From 4914b5d4314b7523a13ed00ea4ac82a4b992ea9f Mon Sep 17 00:00:00 2001
From: Will Glynn
Date: Fri, 13 Sep 2013 01:28:31 +0000
Subject: [PATCH] rtl_adsb: Fix invalid memory access

single_manchester() considers both i and i+1, but the loop only tests that i is in bounds. This causes undefined behavior, including but not limited to a SIGBUS-related crash on Mac OS X.

(And also, we should not enter an infinite loop, caused by applying an patch I sent that didn't also change the while condition.)

Signed-off-by: Steve Markgraf
---
 src/rtl_adsb.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/rtl_adsb.c b/src/rtl_adsb.c
index 44b62e2..0845bf5 100644
--- a/src/rtl_adsb.c
+++ b/src/rtl_adsb.c
@@ -258,9 +258,10 @@ void manchester(uint16_t *buf, int len)
 uint16_t a=0, b=0;
 uint16_t bit;
 int i, i2, start, errors;
+ int maximum_i = len - 1; // len-1 since we look at i and i+1
 // todo, allow wrap across buffers
 i = 0;
- while (i < len) {
+ while (i < maximum_i) {
 /* find preamble */
 for ( ; i < (len - preamble_len); i++) {
 if (!preamble(buf, i)) {
@@ -275,7 +276,7 @@ void manchester(uint16_t *buf, int len)
 i2 = start = i;
 errors = 0;
 /* mark bits until encoding breaks */
- for ( ; i < len; i+=2, i2++) {
+ for ( ; i < maximum_i; i+=2, i2++) {
 bit = single_manchester(a, b, buf[i], buf[i+1]);
 a = buf[i];
 b = buf[i+1];
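Review bot: The new variable `maximum_i` is named as an inclusive upper bound but is used as an exclusive one in both hunks (`while (i < maximum_i)` and `for ( ; i < maximum_i; i+=2, i2++)`), so the largest index the loops actually visit is len-2, with i+1 at most len-1 — which is the intended fix, but a reader has to re-derive that from the comparison. Either rename it to make the exclusive nature explicit, `int i_end = len - 1; /* exclusive: i and i+1 must both be < len */`, or extend the existing comment on the declaration to say the bound is exclusive; the second hunk uses the same variable and would read the same way. The body of manchester() continues outside both hunks, so how the loops are exited and what is done with a trailing odd sample is not visible here.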