From 522112ac291393b5a9cbeea550dfd5e7de3863bb Mon Sep 17 00:00:00 2001
From: Andre Noll
Date: Mon, 28 Jan 2019 00:00:40 +0100
Subject: [PATCH] aft: Avoid invalid read.

This happens with dynamic chunks. In this case we don't reserve any space for the chunk table, yet the code copies one entry.

==6827== Invalid read of size 4
==6827== at 0x805A7C6: write_u32 (portable_io.h:95)
==6827== by 0x805A7C6: save_chunk_table (aft.c:402)
==6827== by 0x805E035: save_afd (aft.c:616)
==6827== by 0x805E035: open_and_update_audio_file (aft.c:1097)
==6827== by 0x80589B5: open_next_audio_file (afs.c:425)
==6827== by 0x80589B5: execute_server_command (afs.c:867)
==6827== by 0x80589B5: command_post_select.part.3 (afs.c:921)
==6827== by 0x80632CE: call_post_select (sched.c:80)
==6827== by 0x80632CE: sched_post_select (sched.c:106)
==6827== by 0x80632CE: schedule (sched.c:159)
==6827== by 0x8059555: afs_init (afs.c:1006)
==6827== by 0x804D53A: init_afs (server.c:528)
==6827== by 0x804D53A: server_init (server.c:600)
==6827== by 0x804D53A: main (server.c:689)
==6827== Address 0x58c4a20 is 0 bytes after a block of size 40 alloc'd
==6827== at 0x40345EE: malloc (vg_replace_malloc.c:299)
==6827== by 0x80539C5: para_malloc (string.c:63)
==6827== by 0x805B38A: load_chunk_table (aft.c:415)
==6827== by 0x805DFC4: open_and_update_audio_file (aft.c:1087)
==6827== by 0x80589B5: open_next_audio_file (afs.c:425)
==6827== by 0x80589B5: execute_server_command (afs.c:867)
==6827== by 0x80589B5: command_post_select.part.3 (afs.c:921)
==6827== by 0x80632CE: call_post_select (sched.c:80)
==6827== by 0x80632CE: sched_post_select (sched.c:106)
==6827== by 0x80632CE: schedule (sched.c:159)
==6827== by 0x8059555: afs_init (afs.c:1006)
==6827== by 0x804D53A: init_afs (server.c:528)
==6827== by 0x804D53A: server_init (server.c:600)
==6827== by 0x804D53A: main (server.c:689)
---
 aft.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/aft.c b/aft.c
index 0db2c580..c04d4f9c 100644
--- a/aft.c
+++ b/aft.c
@@ -396,7 +396,7 @@ static void save_chunk_table(struct afh_info *afhi, char *buf)
 {
 	uint32_t n;
 
-	if (!afhi->chunk_table)
+	if (!afhi->chunk_table || afhi->chunks_total == 0)
 		return;
 	for (n = 0; n <= afhi->chunks_total; n++)
 		write_u32(buf + 4 * n, afhi->chunk_table[n]);
-- 
2.39.2
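Review bot: The added guard on the `if` line stops the copy when chunks_total is zero, but the `for` loop below still writes 4 * (chunks_total + 1) bytes into `buf` with no length passed in, so the function is only as safe as the caller's reservation and the chunk_table allocation both matching that formula. The valgrind trace in the message reports the read landing immediately after a 40-byte block from load_chunk_table, which looks like a table holding fewer entries than the loop's `n <= afhi->chunks_total` expects rather than an empty one; it is worth confirming that the dynamic-chunk path really leaves chunks_total at 0 and that the loader sizes the table with the same `chunks_total + 1`. I would document the contract above the loop: `/* caller must reserve 4 * (chunks_total + 1) bytes in buf; dynamic-chunk files (chunks_total == 0) store no table */`. With n a uint32_t, `4 * n` can also wrap for an absurd chunks_total read back from the database, so a sanity bound on chunks_total where the afhi is loaded would be a stronger fix than the zero check alone. The function's closing brace lies outside the hunk.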