Dear maintainer:

As the new version didn't fix this bug, I looked at the code and found the problem (at least for me, but I really don't know how this error has stayed hidden until now. Maybe the old libusb masked the error in the code?).

The problem is in protocol.c

In the code:

--
case Tag_Appl_Prot_Id:
memset(datatypes,0,size * sizeof(uint16));
for ( j = i+1; p.packet.data[3*j] == Tag_Data_Type_Id; j++ ) {
datatypes[j-i-1] = get_uint16(p.packet.data + 3*j + 1);
}
--


The exit condition of the FOR loop throws the segmentation fault because it didn't check the limit of j.


I fixed it by checking the counter 'j' first and bounding it to the limit of the data.


--
case Tag_Appl_Prot_Id:
memset(datatypes,0,size * sizeof(uint16));
for ( j = i+1; (j<=size) && (p.packet.data[3*j] == Tag_Data_Type_Id); j++ ) {
datatypes[j-i-1] = get_uint16(p.packet.data + 3*j + 1);
}
--


I attach the patch file that fixes this bug.

This is the first time I send a patch, so maybe it isn't correct. If you need more information or anything else, feel free to ask.


Thanks.
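The bounded loop the report describes, written out as a stand-alone C example added here (this is not the project's code). It parses the 3-byte records the report shows (one tag byte followed by a uint16) and stops at the record count instead of trusting that a non-matching tag byte terminates the run, so a packet that ends in the middle of a run of Tag_Data_Type_Id records can no longer drive the loop past the buffer. It uses `j < size` so that the record at index `size` is never read. The tag values, the little-endian read standing in for get_uint16, and both packets are constructed assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Tag values are assumed for this example; the real ones are defined in
 * the project's headers. */
#define TAG_APPL_PROT_ID   'A'
#define TAG_DATA_TYPE_ID   'D'
#define MAX_TYPES 16

/* Little-endian uint16 read, assumed to match get_uint16 on the page. */
static uint16_t rd_uint16(const uint8_t *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Collect the Tag_Data_Type_Id records that follow record i of a packet
 * made of 3-byte records. `size` is the number of complete records in
 * `data`. The loop is bounded by the record count (j < size) and by the
 * output capacity, so it never reads a record at index >= size and never
 * writes more than `cap` entries. Returns the number of types stored. */
size_t collect_datatypes(const uint8_t *data, size_t size, size_t i,
                         uint16_t *types, size_t cap) {
    size_t n = 0;
    memset(types, 0, cap * sizeof *types);
    for (size_t j = i + 1; j < size && data[3*j] == TAG_DATA_TYPE_ID; j++) {
        if (n == cap) break;            /* output buffer full */
        types[n++] = rd_uint16(data + 3*j + 1);
    }
    return n;
}

/* Constructed sample packet: an application-protocol record, three
 * data-type records, then a record with an unrelated tag. */
const uint8_t SAMPLE_PACKET[] = {
    TAG_APPL_PROT_ID, 0x01, 0x00,
    TAG_DATA_TYPE_ID, 0x11, 0x00,
    TAG_DATA_TYPE_ID, 0x22, 0x00,
    TAG_DATA_TYPE_ID, 0x33, 0x00,
    'X', 0x00, 0x00,
};
#define SAMPLE_RECORDS (sizeof SAMPLE_PACKET / 3)

/* Constructed packet that ends inside a run of data-type records: the
 * unbounded loop from the bug report would read past this buffer. */
const uint8_t TRUNCATED_PACKET[] = {
    TAG_APPL_PROT_ID, 0x02, 0x00,
    TAG_DATA_TYPE_ID, 0x44, 0x00,
    TAG_DATA_TYPE_ID, 0x55, 0x00,
};
#define TRUNCATED_RECORDS (sizeof TRUNCATED_PACKET / 3)

/* Small wrappers so results can be checked without managing buffers. */
static uint16_t g_types[MAX_TYPES];
size_t demo_collect(const uint8_t *data, size_t records) {
    return collect_datatypes(data, records, 0, g_types, MAX_TYPES);
}
uint16_t demo_type(size_t k) { return k < MAX_TYPES ? g_types[k] : 0; }

int main(void) {
    size_t n = demo_collect(SAMPLE_PACKET, SAMPLE_RECORDS);
    printf("sample: %zu data types\n", n);
    for (size_t k = 0; k < n; k++) printf("  type[%zu] = 0x%04x\n", k, demo_type(k));
    n = demo_collect(TRUNCATED_PACKET, TRUNCATED_RECORDS);
    printf("truncated: %zu data types (loop stopped at record count)\n", n);
    return 0;
}
```

The record count, not a sentinel tag byte, is what protects the read; the capacity check on the output buffer is the matching guard for the write into `datatypes`.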
commit da9c57e496f5b88d875329e57fb7d47b3b5e84a9
Author: Fenix <fenix@calisto>
Date:   Wed Apr 6 00:25:15 2016 +0200

    Fix #816314 error Segmentation Fault

diff --git a/src/protocol.c b/src/protocol.c
index 37f66b4..a0c0b36 100644
--- a/src/protocol.c
+++ b/src/protocol.c
@@ -583,7 +583,7 @@ garmin_read_a000_a001 ( garmin_unit * garmin )
 	  break;
 	case Tag_Appl_Prot_Id:
 	  memset(datatypes,0,size * sizeof(uint16));
-	  for ( j = i+1; p.packet.data[3*j] == Tag_Data_Type_Id; j++ ) {
+	  for ( j = i+1; (j<=size) && (p.packet.data[3*j] == Tag_Data_Type_Id); j++ ) {
 	    datatypes[j-i-1] = get_uint16(p.packet.data + 3*j + 1);
 	  }
 	  garmin_assign_protocol(garmin,data,datatypes);
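Review bot: the new bound `(j<=size)` on the changed line still admits `j == size`, so `p.packet.data[3*j]` is evaluated one record beyond the `size` entries that `datatypes` (allocated as `size * sizeof(uint16)` two lines above) is sized for; if `size` is the number of 3-byte records in the packet, the tag byte at offset `3*size` lies past the last record and the condition should be `(j < size)`. That bound also keeps the index `j-i-1` written into `datatypes` below `size`.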
