SoundTouch / Bugs / #4 SoundTouch crashes in overlap() if offset is negative

#4 SoundTouch crashes in overlap() if offset is negative

Milestone: v1.0 (example)

Status: closed

Owner: nobody

Labels: None

Priority: 5

Updated: 2017-01-08

Created: 2016-12-08

Creator: Jamie Bullock

Private: No

In TDStretch.cpp:665 seekBestOverlapPosition() returns offset as an int

This is subsequently cast to a uint in the following call on line 671:

overlap(outputBuffer.ptrEnd((uint)overlapLength), inputBuffer.ptrBegin(), (uint)offset);

Since it is possible for offset to be negative, the value passed to overlap() can be UINT_MAX causing a crash due to reading out of bounds memory in the input vector for one of the overlap() functions

Discussion

oparviai - 2016-12-08

Hello, thanks for the bug report! This issue is fixed in the SVN development repository rev236, please see here:

https://sourceforge.net/p/soundtouch/code/236/tree/

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Jamie Bullock - 2016-12-09

Thanks! I just checkout the latest svn and I confirm that this issue is now fixed for me.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

oparviai - 2017-01-08

Description has changed:

Diff:

--- old +++ new @@ -1,4 +1,3 @@ - In TDStretch.cpp:665 `seekBestOverlapPosition()` returns `offset` as an `int` This is subsequently cast to a `uint` in the following call on line 671:

status: open --> closed
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

SoundTouch crashes in overlap() if offset is negative

Group

Searches

Help

#4 SoundTouch crashes in overlap() if offset is negative

Discussion