Merge proposal attached. Sponsor, please use the `-DVcs-Git*` upload args when building the package, as documented in https://canonical-git- ubuntu.readthedocs-hosted.com/en/latest/howto/upload.html#manual- workflow. Thanks!
** Description changed: + [ Impact ] + + GLib 2.85 (included in Ubuntu 25.10) changed the way that GStrings were copied, + adding a null byte to the end of the string [1][2]. In the subroutines + responsible for loading and saving cover art, Rhythmbox <3.4.9 did not allocate + enough memory when creating GStrings [3]. This caused a buffer overflow, crashing + Rhythmbox on several possible allocator assertions: + + % rhythmbox + malloc(): invalid next size (unsorted) + [1] 64949 IOT instruction (core dumped) rhythmbox + + Fatal glibc error: malloc.c:2610 (sysmalloc): assertion failed: (old_top == initial_top (av) && old_size == 0) || ((unsigned long) (old_size) >= MINSIZE && prev_inuse (old_top) && ((unsigned long) old_end & (pagesize - 1)) == 0) + Aborted (core dumped) + + Users are unable to use Rhythmbox with certain cover art. This bug has been + reported to Ubuntu twice. + + The bug was reported upstream in [4] and fixed in [5]. + + [1] https://gitlab.gnome.org/GNOME/glib/-/commit/b9d27192229fc9be3299a47f5ebd4a3163073a0c + [2] https://bbs.archlinux.org/viewtopic.php?pid=2266072#p2266072 + [3] https://gitlab.gnome.org/GNOME/rhythmbox/-/issues/2118 + [4] https://gitlab.gnome.org/GNOME/rhythmbox/-/issues/2118 + [5] https://gitlab.gnome.org/GNOME/rhythmbox/-/commit/741ac2167dda6b685ada5fd92b67c9e3aa5d685b + + [ Test Plan ] + + The attached python script (`png-gen.py`) can be used to generate a png album + cover (`comp0.png`, also attached) which has reliably caused crashes in two + test environments. + + To cause the crash, import an audio file or directory of audio files to + Rhythmbox. Right click a track, select Properties > Album Art > Browse and + select `comp0.png`. + + Expected behavior: Rhythmbox loads the new album cover. + + Actual behavior: Rhythmbox crashes with SIGABRT. + + If Rythmbox does not crash, play the track with the new album cover. Repeated + restarts of Rhythmbox on the command line may produce the following error + messages: + + % rhythmbox + malloc(): invalid next size (unsorted) + [1] 64949 IOT instruction (core dumped) rhythmbox + + Fatal glibc error: malloc.c:2610 (sysmalloc): assertion failed: (old_top == initial_top (av) && old_size == 0) || ((unsigned long) (old_size) >= MINSIZE && prev_inuse (old_top) && ((unsigned long) old_end & (pagesize - 1)) == 0) + Aborted (core dumped) + + The patch will be verified if Rythmbox can load and play tracks with the + `comp0.png` album cover. + + [ Where problems could occur ] + + The patch replaces GString with GBytes in the three locations where the bug + exists. If the patch is bad or incorrect, we should expect to see failures + loading and saving album art (see "Other Information"). + + No commits on upstream master since the fix landed have modified the upstream + patch. + + [ Other information ] + + The patch modifies three functions, all of them used for saving album art: + - `store_external_art_cb` + - `do_load_request`, called by `rb_ext_db_request`, which is only ever called + with an `art_store` as its first parameter. + - `do_store_request`, called by `maybe_start_store_request`, which takes a + `RBExtDB` as its only parameter. `RBExtDB` appears only to be used in the + context of storing album art. + + [ Original Description ] + After upgrading to Ubuntu 25.10, rhythmbox consistenly crashes when I start podcast streams from one specific source (https://podcasts.apple.com/us/podcast/nieuwe-feiten/id1346567686?uo=4). Streaming episodes from this source works fine in the browser and in the gnome Podcasts app. It even works in rhtyhmbox if I search for the podcast in Categories/Search WITHOUT subscribing to it. The moment I add it, the player starts crashing again. When I start rhythmbox from the command line, I consistently get the following message when the player crashes: Fatal glibc error: malloc.c:2610 (sysmalloc): assertion failed: (old_top == initial_top (av) && old_size == 0) || ((unsigned long) (old_size) >= MINSIZE && prev_inuse (old_top) && ((unsigned long) old_end & (pagesize - 1)) == 0) Aborted (core dumped) According to https://bbs.archlinux.org/viewtopic.php?id=308581, the issue is likely more related to glibc than rhythmbox. On a side note, the version currently available as a snap package appears to be unaffected by this bug. But then it misses certain plug- ins so it is not really a replacement. ProblemType: Bug DistroRelease: Ubuntu 25.10 Package: rhythmbox 3.4.8-1ubuntu2 ProcVersionSignature: Ubuntu 6.17.0-6.6-generic 6.17.1 Uname: Linux 6.17.0-6-generic x86_64 NonfreeKernelModules: nvidia_modeset nvidia ApportVersion: 2.33.1-0ubuntu3 Architecture: amd64 CasperMD5CheckResult: pass CurrentDesktop: ubuntu:GNOME Date: Wed Nov 5 16:45:10 2025 InstallationDate: Installed on 2025-05-09 (180 days ago) InstallationMedia: Ubuntu 25.04 "Plucky Puffin" - Release amd64 (20250415.3) ProcEnviron: LANG=en_US.UTF-8 PATH=(custom, no user) SHELL=/bin/bash TERM=xterm-256color XDG_RUNTIME_DIR=<set> SourcePackage: rhythmbox UpgradeStatus: Upgraded to questing on 2025-10-30 (6 days ago) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2130733 Title: rhythmbox crashes when loading cover art To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/rhythmbox/+bug/2130733/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
