FS#12245 - Memory corruption in libfaad

Attached to Project: Rockbox
Opened by Thomas Jarosch (thomasjfox) - Thursday, 25 August 2011, 20:31 GMT
Last edited by Andree Buschmann (Buschel) - Friday, 26 August 2011, 12:38 GMT
Task Type Bugs
Category Codecs
Status Closed
Assigned To No-one
Operating System All players
Severity High
Priority Normal
Reported Version Release 3.9
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No



libfaad currently has a memory corruption issue here:
[apps/codecs/libfaad/syntax.c:2206]: (error) Buffer access out-of-bounds: drc.exclude_mask

To save some RAM, the define MAX_CHANNELS was turned down
from 64 to 2. The code has some minimum assumptions about the size
of exclude_mask and additional_excluded_chns.

Dunno what the correct fix is; for now I would turn MAX_CHANNELS back to 64
to prevent a crash.

Closed by Andree Buschmann (Buschel)
Friday, 26 August 2011, 12:38 GMT
Reason for closing: Fixed
Additional comments about closing: Fix submitted with r30356.
Comment by Andree Buschmann (Buschel) - Thursday, 25 August 2011, 21:44 GMT
Do you experience this crash, or is this the result of a static code analysis? I am not sure whether the problematic code section in the DRC handling is called if the file has more than MAX_CHANNELS channels. If you have any file that results in such a crash, please provide it for further detailed analysis.

Edit: A simple workaround would be to allow the related arrays to have a size of 64 -- like the attached patch does. We should not roll back the MAX_CHANNELS change, as it allows moving data arrays into IRAM and speeds up the decoder a lot.
Comment by Thomas Jarosch (thomasjfox) - Friday, 26 August 2011, 05:38 GMT
Result of static code analysis. Your fix looks sane; I didn't come up with that yesterday (and wouldn't even today ;))
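The pattern behind the cppcheck finding, as an added example written for this page (it is not libfaad's code and not the r30356 fix): a constructed parser modelled on the AAC excluded_channels() syntax, which reads exclusion flags in groups of 7, each group followed by a continuation bit, so the number of entries written to exclude_mask and additional_excluded_chns is decided by the stream rather than by the decoder's channel limit. Driving it with the array sizes from the report shows why MAX_CHANNELS = 2 cannot work even for a minimal stream (the first group alone needs 7 entries) and why sizing those two arrays to 64, as the attached patch does, covers up to nine groups. The bound check that rejects a stream addressing more entries than the arrays hold is my addition, not something the report discusses; the bit reader, make_excl_stream(), decode_with_max_channels() and the sample stream (every third channel excluded, chosen arbitrarily) are likewise constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed example, not libfaad's code: a minimal MSB-first bit reader. */
typedef struct {
    const uint8_t *buf;
    size_t nbytes;
    size_t bitpos;
} bitreader_t;

static unsigned get1bit(bitreader_t *br)
{
    if (br->bitpos >= br->nbytes * 8)
        return 0;                       /* past the end: read as zero */
    unsigned bit = (br->buf[br->bitpos >> 3] >> (7 - (br->bitpos & 7))) & 1;
    br->bitpos++;
    return bit;
}

/* Modelled on the AAC excluded_channels() syntax used by DRC: groups of 7
 * exclusion flags, each group followed by one "another group follows" bit.
 * The stream decides how many groups there are, so the arrays receiving the
 * flags must be sized for the longest run the parser is willing to accept. */
#define EXCL_GROUP 7

/* Hardened form (the two `if` checks are the point).  Stores the flags in
 * exclude_mask[mask_cap] and the continuation bits in add_excl[add_cap].
 * Returns the number of channel flags stored, or -1 if the stream addresses
 * more entries than either array holds.  Dropping the checks gives the shape
 * cppcheck flagged: with mask_cap == 2 the first group already writes
 * exclude_mask[2..6], because nothing but the continuation bit bounds the loop. */
static int parse_excluded_channels(bitreader_t *br,
                                   uint8_t *exclude_mask, size_t mask_cap,
                                   uint8_t *add_excl, size_t add_cap)
{
    size_t num_excl = 0;     /* flags stored so far */
    size_t n = 0;            /* groups read so far */

    do {
        if (num_excl + EXCL_GROUP > mask_cap || n + 1 > add_cap)
            return -1;       /* would overflow: reject the stream */
        for (size_t i = 0; i < EXCL_GROUP; i++)
            exclude_mask[num_excl + i] = (uint8_t)get1bit(br);
        num_excl += EXCL_GROUP;
        add_excl[n] = (uint8_t)get1bit(br);
        n++;
    } while (add_excl[n - 1] == 1);

    return (int)num_excl;
}

/* Constructed sample stream: `groups` groups (8 bits each), excluding every
 * third channel, with only the last continuation bit cleared. */
static size_t make_excl_stream(uint8_t *out, size_t out_cap, unsigned groups)
{
    size_t bit = 0, chan = 0;
    if (groups > out_cap)
        groups = (unsigned)out_cap;     /* one byte per group */
    memset(out, 0, out_cap);
    for (unsigned g = 0; g < groups; g++) {
        for (unsigned i = 0; i < EXCL_GROUP; i++, bit++, chan++)
            if (chan % 3 == 0)
                out[bit >> 3] |= (uint8_t)(0x80u >> (bit & 7));   /* flag = 1 */
        if (g + 1 < groups)
            out[bit >> 3] |= (uint8_t)(0x80u >> (bit & 7));       /* more follow */
        bit++;
    }
    return (bit + 7) / 8;
}

typedef struct {
    int stored;   /* channel flags parsed, or -1 if the stream was rejected */
    int set;      /* how many of the parsed flags were 1 */
} excl_result_t;

/* Runs the parser with the array sizes from the report: max_channels = 2
 * (the reduced MAX_CHANNELS) versus 64 (what the patch sizes these arrays to).
 * The local buffers model the 64-entry arrays of the fixed decoder. */
static excl_result_t decode_with_max_channels(unsigned groups, size_t max_channels)
{
    uint8_t stream[16];
    uint8_t exclude_mask[64] = {0};
    uint8_t add_excl[64 / EXCL_GROUP + 1] = {0};
    excl_result_t r = { -1, 0 };
    size_t nbytes = make_excl_stream(stream, sizeof stream, groups);
    bitreader_t br = { stream, nbytes, 0 };

    if (max_channels > sizeof exclude_mask)
        return r;
    r.stored = parse_excluded_channels(&br, exclude_mask, max_channels,
                                       add_excl, max_channels / EXCL_GROUP + 1);
    for (int i = 0; i < r.stored; i++)
        r.set += exclude_mask[i];
    return r;
}
```

With max_channels = 2 even a one-group stream is rejected, which is the same arithmetic that makes the unchecked loop overflow a 2-entry exclude_mask. With 64 entries a nine-group stream (63 flags) fits, and a ten-group stream is the case the report does not talk about: it still addresses more entries than the arrays hold, so sizing alone is not a substitute for the bound check.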