[MPlayer-dev-eng] NAS segmentation fault fix
Erik Auerswald
auerswal at unix-ag.uni-kl.de
Tue May 17 12:28:31 CEST 2005
Hi,
mplayer sometimes crashes with a segmentation fault in the NAS code,
caused by 1) an integer overflow or 2) unchecked buffer access. The
attached patch fixes these 2 errors.
Erik
-------------- next part --------------
diff -Naur main.orig/libao2/ao_nas.c main.new/libao2/ao_nas.c
--- main.orig/libao2/ao_nas.c 2005-02-28 00:06:32.000000000 +0100
+++ main.new/libao2/ao_nas.c 2005-05-17 11:05:39.341241904 +0200
@@ -254,6 +254,23 @@
event->num_bytes,
nas_data->expect_underrun);
+ /* fix for segmentation faults in this code
+ *
+ * obviously a AuUint32 is never negative, but used as an int it
+ * could appear so and cause unexpected results on 32 bit systems
+ * since the AuUint32 event->num_bytes is subtracted from the int value
+ * nas_data->server_buffer_used any "negative" int value should be
+ * ignored (i.e. set to 0) */
+ if(((int)event->num_bytes) < 0) {
+ mp_msg(MSGT_AO, MSGL_V, "ao_nas: event_handler(): NAS event with negative (int)event->num_bytes=%d\n", (int)event->num_bytes);
+ mp_msg(MSGT_AO, MSGL_V, "ao_nas: event_handler(): setting event->num_bytes to 0\n");
+ event->num_bytes = 0;
+ }
+ /* values of event->num_bytes > nas_data->server_buffer_used can result
+ * in a segmentation fault as well */
+ if(event->num_bytes > nas_data->server_buffer_used)
+ event->num_bytes = nas_data->server_buffer_used;
+
nas_data->server_buffer_used -= event->num_bytes;
if (nas_data->server_buffer_used < 0)
nas_data->server_buffer_used = 0;
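Review bot: the second check, `if(event->num_bytes > nas_data->server_buffer_used)`, compares an AuUint32 with what the comment above calls an int, so the int operand is converted to unsigned before the comparison. The unchanged lines that follow still test `nas_data->server_buffer_used < 0`, so a negative value is considered possible; in that case it compares as a very large unsigned number and the clamp is silently skipped. Doing the arithmetic on a local signed copy with explicit bounds (0 <= n <= server_buffer_used) would make the intent unambiguous and would also avoid overwriting the event structure in place. The two checks are also inconsistent for oversized values: one with the top bit set is treated as 0 (nothing consumed), while any other oversized value is clamped to server_buffer_used (everything consumed). Since the clamp alone already covers the top-bit case whenever server_buffer_used is non-negative, either drop the first check and keep only its log message, or explain in the comment why the two cases should behave differently. A short note on whether later code in event_handler() reads event->num_bytes after this point would help as well.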