tags 510205 + patch
thanks

Hi!

On Tue, Dec 30, 2008 at 02:28:58PM +0100, Max Kellermann wrote:
> Today, the Music Player Daemon project received a bug report from
> Anton Khirnov: MPD crashed when attempting to play a WAV file. "file"
> says:
>
> RIFF (little-endian) data, WAVE audio, Microsoft ADPCM, stereo 44100
> Hz
>
> The MPD bug report: http://musicpd.org/mantis/view.php?id=1915
>
> The test file: http://filebin.ca/meqmyu/max_theme.wav

It seems that audiofile's
modules/msadpcm.c::ms_adpcm_decode_block() incorrectly scales the
samplesPerBlock value with the number of channels. All adpcm-coded
files with two channels should be affected.

With the attached patch, I can play the "max_theme" test file without
audiofile crashing. However, I think a few additional checks are in
order to make the module more robust against malicious input. I'll
try to check this in the next days.

Regards,
Daniel.

diff -r 247fd11d763d libaudiofile/modules/msadpcm.c --- a/libaudiofile/modules/msadpcm.c Sat Jan 03 20:35:58 2009 +0100 +++ b/libaudiofile/modules/msadpcm.c Sun Jan 04 01:43:06 2009 +0100 @@ -129,8 +129,7 @@ ms_adpcm_state *state[2]; /* Calculate the number of bytes needed for decoded data. */ - outputLength = msadpcm->samplesPerBlock * sizeof (int16_t) * - msadpcm->track->f.channelCount; + outputLength = msadpcm->samplesPerBlock * sizeof (int16_t); channelCount = msadpcm->track->f.channelCount; @@ -180,8 +179,7 @@ The first two samples have already been 'decoded' in the block header. */ - samplesRemaining = (msadpcm->samplesPerBlock - 2) * - msadpcm->track->f.channelCount; + samplesRemaining = msadpcm->samplesPerBlock - 2; while (samplesRemaining > 0) {
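
Review bot: In the first hunk (@@ -129,8 +129,7 @@), the new outputLength line drops the channelCount factor without stating what unit samplesPerBlock is in. The comment above it still reads only "Calculate the number of bytes needed for decoded data", so a reader cannot tell whether the field counts samples per channel or samples across all channels. If it is per channel, the buffer sized from outputLength would be too small for stereo input. Please extend that comment to say which unit is meant and where the value comes from. Since the value is multiplied by sizeof (int16_t) with no range check visible in this hunk, an upper bound on samplesPerBlock before the multiplication would also fit the "additional checks" the mail mentions.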
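
Review bot: In the second hunk (@@ -180,8 +179,7 @@), samplesRemaining = msadpcm->samplesPerBlock - 2 has no lower-bound check visible here. A samplesPerBlock below 2 makes the result negative or, if the field is unsigned, wraps it to a very large count that the while (samplesRemaining > 0) loop would then work through. Suggest rejecting such blocks before this line. The comment "The first two samples have already been 'decoded' in the block header" should also say whether the 2 is per channel or in total now that the channelCount factor is gone, because the first hunk's context declares state[2], one decoder state per channel.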