[MPlayer-dev-eng] Re: [PATCH] fix for segmentation fault in ao_nas

Tobias Diedrich ranma+mplayer at tdiedrich.de
Fri Jun 17 04:25:20 CEST 2005


Erik Auerswald wrote:

> audio output using ao_nas sometimes crashes mplayer with a segmentation
> fault. This is caused by NAS server messages requesting large amounts of
> data. One error in libao2/ao_nas.c is subtracting an AuUint32 from an int
> value. The other is not checking if enough data is in the buffer to
> fulfill the request.
> 
> The latter problem is solved by limiting the sent data to the available
> amount of data. The former can be solved by either using 64bit integer
> types or checking the AuUint32 for values that overflow an int in the
> current implementation.
> 
> I've attached 2 alternative patches, one for each of the overflow fixes,
> because I'm not sure which way is "better".

I'd argue that an event->num_bytes above 2147483647 would point
to a bug in the server, would it not?

At least AFAICS that is the only case where your patches would
change the behaviour of ao_nas.

So I think that it does make sense to check for out of bounds
event->num_bytes and set it to zero in that case and warn that the
server is buggy.

And that still just tapers over the real bug causing the segmentation
fault, namely missing range checks allowing the buffers to overflow and
cause a segmentation fault.

I just committed a fix, yell if you can still reproduce the problem. :-)

-- 
Tobias						PGP: http://9ac7e0bc.uguu.de
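The two defects the thread describes, an AuUint32 subtracted from an int and a request size never clamped to the buffered data, in a small added C example. This is not MPlayer's ao_nas code: the `AuUint32` typedef, the `audio_buf` layout and the function names are assumptions made for the illustration, and the request sizes are constructed. `unsafe_send_len` reproduces the arithmetic problem; `safe_send_len` and `safe_send` follow the reply's suggestion (treat a request above INT_MAX as a buggy server and send zero, otherwise limit to what is buffered).

```c
#include <inttypes.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t AuUint32;   /* stand-in for NAS's unsigned 32-bit type (assumption) */

#define BUF_SIZE 4096

/* Constructed stand-in for the ao_nas output buffer: a flat byte array plus
 * a count of how many bytes are currently waiting to be sent. */
typedef struct {
    unsigned char data[BUF_SIZE];
    int buffered;            /* 0..BUF_SIZE */
} audio_buf;

/* The mistake the thread describes: an AuUint32 request subtracted from an
 * int. The int is converted to unsigned first, so the difference is computed
 * unsigned; the "remaining < 0" test only works by accident of wraparound, and
 * a request above INT_MAX passes it and comes back as a negative copy length. */
static int unsafe_send_len(int buffered, AuUint32 num_bytes) {
    int remaining = buffered - num_bytes;   /* int - AuUint32 is computed unsigned */
    if (remaining < 0)
        return buffered;                    /* request bigger than buffer: send all */
    return (int)num_bytes;                  /* > INT_MAX turns negative here */
}

/* Hardened version, following the reply: a request that does not fit in an
 * int is treated as a server bug and answered with zero bytes, and any other
 * request is clamped to the data actually in the buffer. */
static int safe_send_len(int buffered, AuUint32 num_bytes) {
    if (num_bytes > (AuUint32)INT_MAX) {
        fprintf(stderr, "ao_nas: server requested %" PRIu32
                " bytes, assuming buggy server\n", num_bytes);
        return 0;
    }
    if ((int)num_bytes > buffered)
        return buffered;
    return (int)num_bytes;
}

/* Copy the clamped amount out of the buffer and shift the remainder down.
 * Returns the number of bytes handed to the caller. */
static int safe_send(audio_buf *b, AuUint32 num_bytes,
                     unsigned char *out, size_t out_cap) {
    int n = safe_send_len(b->buffered, num_bytes);
    if ((size_t)n > out_cap)
        n = (int)out_cap;                   /* never overrun the destination either */
    memcpy(out, b->data, (size_t)n);
    memmove(b->data, b->data + n, (size_t)(b->buffered - n));
    b->buffered -= n;
    return n;
}

/* Helper: fill a fresh buffer with `buffered` bytes and serve one request. */
static int demo_copy(int buffered, AuUint32 num_bytes) {
    audio_buf b;
    unsigned char out[BUF_SIZE];
    memset(b.data, 0xAB, sizeof b.data);
    b.buffered = buffered;
    return safe_send(&b, num_bytes, out, sizeof out);
}

int main(void) {
    /* Constructed requests: sane, larger than the buffer, and above INT_MAX. */
    AuUint32 reqs[] = { 50, 200, 3000000000u };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        printf("request %" PRIu32 ": unsafe len %d, safe len %d, copied %d\n",
               reqs[i], unsafe_send_len(100, reqs[i]),
               safe_send_len(100, reqs[i]), demo_copy(100, reqs[i]));
    }
    return 0;
}
```

With 100 bytes buffered, the unsafe length agrees with the safe one for 50 and 200 but returns a negative value for 3000000000, which is the number that ends up in a memcpy-style call and corrupts memory; the hardened path returns 0 for that request and never copies more than `buffered` bytes.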