Topic: OggDropXPd (1.9.0) crashes due to heap corruption

OggDropXPd (1.9.0) crashes due to heap corruption

In encthread.c at around line 1482:
        if (out_fn)
            free(out_fn);               /* out_fn is the address of a stack array, not a heap block */
        if (enc_opts.filename)
            free(enc_opts.filename);    /* same address as out_fn: freed a second time */

enc_opts.filename points to the same address as out_fn (see line 1246), hence the double free.
However, it's worse than that. out_fn (and enc_opts.filename) actually points to the stack array strFileName[] (see line 1219). So it tries to free the same stack address twice, which causes this encoding thread to crash.
I was somewhat surprised to see that this file has not been touched since 2008, and that no one has ever complained about this bug.
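As an added illustration (this is not code from the post or from OggDropXPd; struct, field and function names such as enc_opts, buggy_finish, release_filename and run_encode_job are assumptions made for the example), here is the shape of the bug next to a hardened form: the filename gets exactly one heap-allocated owner, out_fn is treated as a non-owning alias, and every release goes through one helper that NULLs both pointers, so the second free() the original code performs becomes a no-op.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the encoder's option struct; the name and field
 * are assumptions for this example, not OggDropXPd's real definitions. */
struct enc_opts {
    char *filename;     /* in the fixed version: the one owning pointer */
};

/* ---- The bug's shape (undefined behaviour; never call in production) ----
 * The caller's stack array is aliased by two pointers and both are freed.
 * The array is passed in from the caller so the compiler cannot see that
 * it is not heap memory, much as the ownership was not visible at the
 * free() site in the original code. */
static void buggy_finish(char *strFileName)
{
    struct enc_opts enc_opts;
    char *out_fn = strFileName;         /* alias 1: points at the stack array */
    enc_opts.filename = out_fn;         /* alias 2: same address */

    /* ... encoding would use out_fn here ... */

    if (out_fn)
        free(out_fn);                   /* free() of a stack address */
    if (enc_opts.filename)
        free(enc_opts.filename);        /* same non-heap address freed again */
}

static void buggy_demo(void)
{
    char strFileName[256] = "track01.ogg";   /* constructed sample name */
    buggy_finish(strFileName);
}

/* ---- Hardened shape ----
 * Give the name exactly one owner (a heap copy in enc_opts.filename) and
 * treat out_fn as a non-owning alias.  All release goes through one helper
 * that NULLs both pointers, so a repeated release is a no-op instead of a
 * double free. */
static char *dup_name(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p)
        memcpy(p, s, n);
    return p;
}

static void release_filename(struct enc_opts *opts, char **out_fn)
{
    free(opts->filename);               /* free(NULL) is defined as a no-op */
    opts->filename = NULL;
    if (out_fn)
        *out_fn = NULL;                 /* drop the alias so it cannot dangle */
}

/* Models the encoding thread's job.  Returns 0 when the name was copied,
 * used and released cleanly, -1 on allocation failure, -2 if a pointer was
 * left dangling.  release_twice mimics the original's two free() calls. */
static int run_encode_job(const char *name, int release_twice)
{
    char strFileName[256];              /* the stack buffer from the post */
    struct enc_opts enc_opts = { NULL };
    char *out_fn;

    snprintf(strFileName, sizeof strFileName, "%s", name);
    enc_opts.filename = dup_name(strFileName);   /* heap copy: sole owner */
    if (!enc_opts.filename)
        return -1;
    out_fn = enc_opts.filename;         /* non-owning alias into the copy */

    /* ... encoding would use out_fn here ... */

    release_filename(&enc_opts, &out_fn);
    if (release_twice)
        release_filename(&enc_opts, &out_fn);    /* harmless second call */

    return (enc_opts.filename == NULL && out_fn == NULL) ? 0 : -2;
}

int main(int argc, char **argv)
{
    if (argc > 1 && strcmp(argv[1], "--crash") == 0) {
        buggy_demo();                   /* run an ASan build to see the report */
        return 1;
    }
    printf("single release: %d\n", run_encode_job("track01.ogg", 0));
    printf("double release: %d\n", run_encode_job("track01.ogg", 1));
    return 0;
}
```

Building with `-fsanitize=address` and running with `--crash` makes the first free() report an attempt to free an address that was not malloc()-ed (a stack address), which is the cheapest way to confirm the diagnosis in the post before touching the real encthread.c; a debug CRT on Windows will typically assert on the same call. The hardened path keeps the existing two-pointer layout but makes release idempotent, so the surrounding code does not need to be restructured.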

Reply #1

Thanks for the interest. I'll look into this when I return home later.