From 3685a9093ae12ff9ce02fc58e607eb9b63894443 Mon Sep 17 00:00:00 2001 
From: Andre Noll Date: Sat, 30 May 2020 01:22:49 +0200 Subject: [PATCH] aft: Avoid invalid read. A short chunk table is fatal for all audio formats except aac, which employs dynamic chunks. The below valgrind spat was found when para_server tried to open an aac audio file. Setting afhi->chunk_table to NULL in this case should fix it. ==17667== Invalid read of size 4 ==17667== at 0x805A862: write_u32 (portable_io.h:95) ==17667== by 0x805A862: save_chunk_table (aft.c:402) ==17667== by 0x805A862: save_chunk_table (aft.c:395) ==17667== by 0x805DDE6: save_afd (aft.c:616) ==17667== by 0x805DDE6: open_and_update_audio_file (aft.c:1113) ==17667== by 0x8058AA2: open_next_audio_file (afs.c:425) ==17667== by 0x8058AA2: execute_server_command (afs.c:867) ==17667== by 0x8058AA2: command_post_select.part.0 (afs.c:921) ==17667== by 0x8063062: call_post_select (sched.c:80) ==17667== by 0x8063062: sched_post_select (sched.c:106) ==17667== by 0x8063062: schedule (sched.c:159) ==17667== by 0x8059643: afs_init (afs.c:1006) ==17667== by 0x804D747: init_afs (server.c:529) ==17667== by 0x804D747: server_init (server.c:601) ==17667== by 0x804D747: main (server.c:690) ==17667== Address 0x4d7dcd0 is 0 bytes after a block of size 40 alloc'd ==17667== at 0x40365E2: malloc (vg_replace_malloc.c:309) ==17667== by 0x8053AB6: para_malloc (string.c:63) ==17667== by 0x805B20D: load_chunk_table (aft.c:415) ==17667== by 0x805DD65: open_and_update_audio_file (aft.c:1103) ==17667== by 0x8058AA2: open_next_audio_file (afs.c:425) ==17667== by 0x8058AA2: execute_server_command (afs.c:867) ==17667== by 0x8058AA2: command_post_select.part.0 (afs.c:921) ==17667== by 0x8063062: call_post_select (sched.c:80) ==17667== by 0x8063062: sched_post_select (sched.c:106) ==17667== by 0x8063062: schedule (sched.c:159) ==17667== by 0x8059643: afs_init (afs.c:1006) ==17667== by 0x804D747: init_afs (server.c:529) ==17667== by 0x804D747: server_init (server.c:601) ==17667== by 0x804D747: main (server.c:690)
---
 aft.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/aft.c b/aft.c
index f41bfade..e370eaad 100644
--- a/aft.c
+++ b/aft.c
@@ -407,7 +407,7 @@ static void load_chunk_table(struct afh_info *afhi, const struct osl_object *ct)
 int i;
 size_t sz;
- if (!ct->data || ct->size < 4) {
+ if (!ct->data || ct->size < 4 * (afhi->chunks_total + 1)) {
 afhi->chunk_table = NULL;
 return;
 }
-- 
2.39.2
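Review bot: The tightened bound on the `+` line still evaluates `4 * (afhi->chunks_total + 1)` in the field's own width, so a chunks_total near its maximum (a corrupted afhi record read back from the table, not a value the parser just validated) wraps the product to a small number, the check passes, and the per-chunk reads that follow would again run past the allocation the valgrind trace points at. Dividing instead of multiplying avoids both the `+ 1` and the `* 4` wrap: `if (!ct->data || ct->size < 4 || (ct->size - 4) / 4 < afhi->chunks_total) {`. This assumes chunks_total is an unsigned 32-bit field and that the loop below reads `chunks_total + 1` entries; neither is visible in the hunk, and the rest of load_chunk_table, including that loop, lies outside it.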