Date:      Thu, 27 Nov 2003 17:30:59 +0100
From:      "Daan Vreeken [PA4DAN]" <Danovitsch@Vitsch.net>
To:        Jay Cornwall <jay@evilrealms.net>
Cc:        imp@FreeBSD.org
Subject:   Re: Panic with ugen
Message-ID:  <200311271730.59498.Danovitsch@Vitsch.net>
In-Reply-To: <3FC60B3B.2000403@evilrealms.net>
References:  <1069874342.704.18.camel@klotz.local> <200311270856.44214.Danovitsch@Vitsch.net> <3FC60B3B.2000403@evilrealms.net>

On Thursday 27 November 2003 15:33, Jay Cornwall wrote:
> Daan Vreeken [PA4DAN] wrote:
> > If you have time left, could you perhaps also have a look at kern/51186?
> > I have filed it back in March and it's still open. (Fixes a memory
> > corruption bug in ugen).
>
> I'm not a committer, I'm afraid, so it's probably best to get in touch with
> the code maintainer. (imp@freebsd.org, if the PR is correct - he did reply
> at the bottom of the PR)
>
> But from a brief look at the code, I can't see anything getting past this
> line: if(sce->fill < sce->cur && sce->cur <= sce->fill + count)
>
> If sce->fill is less than sce->cur, then sce->cur can only be <= (sce->fill
> + count) if count is negative. But I haven't studied the code that closely,
> so maybe I'm just missing something obvious. :)
It can. Imagine a buffer of 1000 bytes.
sce->fill=980 and sce->cur=990.
If we have to store 40 bytes, sce->fill (980) is smaller than sce->cur (990).
And sce->cur (990) is smaller or equal to sce->fill + count (980+40=1020).

After that count gets added to sce->cur ( sce->cur=990+40=1030).
Now sce->cur is bigger than sce->limit so this line of code gets executed:
sce->cur = sce->ibuf + (sce->limit - sce->cur);
Leading to:
sce->cur = sce->ibuf + ( 1000 - 1030 ) =
  beginning-of-buffer - 30 !
Instead of:
sce->cur = sce->ibuf + ( 1030 - 1000 ) =
   beginning-of-buffer + 30

grtz,
Daan
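The wraparound arithmetic Daan walks through above, as an added example that is not part of the original message or of the ugen driver. It models the driver's ibuf/fill/cur/limit pointers as integer offsets into a 1000-byte buffer (the struct, the function names and the sample values are assumptions built from the email) so that the negative offset produced by the quoted line can be shown without ever forming an invalid pointer. The overtake condition and both forms of the wraparound line are evaluated with the email's numbers: fill=980, cur=990, count=40.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the interrupt-pipe ring buffer discussed in the
 * thread. Offsets replace the driver's ibuf/fill/cur/limit pointers so an
 * out-of-range result can be inspected safely. The struct and helper
 * names are assumptions, not code from ugen. */
struct ring {
    ptrdiff_t limit;  /* buffer size, i.e. sce->limit - sce->ibuf */
    ptrdiff_t fill;   /* reader position, sce->fill - sce->ibuf */
    ptrdiff_t cur;    /* writer position, sce->cur - sce->ibuf */
};

/* The condition quoted in the thread: true when storing `count` bytes
 * would make the writer overtake the reader. */
int would_overtake(const struct ring *r, ptrdiff_t count)
{
    return r->fill < r->cur && r->cur <= r->fill + count;
}

/* Wraparound as written in the line quoted in the email: after advancing
 * past limit the new offset is limit - cur, which is negative. */
ptrdiff_t wrap_buggy(const struct ring *r, ptrdiff_t count)
{
    ptrdiff_t cur = r->cur + count;
    if (cur > r->limit)
        cur = r->limit - cur;   /* 1000 - 1030 == -30: before the buffer */
    return cur;
}

/* Wraparound with the operands the other way round, as the email shows:
 * the overshoot past limit becomes the offset from the buffer start. */
ptrdiff_t wrap_fixed(const struct ring *r, ptrdiff_t count)
{
    ptrdiff_t cur = r->cur + count;
    if (cur > r->limit)
        cur = cur - r->limit;   /* 1030 - 1000 == 30: inside the buffer */
    return cur;
}

/* 1 when an offset is a valid write position inside [0, limit). */
int in_bounds(const struct ring *r, ptrdiff_t off)
{
    return off >= 0 && off < r->limit;
}

int main(void)
{
    /* Constructed values taken from the email's walkthrough. */
    struct ring r = { .limit = 1000, .fill = 980, .cur = 990 };
    ptrdiff_t count = 40;

    printf("overtake condition holds: %d\n", would_overtake(&r, count));
    printf("buggy new cur offset: %td (in bounds: %d)\n",
           wrap_buggy(&r, count), in_bounds(&r, wrap_buggy(&r, count)));
    printf("fixed new cur offset: %td (in bounds: %d)\n",
           wrap_fixed(&r, count), in_bounds(&r, wrap_fixed(&r, count)));
    return 0;
}
```

Running it confirms the two points of the thread: the overtake condition is satisfiable with a positive count as soon as count exceeds cur - fill, and the quoted wraparound line then yields an offset 30 bytes before the start of the buffer, which a subsequent copy would write through as a memory corruption.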


