another TagLib crash in STL due to 0-length string

Michael Pyne michael.pyne at kdemail.net
Tue Jun 5 06:03:26 CEST 2007


On Monday 04 June 2007, you wrote:
> I found a similar error in tfile.cpp method File::removeBlock when deleting
> an APE v2 tag.
>
> There is a loop reading through end-of-file, but it tries to do all its
> stuff the last time through the loop when zero bytes were read. The STL
> error occurs on line 420
>
> 	fwrite(buffer.data(), ...
>
> when buffer is of zero length
> <snip>
> Would Michael or someone else be willing to commit this (or similar)
> change?

Please try this patch:

Index: tfile.cpp
===================================================================
--- tfile.cpp   (revision 671580)
+++ tfile.cpp   (working copy)
@@ -402,12 +402,11 @@

   ByteVector buffer(static_cast<uint>(bufferLength));

-  ulong bytesRead = true;
+  ulong bytesRead = 1;

   while(bytesRead != 0) {
     seek(readPosition);
     bytesRead = fread(buffer.data(), sizeof(char), bufferLength, d->file);
-    buffer.resize(bytesRead);
     readPosition += bytesRead;

     // Check to see if we just read the last block.  We need to call clear()
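
Review bot: with `buffer.resize(bytesRead)` removed, the length argument of the later `fwrite(buffer.data(), ...)` at line 420 (not shown in this hunk) must be `bytesRead` rather than `buffer.size()`, otherwise the final short read writes all `bufferLength` bytes, including stale data left over from the previous chunk; please include that line in the patch or confirm it already passes `bytesRead`. The loop body also still executes once with `bytesRead == 0` after the last `fread`, so the `clear()` path referred to in the trailing comment is now the only thing keeping a zero-length write out of `fwrite`; an explicit `if(bytesRead == 0) break;` directly after the `fread` would make that intent visible and would also cover `fread` returning 0 on a read error rather than at end of file.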

The problem is the buffer.resize() call may resize the buffer to 0, which will 
later crash in the fwrite call when buffer.data() is called.  In this case 
the buffer will never be larger than its initial size and it will be quickly 
deallocated in any case so there is no need to retain the buffer.

If it works I'll commit it when I get home tomorrow if Scott doesn't beat me 
to it.

Regards,
 - Michael Pyne
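The following is an added example, not TagLib's own code and not part of Michael's patch. It shows the same read-and-shift loop written so that neither failure discussed in this thread can occur: the buffer keeps its full size for the whole loop, a zero-byte read ends the loop before anything is written, and fwrite() is passed bytesRead rather than the buffer size, so the final short read does not carry stale bytes from the previous chunk. The names removeBlock, fileContents and demoRemove are hypothetical, the sample content is constructed, and the final truncation uses the POSIX ftruncate() call, which is an assumption about the platform.

```cpp
#include <cstdio>
#include <string>
#include <vector>
#include <unistd.h>   // ftruncate(): POSIX, assumed available

// Remove `length` bytes starting at `start` from the open, writable FILE `f`
// by shifting the tail of the file forward in chunks of `bufferLength` bytes.
// Illustrative code modelled on the loop shape in TagLib's File::removeBlock();
// it is not TagLib's implementation. Returns true on success.
bool removeBlock(FILE *f, unsigned long start, unsigned long length, size_t bufferLength)
{
  std::vector<char> buffer(bufferLength);   // never resized inside the loop
  unsigned long readPosition = start + length;
  unsigned long writePosition = start;

  for(;;) {
    if(fseek(f, static_cast<long>(readPosition), SEEK_SET) != 0) return false;
    size_t bytesRead = fread(buffer.data(), 1, bufferLength, f);
    if(bytesRead == 0) {
      // End of file (or a read error): nothing left to shift. Leaving here,
      // before any write, is what keeps a zero-length write out of fwrite().
      if(ferror(f)) return false;
      break;
    }
    readPosition += bytesRead;

    if(fseek(f, static_cast<long>(writePosition), SEEK_SET) != 0) return false;
    // Write exactly what was read, not buffer.size(): on the final short read
    // the rest of the buffer still holds bytes from the previous chunk.
    if(fwrite(buffer.data(), 1, bytesRead, f) != bytesRead) return false;
    writePosition += bytesRead;
  }

  fflush(f);
  // The tail has been shifted; cut off the now-duplicated bytes at the end.
  return ftruncate(fileno(f), static_cast<off_t>(writePosition)) == 0;
}

// Demonstration helper: read an entire FILE back into a string.
std::string fileContents(FILE *f)
{
  fseek(f, 0, SEEK_END);
  long size = ftell(f);
  std::string out(static_cast<size_t>(size), '\0');
  fseek(f, 0, SEEK_SET);
  size_t n = fread(&out[0], 1, out.size(), f);
  out.resize(n);
  return out;
}

// Demonstration helper: write constructed content to a temporary file, run
// removeBlock() on it and return the resulting bytes ("" on failure).
std::string demoRemove(const std::string &original, unsigned long start,
                       unsigned long length, size_t bufferLength)
{
  FILE *f = tmpfile();
  if(!f) return "";
  fwrite(original.data(), 1, original.size(), f);
  fflush(f);
  if(!removeBlock(f, start, length, bufferLength)) { fclose(f); return ""; }
  std::string result = fileContents(f);
  fclose(f);
  return result;
}

int main()
{
  // Constructed sample: 26 letters. A 4-byte buffer on an 18-byte tail ends in
  // a short read of 2 bytes, the case where the write length matters.
  const std::string sample = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
  printf("middle block removed: %s\n", demoRemove(sample, 4, 4, 4).c_str());
  // Removing a block at the very end (like an APE tag) gives a zero-byte read
  // on the first iteration, so the loop must exit without writing anything.
  printf("trailing block removed: %s\n", demoRemove(sample, 22, 4, 4).c_str());
  return 0;
}
```

Because writePosition is always less than readPosition when length is non-zero, each chunk is written into bytes that have already been read, so the shift never overwrites data that is still needed.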