
Topic: OggDropXPd (1.9.0) crashes due to heap corruption

  • nu774
  • Developer
OggDropXPd (1.9.0) crashes due to heap corruption
In encthread.c at around line 1482:
Code:
        if (out_fn)
            free(out_fn);
        if (enc_opts.filename)
            free(enc_opts.filename);

enc_opts.filename points to the same address as out_fn (see line 1246), hence the double free.
However, it's worse than that. out_fn (and enc_opts.filename) actually points to the stack array strFileName[] (see line 1219). So it tries to free the same stack address twice, which leads this encoding thread to a crash.
I was somewhat surprised to see that this file has not been touched since 2008, and no one has ever complained about this bug.
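
The aliasing the post describes, next to a cleanup pattern that avoids it, as an added example that is not from the OggDropXPd source; the struct and function names and the ownership scheme are assumptions:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed stand-in for the encoder options struct (hypothetical name). */
typedef struct {
    char *filename;   /* owned heap copy, or NULL */
} enc_opts_t;

/* The post's pattern: out_fn and opts->filename alias one stack array and
 * cleanup frees both. Never called: free() on a stack address is undefined. */
void buggy_cleanup(char *out_fn, enc_opts_t *opts) {
    if (out_fn) free(out_fn);
    if (opts->filename) free(opts->filename);
}

/* Portable strdup (strdup is POSIX, not ISO C). */
static char *dup_string(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

/* Fixed ownership: the struct holds its own heap copy of the name. */
static int enc_opts_set_filename(enc_opts_t *opts, const char *name) {
    char *copy = dup_string(name);
    if (!copy) return -1;
    free(opts->filename);       /* free(NULL) is a no-op when unset */
    opts->filename = copy;
    return 0;
}

/* Release leaves the pointer NULL, so a repeated release frees nothing. */
static void enc_opts_release(enc_opts_t *opts) {
    free(opts->filename);
    opts->filename = NULL;
}

/* Models the encoder thread: name built in a stack array, options given an
 * owned copy, cleanup run twice to show it is idempotent. Returns 1 if ok. */
int encode_one(const char *in_name) {
    char strFileName[260];
    enc_opts_t opts = { NULL };
    snprintf(strFileName, sizeof strFileName, "%s.ogg", in_name);
    if (enc_opts_set_filename(&opts, strFileName) != 0) return 0;
    int ok = strcmp(opts.filename, strFileName) == 0 && opts.filename != strFileName;
    enc_opts_release(&opts);
    enc_opts_release(&opts);    /* second cleanup path: safe */
    return ok && opts.filename == NULL;
}
```

The key difference is that only one owner ever frees the name, and the pointer is cleared after the free so a second cleanup path cannot free it again.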

  • john33
  • Developer
OggDropXPd (1.9.0) crashes due to heap corruption
Reply #1
Thanks for the interest. I'll look into this when I return home later.
John
----------------------------------------------------------------
My compiles and utilities are at http://www.rarewares.org/