I have found that the function id3_render_paddedstring will crash if you are rendering a string that is longer (or exactly as long as) the length parameter you give it.
Basically, length would be decremented to zero in the first loop and by the time it got to the second loop it wrapped around back to 0xFFFFFFFF. It is unsigned so a <=0 comparison won't help.
I have changed two lines (marked below). Rob, if I read your code correctly I'm guessing you have somewhat of an antipathy toward "for" loops, so adapt as you see fit.
- Mark Malson
id3_length_t id3_render_paddedstring(id3_byte_t **ptr, id3_ucs4_t const *ucs4, id3_length_t length) { id3_ucs4_t padded[31], *data; int i;
/* latin1 encoding only (this is used for ID3v1 fields) */
assert(length <= 30);
data = padded;
if (ucs4) { /* ** This line used to read: ** while (*ucs4 && length--) { */ for (i=0; (i<length) && *ucs4; i++) { *data++ = *ucs4++;
if (data[-1] == '\n') data[-1] = ' '; } }
/* ** This line used to read: ** while (length--) */ for ( ; i<length; i++) *data++ = ' ';
*data = 0;
return id3_latin1_serialize(ptr, padded, 0); }
On Tuesday, October 8, 2002, at 01:13 PM, Mark Malson wrote:
I have found that the function id3_render_paddedstring will crash if you are rendering a string that is longer (or exactly as long as) the length parameter you give it.
Good call.
Actually I had already discovered this problem, and I apologize it's taken so long to release an update. Here is my fix:
On 10/8/02 4:30 PM, "Rob Leslie" rob@mars.org wrote:
On Tuesday, October 8, 2002, at 01:13 PM, Mark Malson wrote:
I have found that the function id3_render_paddedstring will crash if you are rendering a string that is longer (or exactly as long as) the length parameter you give it.
Good call.
Actually I had already discovered this problem, and I apologize it's taken so long to release an update. Here is my fix:
No apologies necessary - you've given the development community some great useful code.
Is a new version imminent? I'd be happy to help any way I can -- I know our coding styles differ vastly, but if you need any assistance, I'm happy to help...
On Tue, Oct 08, 2002 at 01:30:30PM -0700, Rob Leslie wrote:
On Tuesday, October 8, 2002, at 01:13 PM, Mark Malson wrote:
I have found that the function id3_render_paddedstring will crash if you are rendering a string that is longer (or exactly as long as) the length parameter you give it.
Good call.
Actually I had already discovered this problem, and I apologize it's taken so long to release an update. Here is my fix: [...]
Hi Rob and list,
I've also encountered that bug and also another, and posted two patches on the SF project page some time ago. Dunno if you've seen it, perhaps this mailing list is a better way to post patches.
thanks for a great lib!
On 10/10/02 7:21 AM, "Martin Hedenfalk" mhe@home.se wrote:
On Tue, Oct 08, 2002 at 01:30:30PM -0700, Rob Leslie wrote:
On Tuesday, October 8, 2002, at 01:13 PM, Mark Malson wrote:
I have found that the function id3_render_paddedstring will crash if you are rendering a string that is longer (or exactly as long as) the length parameter you give it.
Good call.
Actually I had already discovered this problem, and I apologize it's taken so long to release an update. Here is my fix: [...]
Hi Rob and list,
I've also encountered that bug and also another, and posted two patches on the SF project page some time ago. Dunno if you've seen it, perhaps this mailing list is a better way to post patches.
thanks for a great lib!
Where is the SF project page?
On Thu, Oct 10, 2002 at 06:14:48PM -0400, Mark Malson wrote:
[...] I've also encountered that bug and also another, and posted two patches on the SF project page some time ago. Dunno if you've seen it, perhaps this mailing list is a better way to post patches.
thanks for a great lib!
Where is the SF project page?
http://sourceforge.net/projects/mad
/mhe
-
Mark Malson -
Martin Hedenfalk -
Rob Leslie