On Mon, Jul 02, 2012 at 11:35:54AM +0200, Fabian Greffrath wrote:
> On 02.07.2012 11:15, Fabian Greffrath wrote:
> > _open_device(). I haven't dug through libao sources that much, but
> > I believe a more robust check in _sanitize_matrix() (which is where
> > the crash actually occurs) may be appropriate.
>
> The critical part is _sanitize_matrix() calling "char *ret =
> calloc(strlen(matrix)+1,1);" in src/audio_out.c line 633, whereas
> "matrix" can (and will) be garbage.
Well, no ... _sanitize_matrix() only gets called if format->matrix is not NULL. So I don't really see what "more robust" check it could do.

If the caller sets format->matrix to point to an invalid memory location there isn't really anything more that libao can do to validate that. They could set it to &main with more or less equivalent results to leaving it uninitialised, so only the caller is in a position to validate that is sanely set before they pass it to libao.

--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
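To illustrate the point made in the reply above about who can validate the field, here is an added example that is not libao's code: a hypothetical stand-in for _sanitize_matrix() and the device-open entry point, beside a caller that zero-initialises the format struct so that matrix is NULL unless it is deliberately set. The struct layout, function names and the character-filtering rule are assumptions.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the relevant part of ao_sample_format (assumed layout). */
struct sample_format {
    int bits, rate, channels;
    char *matrix;   /* channel map such as "L,R"; NULL means "none" */
};

/* Hypothetical stand-in for _sanitize_matrix(): copies the caller's
 * string, dropping characters that cannot be part of a channel name.
 * The only check a library can do on a pointer is "is it NULL": a
 * dangling or uninitialised pointer is indistinguishable from a valid
 * one, so strlen() on garbage crashes exactly as the report describes. */
char *sanitize_matrix(const char *matrix) {
    if (matrix == NULL) return NULL;
    char *ret = calloc(strlen(matrix) + 1, 1);
    if (ret == NULL) return NULL;
    char *p = ret;
    for (const char *s = matrix; *s; s++)
        if (isalnum((unsigned char)*s) || *s == ',') *p++ = *s;
    return ret;
}

/* Stand-in for the library entry point; returns 0 on success and
 * hands back the sanitised map (NULL when none was supplied). */
int open_device(const struct sample_format *format, char **out_matrix) {
    if (format->channels <= 0) return -1;
    *out_matrix = sanitize_matrix(format->matrix);
    return 0;
}

/* Correct caller: zero the whole struct, so matrix is NULL rather than
 * whatever happened to be on the stack (the buggy pattern is leaving
 * `struct sample_format fmt;` uninitialised and setting only bits/rate/channels). */
int caller_zeroed(char **out) {
    struct sample_format fmt;
    memset(&fmt, 0, sizeof fmt);   /* matrix == NULL, not garbage */
    fmt.bits = 16; fmt.rate = 44100; fmt.channels = 2;
    return open_device(&fmt, out);
}

/* Same caller with an explicit, valid channel map (constructed value). */
int caller_with_matrix(char **out) {
    struct sample_format fmt = { .bits = 16, .rate = 44100,
                                 .channels = 2, .matrix = "L, R" };
    return open_device(&fmt, out);
}
```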