From a677678e3196a1981d0ff60cd1f756b985abaaeb Mon Sep 17 00:00:00 2001
From: Nicolas Pennequin
Date: Sat, 10 Nov 2007 18:22:55 +0000
Subject: Fix a possible NULL pointer dereference I introduced in r15503 by making an unwise assumption. This would cause crashes on track skip in certain (very unlikely, I think) situations.
git-svn-id: svn://svn.rockbox.org/rockbox/trunk@15557 a1c6a512-1295-4272-9138-f99709370657
---
 apps/playback.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
(limited to 'apps')
diff --git a/apps/playback.c b/apps/playback.c
index 61bb326574..0b2c9bb76c 100644
--- a/apps/playback.c
+++ b/apps/playback.c
@@ -2548,6 +2548,7 @@ static int audio_check_new_track(void)
 {
 int track_count = audio_track_count();
 int old_track_ridx = track_ridx;
+ int i, idx;
 bool forward;
 if (dir_skip)
@@ -2603,12 +2604,12 @@ static int audio_check_new_track(void)
 /* Save the old track */
 copy_mp3entry(&prevtrack_id3, &curtrack_id3);
- int i, idx;
 for (i = 0; i < ci.new_track; i++)
 {
 idx = (track_ridx + i) & MAX_TRACK_MASK;
- if ((unsigned)buf_handle_offset(tracks[idx].audio_hid) >
- bufgetid3(tracks[idx].id3_hid)->first_frame_offset)
+ struct mp3entry *id3 = bufgetid3(tracks[idx].id3_hid);
+ ssize_t offset = buf_handle_offset(tracks[idx].audio_hid);
+ if (!id3 || offset < 0 || (unsigned)offset > id3->first_frame_offset)
 {
 /* We don't have all the audio data for that track, so clear it */
 clear_track_info(&tracks[idx]);
-- 
cgit v1.2.3
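Review bot: The comment inside the guarded block in the second hunk still says only `We don't have all the audio data for that track, so clear it`, but the new condition also fires when `bufgetid3()` returns NULL or `buf_handle_offset()` returns a negative value, which are presumably invalid-handle errors rather than partial buffering. I would reword it to `/* Missing id3 handle, invalid audio handle, or not all audio data buffered: clear the track */` so the NULL and error paths are visible to the next reader. The `(unsigned)offset` cast can no longer misread a negative value now that `offset < 0` is tested first, but it would truncate where `ssize_t` is wider than `unsigned`; the type of `first_frame_offset` is not visible here, so confirm the comparison is done at the intended width. The first hunk hoists `int i, idx;` to the top of `audio_check_new_track()`, yet `id3` and `offset` are declared after the `idx = ...` statement, so the declaration style is still mixed. The function body continues outside both hunks.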