From 58e74616a1fd2a66b9ffcd053174e049d5019b77 Mon Sep 17 00:00:00 2001
From: Martin Panter
Date: Mon, 23 Apr 2012 12:34:48 +0000
Subject: Check for reading past end before calling mp4ff_read_sample()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Previously errors like the following would occasionally be reported at the end of an AAC file: mp4ff_read_sample: malloc failure (tried to alloc -2147483648 bytes). possible mp4ff bug or memleak! please report a bug to deadbeef developers (i'm serious). This was because the value of “sample” passed to mp4ff_audio_frame_size() caused that function to read just off the end of an array. Bug reported at https://sourceforge.net/support/tracker.php?aid=3321066 Fix inspired by https://bugs.launchpad.net/bugs/40043 “Crash (SIGSEGV) in memcpy using libfaad2”
---
 plugins/aac/aac.c | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
(limited to 'plugins/aac')
diff --git a/plugins/aac/aac.c b/plugins/aac/aac.c
index b3417879..2f2755f0 100644
--- a/plugins/aac/aac.c
+++ b/plugins/aac/aac.c
@@ -878,11 +878,16 @@ aac_read (DB_fileinfo_t *_info, char *bytes, int size) {
 char *samples = NULL;
 if (info->mp4file) {
+ if (info->mp4sample >= info->mp4samples) {
+ break;
+ }
+
 unsigned char *buffer = NULL;
 int buffer_size = 0;
 #ifdef USE_MP4FF
 int rc = mp4ff_read_sample (info->mp4file, info->mp4track, info->mp4sample, &buffer, &buffer_size);
 if (rc == 0) {
+ trace ("mp4ff_read_sample failed\n");
 info->eof = 1;
 break;
 }
@@ -902,12 +907,6 @@ aac_read (DB_fileinfo_t *_info, char *bytes, int size) {
 u_int64_t myDuration = MP4ConvertFromTrackDuration (info->mp4file, info->mp4track, sampleDuration, MP4_MSECS_TIME_SCALE);
 #endif
- if (info->mp4sample >= info->mp4samples) {
- if (buffer) {
- free (buffer);
- }
- break;
- }
 info->mp4sample++;
 samples = NeAACDecDecode(info->dec, &info->frame_info, buffer, buffer_size);
--
cgit v1.2.3
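Review bot: The new guard at the top of the `if (info->mp4file)` branch leaves the loop without setting `info->eof`, while the `rc == 0` path a few lines below sets `info->eof = 1` before its `break`; if code outside this hunk uses that flag to detect end of stream, the two exits disagree, so consider `info->eof = 1;` inside the guard or a comment explaining why it is not needed. The check covers only the upper bound, and the types of `mp4sample` and `mp4samples` are not visible here; if they are signed and a seek can assign `mp4sample`, a negative index would still reach `mp4ff_read_sample()`, so `if (info->mp4sample < 0 || info->mp4sample >= info->mp4samples)` may be worth using. Since the commit message attributes the bogus allocation size to an out-of-range read inside mp4ff, a comment such as `// sample index is file-derived; mp4ff does not bounds-check it, so validate before the read` would record why the check has to stay ahead of the call. The body of aac_read starts and ends outside the hunk.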