Bitzi Developer Discussion: Re: Bug in mp3.c (Segmentation fault)


Re: Bug in mp3.c (Segmentation fault)
Same patch as above + additional fixes. After making these changes bitcollider
was able to process my library with approximately 1100 tunes. There are still
a couple of samplerate(), mpeg_layer() and padding() function calls without
array boundary checks...

Well, that's all for the moment. Let me know what you think.


--- mp3.c	Tue Jul 31 20:49:20 2001
+++ bitcollider-0.6.0/lib/mp3.c	Mon Jul 19 15:12:24 2004
@@ -86,7 +86,7 @@
    }
 
    /* Loop through the buffer trying to find frames */
-   for(ptr = buffer, max = buffer + len; ptr < max;)
+   for(ptr = buffer, max = buffer + (len-1); ptr < max;)
    {
       /* Find the frame marker */
       if (*ptr != 0xFF || ((*(ptr + 1) & 0xF0) != 0xF0 &&
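Review bot: `max = buffer + (len-1)` keeps the `*(ptr + 1)` read in the frame-marker test from going one byte past the buffer, but the hunk shows no guard for a very short buffer: with `len == 0` the expression forms a pointer before `buffer` (and wraps to a huge bound if `len` is unsigned), so the loop still runs. Add an early `if (len < 2)` return of the function's failure value before the loop, and write the bound as `buffer + len - 1` with a comment saying the last byte is excluded because the marker test reads two bytes.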
@@ -97,8 +97,11 @@
       }
 
       /* Extract sample rate and layer from this first frame */
-      firstSampleRate = samplerate(ptr);
-      firstLayer = mpeg_layer(ptr);
+      if (((buffer+len) - ptr) > 3)
+        firstSampleRate = samplerate(ptr);
+       
+      if (((buffer+len) - ptr) > 2)
+        firstLayer = mpeg_layer(ptr);
 
       /* Check for invalid sample rates */
       if (firstSampleRate == 0)
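Review bot: when either length check fails, `firstSampleRate` and `firstLayer` silently keep whatever they held from the previous iteration (or are uninitialised on the first pass), so the `firstSampleRate == 0` test right below may accept a header that was never read. A frame whose header does not fit in the remaining bytes cannot be valid, so `break` out of the loop instead of falling through, or at least reset both to 0 in an `else` branch. The bare `3` and `2` should also be named constants, and since the same `((buffer+len) - ptr) > n` test recurs throughout this patch, a small `bytes_left >= n` helper would keep the thresholds consistent.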
@@ -108,10 +111,14 @@
       }
 
       /* Calculate the size of the frame from the header components */
-      if (mpeg_ver(ptr) == 1)
-          size = (144000 * bitrate(ptr)) / samplerate(ptr) + padding(ptr);
-      else
-          size = (72000 * bitrate(ptr)) / samplerate(ptr) + padding(ptr);
+      if (((buffer+len) - ptr) > 3)
+      {
+          if (mpeg_ver(ptr) == 1)
+              size = (144000 * bitrate(ptr)) / samplerate(ptr) + padding(ptr);
+          else
+              size = (72000 * bitrate(ptr)) / samplerate(ptr) + padding(ptr);
+      }
+
       if (size <= 1 || size > 2048)
       {
           ptr++;
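Review bot: same fall-through problem: if fewer than four bytes remain, `size` is never assigned in this iteration and the `size <= 1 || size > 2048` check that follows tests the previous frame's size, which may well pass; `ptr + size` is then used below with a stale value. Set `size = 0` in an `else` branch so the existing check rejects it, or `break`. The division by `samplerate(ptr)` is safe only because it is the same value already checked for zero as `firstSampleRate` above; keep those two reads paired if this block is ever moved.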
@@ -132,8 +139,11 @@
       /* now we have what seems to be a valid size. Let's see if there
          is a new frame with the right layer and sample rate right after
          this potential frame */
-      secondSampleRate = samplerate(ptr + size);
-      secondLayer = mpeg_layer(ptr + size);
+      if (((buffer+len) - (ptr + size)) > 3)
+         secondSampleRate = samplerate(ptr + size);
+      
+      if (((buffer+len) - (ptr + size)) > 2)
+         secondLayer = mpeg_layer(ptr + size);
 
       /*
       printf("Size: %d\n", size);
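Review bot: `(buffer+len) - (ptr + size)` first forms `ptr + size`, which can land up to 2048 bytes beyond the end of the buffer; pointer arithmetic past one-past-the-end is undefined in C, so compare lengths instead, e.g. `(buffer + len) - ptr > size + 3`. As in the earlier hunk, a failed check leaves `secondSampleRate` and `secondLayer` stale, and the comparison against the first frame's values then runs on old data; treat "second header does not fit" explicitly as "frame not confirmed".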
@@ -254,7 +264,6 @@
    if (info->badBytes == 0 && info->goodBytes == 0)
    {
       int offset;
-
       offset = find_mp3_start(info, buffer, len);
       if (offset < 0)
          return;
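Review bot: this hunk only deletes a blank line between the declaration of `offset` and its assignment; it is unrelated whitespace noise and should be dropped so the patch stays limited to the bounds fixes.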
@@ -385,8 +394,9 @@
                         (size > bytesLeft) ? bytesLeft : size);
 
       /* save the first three bytes after the audio sha block (see above) */
-      memcpy(info->audioShaExtra, 
-             ptr + ((size > bytesLeft) ? bytesLeft : size), 3);
+      const unsigned char *src = ptr + ((size > bytesLeft) ? bytesLeft : size);
+      if ((src + 3) < (buffer + len))
+        memcpy(info->audioShaExtra, src, 3);
 
       /* Move the memory pointer past the frame */
       info->frames++;
 
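Review bot: the bounds check is off by one: `memcpy(info->audioShaExtra, src, 3)` reads `src[0..2]`, which is in bounds whenever `src + 3 <= buffer + len`, so the strict `<` wrongly rejects a frame that ends exactly three bytes before the end of the buffer. Also, `const unsigned char *src` is declared after statements, which is C99 only and will not build with a C89 compiler (the rest of mp3.c declares at the top of the block), so move the declaration up. Finally, when the check fails `info->audioShaExtra` keeps its old contents; since the comment says these bytes belong to the audio SHA computation, stale bytes would silently feed into it, so zero the field or record that the extra bytes are missing.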
-- rkapsi, July 18, 2004 11:59 pm
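As an added illustration of the boundary checking the patch is after (example code written for this page, not part of bitcollider or the poster's patch): a small MPEG-1 Layer III header parser and the "second header confirms the first" scan, which check the remaining length before reading any header byte, compare offsets instead of forming pointers past the buffer, and treat a header that does not fit as "no frame" rather than leaving stale values behind. The function and table names, the constructed sample stream and the restriction to MPEG-1 Layer III are assumptions.

```c
#include <stddef.h>
#include <string.h>

#define MP3_HDR_LEN 4 /* an MPEG audio frame header is four bytes */

typedef struct { int layer, bitrate, samplerate, padding; size_t frame_size; } mp3_hdr;

/* MPEG-1 Layer III bitrate table (kbit/s); index 0 (free format) and 15 (bad) map to 0. */
static const int kBitrateV1L3[16] = {0,32,40,48,56,64,80,96,112,128,160,192,224,256,320,0};
static const int kSamplerateV1[4] = {44100, 48000, 32000, 0}; /* index 3 is reserved */

/* Parse the MPEG-1 Layer III header at buf[off]. The remaining length is checked before
 * any byte is touched, so a header cut off by the buffer end is rejected, not read past. */
int mp3_parse_header(const unsigned char *buf, size_t len, size_t off, mp3_hdr *h)
{
    const unsigned char *p;
    int br, sr;
    if (off > len || len - off < MP3_HDR_LEN) return -1;              /* header would not fit */
    p = buf + off;
    if (p[0] != 0xFF || (p[1] & 0xE0) != 0xE0) return -1;             /* 11-bit frame sync */
    if (((p[1] >> 3) & 3) != 3 || ((p[1] >> 1) & 3) != 1) return -1;  /* MPEG-1, Layer III only */
    br = kBitrateV1L3[p[2] >> 4];
    sr = kSamplerateV1[(p[2] >> 2) & 3];
    if (br == 0 || sr == 0) return -1;                                /* also prevents divide by zero */
    h->layer = 3; h->bitrate = br; h->samplerate = sr; h->padding = (p[2] >> 1) & 1;
    h->frame_size = (size_t)(144000 * br / sr) + (size_t)h->padding;  /* same formula as mp3.c */
    return 0;
}

/* Find the first frame confirmed by a matching header right after it (the mp3.c heuristic).
 * Offsets are compared as sizes, so no pointer beyond buf + len is ever formed. */
long mp3_find_first_frame(const unsigned char *buf, size_t len)
{
    size_t off;
    mp3_hdr a, b;
    for (off = 0; off < len; off++) {
        if (mp3_parse_header(buf, len, off, &a) != 0) continue;
        if (a.frame_size <= 1 || a.frame_size > 2048) continue;       /* sanity limits from mp3.c */
        if (a.frame_size > len - off) continue;                        /* second header cannot fit */
        if (mp3_parse_header(buf, len, off + a.frame_size, &b) != 0) continue;
        if (b.layer == a.layer && b.samplerate == a.samplerate) return (long)off;
    }
    return -1;
}

/* Constructed sample: 3 junk bytes, then two 128 kbit/s 44.1 kHz headers 417 bytes apart.
 * demo_scan() looks at only the first `len` bytes so truncation at any point can be tested. */
static unsigned char g_sample[3 + 417 + MP3_HDR_LEN + 8];
long demo_scan(size_t len)
{
    static const unsigned char hdr[MP3_HDR_LEN] = {0xFF, 0xFB, 0x90, 0x00};
    memcpy(g_sample + 3, hdr, MP3_HDR_LEN);
    memcpy(g_sample + 3 + 417, hdr, MP3_HDR_LEN);
    return mp3_find_first_frame(g_sample, len < sizeof g_sample ? len : sizeof g_sample);
}
```

A buffer that ends inside either header (the case that crashed the original) now yields -1 instead of an out-of-bounds read, while a second header that ends exactly at the buffer end is still accepted.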