Opened 12 years ago

Closed 12 years ago

#289 closed defect (fixed)

Bug in WAV player when frame size is larger than file buffer size (thanks Samuel Vinson)

Reported by: bennylp Owned by: bennylp
Priority: normal Milestone: release-0.6.0
Component: pjmedia Version: 0.5.10.4
Keywords: Cc:
Backport to 1.x milestone: Backported:

Description

Samuel Vinson wrote in http://pjsip.org/pipermail/pjsip/2007-May/003286.html:

During Nintendo DS porting,
I use the playfile program (without modification), and I obtain an error
when the callback play_cb is called.

Function stack:
    ...
    play_cb(strm->user_data, strm->timestamp, readbuffer, size=8192)
    pjmedia_port_get_frame
    file_get_frame

In file_get_frame function
    fport->read_pos = 0x2075764
    fport->buf = 0x2075764
    fport->bufsize = 4000
and
    frame_size = 8192

So we are in the else case
    first pj_memcpy copies 4000 bytes
    fill_buffer (I think 4000 bytes)
    second pj_memcpy copies 4192 bytes (!!!! BUG !!!)

If you call play_cb a second time with the same parameters, the problem
is earlier:
    fport->read_pos = 0x20767c4 (fport->buf + 4192)
    fport->buf = 0x2075764
    fport->bufsize = 4000
and
    frame_size = 4096
So we are in the else case
    first pj_memcpy tries to copy -192 bytes (0xffffff40) (!!! BUG !!!)

I will modify my buffer sizes to stay below the 4000 bytes,
but this is a temporary solution.
Do you have another solution to correct these problems?

Greetings

Samuel
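The copy arithmetic described in the report, reproduced as an added example (this is not pjmedia's code and not Samuel's). It uses a constructed in-memory "file" and a hypothetical file_port struct with the ticket's numbers (bufsize 4000, frames of 8192 and 4096). legacy_copy_plan only computes the byte counts the two memcpy calls would use, without performing them, so the 4192-byte overrun and the -192 first copy are shown without touching memory out of bounds; frame_fits_buffer is the r1322 assert written as a check; get_frame_chunked is a hardened reader that refills as often as a frame needs, so frame_size larger than bufsize becomes legal rather than a precondition.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a WAV file's data section (hypothetical, not pjmedia's). */
#define FILE_BYTES 20000
#define BUFSIZE    4000     /* fport->bufsize from the ticket */
#define MAX_FRAME  8192     /* largest frame this example requests */

static unsigned char g_file[FILE_BYTES];

struct file_port {
    unsigned char buf[BUFSIZE];
    size_t bufsize;
    size_t read_pos;   /* byte offset into buf, always kept in 0..bufsize */
    size_t file_pos;   /* byte offset into the fake file */
};

static void init_file_port(struct file_port *fp) {
    size_t i;
    for (i = 0; i < FILE_BYTES; i++) g_file[i] = (unsigned char)(i % 251); /* recognizable pattern */
    fp->bufsize = BUFSIZE;
    fp->read_pos = BUFSIZE;  /* buffer empty: the first read triggers a fill */
    fp->file_pos = 0;
}

/* Load the next bufsize bytes of the file into buf, looping at end of file like playfile. */
static void fill_buffer(struct file_port *fp) {
    size_t n = 0;
    while (n < fp->bufsize) {
        size_t avail = FILE_BYTES - fp->file_pos;
        size_t want = fp->bufsize - n;
        size_t chunk = want < avail ? want : avail;
        memcpy(fp->buf + n, g_file + fp->file_pos, chunk);
        n += chunk;
        fp->file_pos += chunk;
        if (fp->file_pos >= FILE_BYTES) fp->file_pos = 0;
    }
    fp->read_pos = 0;
}

/* Dry run of the two-memcpy logic the report describes. Returns the byte counts the
 * first and second copies would use, and 1 if either would run outside buf. */
static int legacy_copy_plan(size_t bufsize, size_t read_pos, size_t frame_size,
                            long *first, long *second)
{
    long remaining = (long)bufsize - (long)read_pos;
    if ((long)frame_size <= remaining) {      /* frame fits: a single copy */
        *first = (long)frame_size;
        *second = 0;
        return 0;
    }
    *first = remaining;                       /* copy what is left in buf ... */
    *second = (long)frame_size - remaining;   /* ... refill, then copy the rest */
    return (*first < 0 || *second > (long)bufsize);
}

/* The r1322 workaround expressed as a check: a frame may never exceed the buffer. */
static int frame_fits_buffer(size_t bufsize, size_t frame_size) {
    return frame_size <= bufsize;
}

/* Hardened reader: copy in chunks and refill as often as needed, so any frame_size
 * is served and read_pos can never leave [0, bufsize]. */
static void get_frame_chunked(struct file_port *fp, unsigned char *out, size_t frame_size) {
    size_t done = 0;
    while (done < frame_size) {
        size_t avail = fp->bufsize - fp->read_pos;
        size_t chunk;
        if (avail == 0) { fill_buffer(fp); avail = fp->bufsize; }
        chunk = (frame_size - done < avail) ? frame_size - done : avail;
        memcpy(out + done, fp->buf + fp->read_pos, chunk);
        fp->read_pos += chunk;
        done += chunk;
    }
}

/* Reads n_frames frames of frame_size and checks every byte against the expected
 * stream offset; returns the number of mismatched bytes (0 means gapless playback). */
static size_t verify_stream(size_t frame_size, int n_frames) {
    struct file_port fp;
    unsigned char out[MAX_FRAME];
    size_t bad = 0, stream = 0;
    int f;
    init_file_port(&fp);
    fill_buffer(&fp);
    for (f = 0; f < n_frames; f++) {
        size_t k;
        get_frame_chunked(&fp, out, frame_size);
        for (k = 0; k < frame_size; k++, stream++)
            if (out[k] != g_file[stream % FILE_BYTES]) bad++;
    }
    return bad;
}

int main(void) {
    long a, b;
    int unsafe = legacy_copy_plan(BUFSIZE, 0, 8192, &a, &b);
    printf("legacy plan, frame 8192: copy %ld then %ld bytes -> %s\n",
           a, b, unsafe ? "OVERRUN" : "ok");
    unsafe = legacy_copy_plan(BUFSIZE, 4192, 4096, &a, &b);   /* read_pos = buf + 4192 */
    printf("legacy plan, next frame 4096: first copy %ld bytes -> %s\n",
           a, unsafe ? "NEGATIVE" : "ok");
    printf("chunked reader, 3 frames of 8192: %lu bad bytes\n",
           (unsigned long)verify_stream(8192, 3));
    return 0;
}
```

The dry run reproduces the report exactly: a first frame of 8192 against a 4000-byte buffer plans copies of 4000 and 4192 bytes, and leaves read_pos at 4192, so the next frame computes a first copy of -192 bytes. The chunked reader returns 0 bad bytes for the same frame size because it never assumes one refill is enough.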

Change History (1)

comment:1 Changed 12 years ago by bennylp

  • Resolution set to fixed
  • Status changed from new to closed

Workaround in r1322 (added assert to prevent application from specifying ptime larger than the buffer size)
