diff options
author | Nicolas Pennequin <nicolas.pennequin@free.fr> | 2007-11-10 18:22:55 +0000 |
---|---|---|
committer | Nicolas Pennequin <nicolas.pennequin@free.fr> | 2007-11-10 18:22:55 +0000 |
commit | a677678e3196a1981d0ff60cd1f756b985abaaeb (patch) | |
tree | b090fdf0f22bcc08cef6ef792e6382564e77ad3a /apps | |
parent | a953e65dbde27ae550514dce3024c3b42f3364b7 (diff) | |
download | rockbox-a677678e3196a1981d0ff60cd1f756b985abaaeb.tar.gz rockbox-a677678e3196a1981d0ff60cd1f756b985abaaeb.zip |
Fix a possible NULL pointer dereference I introduced in r15503 by making an unwise assumption. This would cause crashes on track skip in certain (very unlikely, I think) situations.
git-svn-id: svn://svn.rockbox.org/rockbox/trunk@15557 a1c6a512-1295-4272-9138-f99709370657
Diffstat (limited to 'apps')
-rw-r--r-- | apps/playback.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/apps/playback.c b/apps/playback.c index 61bb326574..0b2c9bb76c 100644 --- a/apps/playback.c +++ b/apps/playback.c | |||
@@ -2548,6 +2548,7 @@ static int audio_check_new_track(void) | |||
2548 | { | 2548 | { |
2549 | int track_count = audio_track_count(); | 2549 | int track_count = audio_track_count(); |
2550 | int old_track_ridx = track_ridx; | 2550 | int old_track_ridx = track_ridx; |
2551 | int i, idx; | ||
2551 | bool forward; | 2552 | bool forward; |
2552 | 2553 | ||
2553 | if (dir_skip) | 2554 | if (dir_skip) |
@@ -2603,12 +2604,12 @@ static int audio_check_new_track(void) | |||
2603 | /* Save the old track */ | 2604 | /* Save the old track */ |
2604 | copy_mp3entry(&prevtrack_id3, &curtrack_id3); | 2605 | copy_mp3entry(&prevtrack_id3, &curtrack_id3); |
2605 | 2606 | ||
2606 | int i, idx; | ||
2607 | for (i = 0; i < ci.new_track; i++) | 2607 | for (i = 0; i < ci.new_track; i++) |
2608 | { | 2608 | { |
2609 | idx = (track_ridx + i) & MAX_TRACK_MASK; | 2609 | idx = (track_ridx + i) & MAX_TRACK_MASK; |
2610 | if ((unsigned)buf_handle_offset(tracks[idx].audio_hid) > | 2610 | struct mp3entry *id3 = bufgetid3(tracks[idx].id3_hid); |
2611 | bufgetid3(tracks[idx].id3_hid)->first_frame_offset) | 2611 | ssize_t offset = buf_handle_offset(tracks[idx].audio_hid); |
2612 | if (!id3 || offset < 0 || (unsigned)offset > id3->first_frame_offset) | ||
2612 | { | 2613 | { |
2613 | /* We don't have all the audio data for that track, so clear it */ | 2614 | /* We don't have all the audio data for that track, so clear it */ |
2614 | clear_track_info(&tracks[idx]); | 2615 | clear_track_info(&tracks[idx]); |