I've hit a crash bug in the version of mpglib shipped with LAME 3.92.
It's triggered by region2 < region1 in III_dequantize_sample, i.e. a
region claiming to have negative length, causing an array bounds overrun
later in the code. Quick fix below.

/* mpglib/layer3.c */
static int III_dequantize_sample(real xr[SBLIMIT][SSLIMIT],int *scf,
                                 struct gr_info_s *gr_infos,int sfreq,int part2bits)
...
    /*
     * we may lose the 'odd' bit here !!
     * check this later again
     */
    if(bv <= region1) {
        l[0] = bv; l[1] = 0; l[2] = 0;
    }
    else {
        l[0] = region1;
        if(bv <= region2) {
            l[1] = bv - l[0]; l[2] = 0;
        }
        else {
            l[1] = region2 - l[0]; l[2] = bv - region2;
        }
    }
    /* MDH crash fix */
    {
        int i;
        for (i = 0; i < 3; i++) {
            if (l[i] < 0) {
                fprintf(stderr, "mpg123: Bogus region length (%d)\n", l[i]);
                l[i] = 0;
            }
        }
    }
    /* end MDH crash fix */

-- Mat.
_______________________________________________
mp3encoder mailing list
[EMAIL PROTECTED]
http://minnie.tuhs.org/mailman/listinfo/mp3encoder
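
Added example (not part of the original post and not mpglib code): the region split from the post as a stand-alone function, beside a variant that first clamps the boundaries to 0 <= region1 <= region2 <= bv, so the three lengths always sum to bv. The function names and sample values are constructed for illustration; with region2 < region1 < bv the per-length clamp leaves lengths that sum to more than bv, and whether the code after the excerpt tolerates that is not visible in the post.

```c
#include <stdio.h>

/* Region split as posted, including the per-length clamp to zero.
 * Returns l[0] + l[1] + l[2] so the caller can compare it with bv. */
static int split_clamped(int bv, int region1, int region2, int l[3])
{
    int i;
    if (bv <= region1) {
        l[0] = bv; l[1] = 0; l[2] = 0;
    } else {
        l[0] = region1;
        if (bv <= region2) {
            l[1] = bv - l[0]; l[2] = 0;
        } else {
            l[1] = region2 - l[0]; l[2] = bv - region2;
        }
    }
    for (i = 0; i < 3; i++)
        if (l[i] < 0)
            l[i] = 0;
    return l[0] + l[1] + l[2];
}

static int clampi(int v, int lo, int hi)
{
    return v < lo ? lo : (v > hi ? hi : v);
}

/* Hypothetical alternative: normalise the boundaries before subtracting,
 * so no length can be negative and the total is exactly bv. */
static int split_normalised(int bv, int region1, int region2, int l[3])
{
    if (bv < 0)
        bv = 0;
    region1 = clampi(region1, 0, bv);
    region2 = clampi(region2, region1, bv);
    l[0] = region1;
    l[1] = region2 - region1;
    l[2] = bv - region2;
    return l[0] + l[1] + l[2];
}

int main(void)
{
    int a[3], b[3];
    /* Constructed malformed header values: region2 < region1 < bv. */
    printf("clamped total=%d normalised total=%d (bv=100)\n",
           split_clamped(100, 60, 40, a), split_normalised(100, 60, 40, b));
    return 0;
}
```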