rtl_adsb: Fix invalid memory access

single_manchester() considers both i and i+1, but the loop only
tests that i is in bounds. This causes undefined behavior, including
but not limited to a SIGBUS-related crash on Mac OS X.

(And also, we should not enter an infinite loop, caused by applying
an patch I sent that didn't also change the while condition.)

Signed-off-by: Steve Markgraf <steve@steve-m.de>
master
Will Glynn 11 years ago committed by Steve Markgraf
parent c4fcfbb46e
commit 4914b5d431
  1. 5
      src/rtl_adsb.c

@ -258,9 +258,10 @@ void manchester(uint16_t *buf, int len)
uint16_t a=0, b=0; uint16_t a=0, b=0;
uint16_t bit; uint16_t bit;
int i, i2, start, errors; int i, i2, start, errors;
int maximum_i = len - 1; // len-1 since we look at i and i+1
// todo, allow wrap across buffers // todo, allow wrap across buffers
i = 0; i = 0;
while (i < len) { while (i < maximum_i) {
/* find preamble */ /* find preamble */
for ( ; i < (len - preamble_len); i++) { for ( ; i < (len - preamble_len); i++) {
if (!preamble(buf, i)) { if (!preamble(buf, i)) {
@ -275,7 +276,7 @@ void manchester(uint16_t *buf, int len)
i2 = start = i; i2 = start = i;
errors = 0; errors = 0;
/* mark bits until encoding breaks */ /* mark bits until encoding breaks */
for ( ; i < len; i+=2, i2++) { for ( ; i < maximum_i; i+=2, i2++) {
bit = single_manchester(a, b, buf[i], buf[i+1]); bit = single_manchester(a, b, buf[i], buf[i+1]);
a = buf[i]; a = buf[i];
b = buf[i+1]; b = buf[i+1];

Loading…
Cancel
Save