OggDropXPd (1.9.0) crashes due to heap corruption
Jan 27 2013, 05:28
Post #1
Group: Developer | Posts: 295 | Joined: 22-November 10 | From: Japan | Member No.: 85902
In encthread.c at around line 1482:

CODE
    if (out_fn) free(out_fn);
    if (enc_opts.filename) free(enc_opts.filename);

enc_opts.filename points to the same address as out_fn (see line 1246), hence the double free. However, it's worse than that. out_fn (and enc_opts.filename) actually points to the stack array strFileName[] (see line 1219). So it tries to free the same stack address twice, which leads this encoding thread to a crash. I was somewhat surprised to see that this file has not been touched since 2008, and no one ever complained about this bug.
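As an added example (not code from OggDropXPd or from the poster), here is a small C model of the ownership problem described in the post: the reported free pattern beside a cleanup that tracks who owns the name and clears both pointers. The names enc_opts, out_fn and strFileName follow the report; the struct layout and the owns_filename flag are assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Added model of the report above. Names follow the post; the struct layout
 * and the owns_filename flag are assumptions, not OggDropXPd's real code. */
typedef struct {
    char *filename;      /* output name; may alias a caller's stack buffer */
    int   owns_filename; /* 1 only when filename came from malloc() */
} enc_opts_t;
static int g_free_calls; /* counts releases so a test can check them */
static void counted_free(void *p) { g_free_calls++; free(p); }

/* The reported pattern: out_fn and enc_opts.filename hold the same address and
 * both are freed; if that address is strFileName[], even the first free() is
 * undefined behaviour. Shown for comparison, never called here. */
void cleanup_buggy(char *out_fn, enc_opts_t *o) {
    if (out_fn) counted_free(out_fn);
    if (o->filename) counted_free(o->filename); /* same pointer: double free */
}

/* Hardened cleanup: one owner decides, and both pointers are cleared after
 * release, so repeated cleanup cannot free the same block twice. */
void cleanup_fixed(char **out_fn, enc_opts_t *o) {
    if (o->owns_filename && o->filename) {
        counted_free(o->filename);
        o->owns_filename = 0;
    }
    o->filename = NULL; /* drop the alias whether it was heap or stack */
    *out_fn = NULL;
}

/* Filename aliases a stack array, as in the report: expect zero frees. */
int frees_for_stack_name(void) {
    char strFileName[260] = "out.ogg"; /* stands in for the real stack array */
    enc_opts_t o = { strFileName, 0 };
    char *out_fn = strFileName;
    g_free_calls = 0;
    cleanup_fixed(&out_fn, &o);
    cleanup_fixed(&out_fn, &o); /* second call is a harmless no-op */
    return g_free_calls;
}

/* Heap-owned filename: exactly one free even when cleanup runs twice. */
int frees_for_heap_name(void) {
    char *heap = malloc(8); memcpy(heap, "out.ogg", 8);
    enc_opts_t o = { heap, 1 };
    char *out_fn = heap;
    g_free_calls = 0;
    cleanup_fixed(&out_fn, &o);
    cleanup_fixed(&out_fn, &o);
    return g_free_calls;
}
```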
Jan 27 2013, 10:19
Post #2
xcLame and OggDropXPd Developer
Group: Developer | Posts: 3708 | Joined: 30-September 01 | From: Bracknell, UK | Member No.: 111
> In encthread.c at around line 1482:
>
> CODE
>     if (out_fn) free(out_fn);
>     if (enc_opts.filename) free(enc_opts.filename);
>
> enc_opts.filename points to the same address as out_fn (see line 1246), hence the double free. However, it's worse than that. out_fn (and enc_opts.filename) actually points to the stack array strFileName[] (see line 1219). So it tries to free the same stack address twice, which leads this encoding thread to a crash. I was somewhat surprised to see that this file has not been touched since 2008, and no one ever complained about this bug.

Thanks for the interest. I'll look into this when I return home later.

--------------------
John
My compiles and utilities are at http://www.rarewares.org/