From gpalmer@orion.webspan.net  Fri Dec 27 14:36:10 1996
Received: from mail.webspan.net (mail.webspan.net [206.154.70.7])
          by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id OAA11600
          for <freebsd-gnats-submit@freebsd.org>; Fri, 27 Dec 1996 14:36:08 -0800 (PST)
Received: from orion.webspan.net (orion.webspan.net [206.154.70.5]) 
          by mail.webspan.net (8.7.5/8.7.3) with ESMTP id RAA09728
          for <freebsd-gnats-submit@freebsd.org>; Fri, 27 Dec 1996 17:35:17 -0500 (EST)
Received: from orion.webspan.net (localhost [127.0.0.1]) 
          by orion.webspan.net (8.8.3/8.7.3) with ESMTP id RAA03717
          for <freebsd-gnats-submit@freebsd.org>; Fri, 27 Dec 1996 17:35:16 -0500 (EST)
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.18]) 
          by mail.webspan.net (8.7.5/8.7.3) with ESMTP id TAA04915
          for <gpalmer@webspan.net>; Thu, 26 Dec 1996 19:44:32 -0500 (EST)
Received: from hydrogen.nike.efn.org (resnet.uoregon.edu [128.223.170.28])
          by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id QAA21489
          for <FreeBSD-gnats@freefall.FreeBSD.org>; Thu, 26 Dec 1996 16:44:05 -0800 (PST)
Received: (from jmg@localhost)
          by hydrogen.nike.efn.org (8.8.4/8.8.4)
	  id QAA28028; Thu, 26 Dec 1996 16:44:03 -0800 (PST)
Message-Id: <199612270044.QAA28028@hydrogen.nike.efn.org>
Date: Thu, 26 Dec 1996 16:44:03 -0800 (PST)
From: John-Mark Gurney <jmg@hydrogen.nike.efn.org>
Reply-To: gurney_j@efn.org
To: FreeBSD-gnats@freefall.freebsd.org
Subject: cdcontrol can read too many toc entries if track numbers are large
X-Send-Pr-Version: 3.2

>Number:         2303
>Category:       bin
>Synopsis:       cdcontrol can read too many toc entries if track numbers are large
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Dec 27 14:40:00 PST 1996
>Closed-Date:    Tue Mar 25 19:30:20 PST 1997
>Last-Modified:  Tue Mar 25 19:30:51 PST 1997
>Originator:     John-Mark Gurney
>Release:        FreeBSD 2.2-960801-SNAP i386
>Organization:
Cu Networking
>Environment:

pretty much any version of cdcontrol...

plus a cd such as Nine Inch Nails' Broken cd which has track numbers 1 to 153 (yes that is 153)...
	

>Description:

basically it blindly uses the start and ending track numbers to see how many toc entries exist... but from the looks of it (I'm not completely sure on this) there can only be a total of 100, no more...

if you try to read more it returns an error... basically meaning any cd that has more than 99 (plus the last whole cd track number 170) it makes the cd unplayable....

at first I thought it was because the buffer (hard coded to 100) wasn't big enough.. but then I added code to dynamically allocate it but it didn't fix the problem...

if you would like example toc_header output of a failed case I can send the info to you... 
	

>How-To-Repeat:

put a cd that has more than 99 playable tracks in the cd drive and use cdcontrol to get info on it... or play it...  it fails...
	

>Fix:
	
apply this fix... it basically checks to see if there are more than 99 tracks reported.. and if so, reduces the number of tracks down to 99...

open_cd already does the checking for a valid fd, and returns appropriately...  the check before open_cd is called isn't needed... also move all the open_cd calls into one place...  to reduce code duplication...

the last two hunks are the ones that fix the above bug... the rest are consolidating the open_cd code...

Index: cdcontrol.c
===================================================================
RCS file: /usr/cvs/src/usr.sbin/cdcontrol/cdcontrol.c,v
retrieving revision 1.13
diff -c -r1.13 cdcontrol.c
*** cdcontrol.c	1996/06/25 21:01:27	1.13
--- cdcontrol.c	1996/12/27 00:39:02
***************
*** 246,282 ****
  
  	switch (cmd) {
  
  	case CMD_QUIT:
  		exit (0);
  
  	case CMD_INFO:
- 		if (fd < 0 && ! open_cd ())
- 			return (0);
- 
  		return info (arg);
  
  	case CMD_STATUS:
- 		if (fd < 0 && ! open_cd ())
- 			return (0);
- 
  		return pstatus (arg);
  
  	case CMD_PAUSE:
- 		if (fd < 0 && ! open_cd ())
- 			return (0);
- 
  		return ioctl (fd, CDIOCPAUSE);
  
  	case CMD_RESUME:
- 		if (fd < 0 && ! open_cd ())
- 			return (0);
- 
  		return ioctl (fd, CDIOCRESUME);
  
  	case CMD_STOP:
- 		if (fd < 0 && ! open_cd ())
- 			return (0);
- 
  		rc = ioctl (fd, CDIOCSTOP);
  
  		(void) ioctl (fd, CDIOCALLOW);
--- 246,287 ----
  
  	switch (cmd) {
  
+ 		/* the following commands need the cd open, so open it, or at
+ 		    least try */
+ 	case CMD_VOLUME:
+ 	case CMD_PLAY:
+ 	case CMD_CLOSE:
+ 	case CMD_EJECT:
+ 	case CMD_DEBUG:
+ 	case CMD_RESET:
+ 	case CMD_STOP:
+ 	case CMD_RESUME:
+ 	case CMD_PAUSE:
+ 	case CMD_STATUS:
+ 	case CMD_INFO:
+ 		if (! open_cd ())
+ 			return (0);
+ 		break;
+ 	}
+ 
+ 	switch (cmd) {
+ 
  	case CMD_QUIT:
  		exit (0);
  
  	case CMD_INFO:
  		return info (arg);
  
  	case CMD_STATUS:
  		return pstatus (arg);
  
  	case CMD_PAUSE:
  		return ioctl (fd, CDIOCPAUSE);
  
  	case CMD_RESUME:
  		return ioctl (fd, CDIOCRESUME);
  
  	case CMD_STOP:
  		rc = ioctl (fd, CDIOCSTOP);
  
  		(void) ioctl (fd, CDIOCALLOW);
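Review bot: The guard `if (! open_cd ())` in the new first switch is only safe if open_cd() returns success without reopening when fd is already valid; the old `fd < 0 &&` test made that explicit at each call site, so the comment above the case list should state the dependency. The list also has to be kept in step with the second switch by hand: a command added later that uses fd but is left out of the first list reaches ioctl with fd < 0. Listing the commands that do not need the device (CMD_QUIT is the one visible here) and opening for everything else would fail safe.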
***************
*** 284,292 ****
  		return (rc);
  
  	case CMD_RESET:
- 		if (fd < 0 && ! open_cd ())
- 			return (0);
- 
  		rc = ioctl (fd, CDIOCRESET);
  		if (rc < 0)
  			return rc;
--- 289,294 ----
***************
*** 295,303 ****
  		return (0);
  
  	case CMD_DEBUG:
- 		if (fd < 0 && ! open_cd ())
- 			return (0);
- 
  		if (! strcasecmp (arg, "on"))
  			return ioctl (fd, CDIOCSETDEBUG);
  
--- 297,302 ----
***************
*** 309,317 ****
  		return (0);
  
  	case CMD_EJECT:
- 		if (fd < 0 && ! open_cd ())
- 			return (0);
- 
  		(void) ioctl (fd, CDIOCALLOW);
  		rc = ioctl (fd, CDIOCEJECT);
  		if (rc < 0)
--- 308,313 ----
***************
*** 319,327 ****
  		return (0);
  
  	case CMD_CLOSE:
- 		if (fd < 0 && ! open_cd ())
- 			return (0);
- 
  		(void) ioctl (fd, CDIOCALLOW);
  		rc = ioctl (fd, CDIOCCLOSE);
  		if (rc < 0)
--- 315,320 ----
***************
*** 331,339 ****
  		return (0);
  
  	case CMD_PLAY:
- 		if (fd < 0 && ! open_cd ())
- 			return (0);
- 
  		while (isspace (*arg))
  			arg++;
  
--- 324,329 ----
***************
*** 349,357 ****
  		return (0);
  
  	case CMD_VOLUME:
- 		if (fd < 0 && !open_cd ())
- 			return (0);
- 
  		if (! strncasecmp (arg, "left", strlen(arg)))
  			return ioctl (fd, CDIOCSETLEFT);
  
--- 339,344 ----
***************
*** 393,398 ****
--- 380,387 ----
  		return (rc);
  
  	n = h.ending_track - h.starting_track + 1;
+ 	if(n>99)
+ 		n=99;
  	rc = read_toc_entrys ((n + 1) * sizeof (struct cd_toc_entry));
  
  	if (rc < 0)
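Review bot: `if(n>99) n=99;` bounds n only from above; if the header returns ending_track below starting_track, n is zero or negative and `(n + 1) * sizeof (struct cd_toc_entry)` reaches read_toc_entrys as a zero or out-of-range length. Add a lower-bound check that returns an error, and replace the literal 99 with a named constant tied to the 100-entry buffer mentioned in the report, since n + 1 must not exceed it. Spacing should follow the file's `if (rc < 0)` style.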
***************
*** 742,747 ****
--- 731,738 ----
  	}
  
  	n = h.ending_track - h.starting_track + 1;
+ 	if(n>99)
+ 		n=99;
  	rc = read_toc_entrys ((n + 1) * sizeof (struct cd_toc_entry));
  	if (rc < 0)
  		return (rc);
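Review bot: The clamp here is a second copy of the one in the previous hunk; computing the entry count in one helper used by both callers keeps the limit from diverging. Neither copy tells the user that the header reported more tracks than will be read, so a warning when n is reduced would make the truncation visible instead of silent.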
	

>Release-Note:
>Audit-Trail:

From: John-Mark Gurney <jmg@nike.efn.org>
To: freebsd-gnats-submit@freefall.FreeBSD.org
Cc:
Subject: bin/2303 can be closed when kern/2402 has been committed...
Date: Thu, 9 Jan 1997 14:50:37 -0800 (PST)

 basically the patch in kern/2423 will fix the main thrust behind bin/2303...
 
 the patch in kern/2423 fixes the problem as it wasn't the fault of
 cdcontrol but of the cdrom drive...  I'm not sure if the patch will
 compile under -current, but the patches are relative to -current... I'm
 running 960801-SNAP (my main server is also my development machine) so I
 can't compile the -current kernel sources until I do an upgrade...  from
 the looks of it... cd.c hasn't changed enough so the patches should be a
 problem... 
 
 also.. right now the patch requires that you add "options CD_BCD_HACK" to
 the kernel for my modes to be incorporated...  then you need to edit
 scsiconf.c to add the option CD_Q_BCD_TRACKS to the quirk entry before the
 code will even run on a cdrom drive...  it also doesn't impact how my
 other 'normal' cdrom drive works...
 
 if you have any questions... just ask... and I'll give all the info you
 need...
 
 
 John-Mark
 
 gurney_j@efn.org
 http://resnet.uoregon.edu/~gurney_j/
 Modem/FAX: (541) 683-6954   (FreeBSD Box)
 
 Live in Peace, destroy Micro$oft, support free software, run FreeBSD (unix)
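
Added example, not part of the original PR, cdcontrol, or the kern/2423 patch: a bounds-checked TOC entry count that rejects an implausible header instead of clamping it. It assumes the quirk name CD_Q_BCD_TRACKS means the drive reports track numbers in packed BCD, in which case the 153 quoted in the report is 0x99, i.e. track 99; the function names and sample values are constructed for illustration.

```c
#include <stdio.h>

#define MAX_TRACKS 99	/* highest track number an audio CD can carry */

/* Decode one packed-BCD byte; -1 if a nibble is not a decimal digit. */
static int bcd_to_bin(unsigned v)
{
	unsigned hi = (v >> 4) & 0xF, lo = v & 0xF;

	if (v > 0xFF || hi > 9 || lo > 9)
		return -1;
	return (int)(hi * 10 + lo);
}

/*
 * Number of TOC entries for tracks first..last (lead-out not counted).
 * bcd != 0 means the drive is assumed to report track numbers in BCD.
 * Returns -1 for a header that cannot be valid, so the caller never
 * sizes a read from an unchecked difference of two device values.
 */
static int toc_entry_count(unsigned first, unsigned last, int bcd)
{
	int f = bcd ? bcd_to_bin(first) : (int)first;
	int l = bcd ? bcd_to_bin(last) : (int)last;

	if (f < 1 || l < f || l > MAX_TRACKS)
		return -1;
	return l - f + 1;
}

int main(void)
{
	/* Constructed header values using the numbers quoted in the report. */
	printf("1..153 read as binary: %d\n", toc_entry_count(1, 153, 0));
	printf("1..153 read as BCD:    %d\n", toc_entry_count(1, 153, 1));
	printf("ending < starting:     %d\n", toc_entry_count(5, 3, 0));
	return 0;
}
```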
 
State-Changed-From-To: open->closed 
State-Changed-By: mpp 
State-Changed-When: Tue Mar 25 19:30:20 PST 1997 
State-Changed-Why:  
Duplicate of PR# 2423. 
>Unformatted:
John-Mark Gurney
