mirror/rtl-sdr-blog
1
0
Fork 0
mirror of https://github.com/rtlsdrblog/rtl-sdr-blog.git synced 2025-10-31 00:48:08 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

rtl_adsb: Fix invalid memory access

Browse Source 
single_manchester() considers both i and i+1, but the loop only
tests that i is in bounds. This causes undefined behavior, including
but not limited to a SIGBUS-related crash on Mac OS X.

(And also, we should not enter an infinite loop, caused by applying
an patch I sent that didn't also change the while condition.)

Signed-off-by: Steve Markgraf <steve@steve-m.de>
This commit is contained in:
Will Glynn
2013-09-13 01:28:31 +00:00
committed by Steve Markgraf
parent c4fcfbb46e
commit 4914b5d431
1 changed files with 3 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
src/rtl_adsb.c
View File

@@ -258,9 +258,10 @@ void manchester(uint16_t *buf, int len)
uint16_t a=0, b=0;
uint16_t bit;
int i, i2, start, errors;
int maximum_i = len - 1; // len-1 since we look at i and i+1
// todo, allow wrap across buffers
i = 0;
while (i < len) {
while (i < maximum_i) {
/* find preamble */
for ( ; i < (len - preamble_len); i++) {
if (!preamble(buf, i)) {
@@ -275,7 +276,7 @@ void manchester(uint16_t *buf, int len)
i2 = start = i;
errors = 0;
/* mark bits until encoding breaks */
for ( ; i < len; i+=2, i2++) {
for ( ; i < maximum_i; i+=2, i2++) {
bit = single_manchester(a, b, buf[i], buf[i+1]);
a = buf[i];
b = buf[i+1];