libxmp / libxmp

Libxmp is a library that renders module files to PCM data.

[Android?] strncpy: detected read past end of 26-byte buffer #297

Closed LossyDragon closed 3 years ago

LossyDragon commented 3 years ago

Affected module: http://futurecrew.com/skaven/song_files/qualityt_bmm.it

I managed to catch a crash with this module using the latest commits up to https://github.com/libxmp/libxmp/commit/c39084e2aa0f943ed983ad0c8c72cb65044d49ef

I don't have much information at this time, but I figured I'd post about it to look into it more. The libs compiled for the current Play Store version of Xmp Android (libxmp 4.4.1) don't crash on it. So it could be a change with libxmp or a compiler issue for Android?

I see it scans to test modules, but crashes on/after "Warning: load format: Impulse Tracker".

Note: I have Crashlytics for my personal test builds and it's uploading crashes saying it's caused by linux-gate.so.1 (I don't have debug symbols uploaded, so that's all the info it's giving me).


```
2021-01-14 08:55:37.175 14251-14360/org.helllabs.android.xmp D/libxmp: Warning: path = /sdcard/mod/qualityt_bmm.it
2021-01-14 08:55:37.178 14251-14360/org.helllabs.android.xmp D/libxmp: Warning: load
2021-01-14 08:55:37.179 14251-14360/org.helllabs.android.xmp D/libxmp: Warning: test Fast Tracker II
2021-01-14 08:55:37.179 14251-14360/org.helllabs.android.xmp D/libxmp: Warning: test Amiga Protracker/Compatible
2021-01-14 08:55:37.179 14251-14360/org.helllabs.android.xmp D/libxmp: Warning: test Startrekker
2021-01-14 08:55:37.179 14251-14360/org.helllabs.android.xmp D/libxmp: Warning: test Soundtracker
2021-01-14 08:55:37.179 14251-14360/org.helllabs.android.xmp D/libxmp: Warning: test Impulse Tracker
2021-01-14 08:55:37.179 14251-14360/org.helllabs.android.xmp D/libxmp: Warning: load format: Impulse Tracker

    --------- beginning of crash
2021-01-14 09:15:50.589 14901-15318/org.helllabs.android.xmp A/libc: FORTIFY: strncpy: detected read past end of 26-byte buffer
2021-01-14 09:15:50.620 14901-15318/org.helllabs.android.xmp A/libc: Fatal signal 6 (SIGABRT), code -6 (SI_TKILL) in tid 15318 (Play Thread), pid 14901 (abs.android.xmp)
2021-01-14 09:15:50.709 15322-15322/? A/DEBUG: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
2021-01-14 09:15:50.709 15322-15322/? A/DEBUG: Build fingerprint: 'google/sdk_gphone_x86_arm/generic_x86_arm:11/RSR1.201013.001/6903271:userdebug/dev-keys'
2021-01-14 09:15:50.709 15322-15322/? A/DEBUG: Revision: '0'
2021-01-14 09:15:50.709 15322-15322/? A/DEBUG: ABI: 'x86'
2021-01-14 09:15:50.711 15322-15322/? A/DEBUG: Timestamp: 2021-01-14 09:15:50-0600
2021-01-14 09:15:50.711 15322-15322/? A/DEBUG: pid: 14901, tid: 15318, name: Play Thread  >>> org.helllabs.android.xmp <<<
2021-01-14 09:15:50.711 15322-15322/? A/DEBUG: uid: 10156
2021-01-14 09:15:50.711 15322-15322/? A/DEBUG: signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr --------
2021-01-14 09:15:50.711 15322-15322/? A/DEBUG: Abort message: 'FORTIFY: strncpy: detected read past end of 26-byte buffer'
2021-01-14 09:15:50.711 15322-15322/? A/DEBUG:     eax 00000000  ebx 00003a35  ecx 00003bd6  edx 00000006
2021-01-14 09:15:50.711 15322-15322/? A/DEBUG:     edi efc4081e  esi c051a280
2021-01-14 09:15:50.711 15322-15322/? A/DEBUG:     ebp f2068b90  esp c051a228  eip f2068b99
2021-01-14 09:15:50.780 15322-15322/? A/DEBUG: backtrace:
2021-01-14 09:15:50.780 15322-15322/? A/DEBUG:       #00 pc 00000b99  [vdso] (__kernel_vsyscall+9)
2021-01-14 09:15:50.781 15322-15322/? A/DEBUG:       #01 pc 0005ad68  /apex/com.android.runtime/lib/bionic/libc.so (syscall+40) (BuildId: 6e3a0180fa6637b68c0d181c343e6806)
2021-01-14 09:15:50.781 15322-15322/? A/DEBUG:       #02 pc 00076511  /apex/com.android.runtime/lib/bionic/libc.so (abort+209) (BuildId: 6e3a0180fa6637b68c0d181c343e6806)
2021-01-14 09:15:50.781 15322-15322/? A/DEBUG:       #03 pc 000a4667  /apex/com.android.runtime/lib/bionic/libc.so (__fortify_fatal(char const*, ...)+55) (BuildId: 6e3a0180fa6637b68c0d181c343e6806)
2021-01-14 09:15:50.781 15322-15322/? A/DEBUG:       #04 pc 000a5366  /apex/com.android.runtime/lib/bionic/libc.so (__strncpy_chk2+150) (BuildId: 6e3a0180fa6637b68c0d181c343e6806)
2021-01-14 09:15:50.781 15322-15322/? A/DEBUG:       #05 pc 000386e2  /data/app/~~Sp-g6P8tyG-FhMFFXRI20g==/org.helllabs.android.xmp-Gksf8Iuv0ZDzGzagP1b9qA==/lib/x86/libxmp-jni.so (BuildId: c3b83f921b3e5ec29be6bd16cc2008d10b3b0475)
2021-01-14 09:15:50.781 15322-15322/? A/DEBUG:       #06 pc 000194fb  /data/app/~~Sp-g6P8tyG-FhMFFXRI20g==/org.helllabs.android.xmp-Gksf8Iuv0ZDzGzagP1b9qA==/lib/x86/libxmp-jni.so (BuildId: c3b83f921b3e5ec29be6bd16cc2008d10b3b0475)
2021-01-14 09:15:50.781 15322-15322/? A/DEBUG:       #07 pc 00018bd4  /data/app/~~Sp-g6P8tyG-FhMFFXRI20g==/org.helllabs.android.xmp-Gksf8Iuv0ZDzGzagP1b9qA==/lib/x86/libxmp-jni.so (xmp_load_module+500) (BuildId: c3b83f921b3e5ec29be6bd16cc2008d10b3b0475)
2021-01-14 09:15:50.781 15322-15322/? A/DEBUG:       #08 pc 00009296  /data/app/~~Sp-g6P8tyG-FhMFFXRI20g==/org.helllabs.android.xmp-Gksf8Iuv0ZDzGzagP1b9qA==/lib/x86/libxmp-jni.so (Java_org_helllabs_android_xmp_Xmp_loadModule+150) (BuildId: c3b83f921b3e5ec29be6bd16cc2008d10b3b0475)
2021-01-14 09:15:50.781 15322-15322/? A/DEBUG:       #09 pc 00142132  /apex/com.android.art/lib/libart.so (art_quick_generic_jni_trampoline+82) (BuildId: 8191579dfafff37a5cbca70f9a73020f)
2021-01-14 09:15:50.781 15322-15322/? A/DEBUG:       #10 pc 0013b922  /apex/com.android.art/lib/libart.so (art_quick_invoke_stub+338) (BuildId: 8191579dfafff37a5cbca70f9a73020f)
2021-01-14 09:15:50.781 15322-15322/? A/DEBUG:       #11 pc 001d0381  /apex/com.android.art/lib/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+241) (BuildId: 8191579dfafff37a5cbca70f9a73020f)
2021-01-14 09:15:50.781 15322-15322/? A/DEBUG:       #12 pc 00386701  /apex/com.android.art/lib/libart.so (art::interpreter::ArtInterpreterToCompiledCodeBridge(art::Thread*, art::ArtMethod*, art::ShadowFrame*, unsigned short, art::JValue*)+385) (BuildId: 8191579dfafff37a5cbca70f9a73020f)
2021-01-14 09:15:50.781 15322-15322/? A/DEBUG:       #13 pc 0037aa3e  /apex/com.android.art/lib/libart.so (bool art::interpreter::DoCall<false, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+1070) (BuildId: 8191579dfafff37a5cbca70f9a73020f)
2021-01-14 09:15:50.781 15322-15322/? A/DEBUG:       #14 pc 007a11b7  /apex/com.android.art/lib/libart.so (MterpInvokeVirtual+967) (BuildId: 8191579dfafff37a5cbca70f9a73020f)
2021-01-14 09:15:50.782 15322-15322/? A/DEBUG:       #15 pc 001357a1  /apex/com.android.art/lib/libart.so (mterp_op_invoke_virtual+33) (BuildId: 8191579dfafff37a5cbca70f9a73020f)
2021-01-14 09:15:50.782 15322-15322/? A/DEBUG:       #16 pc 000a0442  [anon:dalvik-classes2.dex extracted in memory from /data/app/~~AnatKZDGJSMPv4oObdpIHw==/org.helllabs.android.xmp-ExpQZfBS1OhgWqggSyaogw==/base.apk!classes2.dex] (org.helllabs.android.xmp.service.PlayerService$PlayRunnable.run+406)
2021-01-14 09:15:50.782 15322-15322/? A/DEBUG:       #17 pc 007a355e  /apex/com.android.art/lib/libart.so (MterpInvokeInterface+2126) (BuildId: 8191579dfafff37a5cbca70f9a73020f)
2021-01-14 09:15:50.782 15322-15322/? A/DEBUG:       #18 pc 001359a1  /apex/com.android.art/lib/libart.so (mterp_op_invoke_interface+33) (BuildId: 8191579dfafff37a5cbca70f9a73020f)
2021-01-14 09:15:50.782 15322-15322/? A/DEBUG:       #19 pc 000eb7d0  /apex/com.android.art/javalib/core-oj.jar (java.lang.Thread.run+8)
2021-01-14 09:15:50.785 15322-15322/? A/DEBUG:       #20 pc 0036fb02  /apex/com.android.art/lib/libart.so (art::interpreter::Execute(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame&, art::JValue, bool, bool) (.llvm.16375758241455872412)+370) (BuildId: 8191579dfafff37a5cbca70f9a73020f)
2021-01-14 09:15:50.786 15322-15322/? A/DEBUG:       #21 pc 00379b00  /apex/com.android.art/lib/libart.so (art::interpreter::EnterInterpreterFromEntryPoint(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame*)+176) (BuildId: 8191579dfafff37a5cbca70f9a73020f)
2021-01-14 09:15:50.786 15322-15322/? A/DEBUG:       #22 pc 0078b325  /apex/com.android.art/lib/libart.so (artQuickToInterpreterBridge+1061) (BuildId: 8191579dfafff37a5cbca70f9a73020f)
2021-01-14 09:15:50.786 15322-15322/? A/DEBUG:       #23 pc 0014220d  /apex/com.android.art/lib/libart.so (art_quick_to_interpreter_bridge+77) (BuildId: 8191579dfafff37a5cbca70f9a73020f)
2021-01-14 09:15:50.786 15322-15322/? A/DEBUG:       #24 pc 0013b922  /apex/com.android.art/lib/libart.so (art_quick_invoke_stub+338) (BuildId: 8191579dfafff37a5cbca70f9a73020f)
2021-01-14 09:15:50.786 15322-15322/? A/DEBUG:       #25 pc 001d0381  /apex/com.android.art/lib/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+241) (BuildId: 8191579dfafff37a5cbca70f9a73020f)
2021-01-14 09:15:50.786 15322-15322/? A/DEBUG:       #26 pc 0062f37c  /apex/com.android.art/lib/libart.so (art::JValue art::InvokeVirtualOrInterfaceWithJValues<art::ArtMethod*>(art::ScopedObjectAccessAlreadyRunnable const&, _jobject*, art::ArtMethod*, jvalue const*)+620) (BuildId: 8191579dfafff37a5cbca70f9a73020f)
2021-01-14 09:15:50.786 15322-15322/? A/DEBUG:       #27 pc 0062f595  /apex/com.android.art/lib/libart.so (art::JValue art::InvokeVirtualOrInterfaceWithJValues<_jmethodID*>(art::ScopedObjectAccessAlreadyRunnable const&, _jobject*, _jmethodID*, jvalue const*)+85) (BuildId: 8191579dfafff37a5cbca70f9a73020f)
2021-01-14 09:15:50.786 15322-15322/? A/DEBUG:       #28 pc 00697701  /apex/com.android.art/lib/libart.so (art::Thread::CreateCallback(void*)+1537) (BuildId: 8191579dfafff37a5cbca70f9a73020f)
2021-01-14 09:15:50.786 15322-15322/? A/DEBUG:       #29 pc 000e6974  /apex/com.android.runtime/lib/bionic/libc.so (__pthread_start(void*)+100) (BuildId: 6e3a0180fa6637b68c0d181c343e6806)
2021-01-14 09:15:50.786 15322-15322/? A/DEBUG:       #30 pc 00078567  /apex/com.android.runtime/lib/bionic/libc.so (__start_thread+71) (BuildId: 6e3a0180fa6637b68c0d181c343e6806)
2021-01-14 09:15:51.129 279-279/? E/tombstoned: Tombstone written to: /data/tombstones/tombstone_04
```
LossyDragon commented 3 years ago

The crash is coming from here https://github.com/libxmp/libxmp/blob/f0ececf9f0958c30da41ae509ee5f04407c6d8a7/src/loaders/it_load.c#L1063

The song name contains the following: "Quality Time - Big Money Me", with some unknown characters between "M" and "e".

sezero commented 3 years ago

ifh.name is most possibly not nul-terminated. Maybe something like the following would fix this?

diff --git a/src/loaders/it_load.c b/src/loaders/it_load.c
index 6bba313..8cc9c33 100644
--- a/src/loaders/it_load.c
+++ b/src/loaders/it_load.c
@@ -1060,7 +1060,9 @@ static int it_load(struct module_data *m, HIO_HANDLE *f, const int start)
    hio_read(&ifh.chpan, 64, 1, f);
    hio_read(&ifh.chvol, 64, 1, f);

-   strncpy(mod->name, (char *)ifh.name, XMP_NAME_SIZE);
+   memcpy(mod->name, ifh.name, sizeof(ifh.name));
+   /* sizeof(ifh.name) == 26, sizeof(mod->name) == 64. */
+   mod->name[sizeof(ifh.name)] = '\0';
    mod->len = ifh.ordnum;
    mod->ins = ifh.insnum;
    mod->smp = ifh.smpnum;
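Review bot: the terminator store `mod->name[sizeof(ifh.name)] = '\0';` is only in bounds because the comment asserts `sizeof(mod->name) == 64` is larger than `sizeof(ifh.name) == 26`; consider turning that comment into a compile-time check against XMP_NAME_SIZE so a later change to either header cannot silently turn the write into an out-of-bounds store. Also note that `memcpy(mod->name, ifh.name, sizeof(ifh.name));` copies all 26 bytes verbatim, so any non-printable bytes in an unterminated name field (as in the reported file) now end up in mod->name rather than stopping at a NUL.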
LossyDragon commented 3 years ago

That appears to work :)

It plays and displays the following name "Quality Time - Big Money M"

LossyDragon commented 3 years ago

The first unknown character is an End of Transmission char, and the other is a Data Link Escape.

sezero commented 3 years ago

> The first unknown character is an End of Transmission char, and the other is a Data Link Escape.

The file is broken, because the name field is not nul-terminated. Look at struct it_file_header in loaders/it.h: The chars after 'M' are from the fields starting with hilite_min, hence the garbage. (That last 'e' seems like a coincidence to be human-readable.)
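The overrun described in this thread and the bounded copy in sezero's patch, as an added C example (not libxmp's own code): a stand-in header whose 26-byte name field is followed by the highlight fields, filled with constructed bytes shaped like the reported file, and a copy routine whose length is bounded by the source field instead of XMP_NAME_SIZE. The struct layout, the two size constants and the sample bytes are assumptions modelled on the discussion, not taken from it.h.

```c
#include <stdio.h>
#include <string.h>
/* Sizes the thread quotes; assumed here rather than taken from it.h / xmp.h. */
#define IT_NAME_SIZE  26
#define XMP_NAME_SIZE 64

/* Stand-in for the layout sezero describes: the 26-byte name is immediately
 * followed by hilite_min etc., so an unterminated name reads straight into them. */
struct it_header_stub {
    unsigned char name[IT_NAME_SIZE];
    unsigned char hilite_min, hilite_maj;
    unsigned char rest[4];
};
/* Constructed header shaped like the reported file: 26 non-NUL name bytes, then
 * EOT (0x04) and DLE (0x10) from the following fields, then an 'e'. */
void build_report_header(struct it_header_stub *h)
{
    memset(h, 0, sizeof *h);
    memcpy(h->name, "Quality Time - Big Money M", IT_NAME_SIZE);
    h->hilite_min = 0x04;
    h->hilite_maj = 0x10;
    h->rest[0] = 'e';
}

/* 1 if the fixed-width field contains a NUL, 0 if strncpy would overrun it. */
int it_name_is_terminated(const unsigned char *src, size_t src_size)
{
    return memchr(src, '\0', src_size) != NULL;
}

/* Bounded copy in the spirit of sezero's fix: the length is limited by the
 * source field, never by the destination alone. Returns the resulting length. */
size_t copy_it_name(char *dst, size_t dst_size, const unsigned char *src, size_t src_size)
{
    size_t n = src_size < dst_size - 1 ? src_size : dst_size - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';      /* always terminated, even when src has no NUL */
    return strlen(dst); /* shorter than n if src had an embedded NUL */
}

int main(void)
{
    struct it_header_stub h;
    char name[XMP_NAME_SIZE];
    build_report_header(&h);
    /* strncpy(name, (char *)h.name, XMP_NAME_SIZE) is the call FORTIFY aborted on. */
    copy_it_name(name, sizeof name, h.name, sizeof h.name);
    printf("terminated=%d name=\"%s\"\n", it_name_is_terminated(h.name, sizeof h.name), name);
    return 0;
}
```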