another TagLib crash in STL due 0-length string

Michael Pyne michael.pyne at
Tue Jun 5 06:03:26 CEST 2007

On Monday 04 June 2007, you wrote:
> I found a similar error in tfile.cpp method File::removeBlock when deleting
> an APE v2 tag.
> There is a loop reading through end-of-file, but it tries to do all its
> stuff the last time through the loop when zero bytes were read. The STL
> error occurs on line 420
> 	fwrite(, ...
> when buffer is of zero length
> <snip>
> Would Michael or someone else be willing to commit this (or similar)
> change?

Please try this patch:

Index: tfile.cpp
--- tfile.cpp   (revision 671580)
+++ tfile.cpp   (working copy)
@@ -402,12 +402,11 @@

   ByteVector buffer(static_cast<uint>(bufferLength));

-  ulong bytesRead = true;
+  ulong bytesRead = 1;

   while(bytesRead != 0) {
     bytesRead = fread(, sizeof(char), bufferLength, d->file);
-    buffer.resize(bytesRead);
     readPosition += bytesRead;

     // Check to see if we just read the last block.  We need to call clear()

The problem is the buffer.resize() call may resize the buffer to 0, which will 
later crash in the fwrite call when is called.  In this case 
the buffer will never be larger than its initial size and it will be quickly 
deallocated in any case so there is no need to retain the buffer.

If it works I'll commit it when I get home tomorrow if Scott doesn't beat me 
to it.

 - Michael Pyne
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part.
Url : 

More information about the taglib-devel mailing list