[MPlayer-dev-eng] Re: [MPlayer-users] patch to fix bad code (UMR) in mp3lib/layer2.c causing signal 11 in mplayer
D Richard Felker III
dalias at aerifal.cx
Thu Jan 23 08:38:31 CET 2003
This patch was sent to -users and looks good to me. Unless anyone
objects or commits it first I'll commit it.
Rich
On Thu, Jan 23, 2003 at 02:00:02AM -0500, Nilmoni Deb wrote:
> [Automatic answer: RTFM (read DOCS, FAQ), also read DOCS/bugreports.html]
>
> This is in reference to the bug reported in
> http://mplayerhq.hu/pipermail/mplayer-users/2003-January/027281.html .
> The bug appeared for a movie whose audio is mp2 (so that's all that is needed
> to reproduce the problem since the bug is in mp3lib/layer2.c).
>
> The problem is very easy to see as follows:
>
> In mp3lib/sr1.c, look at the line 226:
>
> if(fr->sampling_frequency>8) return FALSE; // valid: 0..8
>
> which allows fr->sampling_frequency to go up to 8.
>
> Now, in mp3lib/layer2.c, in the function definition of II_select_table,
> this code exists:
>
> if(fr->lsf)
>   table = 4;
> else
>   table = translate[fr->sampling_frequency][2-fr->stereo][fr->bitrate_index];
>
> The problem is that in II_select_table function definition, translate is
> declared as:
>
> static int translate[3][2][16] = .....
>
> which means fr->sampling_frequency must be < 3 to prevent illegal memory
> reads.
>
> Obviously, the code does not bother about what would happen if
> fr->sampling_frequency lies in the range [3,8]. In my test case,
> fr->sampling_frequency = 3 and naturally there is a problem.
>
> Here is a patch to fix this:
>
> ----- PATCH STARTS NEXT LINE ---------------
> --- layer2.c 2003-01-08 02:20:23.000000000 +0000
> +++ layer2.c.new 2003-01-23 01:49:55.000000000 +0000
> @@ -241,13 +241,28 @@
>
> static void II_select_table(struct frame *fr)
> {
> - static int translate[3][2][16] =
> - { { { 0,2,2,2,2,2,2,0,0,0,1,1,1,1,1,0 } ,
> - { 0,2,2,0,0,0,1,1,1,1,1,1,1,1,1,0 } } ,
> - { { 0,2,2,2,2,2,2,0,0,0,0,0,0,0,0,0 } ,
> - { 0,2,2,0,0,0,0,0,0,0,0,0,0,0,0,0 } } ,
> - { { 0,3,3,3,3,3,3,0,0,0,1,1,1,1,1,0 } ,
> - { 0,3,3,0,0,0,1,1,1,1,1,1,1,1,1,0 } } };
> + static int translate[8][2][16] =
> + { { { 0,2,2,2,2,2,2,0,0,0,1,1,1,1,1,0 } , /*44.1 stereo*/
> + { 0,2,2,0,0,0,1,1,1,1,1,1,1,1,1,0 } } , /*44.1 mono*/
> + { { 0,2,2,2,2,2,2,0,0,0,0,0,0,0,0,0 } , /*48 stereo*/
> + { 0,2,2,0,0,0,0,0,0,0,0,0,0,0,0,0 } } , /*48 mono*/
> + { { 0,3,3,3,3,3,3,0,0,0,1,1,1,1,1,0 } , /*32 stereo*/
> + { 0,3,3,0,0,0,1,1,1,1,1,1,1,1,1,0 } } , /*32 mono*/
> + { { 2,2,2,2,2,2,2,3,3,3,3,3,3,3,3,0 } , /*22.05 stereo*/
> + { 2,2,2,3,3,3,3,3,3,3,3,3,3,3,3,0 } } , /*22.05 mono*/
> + { { 2,2,2,2,2,2,2,3,3,3,3,3,3,3,3,0 } , /*24 stereo*/
> + { 2,2,2,3,3,3,3,3,3,3,3,3,3,3,3,0 } } , /*24 mono*/
> + { { 2,2,2,2,2,2,2,3,3,3,3,3,3,3,3,0 } , /*16 stereo*/
> + { 2,2,2,3,3,3,3,3,3,3,3,3,3,3,3,0 } } , /*16 mono*/
> + { { 2,2,2,2,2,2,2,3,3,3,3,3,3,3,3,0 } , /*11.025 stereo*/
> + { 2,2,2,3,3,3,3,3,3,3,3,3,3,3,3,0 } } , /*11.025 mono*/
> + { { 2,2,2,2,2,2,2,3,3,3,3,3,3,3,3,0 } , /*12 stereo*/
> + { 2,2,2,3,3,3,3,3,3,3,3,3,3,3,3,0 } } , /*12 mono*/
> + { { 2,2,2,2,2,2,2,3,3,3,3,3,3,3,3,0 } , /*8 stereo*/
> + { 2,2,2,3,3,3,3,3,3,3,3,3,3,3,3,0 } } /*8 mono*/
> +/* 0 48 64 96 128 192 256 384 */
> +/* 32 56 80 112 160 224 320 XX*/
> + };
>
> int table,sblim;
> static struct al_table *tables[5] =
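Review bot: the first dimension in `static int translate[8][2][16]` is one too small. The initializer that follows lists nine sampling-frequency rows (44.1, 48, 32, 22.05, 24, 16, 11.025, 12, 8), and the sr1.c check quoted above accepts 0..8, so the ninth row is an excess initializer and index 8 still reads past the array. Declare it as `translate[9][2][16]`, and consider a range check on fr->sampling_frequency before the lookup in II_select_table so the table size and the validator in sr1.c cannot drift apart again.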
> ----- PATCH ENDED PREVIOUS LINE ---------------
>
> This is from Nick.
>
> thanks
> - Nil
>
> _______________________________________________
> RTFM!!! http://www.MPlayerHQ.hu/DOCS
> Search: http://www.MPlayerHQ.hu/cgi-bin/htsearch
> http://mplayerhq.hu/mailman/listinfo/mplayer-users
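An added example, not part of the original post and not MPlayer's code: the lookup described in the message, with every index checked against the array's own dimensions so that a header value the validator accepts but the table does not cover is rejected instead of read past the end. `struct frame_hdr`, `in_range`, `select_table_checked` and the 2 = stereo / 1 = mono convention are assumptions; the table is the pre-patch one from the `-` lines.

```c
#include <stddef.h>

#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed stand-in with only the fields the post names (assumption). */
struct frame_hdr {
    int lsf;
    int stereo;             /* assumed: 2 = stereo, 1 = mono */
    int sampling_frequency; /* the validator quoted from sr1.c accepts 0..8 */
    int bitrate_index;
};

/* Three-row table copied from the '-' lines of the patch. */
static const int translate[3][2][16] = {
    { { 0,2,2,2,2,2,2,0,0,0,1,1,1,1,1,0 },
      { 0,2,2,0,0,0,1,1,1,1,1,1,1,1,1,0 } },
    { { 0,2,2,2,2,2,2,0,0,0,0,0,0,0,0,0 },
      { 0,2,2,0,0,0,0,0,0,0,0,0,0,0,0,0 } },
    { { 0,3,3,3,3,3,3,0,0,0,1,1,1,1,1,0 },
      { 0,3,3,0,0,0,1,1,1,1,1,1,1,1,1,0 } }
};

/* True when i is a valid index into an array of n elements. */
static int in_range(int i, size_t n)
{
    return i >= 0 && (size_t)i < n;
}

/* Hypothetical checked lookup: returns the table number, or -1 when any
 * header field would index outside translate[][][] (bounds via sizeof). */
int select_table_checked(const struct frame_hdr *fr)
{
    int ch = 2 - fr->stereo;

    if (fr->lsf)
        return 4;
    if (!in_range(fr->sampling_frequency, ARRAY_LEN(translate)) ||
        !in_range(ch, ARRAY_LEN(translate[0])) ||
        !in_range(fr->bitrate_index, ARRAY_LEN(translate[0][0])))
        return -1;
    return translate[fr->sampling_frequency][ch][fr->bitrate_index];
}

int main(void)
{
    struct frame_hdr bad = { 0, 2, 3, 1 }; /* constructed: the post's failing case */
    return select_table_checked(&bad) == -1 ? 0 : 1;
}
```

Because the limits are derived from the array with `sizeof`, enlarging the table as the patch does widens the accepted range automatically, and a caller can treat -1 as a frame to drop.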