another TagLib crash in STL due 0-length string

David Lasker dave at altosdesign.com
Wed Jun 6 05:41:28 CEST 2007


Hi Michael

Sorry for the delayed reply; I was traveling today.

Your version of the fix works fine. Please commit it to the repository.

Thanks for the help!

Dave

-----Original Message-----
From: Michael Pyne [mailto:michael.pyne at kdemail.net] 
Sent: Monday, June 04, 2007 9:03 PM
To: David Lasker; taglib-devel at kde.org
Subject: Re: another TagLib crash in STL due 0-length string

On Monday 04 June 2007, you wrote:
> I found a similar error in tfile.cpp method File::removeBlock when deleting
> an APE v2 tag.
>
> There is a loop reading through end-of-file, but it tries to do all its
> stuff the last time through the loop when zero bytes were read. The STL
> error occurs on line 420
>
> 	fwrite(buffer.data(), ...
>
> when buffer is of zero length
> <snip>
> Would Michael or someone else be willing to commit this (or similar)
> change?

Please try this patch:

Index: tfile.cpp
===================================================================
--- tfile.cpp   (revision 671580)
+++ tfile.cpp   (working copy)
@@ -402,12 +402,11 @@

   ByteVector buffer(static_cast<uint>(bufferLength));

-  ulong bytesRead = true;
+  ulong bytesRead = 1;

   while(bytesRead != 0) {
     seek(readPosition);
     bytesRead = fread(buffer.data(), sizeof(char), bufferLength, d->file);
-    buffer.resize(bytesRead);
     readPosition += bytesRead;

     // Check to see if we just read the last block.  We need to call
clear()
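
Review bot: with `buffer.resize(bytesRead)` removed, the bytes of `buffer` beyond `bytesRead` hold stale data from the previous block on the final short read, so the `fwrite(buffer.data(), ...` call later in this function (line 420 in the thread) must pass `bytesRead` as its element count rather than `buffer.size()`; the hunk's context stops before that call, so confirm it before committing. Also, the `// Check to see if we just read the last block.  We need to call clear()` context line has been wrapped onto two lines by the mail client, so the patch as pasted in this message will not apply cleanly with `patch` without rejoining it.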

The problem is the buffer.resize() call may resize the buffer to 0, which will
later crash in the fwrite call when buffer.data() is called.  In this case
the buffer will never be larger than its initial size and it will be quickly
deallocated in any case so there is no need to retain the buffer.

If it works I'll commit it when I get home tomorrow if Scott doesn't beat me
to it.

Regards,
 - Michael Pyne
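
The following is an added example, not TagLib's code or the patch from this thread. It models the File::removeBlock() copy-down loop discussed above in isolation: a std::string stands in for the file, std::vector<char> for ByteVector, and the hypothetical fakeRead()/fakeWrite() helpers stand in for fread()/fwrite(). The shrinkBuffer flag keeps or drops the buffer.resize(bytesRead) line so you can see that the final iteration (zero bytes read) leaves the old pattern holding a zero-length buffer at the write call, while the patched pattern keeps the buffer at its initial size and lets bytesRead alone decide how much is written.

```cpp
// Added example (not TagLib's code): in-memory model of the removeBlock()
// read/write loop. fakeRead/fakeWrite are stand-ins for fread/fwrite.
#include <algorithm>
#include <cstddef>
#include <cstring>
#include <iostream>
#include <string>
#include <vector>

// Stand-in for fread(): copy up to `count` bytes from `file` at `pos` into `dst`.
static std::size_t fakeRead(const std::string &file, std::size_t pos,
                            char *dst, std::size_t count) {
  if(pos >= file.size()) return 0;
  std::size_t n = std::min(count, file.size() - pos);
  std::memcpy(dst, file.data() + pos, n);
  return n;
}

// Stand-in for fwrite() at an absolute position (overwrites in place).
// A zero-length write is skipped so the "old pattern" run below stays defined
// even when buffer.data() points at an empty vector.
static void fakeWrite(std::string &file, std::size_t pos,
                      const char *src, std::size_t count) {
  if(count == 0) return;
  if(pos + count > file.size()) file.resize(pos + count);
  std::memcpy(&file[pos], src, count);
}

struct RemoveResult {
  std::string content;        // file content after the loop and the final truncation
  std::size_t minBufferSize;  // smallest buffer.size() handed to the write call
};

// Remove `length` bytes at `start` by copying the tail down in blocks of
// bufferLength. shrinkBuffer=true reproduces the buffer.resize(bytesRead)
// line the patch deletes; false is the patched loop.
RemoveResult removeBlock(std::string file, std::size_t start, std::size_t length,
                         std::size_t bufferLength, bool shrinkBuffer) {
  std::size_t readPosition = start + length;
  std::size_t writePosition = start;
  std::vector<char> buffer(bufferLength);
  RemoveResult result;
  result.minBufferSize = buffer.size();

  std::size_t bytesRead = 1;  // non-zero so the loop runs at least once (the patch's "= 1")
  while(bytesRead != 0) {
    bytesRead = fakeRead(file, readPosition, buffer.data(), bufferLength);
    if(shrinkBuffer)
      buffer.resize(bytesRead);  // old pattern: becomes 0 on the last pass
    readPosition += bytesRead;

    result.minBufferSize = std::min(result.minBufferSize, buffer.size());
    // Write exactly bytesRead bytes: the read pointer is always `length` bytes
    // ahead of the write pointer, so this never overwrites unread data.
    fakeWrite(file, writePosition, buffer.data(), bytesRead);
    writePosition += bytesRead;
  }
  // Stand-in for clear()/truncate: drop everything past the last byte written.
  file.resize(writePosition);
  result.content = file;
  return result;
}

int main() {
  // Constructed input: a 6-byte header, an 8-byte tag to remove, a 7-byte trailer.
  const std::string file = "HEADER[APETAG]TRAILER";
  RemoveResult oldPattern = removeBlock(file, 6, 8, 4, true);
  RemoveResult patched = removeBlock(file, 6, 8, 4, false);
  std::cout << "old pattern: min buffer size " << oldPattern.minBufferSize
            << ", result " << oldPattern.content << "\n";
  std::cout << "patched:     min buffer size " << patched.minBufferSize
            << ", result " << patched.content << "\n";
  return 0;
}
```

Run as is to see the old pattern report a zero-length buffer at the write call on its final pass, which is the condition the thread describes crashing inside ByteVector::data(); the patched run never drops below the initial buffer size and produces the same content, because bytesRead, not buffer.size(), governs the write.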


