
FLAC decoder lockup

Reply #1
Thanks, fixed. The FLAC library seems to be unable to return from the FLAC__stream_decoder_process_single() function on invalid data.


Reply #2
There is a general problem with the http_reader. What makes you think http://slashdot.org/?play=test.flac is a FLAC file?

The URL returns content-type: text/html and the first 4 chars are "<!DO". If it was a FLAC file the content-type would be audio/x-flac and the first 4 chars would be "fLaC".

You can't really determine the file type based on the URL.


Reply #3
Testing only the filename (URI) and content-type is easier/quicker than testing file contents for "magic numbers". You would have to open the file (and sometimes at least partially download it from the Internet or network shares) before you can even tell if any plugin can play it...

And it works well in most cases, except for trying to play an mp3 renamed to *.ogg or trying to play an HTML stream from a URL ending with .flac (etc.). In such cases no one can really expect that the player would try to play something (and it does not).


Reply #4
Checking the content-type should be enough - that is why it's there.

I think the correct behaviour (according to HTTP RFC 2616) would be to choose the plug-in from specific content types like: audio/x-flac, audio/mpeg, application/x-ogg, and audio/x-wave.

If the general binary application/octet-stream is returned, the plug-in can be decided from the URL, and text/* should never be played.

 


Reply #5
MIME type is checked first and the extension is used only if no match is found. Being strict and only playing proper MIME types would be nice but unfortunately people usually don't bother configuring servers properly.
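
The selection order discussed in Replies #2, #4 and #5, as an added example that is not part of the thread or of the player's code: text types are refused, the MIME type is matched first, the URL extension is the fallback, and the "fLaC" marker is confirmed before anything is handed to the FLAC decoder. The `select_decoder` function, the `decoder` enum, the extension table and the choice to ignore the query string when reading the extension are assumptions of this sketch.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Hypothetical decoder ids for this example. */
enum decoder { DEC_NONE, DEC_FLAC, DEC_MPEG, DEC_OGG, DEC_WAVE };

/* Content types named in Reply #4; the extensions are assumed. */
static const struct { const char *mime, *ext; enum decoder dec; } table[] = {
    { "audio/x-flac",      ".flac", DEC_FLAC },
    { "audio/mpeg",        ".mp3",  DEC_MPEG },
    { "application/x-ogg", ".ogg",  DEC_OGG  },
    { "audio/x-wave",      ".wav",  DEC_WAVE },
};
#define NTABLE (sizeof table / sizeof table[0])

/* Case-insensitive media type match, ignoring parameters such as "; charset=". */
static int mime_is(const char *ct, const char *mime) {
    size_t n = strlen(mime);
    return strncasecmp(ct, mime, n) == 0 &&
           (ct[n] == '\0' || ct[n] == ';' || ct[n] == ' ');
}

/* Extension of the URL path only: the query string and fragment are cut off. */
static enum decoder by_extension(const char *url) {
    size_t end = strcspn(url, "?#");
    for (size_t i = 0; i < NTABLE; i++) {
        size_t n = strlen(table[i].ext);
        if (end >= n && strncasecmp(url + end - n, table[i].ext, n) == 0)
            return table[i].dec;
    }
    return DEC_NONE;
}

enum decoder select_decoder(const char *content_type, const char *url,
                            const unsigned char *head, size_t head_len) {
    enum decoder dec = DEC_NONE;
    if (content_type && strncasecmp(content_type, "text/", 5) == 0)
        return DEC_NONE;              /* text types are never played */
    for (size_t i = 0; content_type && i < NTABLE; i++)
        if (mime_is(content_type, table[i].mime))
            dec = table[i].dec;       /* MIME type is checked first */
    if (dec == DEC_NONE)
        dec = by_extension(url);      /* fallback: octet-stream or unknown type */
    /* Confirm the stream marker before any data reaches the FLAC decoder. */
    if (dec == DEC_FLAC && (head_len < 4 || memcmp(head, "fLaC", 4) != 0))
        return DEC_NONE;
    return dec;
}
```

The marker check costs only the first four bytes of the response body, which the reader has to fetch anyway before decoding starts.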