Debian Patches
Status for id3lib3.8.3/3.8.3-23
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| 00-add-libz-to-compilation.patch | This patch was first introduced in version 3.8.3-3. It fixes http://bugs.debian.org/208672 | | no | | | |
| 05-create-m4-directory.patch | Create a local m4 subdirectory | | no | | | |
| 10-fix-compilation-with-cpp-headers.patch | This patch imports the proper C++ headers | | no | | | |
| 15-fix-headers-of-main-functions.patch | This patch fixes some function headers in demo code used during 'make check' | | no | | | |
| 20-create-manpages.patch | This patch adds debian-made man pages | | no | | | |
| 30-fix-utf16.patch | Patch from 'Spoon' to fix issues with writing certain unicode characters | | no | | | |
| 31-fix-utf16-stringlists.patch | This patch fixes tag corruption after pipe characters. | Urs Fleisch <urs.fleisch@gmail.com> | no | | | |
| 40-deal-with-mkstemp.patch | This patch fixes an issue where temporary files were created in an insecure way. It was first introduced in version 3.8.3-7 and fixes http://bugs.debian.org/438540 | | no | | | |
| 50-remove-outdated-check.patch | We don't actually need iomanip.h | | no | | | |
| 60-id3lib-missing-nullpointer-check.patch | This patch adds a check for a null pointer | | no | | | |
| 60-add-c-wrapper-functions.patch | This patch adds C wrapper functions for field encoding. It was first introduced in version 3.8.3-8 and fixes http://bugs.debian.org/281292 | | no | | | |
| 60-fix_make_check.patch | This patch fixes some function headers and imports in order for 'make check' to work. It was first introduced in version 3.8.3-9 | | no | | | |
| 60-spelling.patch | This patch fixes some minor spelling mistakes | | no | | | |
| 61-fix_vbr_stack_smash.patch | Fix crashes when reading VBR MP3 file. | Urs Fleisch | invalid | | upstream, http://sourceforge.net/tracker/?func=detail&aid=937707&group_id=979&atid=300979 | |
| 62-remove-remote-icons.patch | This patch removes two icons from the documentation which would be loaded from remote servers, thereby exposing the reader's IP address to potential tracking (lintian keywords privacy-breach-logo and privacy-breach-w3c-valid-html). | Stefan Ott <stefan@ott.net> | no | | | |
| 65-fix-compiler-warnings.patch | Fix two compiler warnings in the upstream sources. field_binary.cpp ignored the return value of fread() (-Wunused-result); evaluate it and pass the number of bytes actually read to Set(), which also avoids handing uninitialised buffer bytes to Set() on a short read. header_frame.cpp assigned a string literal to a non-const char pointer (-Wwrite-strings); make the pointer const, matching the const char* return type of the function. | Martin A. Godisch <godisch@debian.org> | no | | | 2026-06-16 |
| 66-do-not-build-bundled-zlib.patch | Do not configure or build the bundled zlib copy. id3lib bundles an ancient zlib under zlib/. On Debian the library is always linked against the system zlib (Build-Depends: zlib1g-dev, 00-add-libz-to-compilation.patch), so ID3_NEEDZLIB is false and the bundled copy is never built. However, configure.in called AC_CONFIG_SUBDIRS(zlib) unconditionally, so the top-level configure always recursed into the bundled zlib/configure, which fails to configure with current toolchains. Drop the unused bundled zlib from the build system entirely; the system zlib link path (ID3_NEEDZLIB else -lz) is unaffected. | Martin A. Godisch <godisch@debian.org> | no | | | 2026-06-16 |
| 67-fix-utf8-text-encoding.patch | Treat ID3TE_UTF8 as a single-byte encoding in text fields. id3lib's text-field read/write dispatch and the single-byte accessors only special-cased ID3TE_ASCII and routed every other encoding through the UTF-16 helpers. As a result UTF-8 text frames (ID3TE_UTF8) were written via the UTF-16 writer: a spurious byte-order mark was prepended and the UTF-8 bytes were paired and byte-swapped, producing a corrupt frame that was mislabelled as UTF-8 and could not be read back. id3lib already models UTF-8 as a single-byte encoding (ID3TE_IS_SINGLE_BYTE_ENC, ID3_IS_ASCII), and the ID3TE_ASCII alias is explicitly documented as "do not use this -> use ID3TE_IS_SINGLE_BYTE_ENC(enc) instead". Use that predicate consistently in the dispatch, the accessors and the fixed-size Clear() path, so UTF-8 text is stored and retrieved as raw UTF-8 bytes, like ISO-8859-1. ASCII/ISO-8859-1 and the UTF-16/UTF-16BE paths are left unchanged; the remaining "== ID3TE_UNICODE" comparisons (which only affect UTF-16BE) are intentionally not touched here. | Martin A. Godisch <godisch@debian.org> | no | debian | | 2026-06-17 |
| 68-fix-utf16be-text-encoding.patch | Handle ID3TE_UTF16BE as a double-byte encoding. The text-field unicode accessors (Set/Add/Get/GetRaw* in field_string_unicode.cpp), the multi-item separator, the BinSize() byte doubling and the read/write dispatch only special-cased ID3TE_UNICODE (== ID3TE_UTF16). UTF-16BE text frames (ID3TE_UTF16BE) were therefore not stored at all: a TIT2 written as UTF-16BE ended up empty. globals.h documents ID3TE_UNICODE as "do not use this -> use ID3TE_IS_DOUBLE_BYTE_ENC(enc) instead", so use that predicate for the storage/retrieval and size paths. Serialisation differs between the two double-byte encodings: UTF-16 carries a byte-order mark, UTF-16BE does not and is always big-endian. The write dispatch now asks io::writeUnicode*() to emit the BOM only for UTF-16, and writeUnicodeText() was restructured so the (always big-endian) code units are written regardless of the BOM flag. On read, UTF-16BE has no BOM and is big-endian, so the byte pairs are swapped into id3lib's host-order internal representation. ID3TE_UNICODE/UTF-16 (BOM, with the string-list BOM reinsertion of 31-fix-utf16-stringlists.patch) and the single-byte paths are unchanged. The BinSize() BOM accounting stays UTF-16-only. Known limitation: id3lib keeps unicode text internally in host byte order and reuses the existing (host-order) UTF-16 code-unit emission for UTF-16BE. The read path therefore swaps the byte pairs unconditionally, which is only correct on little-endian hosts (amd64, arm64, ...). On big-endian release architectures (e.g. s390x) the UTF-16BE round-trip is not byte-correct. This is still strictly better than the previous behaviour, where UTF-16BE text was silently dropped, and it is not regression-tested upstream; the new debian/tests round-trip check exercises this path so the limitation becomes visible on a big-endian buildd instead of failing silently. A fully endianness-independent rewrite is out of scope for this minimal fix. | Martin A. Godisch <godisch@debian.org> | no | debian | | 2026-06-17 |
| 69-fix-bool-typedef-c23.patch | Fix C23 compilation of the installed C headers (bool typedef). In C23, bool/true/false are keywords, so the unconditional "typedef int bool;" in the C (non-C++) path of globals.h is a hard error. Because id3.h pulls in globals.h, the installed headers can no longer be included from C23 code, which becomes the GCC 15 default. Use <stdbool.h> from C99 onwards and keep the legacy typedef only as a fallback for pre-C99 compilers. As a side effect this aligns the C view of the public ABI with the library itself, which is built as C++: bool members (e.g. in Mp3_Headerinfo) and bool-returning functions previously appeared as 4-byte int to C consumers, while the compiled library uses the (typically 1-byte) C++ bool. stdbool.h's _Bool matches that layout on the relevant ABIs and also normalises bool-returning function results, so no SONAME change is required. | Martin A. Godisch <godisch@debian.org> | yes | debian upstream | | 2026-06-19 |
| 70-warn-on-unsupported-id3v2-version.patch | Optionally emit a notice for unsupported ID3v2 tag versions. id3lib only fully supports ID3v2.3.0 and earlier (ID3V2_LATEST). When the tag header reports a higher or unrecognised v2 version (e.g. ID3v2.4), the tag cannot be parsed correctly and is discarded without any indication, so a caller cannot tell an unsupported tag from a missing one. A shared library must not write to stderr unsolicited, and ID3v2.4 tags are very common in the wild, so the notice is made opt-in: it is printed only when the ID3LIB_WARN_UNSUPPORTED environment variable is set. By default the library stays completely silent, preserving the previous behaviour for all existing callers. This does NOT add ID3v2.4 parsing and does not change any parsing behaviour; it only makes the unsupported-version situation observable on demand. Related to Debian bug #449186, which is intentionally kept open: full ID3v2.4 support is out of scope for this change. | Martin A. Godisch <godisch@debian.org> | not-needed | debian | | 2026-06-20 |
| 71-preserve-file-owner-on-rewrite.patch | Preserve file owner and group when rewriting a file. When an ID3v2 tag has to be prepended or grown, id3lib cannot update the file in place: RenderV2ToFile() writes the new tag plus the audio data to a temporary file and rename(2)s it over the original. The replacement file is a new inode and was left owned by the current process, so e.g. the file's group could change silently (the symptom reported in Debian bug #630957). The existing code already restored the mode via chmod(2) but not the ownership. Restore the original owner and group with chown(2) as well, right before the chmod(2). This follows the approach suggested by the maintainer in the bug log. chown(2) is best-effort: an unprivileged caller may not be permitted to restore the owner (or a group it is not a member of), in which case the previous behaviour is kept rather than failing the whole update, so there is no regression. In the common case (the caller is a member of the original group) the group is now preserved. The chown(2) is done before the chmod(2) because chown(2) may clear the set-user-ID and set-group-ID bits. | Martin A. Godisch <godisch@debian.org> | no | debian | | 2026-06-19 |
| 72-fix-render-buffer-overflow.patch | Make ID3_Tag::Size() a safe upper bound for Render(). ID3_Tag::Render(uchar* buffer, ID3_TagType) writes the rendered tag through an ID3_MemoryWriter constructed with size -1, i.e. it performs NO bounds checking on the caller-supplied buffer. Callers are documented to size that buffer with ID3_Tag::Size(): `size_t size = tag.Size(); uchar* buffer = new uchar[size]; tag.Render(buffer);` However Size() under-reported the number of bytes Render() actually writes, so this idiom overran the heap: * id3::v2::render() always rounds the rendered v2 tag up to the next ID3_PADMULTIPLE (2048) boundary. The padding flag is effectively ignored on the render path, because the temporary ID3_TagImpl that the renderer operates on is built via ID3_TagImpl::operator=(const ID3_Tag&), which copies the unsync/extended/experimental flags but NOT _is_padded (it is reset to true by Clear()). Size(), running on the real object, honoured SetPadding(false) and could therefore report ~2048 bytes less than Render() wrote. * Even with padding enabled, Size() computed the padding from the wrong base (header + frames) while the renderer computes it from the frame size only, leaving Size() short by exactly ID3_TagHeader::SIZE (10) bytes. This change reproduces the renderer's size calculation in Size() so that it is always greater than or equal to what Render() writes, closing the heap overflow. Only the buffer-size advice changes; the bytes written by Render() and to files are unchanged (the file write path uses a growable string and does not call Size()). Note that SetPadding(false) remains effectively a no-op on the render path; fixing that would require ID3_TagImpl::operator=() to preserve _is_padded and is left as a separate, behaviour-changing fix. | Martin A. Godisch <godisch@debian.org> | not-needed | | | 2026-06-20 |
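
The rewrite sequence described for 71-preserve-file-owner-on-rewrite.patch (temporary file created with mkstemp(3), best-effort chown(2) before chmod(2), then rename(2)), as an added example that is not id3lib's code or the patch itself. `rewrite_preserving_owner`, `demo` and the `/tmp` path are hypothetical names, and the group-only chown retry is an assumption of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Hypothetical helper, not id3lib's RenderV2ToFile(): replace `path` with
 * `len` bytes via temp file + rename(2), restoring owner, group and mode. */
int rewrite_preserving_owner(const char *path, const char *data, size_t len)
{
    struct stat st;
    char tmp[4096];
    if (stat(path, &st) != 0) return -1;
    if (snprintf(tmp, sizeof tmp, "%s.XXXXXX", path) >= (int)sizeof tmp) return -1;
    int fd = mkstemp(tmp);             /* new inode, mode 0600, owned by caller */
    if (fd < 0) return -1;
    int ok = 1;
    while (ok && len > 0) {            /* cope with short writes and EINTR */
        ssize_t n = write(fd, data, len);
        if (n > 0) { data += n; len -= (size_t)n; }
        else if (n == 0 || errno != EINTR) ok = 0;
    }
    if (ok) {
        /* Best effort; the group-only retry is this example's own addition. */
        if (fchown(fd, st.st_uid, st.st_gid) != 0 &&
            fchown(fd, (uid_t)-1, st.st_gid) != 0)
            errno = 0;                 /* not permitted: keep caller's ownership */
        /* chmod after chown, because chown may clear setuid/setgid bits. */
        ok = fchmod(fd, st.st_mode & 07777) == 0;
    }
    if (close(fd) != 0) ok = 0;
    if (ok && rename(tmp, path) != 0) ok = 0;
    if (!ok) unlink(tmp);
    return ok ? 0 : -1;
}
/* Constructed demo: 0 if size, mode, uid and gid survive on a new inode. */
int demo(void)
{
    char path[] = "/tmp/rewrite_demo.XXXXXX";
    struct stat a, b;
    int fd = mkstemp(path);
    if (fd < 0 || close(fd) != 0 || chmod(path, 0640) != 0) return -1;
    if (stat(path, &a) != 0 || rewrite_preserving_owner(path, "ID3 demo", 8) != 0) return -1;
    int rc = stat(path, &b);
    unlink(path);
    return rc != 0 ? -1 : !(b.st_mode == a.st_mode && b.st_uid == a.st_uid &&
           b.st_gid == a.st_gid && b.st_size == 8 && b.st_ino != a.st_ino);
}
int main(void) { return demo(); }
```

The demo's inode comparison shows why ownership has to be restored explicitly: the renamed file is a different inode from the one that was replaced.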
