Hi everybody!
I finally found the bug that made dvbcut allocate enormous amounts of
memory, and sometimes even segfault. In mpaframe(), the `layer' variable
is calculated as follows:
int layer=4-((d[pos+1]>>1)&0x03);
That is, its value will be in the range [1;4]. But later, it's used as a
subscript to a 4-element array:
int skipbytes=(mpegaudio_bitrate[layer][bitratecode]*125) ...
which will return "random" data if layer == 4. Which, unfortunately,
happens when the stream contains a broken audio frame header with a
layer field of 0 (reserved).
Fix attached.
--
Michael "Tired" Riepe <[EMAIL PROTECTED]>
X-Tired: Each morning I get up I die a little
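The out-of-range subscript described in the message above, shown next to a bounds-checked lookup. This is an added example, not part of the original post and not dvbcut's code: the names kBitrate, old_layer_index, index_in_table and checked_bitrate are hypothetical, the header bytes are constructed, and rejecting bitrate codes 0 and 15 is an assumption of this sketch.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Rows are indexed by the raw 2-bit layer field of the header, as in the
// patched table: 0 = reserved, 1 = layer 3, 2 = layer 2, 3 = layer 1.
// Values are kbit/s; each row leaves column 15 at its implicit 0.
static const int kBitrate[4][16] = {
  {0},                                                      // reserved field
  {0,32,40,48, 56, 64, 80, 96,112,128,160,192,224,256,320}, // layer 3
  {0,32,48,56, 64, 80, 96,112,128,160,192,224,256,320,384}, // layer 2
  {0,32,64,96,128,160,192,224,256,288,320,352,384,416,448}, // layer 1
};

// The unpatched expression: maps the 2-bit field to a value in 1..4.
int old_layer_index(uint8_t byte1) {
  return 4 - ((byte1 >> 1) & 0x03);
}

// True when idx is a legal first subscript for a table with `rows` rows.
bool index_in_table(int idx, int rows) {
  return idx >= 0 && idx < rows;
}

// Hypothetical helper: bitrate in kbit/s for the header at d[pos], or -1
// when the header is truncated or carries a value the table cannot size.
int checked_bitrate(const uint8_t *d, size_t len, size_t pos) {
  if (d == nullptr || pos > len || len - pos < 3)
    return -1;                               // need d[pos] .. d[pos+2]
  int field = (d[pos + 1] >> 1) & 0x03;      // raw layer field, 0..3
  int code  = (d[pos + 2] >> 4) & 0x0f;      // bitrate code, 0..15
  if (field == 0)
    return -1;                               // reserved layer: reject frame
  if (code == 0 || code == 15)
    return -1;                               // assumption: no usable bitrate
  return kBitrate[field][code];
}

int main() {
  const uint8_t good[] = {0xFF, 0xFD, 0x90};   // constructed: layer field 2
  const uint8_t broken[] = {0xFF, 0xF9, 0x90}; // constructed: layer field 0
  std::printf("good:   old index %d, bitrate %d\n",
              old_layer_index(good[1]), checked_bitrate(good, 3, 0));
  std::printf("broken: old index %d (in table: %d), bitrate %d\n",
              old_layer_index(broken[1]),
              index_in_table(old_layer_index(broken[1]), 4),
              checked_bitrate(broken, 3, 0));
  return 0;
}
```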
Index: dvbcut/src/streamdata.cpp
===================================================================
RCS file: /var/cvs/sys/qt3/dvbcut/src/streamdata.cpp,v
retrieving revision 1.1.1.3
diff -u -r1.1.1.3 streamdata.cpp
--- dvbcut/src/streamdata.cpp 11 Dec 2005 20:08:34 -0000 1.1.1.3
+++ dvbcut/src/streamdata.cpp 9 Feb 2006 20:41:05 -0000
@@ -23,13 +23,10 @@
44100,48000,32000,16000
};
static const int mpegaudio_bitrate[][16]=
- { {
- 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
- }
- , // undefined layer
- {0,32,64,96,128,160,192,224,256,288,320,352,384,416,448}, // layer 1
+ { {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}, // undefined layer
+ {0,32,40,48, 56, 64, 80, 96,112,128,160,192,224,256,320}, // layer 3
{0,32,48,56, 64, 80, 96,112,128,160,192,224,256,320,384}, // layer 2
- {0,32,40,48, 56, 64, 80, 96,112,128,160,192,224,256,320} // layer 3
+ {0,32,64,96,128,160,192,224,256,288,320,352,384,416,448} // layer 1
};
static int mpaframe(const void *data, int &pos, int len)
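Review bot: The row comments in the reordered mpegaudio_bitrate table still read as layer numbers, but with this change the first subscript is the raw 2-bit layer field from the header (0 = reserved, 1 = layer 3, 2 = layer 2, 3 = layer 1). Please add a one-line comment above the table saying so, and give the first dimension explicitly (mpegaudio_bitrate[4][16]) so the valid index range is visible at the declaration. Each non-zero row also lists 15 values for 16 columns, so bitratecode 15 silently reads the implicit 0; an explicit trailing 0 or a comment would document that this is intended.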
@@ -40,8 +37,8 @@
if (pos+2>=len)
return 0;
- int layer=4-((d[pos+1]>>1)&0x03);
- int samples=(layer==1)?384:1152;
+ int layer=(d[pos+1]>>1)&0x03;
+ int samples=(layer==4-1)?384:1152;
int samplingrate=mpegaudio_rates[(d[pos+2]>>2)&0x03];
int bitratecode=(d[pos+2]>>4)&0x0f;
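Review bot: The comparison layer==4-1 on the samples line hides the fact that layer now holds the raw header field instead of the layer number; write layer==3 with a comment (field value 3 = layer 1), or rename the variable to something like layer_field so later uses in mpaframe() are not read as the layer number. With the field at 0 (reserved) the table lookup is now in bounds but lands on the all-zero row, so consider returning 0 immediately after the layer assignment for a reserved layer instead of carrying on with a bitrate of 0.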