[PATCH] rtl_adsb: Fix invalid memory access

Will Glynn will at willglynn.com
Fri Sep 13 01:28:31 UTC 2013


single_manchester() considers both i and i+1, but the loop only
tests that i is in bounds. This causes undefined behavior, including
but not limited to a SIGBUS-related crash on Mac OS X.

(And also, we should not enter an infinite loop, caused by applying
an patch I sent that didn't also change the while condition.)
---
 src/rtl_adsb.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/rtl_adsb.c b/src/rtl_adsb.c
index 44b62e2..0845bf5 100644
--- a/src/rtl_adsb.c
+++ b/src/rtl_adsb.c
@@ -258,9 +258,10 @@ void manchester(uint16_t *buf, int len)
 	uint16_t a=0, b=0;
 	uint16_t bit;
 	int i, i2, start, errors;
+	int maximum_i = len - 1;        // len-1 since we look at i and i+1
 	// todo, allow wrap across buffers
 	i = 0;
-	while (i < len) {
+	while (i < maximum_i) {
 		/* find preamble */
 		for ( ; i < (len - preamble_len); i++) {
 			if (!preamble(buf, i)) {
@@ -275,7 +276,7 @@ void manchester(uint16_t *buf, int len)
 		i2 = start = i;
 		errors = 0;
 		/* mark bits until encoding breaks */
-		for ( ; i < len; i+=2, i2++) {
+		for ( ; i < maximum_i; i+=2, i2++) {
 			bit = single_manchester(a, b, buf[i], buf[i+1]);
 			a = buf[i];
 			b = buf[i+1];
-- 
1.8.3.4




More information about the osmocom-sdr mailing list