[MPlayer-dev-eng] NAS segmentation fault fix

Erik Auerswald auerswal at unix-ag.uni-kl.de
Tue May 17 12:28:31 CEST 2005


Hi,

mplayer sometimes crashes with a segmentation fault in the NAS code,
caused by 1) an integer overflow or 2) unchecked buffer access. The
attached patch fixes these 2 errors.

Erik
-------------- next part --------------
diff -Naur main.orig/libao2/ao_nas.c main.new/libao2/ao_nas.c
--- main.orig/libao2/ao_nas.c	2005-02-28 00:06:32.000000000 +0100
+++ main.new/libao2/ao_nas.c	2005-05-17 11:05:39.341241904 +0200
@@ -254,6 +254,23 @@
 		event->num_bytes,
 		nas_data->expect_underrun);
 
+	/* fix for segmentation faults in this code
+	 *
+	 * obviously a AuUint32 is never negative, but used as an int it
+	 * could appear so and cause unexpected results on 32 bit systems
+	 * since the AuUint32 event->num_bytes is subtracted from the int value
+	 * nas_data->server_buffer_used any "negative" int value should be
+	 * ignored (i.e. set to 0) */
+	if(((int)event->num_bytes) < 0) {
+		mp_msg(MSGT_AO, MSGL_V, "ao_nas: event_handler(): NAS event with negative (int)event->num_bytes=%d\n", (int)event->num_bytes);
+		mp_msg(MSGT_AO, MSGL_V, "ao_nas: event_handler(): setting event->num_bytes to 0\n");
+		event->num_bytes = 0;
+	}
+	/* values of event->num_bytes > nas_data->server_buffer_used can result
+	 * in a segmentation fault as well */
+	if(event->num_bytes > nas_data->server_buffer_used)
+		event->num_bytes = nas_data->server_buffer_used;
+
 	nas_data->server_buffer_used -= event->num_bytes;
 	if (nas_data->server_buffer_used < 0)
 		nas_data->server_buffer_used = 0;
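Review bot: the two new guards handle the two cases asymmetrically, and it is not clear from the comment that this is intended: a value of event->num_bytes with its top bit set ("negative" as int) is reset to 0, so nas_data->server_buffer_used is left unchanged, whereas a value that is merely larger than nas_data->server_buffer_used is clamped to it, so the buffer is treated as fully drained. Either state the reason in the comment block or pick one treatment for both. Two smaller points in the same hunk: `((int)event->num_bytes) < 0` relies on an implementation-defined conversion of an out-of-range AuUint32 to int, and `event->num_bytes > nas_data->server_buffer_used` compares unsigned against signed, so the int is converted to unsigned under the usual arithmetic conversions and the test is only sound because the code below already clamps server_buffer_used to a minimum of 0. Making that explicit, e.g. `if (event->num_bytes > (AuUint32)nas_data->server_buffer_used)`, and naming in the comment which later access faults when num_bytes exceeds server_buffer_used (the hunk only says it "can result in a segmentation fault as well") would make the fix easier to verify.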

