit the date field of some OGG file with another editor (e.g. via
Properties->Meta Info in konqueror) to ensure it has more than 4 symbols in
that, e.g. "August 2007"
- open it with Mp3Tag
- select this file in the list
- place the cursor to the beginning of the string "August 2007" in the Year
field in tag panel (left panel)
- press "Delete" button
-> segfault

Relevant part of the winedbg output with some additional trace calls added by
me attached.

The problem is absent on Windows.

It seems that the maximal text length in the "year" combo box in Mp3Tag is set
to 4, but if a file with more text in the "Year" field is loaded, it is showed
in the corresponding combo box tough.
This causes a negative string length in a calculation in EDIT_EM_ReplaceSel
function in dlls/user32/edit.c:3208 and a buffer overflow later (line 3236).

I've made a patch which seems to work fine and do not cause unneeded side
effects, but I'm not very familiar with wine internals so better check it :)

I'll provide additional info if needed.


-- 
Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.

More information about the wine-bugs mailing list