Closed naglis closed 1 year ago
I looked into this, it seems to be an underflow issue that occurs here on line 801, with `i` being 529 and `pcm_length` being 229:
https://github.com/MusicPlayerDaemon/MPD/blob/8a7b7dffec76d3652995274edb0e0a89acdcf684/src/decoder/plugins/MadDecoderPlugin.cxx#L798-L805
The calling function `MadDecoder::SynthAndSubmit()` sets `i` to `drop_start_samples`, which had the value of 529. `pcm_length` was initially 576, but after subtracting the `drop_end_samples` (347) it then became 229. Now `i` is greater than `pcm_length`, which leads to the `size_t` underflow in `MadDecoder::SubmitPCM()`.
I don't really know anything about MAD so I'm not sure what course of action should be taken, but I guess `if (i > pcm_length)` then `DecoderCommand::STOP`?
Thanks @zaidhaan, your analysis was correct; the problem was that `drop_start_samples` and `drop_end_samples` could overlap, and thus the mistake was in the `drop_end_samples >= pcm_length` check, which didn't account for `drop_start_samples` (= `i`).
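The arithmetic described in the two comments above, as an added illustration that is not MPD's own code: a frame of `pcm_length` samples has `drop_start` samples removed from the front and `drop_end` from the back. The first function reproduces the check as the analysis describes it (only `drop_end` is compared against `pcm_length`), the second accounts for both regions as the fix does. The identifiers mirror the thread; the 576/529/347 values are the ones reported, everything else is an assumption for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Result of trimming a decoded frame before handing it to the output.
// Illustrative type for this example, not an MPD type.
struct DropResult {
    bool stop;      // true: nothing left to submit, decoder should stop
    size_t offset;  // index of the first sample to submit
    size_t count;   // number of samples to submit
};

// Buggy variant: the end-drop check ignores drop_start. When the two drop
// regions overlap, i exceeds the trimmed pcm_length and the unsigned
// subtraction wraps, yielding a sample count far larger than the frame.
// In a decoder that count would size the PCM chunk passed downstream,
// reading past the frame buffer (the reported segfault).
DropResult drop_samples_buggy(size_t pcm_length, size_t drop_start, size_t drop_end) {
    if (drop_end >= pcm_length)
        return {true, 0, 0};
    pcm_length -= drop_end;            // 576 - 347 = 229 in the report
    size_t i = drop_start;             // 529 in the report
    return {false, i, pcm_length - i}; // 229 - 529 wraps to SIZE_MAX - 299
}

// Fixed variant: check that both regions together leave samples to submit
// before subtracting. Written so that neither comparison can itself wrap.
DropResult drop_samples_fixed(size_t pcm_length, size_t drop_start, size_t drop_end) {
    if (drop_start >= pcm_length || drop_end >= pcm_length - drop_start)
        return {true, 0, 0};           // overlap, or nothing left in the frame
    return {false, drop_start, pcm_length - drop_start - drop_end};
}

int main() {
    // Constructed input: the values from the bug report.
    DropResult b = drop_samples_buggy(576, 529, 347);
    DropResult f = drop_samples_fixed(576, 529, 347);
    std::printf("buggy: stop=%d offset=%zu count=%zu\n", b.stop, b.offset, b.count);
    std::printf("fixed: stop=%d offset=%zu count=%zu\n", f.stop, f.offset, f.count);
    return 0;
}
```

With the reported values the buggy path returns a count of `SIZE_MAX - 299` samples from offset 529 in a 576-sample frame, while the fixed path reports that there is nothing left to submit.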
Bug report
Describe the bug
MPD crashes with segmentation fault when playing this MP3 file.
Expected Behavior
MPD does not crash.
Actual Behavior
MPD crashes.
Version
Configuration
Log
Backtrace