Closed bryal closed 1 year ago
I've located the source of the issue. It's here: https://github.com/MusicPlayerDaemon/mpdscribble/blob/031e023273affe7b3a1c61a253befb886a50eb39/src/Scrobbler.cxx#L351-L354
In `as_md5`, called by `Scrobbler::Handshake`, a `char*` is extracted from the `std::array` resulting from calling `md5_hex`.
```cpp
buffer = md5_hex(password);
password_md5 = buffer.data();
```
This `char*` is then implicitly interpreted as a string as part of the following call to `md5_hex`.
```cpp
return md5_hex(password_md5 + timestamp);
```
The bug stems from the fact that `password_md5` is not null-terminated. Unless the memory following the end of `password_md5` just happens to be 0 at runtime, out-of-bounds reads will occur, and the returned hash will be incorrect. For me, this occurred every time I tried to handshake while MPD was detected to be playing music.
I will publish a PR with a proposed fix for this shortly.
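The non-terminated buffer problem described in the comment above, shown as an added C++ example that is not mpdscribble's code: a hypothetical `fake_md5_hex` stands in for `md5_hex` and returns a 32-char `std::array` with no trailing NUL, the buggy pointer-to-`std::string` conversion sits next to two length-preserving fixes, and `is_hex_digest` is a sanity check a caller can apply before building the handshake token. The digest value and the trailing bytes are constructed.

```cpp
#include <array>
#include <cctype>
#include <cstddef>
#include <string>
#include <string_view>

// Hypothetical stand-in for mpdscribble's md5_hex(): a std::array of 32 hex
// chars with no room for a trailing NUL (the shape the issue describes).
constexpr std::size_t kHexLen = 32;
using HexDigest = std::array<char, kHexLen>;

// Constructed sample digest; not a real hash of anything.
constexpr const char *kSampleDigest = "0123456789abcdef0123456789abcdef";

HexDigest fake_md5_hex() {
    HexDigest d{};
    std::string_view(kSampleDigest).copy(d.data(), kHexLen);
    return d;
}

// Constructed memory image: the digest immediately followed by non-zero bytes,
// standing in for whatever happened to sit after the array at runtime.
std::string make_memory_image() {
    return std::string(kSampleDigest) + "PLAYING!";
}

// Buggy pattern from the issue: the array's data() pointer is handed to a
// std::string constructor that stops only at the next NUL byte.
std::string buggy_to_string(const char *digest_ptr) {
    return std::string(digest_ptr);  // length depends on adjacent memory
}

// Fix 1: keep the known length with the pointer.
std::string fixed_to_string(const char *digest_ptr) {
    return std::string(digest_ptr, kHexLen);
}

// Fix 2: never drop to a raw pointer; convert the array together with its size.
std::string digest_to_string(const HexDigest &d) {
    return std::string(d.data(), d.size());
}

// Sanity check before building the handshake token: exactly 32 lowercase hex
// characters and nothing else. The buggy conversion fails this check.
bool is_hex_digest(std::string_view s) {
    if (s.size() != kHexLen) return false;
    for (unsigned char c : s)
        if (!std::isxdigit(c) || std::isupper(c)) return false;
    return true;
}
```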
If the music is paused in my MPD client, and I start mpdscribble, the scrobble server is successfully connected to.
If I instead try to start mpdscribble after having pressed the play button in my client, while music is playing, mpdscribble fails to handshake.
This reproduces every time I try it.
My config:
The issue occurs in mpdscribble version 0.25. My system is Arch Linux. Installed via the AUR package `mpdscribble-git`.