Rockbox open source high quality audio player as a Music Player Daemon

buflib: fix bug in handle_table_shrink

The way it iterated over the handle table is unsafe if *every*
handle is free, leading to an out of bounds access.

This is a contrived example, but the bug can be triggered by
making several allocations, freeing them out of order so that
the handle table remains uncompacted, and then triggering a
compaction using buflib_alloc_maximum().

Change-Id: I879e2f0b223e6ca596769610ac46f4edf1107f5c

+9 -7
firmware/buflib.c
··· 247 247 /* Shrink the handle table, returning true if its size was reduced, false if 248 248 * not 249 249 */ 250 - static inline 251 - bool 252 - handle_table_shrink(struct buflib_context *ctx) 250 + static inline bool handle_table_shrink(struct buflib_context *ctx) 253 251 { 254 - bool rv; 255 252 union buflib_data *handle; 256 - for (handle = ctx->last_handle; !(handle->alloc); handle++); 253 + union buflib_data *old_last = ctx->last_handle; 254 + 255 + for (handle = ctx->last_handle; handle != ctx->handle_table; ++handle) 256 + if (handle->alloc) 257 + break; 258 + 257 259 if (handle > ctx->first_free_handle) 258 260 ctx->first_free_handle = handle - 1; 259 - rv = handle != ctx->last_handle; 261 + 260 262 ctx->last_handle = handle; 261 - return rv; 263 + return handle != old_last; 262 264 } 263 265 264 266
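Review bot: In the new for loop, the bound `handle != ctx->handle_table` only stops the scan if ctx->last_handle starts at or below ctx->handle_table; should that invariant ever be broken, the loop runs past the table again, which is the same out-of-bounds read this change is meant to close. Using `handle < ctx->handle_table` as the condition would make the loop fail closed. Separately, when every handle is free the loop now ends with handle == ctx->handle_table, so the lines after it set first_free_handle to handle_table - 1 and last_handle to handle_table; a short comment saying that this is the intended empty-table state, and a mention of the all-free case in the header comment above the function, would help the next reader. The commit message describes a reproduction (out-of-order frees followed by buflib_alloc_maximum()), so a regression test covering that sequence would be worth adding alongside the fix.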