From f3944cb694b46052975f0a1f1ec9b0aebe047679 Mon Sep 17 00:00:00 2001
From: Rafaël Carré
Date: Sun, 25 Oct 2009 11:03:59 +0000
Subject: buffering: leave a comment to explain what is broken in the code and link to FS#10605
git-svn-id: svn://svn.rockbox.org/rockbox/trunk@23344 a1c6a512-1295-4272-9138-f99709370657
---
 apps/buffering.c | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
diff --git a/apps/buffering.c b/apps/buffering.c
index e66e95d66d..22ec821a30 100644
--- a/apps/buffering.c
+++ b/apps/buffering.c
@@ -486,6 +486,31 @@ static bool move_handle(struct memory_handle **h, size_t *delta,
 cur_handle = dest;
 if (overlap > 0) {
+ /* FIXME : this code is broken and can leave the data corrupted when
+ * the amount of data to move is close to the whole buffer size.
+ *
+ * Example : ('S' is the source data, '-' is empty buffer)
+ * Size of the buffer is 8 bytes, starts at 0.
+ * Size of the data to move is 7 bytes.
+ *
+ * -SSSSSSS
+ * ^-------- start of source data == 1
+ *
+ * DD-DDDDD ('D' is desired destination data)
+ * ^------ start of destination data == 3
+ *
+ * memmove(3, 1, 5);
+ * memmove(0, 7, 2);
+ *
+ * First memmove() call will leave the buffer in this state:
+ *
+ * -SSDDDDD
+ * ^^
+ * \--- data to be moved by the second memmove() call, but
+ * overwritten by the first call.
+ *
+ * See FS#10605 for more details
+ */
 size_t first_part = size_to_move - overlap;
 memmove(dest, src, first_part);
 memmove(buffer, (const char *)src + first_part, overlap);
-- cgit v1.2.3
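Review bot: The worked example in the new FIXME does not match the code beneath it: with the source at offset 1 and `first_part` equal to 5, `(const char *)src + first_part` is offset 6, so the second call should read `memmove(0, 6, 2);` rather than `memmove(0, 7, 2);`, which would describe a read one byte past the 8-byte buffer. The comment says the corruption happens when the data is "close to the whole buffer size" but never states the condition; a line such as `/* corrupts whenever [dest, dest + first_part) overlaps [src + first_part, src + size_to_move) */` would let a maintainer check it or assert on it. It is also worth noting in the comment that swapping the two calls does not help in this example, since the wrapped part lands on offsets 0-1 and offset 1 still holds unread source data, so a staging copy or a back-to-front copy is needed. Until the fix lands the failure is silent corruption of buffered data, so a debug-build assertion on that condition would at least make it visible. move_handle's body begins and ends outside the hunk.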