An infinite loop bug in the Structured Storage library
librefstg.a distributed in the Linux AAF SDK has been
discovered. It was uncovered when using InfoDumper on
an AAF file exported from Avid DV Xpress 3.0.
InfoDumper was built from the Build-501 tag of AAF cvs
on an i686 RedHat 6.2 machine using gcc-2.95.2. The
bug does not occur when using InfoDumper with the
native MS Windows implementation of Structured Storage.
The nature of the bug is an infinite loop after
InfoDumper calls StgOpenStorage() at line 2370 in
OMMSSStoredObject.cpp. The following instructions are
involved in the infinite loop.
0x40323443 mov 0x18(%ecx),%eax
0x40323446 cmpl $0x0,0x1c(%eax)
0x4032344a je 0x40323453
0x4032344c mov (%eax),%eax
0x4032344e mov %eax,0x18(%ecx)
0x40323451 jmp 0x40323443
When this section of code is first entered, the value
loaded into %eax is 0x0809ea28. As each iteration of
the loop is executed, the value of (%eax)+0x1c is
compared with 0, perhaps as a check that the end of a
linked list has been reached. However, the values
loaded and dereferenced in %eax repeat every 12
iterations without the termination condition being
satisfied. The twelfth dereference stores 0x0809ea28
back into a local variable and causes the loop to repeat:
address (pointer) contents (dereferenced pointer)
The attached first_minute.aaf file was the file that
triggered this bug.
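The traversal that the disassembly shows, rendered as C next to a cycle-checked version of the same walk, as an added illustration that is not part of this report or of the AAF SDK; the node layout, the field name "flag" and the function names are assumptions inferred from the offsets in the listing (next pointer at offset 0, compared field at 0x1c).

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical node layout inferred from the disassembly above (i686 build):
 * next pointer at offset 0 (mov (%eax),%eax), the field compared with zero
 * at offset 0x1c (cmpl $0x0,0x1c(%eax)); the padding only reproduces that. */
struct node {
    struct node *next;
    uint8_t      pad[0x1c - sizeof(struct node *)];
    uint32_t     flag;   /* the walk is meant to stop where this is 0 */
};

/* Walk as rendered from the disassembly: no bound and no NULL check, so a
 * circular list (like the 12-entry cycle reported above) never returns. */
static struct node *find_terminator_unbounded(struct node *head)
{
    struct node *cur = head;
    while (cur->flag != 0)
        cur = cur->next;
    return cur;
}

/* Hardened walk: same traversal plus a second pointer advancing two nodes per
 * step (Floyd's cycle check). If it catches up with the first pointer the
 * list is circular and NULL is returned instead of spinning; a NULL next
 * pointer ends the walk instead of being dereferenced. */
static struct node *find_terminator_checked(struct node *head)
{
    struct node *slow = head, *fast = head;
    while (slow != NULL && slow->flag != 0) {
        slow = slow->next;
        fast = fast ? fast->next : NULL;
        fast = fast ? fast->next : NULL;
        if (fast != NULL && fast == slow)
            return NULL;   /* cycle: malformed structure, report it */
    }
    return slow;           /* terminator, or NULL if the list simply ended */
}

/* Constructed fixture: nodes[0..n-1] linked in order with non-zero flags;
 * circular=1 points the last node back at the first. */
static void link_nodes(struct node *nodes, size_t n, int circular)
{
    for (size_t i = 0; i < n; i++) {
        nodes[i].flag = 1;
        nodes[i].next = i + 1 < n ? &nodes[i + 1] : (circular ? &nodes[0] : NULL);
    }
}
```

A 12-node ring built with link_nodes(ring, 12, 1) reproduces the reported behaviour: the unbounded walk spins forever, the checked walk returns NULL as soon as the two pointers meet.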