mirror of
https://github.com/rtlsdrblog/rtl-sdr-blog.git
synced 2025-01-14 20:27:19 +01:00
rtl_adsb: Fix invalid memory access
single_manchester() considers both i and i+1, but the loop only tests that i is in bounds. This causes undefined behavior, including but not limited to a SIGBUS-related crash on Mac OS X. (And also, we should not enter an infinite loop, caused by applying an patch I sent that didn't also change the while condition.) Signed-off-by: Steve Markgraf <steve@steve-m.de>
This commit is contained in:
parent
c4fcfbb46e
commit
4914b5d431
@ -258,9 +258,10 @@ void manchester(uint16_t *buf, int len)
|
|||||||
uint16_t a=0, b=0;
|
uint16_t a=0, b=0;
|
||||||
uint16_t bit;
|
uint16_t bit;
|
||||||
int i, i2, start, errors;
|
int i, i2, start, errors;
|
||||||
|
int maximum_i = len - 1; // len-1 since we look at i and i+1
|
||||||
// todo, allow wrap across buffers
|
// todo, allow wrap across buffers
|
||||||
i = 0;
|
i = 0;
|
||||||
while (i < len) {
|
while (i < maximum_i) {
|
||||||
/* find preamble */
|
/* find preamble */
|
||||||
for ( ; i < (len - preamble_len); i++) {
|
for ( ; i < (len - preamble_len); i++) {
|
||||||
if (!preamble(buf, i)) {
|
if (!preamble(buf, i)) {
|
||||||
@ -275,7 +276,7 @@ void manchester(uint16_t *buf, int len)
|
|||||||
i2 = start = i;
|
i2 = start = i;
|
||||||
errors = 0;
|
errors = 0;
|
||||||
/* mark bits until encoding breaks */
|
/* mark bits until encoding breaks */
|
||||||
for ( ; i < len; i+=2, i2++) {
|
for ( ; i < maximum_i; i+=2, i2++) {
|
||||||
bit = single_manchester(a, b, buf[i], buf[i+1]);
|
bit = single_manchester(a, b, buf[i], buf[i+1]);
|
||||||
a = buf[i];
|
a = buf[i];
|
||||||
b = buf[i+1];
|
b = buf[i+1];
|
||||||
|
Loading…
Reference in New Issue
Block a user