[dvblast-devel] dvblast svn crashes on Nagravision channel (glibc detected: free(): invalid next size (fast) )
Christophe Massiot
cmassiot at openheadend.tv
Wed Aug 11 22:52:46 CEST 2010
On 11 August 2010 at 12:44, Jakub Paweł Głazik wrote:
> Program received signal SIGABRT, Aborted.
> [Switching to Thread 0xb76716c0 (LWP 1798)]
> 0xb7813424 in __kernel_vsyscall ()
> (gdb) bt
> #0 0xb7813424 in __kernel_vsyscall ()
> #1 0xb769d6d0 in raise () from /lib/tls/i686/cmov/libc.so.6
> #2 0xb769f098 in abort () from /lib/tls/i686/cmov/libc.so.6
> #3 0xb76db24d in ?? () from /lib/tls/i686/cmov/libc.so.6
> #4 0xb76e1604 in ?? () from /lib/tls/i686/cmov/libc.so.6
> #5 0xb76e35b6 in free () from /lib/tls/i686/cmov/libc.so.6
> #6 0x080563e0 in TPDURecv (p_access=0x0) at en50221.c:421
> #7 0x0804e1ad in dvb_Read () at dvb.c:164
> #8 0x0805064d in demux_Run () at demux.c:153
> #9 0x0804afb5 in main (i_argc=-1079038732, pp_argv=0x0) at dvblast.c:730
I can't find a wrong free() call in the code. My assumption is that free() crashes because of an earlier memory corruption happening when we print the "CAM:" info line. The latest revision fixes the corruption. You can also apply this patch to r144:
Index: en50221.c
===================================================================
--- en50221.c (révision 144)
+++ en50221.c (copie de travail)
@@ -1009,7 +1009,6 @@
uint8_t *d = APDUGetLength( p_apdu, &l );
if ( l < 4 ) break;
- p_apdu[l + 4] = '\0';
i_type = *d++;
i_manufacturer = ((int)d[0] << 8) | d[1];
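Review bot: dropping `p_apdu[l + 4] = '\0';` is right, and it is the write that corrupts the heap: it is indexed from the start of the APDU with a hard-coded header size instead of from `d`, so depending on how many bytes the tag and length field occupy it lands either inside the payload or past the end of the APDU buffer, and in neither case on the byte after the name (the name is only located later, via `GetLength( d, &l )` in the next hunk). One thing this hunk leaves as it was: `if ( l < 4 ) break;` looks one byte short. The fixed fields read after it are the one-byte `i_type` and the two two-byte values `i_manufacturer` and `i_code`, five bytes in all, so `l == 4` passes the check and the second byte of `i_code` is read past the payload; suggest `if ( l < 5 ) break;`.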
@@ -1017,9 +1016,14 @@
i_code = ((int)d[0] << 8) | d[1];
d += 2;
d = GetLength( d, &l );
- d[l] = '\0';
- msg_Info( p_access, "CAM: %s, %02X, %04X, %04X",
- d, i_type, i_manufacturer, i_code );
+
+ {
+ char psz_name[l + 1];
+ memcpy( psz_name, d, l );
+ psz_name[l] = '\0';
+ msg_Info( p_access, "CAM: %s, %02X, %04X, %04X",
+ psz_name, i_type, i_manufacturer, i_code );
+ }
break;
}
default:
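Review bot: `l` from `GetLength( d, &l )` is still trusted here: it sizes the VLA `char psz_name[l + 1];` and drives `memcpy( psz_name, d, l );` without being compared to the bytes left in the APDU, so a CAM that declares a name length larger than the remaining payload makes memcpy read past the end of the buffer, and a very large value becomes an unbounded stack allocation. Suggest checking `l` against the distance from `d` to the end of the APDU before the memcpy and capping the copy at a fixed maximum (a fixed-size buffer with truncation would remove the VLA entirely). Copying the name into a private buffer instead of writing `d[l] = '\0'` into the APDU is the right fix for the original corruption.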
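The mechanism Christophe describes, a NUL byte written into (or just past) the malloc'd APDU when the "CAM:" line is printed, leaving a damaged chunk header for a later free() to trip over, is easiest to avoid by never writing into the APDU at all and by checking every declared length against the bytes actually present. The parser below is an added illustration of that, not code from dvblast or from the patch above. It assumes the payload layout visible in the patch (one type byte, two big-endian 16-bit values, then a length-prefixed name) and assumes the length prefix uses the ASN.1 BER form (one byte below 0x80, otherwise 0x80|n followed by n length bytes), which is an assumption about what GetLength() decodes; all sample payloads are constructed, the struct and function names are hypothetical. It adds the checks the patch still lacks: a five-byte minimum for the fixed fields, a name length bounded by the remaining payload, and a capped copy into a fixed buffer instead of a VLA.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Decoded CAM application-info fields. The name is copied into a fixed,
 * always NUL-terminated buffer; the APDU itself is never written to. */
struct cam_info {
    uint8_t  i_type;
    uint16_t i_manufacturer;
    uint16_t i_code;
    char     psz_name[64];   /* longer names are truncated and flagged */
    int      b_truncated;
};

/* Decode a BER-style length at p without reading past end (assumed encoding:
 * one byte below 0x80, else 0x80|n followed by n big-endian bytes).
 * Returns bytes consumed, or 0 if the field is malformed or truncated. */
static size_t ber_length(const uint8_t *p, const uint8_t *end, size_t *out)
{
    if (p >= end)
        return 0;
    if (p[0] < 0x80) {
        *out = p[0];
        return 1;
    }
    size_t n = p[0] & 0x7f;
    if (n == 0 || n > sizeof(size_t) || (size_t)(end - p) < 1 + n)
        return 0;
    size_t v = 0;
    for (size_t i = 0; i < n; i++)
        v = (v << 8) | p[1 + i];
    *out = v;
    return 1 + n;
}

/* Parse the payload that follows the APDU tag and length.
 * Returns 0 on success, -1 if a declared length exceeds the bytes present. */
int parse_cam_info(const uint8_t *payload, size_t len, struct cam_info *out)
{
    const uint8_t *d = payload;
    const uint8_t *end = payload + len;
    memset(out, 0, sizeof *out);

    /* type(1) + manufacturer(2) + code(2): five fixed bytes, not four */
    if ((size_t)(end - d) < 5)
        return -1;
    out->i_type = *d++;
    out->i_manufacturer = (uint16_t)(((unsigned)d[0] << 8) | d[1]);
    d += 2;
    out->i_code = (uint16_t)(((unsigned)d[0] << 8) | d[1]);
    d += 2;

    size_t l;
    size_t used = ber_length(d, end, &l);
    if (used == 0)
        return -1;
    d += used;

    /* The check an in-place d[l] = '\0' never had: the name must fit in
     * what is left of the payload, otherwise the copy reads past it. */
    if (l > (size_t)(end - d))
        return -1;

    size_t copy = l;
    if (copy > sizeof out->psz_name - 1) {
        copy = sizeof out->psz_name - 1;
        out->b_truncated = 1;
    }
    memcpy(out->psz_name, d, copy);
    out->psz_name[copy] = '\0';   /* terminate our copy, not the APDU */
    return 0;
}

/* Constructed sample payloads (not captured from a real CAM). */
static const uint8_t sample_ok[] = {
    0x01, 0x12, 0x34, 0x56, 0x78, 0x04, 'T', 'e', 's', 't' };
static const uint8_t sample_long_form[] = {
    0x01, 0x12, 0x34, 0x56, 0x78, 0x81, 0x03, 'C', 'A', 'M' };
/* claims a 16-byte name but only four bytes follow */
static const uint8_t sample_overlong[] = {
    0x01, 0x12, 0x34, 0x56, 0x78, 0x10, 'T', 'e', 's', 't' };
/* four bytes: passes an 'l < 4' check, but i_code is incomplete */
static const uint8_t sample_short[] = { 0x01, 0x12, 0x34, 0x56 };

/* Build a payload carrying an n-byte name; returns 1 if it was truncated,
 * 0 if it fit, -1 if the parser rejected it. */
int name_truncated_for(size_t n)
{
    uint8_t buf[256];
    struct cam_info ci;
    if (n > 200)
        return -1;
    memcpy(buf, sample_ok, 5);
    buf[5] = 0x81;            /* long-form length, one following byte */
    buf[6] = (uint8_t)n;
    memset(buf + 7, 'A', n);
    if (parse_cam_info(buf, 7 + n, &ci) != 0)
        return -1;
    return ci.b_truncated;
}

int main(void)
{
    struct cam_info ci;
    if (parse_cam_info(sample_ok, sizeof sample_ok, &ci) == 0)
        printf("CAM: %s, %02X, %04X, %04X\n",
               ci.psz_name, ci.i_type, ci.i_manufacturer, ci.i_code);
    printf("overlong rejected: %d\n",
           parse_cam_info(sample_overlong, sizeof sample_overlong, &ci) == -1);
    return 0;
}
```

The point of the fixed-size buffer is that the only length the CAM controls is how much gets copied, never how much gets allocated or written; an over-long name is truncated and flagged rather than sized into a VLA.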