Op 13-11-14 om 17:45 schreef lvqcl:
FLAC__window_partial_tukey():

        Np = (FLAC__int32)(p / 2.0f * N) - 1;

and Np can be equal to -1. So later in the code

        for (; n < (end_n-Np); n++)
                window[n] = 1.0f;

libFLAC writes outside of window[] memory.

That does the trick indeed. I still wonder how it is possible that this didn't trigger anything on x86_64. Now that I've taken a better look, there are actually a few other problems with that code. Here's a patch to fix the issue:
>From 04c8a952754608367064cd8bf4fa0978662a7d9f Mon Sep 17 00:00:00 2001
From: Martijn van Beurden <[email protected]>
Date: Thu, 13 Nov 2014 20:51:55 +0100
Subject: [PATCH] Add more checks to partial_tukey and punchout_tukey windows

---
 src/libFLAC/window.c | 74 +++++++++++++++++++++++++++-------------------------
 1 file changed, 39 insertions(+), 35 deletions(-)

diff --git a/src/libFLAC/window.c b/src/libFLAC/window.c
index c41120b..42772e8 100644
--- a/src/libFLAC/window.c
+++ b/src/libFLAC/window.c
@@ -214,23 +214,25 @@ void FLAC__window_partial_tukey(FLAC__real *window, const FLAC__int32 L, const F
 	const FLAC__int32 N = end_n - start_n;
 	FLAC__int32 Np, n, i;
 
-	if (p <= 0.0)
+	if (p <= 0.0f)
 		FLAC__window_partial_tukey(window, L, 0.01f, start, end);
-	else if (p >= 1.0)
-		FLAC__window_partial_tukey(window, L, 1, start, end);
-
-	Np = (FLAC__int32)(p / 2.0f * N) - 1;
+	else if (p >= 1.0f)
+		FLAC__window_partial_tukey(window, L, 1.0f, start, end);
+	else {
 
-	for (n = 0; n < start_n; n++)
-		window[n] = 0.0f;
-	for (i = 1; n < (start_n+Np); n++, i++)
-		window[n] = (FLAC__real)(0.5f - 0.5f * cos(M_PI * i / Np));
-	for (; n < (end_n-Np); n++)
-		window[n] = 1.0f;
-	for (i = Np; n < end_n; n++, i--)
-		window[n] = (FLAC__real)(0.5f - 0.5f * cos(M_PI * i / Np));
-	for (; n < L; n++)
-		window[n] = 0.0f;
+		Np = (FLAC__int32)(p / 2.0f * N);
+
+		for (n = 0; n < start_n && n < L; n++)
+			window[n] = 0.0f;
+		for (i = 1; n < (start_n+Np) && n < L; n++, i++)
+			window[n] = (FLAC__real)(0.5f - 0.5f * cos(M_PI * i / Np));
+		for (; n < (end_n-Np) && n < L; n++)
+			window[n] = 1.0f;
+		for (i = Np; n < end_n && n < L; n++, i--)
+			window[n] = (FLAC__real)(0.5f - 0.5f * cos(M_PI * i / Np));
+		for (; n < L; n++)
+			window[n] = 0.0f;
+	}
 }
 
 void FLAC__window_punchout_tukey(FLAC__real *window, const FLAC__int32 L, const FLAC__real p, const FLAC__real start, const FLAC__real end)
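Review bot: The `else if (p >= 1.0f)` branch calls FLAC__window_partial_tukey again with p = 1.0f, which satisfies the same condition, so the recursion never reaches the new `else` block and stops only when the stack is exhausted. Wrapping the body in `else` fixes the fall-through into the loops but does not make this call terminate. The clamp value should lie strictly inside (0, 1), for example `FLAC__window_partial_tukey(window, L, 0.99f, start, end);` (the constant is a suggestion, not a value from the page). The same `1.0f` call appears in the FLAC__window_punchout_tukey hunk. The function's opening lines, including the start_n and end_n declarations, sit above the hunk, so whether a caller can actually pass p >= 1.0 is not visible here.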
@@ -239,28 +241,30 @@ void FLAC__window_punchout_tukey(FLAC__real *window, const FLAC__int32 L, const
 	const FLAC__int32 end_n = (FLAC__int32)(end * L);
 	FLAC__int32 Ns, Ne, n, i;
 
-	if (p <= 0.0)
+	if (p <= 0.0f)
 		FLAC__window_partial_tukey(window, L, 0.01f, start, end);
-	else if (p >= 1.0)
-		FLAC__window_partial_tukey(window, L, 1, start, end);
-
-	Ns = (FLAC__int32)(p / 2.0f * start_n);
-	Ne = (FLAC__int32)(p / 2.0f * (L - end_n));
+	else if (p >= 1.0f)
+		FLAC__window_partial_tukey(window, L, 1.0f, start, end);
+	else {
 
-	for (n = 0, i = 1; n < Ns; n++, i++)
-		window[n] = (FLAC__real)(0.5f - 0.5f * cos(M_PI * i / Ns));
-	for (; n < start_n-Ns; n++)
-		window[n] = 1.0f;
-	for (i = Ns; n < start_n; n++, i--)
-		window[n] = (FLAC__real)(0.5f - 0.5f * cos(M_PI * i / Ns));
-	for (; n < end_n; n++)
-		window[n] = 0.0f;
-	for (i = 1; n < end_n+Ne; n++, i++)
-		window[n] = (FLAC__real)(0.5f - 0.5f * cos(M_PI * i / Ne));
-	for (; n < L - (Ne); n++)
-		window[n] = 1.0f;
-	for (i = Ne; n < L; n++, i--)
-		window[n] = (FLAC__real)(0.5f - 0.5f * cos(M_PI * i / Ne));
+		Ns = (FLAC__int32)(p / 2.0f * start_n);
+		Ne = (FLAC__int32)(p / 2.0f * (L - end_n));
+
+		for (n = 0, i = 1; n < Ns && n < L; n++, i++)
+			window[n] = (FLAC__real)(0.5f - 0.5f * cos(M_PI * i / Ns));
+		for (; n < start_n-Ns && n < L; n++)
+			window[n] = 1.0f;
+		for (i = Ns; n < start_n && n < L; n++, i--)
+			window[n] = (FLAC__real)(0.5f - 0.5f * cos(M_PI * i / Ns));
+		for (; n < end_n && n < L; n++)
+			window[n] = 0.0f;
+		for (i = 1; n < end_n+Ne && n < L; n++, i++)
+			window[n] = (FLAC__real)(0.5f - 0.5f * cos(M_PI * i / Ne));
+		for (; n < L - (Ne) && n < L; n++)
+			window[n] = 1.0f;
+		for (i = Ne; n < L; n++, i--)
+			window[n] = (FLAC__real)(0.5f - 0.5f * cos(M_PI * i / Ne));
+	}
 }
 
 void FLAC__window_welch(FLAC__real *window, const FLAC__int32 L)
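Review bot: Both clamp branches at the top of FLAC__window_punchout_tukey call FLAC__window_partial_tukey, so an out-of-range p fills window[] with a partial-Tukey shape instead of a punchout shape. This looks like a copy-paste slip that the patch carries over while changing only the literals. I would call the function itself with a p strictly inside (0, 1) so the retry terminates: `FLAC__window_punchout_tukey(window, L, 0.01f, start, end);` and `FLAC__window_punchout_tukey(window, L, 0.99f, start, end);` (the upper constant is a suggestion). A one-line comment such as `/* clamp p into (0,1) and retry */` above the branches would make the intent explicit. The function begins above the hunk, where start_n is declared.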
-- 
1.9.1
