authorWilliam Wilgus <me.theuser@yahoo.com>2018-12-13 10:39:49 -0600
committerWilliam Wilgus <me.theuser@yahoo.com>2018-12-14 01:28:17 -0600
commit3f110daf3032187c052a6e3c1b05d01d1a4582d0 (patch)
treed2fcb43e9010dd7f5b414b68d23448dfcccd8513 /apps/playlist.c
parentce0b31d87db3c4c1c1bfb535c50770d33e9c4aaf (diff)
Fix tree.c->tree_get_entry_at() buffer overflow
I observed a crash on buflib->move_block. After dumping RAM, I noticed that the buffer for filetypes was being corrupted.
tree_get_entry_at() returns an entry from the buflib 'tree entry' buffer. filetree.c->ft_load writes data to this buffer before checking whether it has reached the last entry, resulting in a buffer overflow that overwrites the next entry in the buffer ['filetypes'].
The patch checks that the index passed to tree_get_entry_at() is in range; otherwise it returns NULL.
Added checks + panic in other functions using tree_get_entry_at().
Fixed tree_lock_cache() calls in playlist and filetree.
Change-Id: Ibf9e65652b4e00445e8e509629aebbcddffcfd4d
Diffstat (limited to 'apps/playlist.c')
-rw-r--r--apps/playlist.c11
1 files changed, 7 insertions, 4 deletions
diff --git a/apps/playlist.c b/apps/playlist.c
index f566999212..7420b0afad 100644
--- a/apps/playlist.c
+++ b/apps/playlist.c
@@ -1573,10 +1573,10 @@ static int get_next_dir(char *dir, bool is_forward)
break;
}
+ tree_lock_cache(tc);
files = tree_get_entries(tc);
num_files = tc->filesindir;
- tree_lock_cache(tc);
for (i=0; i<num_files; i++)
{
/* user abort */
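Review bot: The loop that follows the relocated `tree_lock_cache(tc)` still indexes `files[i]` directly up to `tc->filesindir`, so it bypasses the range check this commit adds to `tree_get_entry_at()`. If `filesindir` can ever exceed the number of entries the cache buffer actually holds (the commit description suggests ft_load could run past the last entry), these reads would walk into the neighbouring buflib allocation. Consider fetching each entry through the checked accessor, e.g. `struct entry *e = tree_get_entry_at(tc, i);` followed by `if (!e) break;`, or clamping `num_files` to the cache capacity before the loop. The same direct indexing appears in both loops of check_subdir_for_music() in the later hunks. get_next_dir() continues outside this hunk, so its unlock path is not visible here.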
@@ -1666,9 +1666,10 @@ static int check_subdir_for_music(char *dir, const char *subdir, bool recurse)
return -2;
}
+ tree_lock_cache(tc);
files = tree_get_entries(tc);
num_files = tc->filesindir;
-
+
for (i=0; i<num_files; i++)
{
if (files[i].attr & ATTR_DIRECTORY)
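Review bot: The code does not say why `tree_lock_cache(tc)` has to come before `tree_get_entries(tc)`, so the ordering is easy to undo in a later cleanup. A short comment above the call would preserve it, for example `/* lock first: the pointer from tree_get_entries() must not be used while buflib can still move the cache */`. That reason is inferred from the commit description, so confirm the wording against the buflib contract. The same comment fits the relocated lock in get_next_dir() in the first hunk. The `-`/`+` pair on the blank line below `num_files` looks like a whitespace-only change and may be adding trailing whitespace.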
@@ -1681,9 +1682,11 @@ static int check_subdir_for_music(char *dir, const char *subdir, bool recurse)
}
if (has_music)
+ {
+ tree_unlock_cache(tc);
return 0;
-
- tree_lock_cache(tc);
+ }
+
if (has_subdir && recurse)
{
for (i=0; i<num_files; i++)
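Review bot: With the lock now taken before the first scan, every exit from check_subdir_for_music() after that point has to call `tree_unlock_cache(tc)`, and only the `has_music` return is covered in the visible lines. The function continues outside this hunk, so any further `return` inside or after the `has_subdir && recurse` loop should be checked for a matching unlock. A single exit label would make the pairing hard to miss: replace the braced early return with a `goto unlock;` once the return value is set, and keep one `tree_unlock_cache(tc);` just before the final `return`. A missed unlock would presumably leave the tree cache pinned for the rest of the session, which is hard to trace back to this function.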