[annodex-dev] segfault in oggz_auto.c
Ian Malone
ibmalone at gmail.com
Wed Oct 3 14:48:52 PDT 2007
Hi,
I can persuade svn liboggz to segfault with the following program:
/* Begin */
#include <stdio.h>
#include <oggz/oggz.h>

/* Packet callback: does nothing, we only need oggz_run() to drive the reader */
int pktcb (OGGZ *oggz, ogg_packet *op, long serialno, void *user_data) {
    return 0;
}

int main (int argc, char **argv) {
    OGGZ *m_oggz;

    if (argc < 2) {
        fprintf(stdout, "trial_1 input.ogg\n");
        return 0;
    }

    /* [1] */
    m_oggz = oggz_open (argv[1], OGGZ_READ);
    if (!m_oggz) {
        fprintf(stdout, "failed to open %s as Ogg stream\n", argv[1]);
        return 0;
    }

    oggz_set_read_callback (m_oggz, -1, pktcb, 0);
    oggz_run(m_oggz); /* Segfault */
    oggz_close(m_oggz);
    return 0;
}
/* End */
What happens is that when auto_rcalc_vorbis gets called
it tries to dereference stream->calculate_data (introduced
by rev 3216). As I haven't given OGGZ_AUTO at [1],
calculate_data is NULL. Hilarity ensues.
I don't really know the code flow in oggz_auto, so I'm not
certain what the fix should be. Possibly a check in
oggz_auto_calculate_gp_backwards for the OGGZ_AUTO flag,
but I'm not entirely sure how important this is for oggz_read:
ultimately it's used for oggz_read_update_gp, so maybe
the auto_calc function should have been used anyway.
Similarly auto_rcalc_vorbis should probably check for
the 0 pointer, but I didn't want to change it in case
silent failure here causes problems somewhere else.
The Theora functions don't have this problem; its rcalc is
called but doesn't dereference any pointers beyond 'stream'.
The final possibility is OGGZ_AUTO is required now, but
I didn't think it was.
--
imalone
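To make the failure mode concrete, here is an added, self-contained model of the pattern described above (a reader-side recalculation routine dereferencing per-stream state that is only allocated when automatic calculation was requested). It is constructed for illustration and is not liboggz code: the struct names, fields and the arithmetic are assumptions standing in for stream->calculate_data and the granulepos recalculation; the point is the guard that returns an error instead of dereferencing a null pointer, and the caller that propagates it rather than failing silently.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed per-codec state, standing in for the data behind
 * stream->calculate_data; only allocated when auto-calculation is enabled. */
typedef struct {
    long blocksize;        /* hypothetical: samples contributed per packet */
} model_calc_data;

/* Constructed per-logical-stream record, standing in for liboggz's stream struct. */
typedef struct {
    model_calc_data *calculate_data;  /* NULL when the AUTO flag was not given */
    long granulepos;                  /* last known granulepos for this stream */
} model_stream;

/* Unguarded variant: mirrors the reported crash. Dereferences calculate_data
 * unconditionally, so a stream opened without auto-calculation segfaults here. */
long rcalc_unguarded(model_stream *s, long current_gp) {
    model_calc_data *cd = s->calculate_data;
    return current_gp - cd->blocksize;   /* NULL dereference when cd == NULL */
}

/* Guarded variant: refuse to recalculate when the state was never set up.
 * Returns -1 (an invalid granulepos) so the caller can tell "not computed"
 * apart from a real result instead of getting a crash or a silently wrong value. */
long rcalc_guarded(const model_stream *s, long current_gp) {
    if (s == NULL || s->calculate_data == NULL)
        return -1;
    return current_gp - s->calculate_data->blocksize;
}

/* Caller modelled on a read-side "update granulepos" step: only stores the
 * recalculated value when the routine actually produced one, and reports
 * 0 on success or -1 when recalculation was unavailable for this stream. */
int update_gp(model_stream *s, long current_gp) {
    long prev = rcalc_guarded(s, current_gp);
    if (prev < 0) {
        fprintf(stderr, "granulepos recalculation unavailable (no auto state)\n");
        return -1;
    }
    s->granulepos = prev;
    return 0;
}

int main(void) {
    model_calc_data cd = { .blocksize = 1024 };
    model_stream with_auto    = { .calculate_data = &cd,  .granulepos = 0 };
    model_stream without_auto = { .calculate_data = NULL, .granulepos = 0 };

    /* Stream with auto state: recalculation succeeds. */
    printf("with auto: rc=%d gp=%ld\n", update_gp(&with_auto, 4096), with_auto.granulepos);
    /* Stream without auto state: guarded path reports failure instead of crashing. */
    printf("without auto: rc=%d gp=%ld\n", update_gp(&without_auto, 4096), without_auto.granulepos);
    return 0;
}
```

The unguarded function is kept only to show the shape of the bug; the guarded one is the defensive form, and returning an explicit error (rather than, say, 0) is what avoids the "silent failure" concern raised in the message.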