[mythtv] Ticket #2420: mythreplex segfault

D. Hugh Redelmeier hugh at mimosa.com
Tue Sep 26 18:47:22 UTC 2006


| From: D. Hugh Redelmeier <hugh at mimosa.com>

| | #2420: mythreplex segfault
| 
| | Comment (by paulh):
| | 
| |  (In [11294]) Possible fix for #2420. find_audio_sync() was always
| |  expecting the buf array passed as a parameter to be 7 bytes but some
| |  of the calling functions were only creating 4 and 6 byte arrays.

On my system, the stack smashing crash was reproducible.

With the fixes PaulH made to element.c, it no longer crashed.

With my rewrite of find_audio_sync and no changes to buffer
declarations (i.e. without PaulH's fixes), it no longer crashed.  The
output files were identical to the ones produced with PaulH's fixed
version.

I propose that my rewrite of find_audio_sync be adopted because it
simplifies the program and does not require arbitrary appearances of
the number 7.

| int find_audio_sync(ringbuffer *rbuf, uint8_t *buf, int off, int type, int le)
| {
| 	int c;
| 	int l;
| 	uint8_t b1,b2,m2;
| 	int r;
| 
| 	switch(type){
| 	case AC3:
| 		b1 = 0x0B;
| 		b2 = 0x77;
| 		m2 = 0xFF;
| 		l = 6;
| 		break;
| 
| 	case MPEG_AUDIO:
| 		b1 = 0xFF;
| 		b2 = 0xF8;
| 		m2 = 0xF8;
| 		l = 4;
| 		break;
| 
| 	default:
| 		return -1;
| 	}
| 
| 	c = off;
| 	while ( c-off < le){
| 		uint8_t b;
| 
| 		if ((r = mring_peek(rbuf, &b, 1, c)) <0) return -1;
| 		c++;
| 		while ( b == b1) {
| 			if ((r = mring_peek(rbuf, &b, 1, c)) <0) return -1;
| 			c++;
| 			if ( (b&m2) == b2 ) {
| 				if ((r = mring_peek(rbuf, buf, l, c-2)) < -1) 
| 					return -2;
| 				return c-2-off;	
| 			}
| 		}
| 	}
| 	return -1;
| }

I'd prefer to move the declaration of r to just before the declaration
of b.  Not important.
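
Added example, not part of the original message or the MythTV source: a flat-buffer sketch of the same sync search that copies only the header length chosen by the stream type (6 for AC3, 4 for MPEG audio) and also checks the caller's array size, with guard bytes showing that a 4-byte array is never overrun. All `demo_` names, the explicit `hdr_cap` parameter and the sample bytes are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { DEMO_AC3, DEMO_MPEG_AUDIO };  /* hypothetical stand-ins for AC3 / MPEG_AUDIO */

/* Find a sync word in data[0..len) and copy its header into hdr.
 * Returns the sync offset, -1 if no complete header is found,
 * -2 if hdr is too small for this stream type. */
static int demo_find_sync(const uint8_t *data, size_t len, int type,
                          uint8_t *hdr, size_t hdr_cap)
{
    uint8_t b1, b2, m2;
    size_t l;                        /* header length, set by the stream type */
    switch (type) {
    case DEMO_AC3:        b1 = 0x0B; b2 = 0x77; m2 = 0xFF; l = 6; break;
    case DEMO_MPEG_AUDIO: b1 = 0xFF; b2 = 0xF8; m2 = 0xF8; l = 4; break;
    default: return -1;
    }
    if (hdr_cap < l)
        return -2;                   /* refuse rather than overrun the caller's array */

    for (size_t i = 0; i + l <= len; i++) {
        if (data[i] == b1 && (data[i + 1] & m2) == b2) {
            memcpy(hdr, data + i, l);  /* exactly l bytes, never a fixed 7 */
            return (int)i;
        }
    }
    return -1;
}

/* Search with a 4-byte header array followed by guard bytes.
 * Stores the search result in *result; returns 1 if the guards survived. */
static int demo_guard_intact(int type, int *result)
{
    static const uint8_t stream[] = {  /* constructed sample, not real audio */
        0x00, 0xFF, 0x12, 0xFF, 0xFB, 0x90, 0x64, 0x0B, 0x77, 1, 2, 3, 4, 5 };
    struct { uint8_t hdr[4]; uint8_t guard[4]; } s;
    memset(&s, 0xA5, sizeof s);
    *result = demo_find_sync(stream, sizeof stream, type, s.hdr, sizeof s.hdr);
    return memcmp(s.guard, "\xA5\xA5\xA5\xA5", sizeof s.guard) == 0;
}

int main(void)
{
    int r, ok = demo_guard_intact(DEMO_MPEG_AUDIO, &r);
    printf("mpeg: sync at %d, guards intact: %d\n", r, ok);
    ok = demo_guard_intact(DEMO_AC3, &r);
    printf("ac3 into 4-byte array: %d, guards intact: %d\n", r, ok);
    return 0;
}
```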

