another TagLib crash in STL due 0-length string

David Lasker dave at
Wed Jun 6 05:41:28 CEST 2007

Hi Michael

Sorry for the delayed reply; I was traveling today.

Your version of the fix works fine. Please commit it to the repository.

Thanks for the help!


-----Original Message-----
From: Michael Pyne [mailto:michael.pyne at] 
Sent: Monday, June 04, 2007 9:03 PM
To: David Lasker; taglib-devel at
Subject: Re: another TagLib crash in STL due 0-length string

On Monday 04 June 2007, you wrote:
> I found a similar error in tfile.cpp method File::removeBlock when
> an APE v2 tag.
> There is a loop reading through end-of-file, but it tries to do all its
> stuff the last time through the loop when zero bytes were read. The STL
> error occurs on line 420
> 	fwrite(, ...
> when buffer is of zero length
> <snip>
> Would Michael or someone else be willing to commit this (or similar)
> change?

Please try this patch:

Index: tfile.cpp
--- tfile.cpp   (revision 671580)
+++ tfile.cpp   (working copy)
@@ -402,12 +402,11 @@

   ByteVector buffer(static_cast<uint>(bufferLength));

-  ulong bytesRead = true;
+  ulong bytesRead = 1;

   while(bytesRead != 0) {
     bytesRead = fread(, sizeof(char), bufferLength, d->file);
-    buffer.resize(bytesRead);
     readPosition += bytesRead;

     // Check to see if we just read the last block.  We need to call
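Review bot: with `buffer.resize(bytesRead)` removed, the buffer keeps its full `bufferLength` even on the short final read, so the write that follows in this function must pass `bytesRead` (not the buffer's size) as its count, or stale bytes left over from the previous block get written back; that write is outside the hunk, so please confirm it. The `while(bytesRead != 0)` condition is only re-tested after the body, so the iteration in which `fread` returns 0 at end-of-file still runs the rest of the body with `bytesRead == 0`, which is the case David reported; dropping the resize keeps the buffer pointer valid there, but the code after the `fread` should still skip the write when nothing was read. The `ulong bytesRead = true;` to `1` change is a welcome type cleanup.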

The problem is the buffer.resize() call may resize the buffer to 0, which
later crashes in the fwrite call when is called.  In this case the buffer
will never be larger than its initial size and it will be quickly
deallocated in any case so there is no need to retain the buffer.

If it works I'll commit it when I get home tomorrow if Scott doesn't beat me
to it.

 - Michael Pyne
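The loop Michael describes, written out as an added example that is not TagLib's code: a chunked block-removal routine over a stdio stream that reads ahead of the hole and writes behind it, keeps the buffer at its full capacity, and never reaches fwrite() on the final zero-byte read. The function names (removeBlock, readPrefix, demo) and the sample file contents are constructed for this example.

```cpp
// Added example, not TagLib code: a chunked "remove block" loop in the shape
// discussed in the thread, with the zero-byte last read guarded so that an
// empty buffer is never handed to fwrite().
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>

// Remove `length` bytes starting at `start` from stream `f` by shifting
// everything after the block backwards, `bufferLength` bytes at a time.
// Returns the new logical length of the file, or -1 on an I/O error.
long removeBlock(std::FILE *f, long start, unsigned long length,
                 std::size_t bufferLength = 1024)
{
    std::vector<char> buffer(bufferLength);  // capacity never changes
    long readPosition  = start + static_cast<long>(length);
    long writePosition = start;

    for(;;) {
        if(std::fseek(f, readPosition, SEEK_SET) != 0)
            return -1;
        std::size_t bytesRead = std::fread(buffer.data(), 1, buffer.size(), f);

        // Last block already handled: stop here instead of running the rest
        // of the body with a zero-length read, which is the crash in the thread.
        if(bytesRead == 0)
            break;

        if(std::fseek(f, writePosition, SEEK_SET) != 0)
            return -1;
        // Write only the bytes that were actually read, not buffer.size().
        if(std::fwrite(buffer.data(), 1, bytesRead, f) != bytesRead)
            return -1;

        readPosition  += static_cast<long>(bytesRead);
        writePosition += static_cast<long>(bytesRead);
    }

    // Truncating the stale tail needs a platform call (ftruncate etc.), so
    // this example reports the logical length and leaves that to the caller.
    std::fflush(f);
    return writePosition;
}

// Read the first `n` bytes of the stream as a string (helper for checking).
std::string readPrefix(std::FILE *f, long n)
{
    if(n <= 0 || std::fseek(f, 0, SEEK_SET) != 0)
        return "";
    std::string out(static_cast<std::size_t>(n), '\0');
    std::size_t got = std::fread(&out[0], 1, out.size(), f);
    out.resize(got);
    return out;
}

// Constructed sample: a 14-byte tag block sandwiched between two regions.
// Removing it with any chunk size must leave "HEADERTRAILER".
std::string demo(std::size_t bufferLength)
{
    std::FILE *f = std::tmpfile();
    if(!f)
        return "";
    const char sample[] = "HEADER[APETAGAPETAG]TRAILER";
    std::fwrite(sample, 1, sizeof(sample) - 1, f);

    long newLength = removeBlock(f, 6, 14, bufferLength);
    std::string result = newLength < 0 ? "" : readPrefix(f, newLength);
    std::fclose(f);
    return result;
}

int main()
{
    // A 4-byte buffer forces a full read, a short read, then the 0-byte read.
    std::printf("%s\n", demo(4).c_str());
    return 0;
}
```

Using a deliberately small buffer in demo() exercises all three read outcomes (full block, short final block, zero bytes at EOF); the short final block is also why the write must use bytesRead rather than the buffer's size.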
