Fix crash when using the VoiceRecorder with voice target shortcuts #2864
This patch series fixes #2863 (Mumble segfaults during recording.)
During a VoiceRecorder session, when pressing a voice target shortcut, it was possible to set iPrevTarget to -1. That, combined with the fact that flushCheck() in AudioInput didn't properly check whether the values for iTarget and iPrevTarget were valid, caused a voice packet with an invalid flag byte to be generated. This caused a crash in AudioOutputSpeech's needSamples(), because it would treat the bad packet as a Speex packet. Basically -- the logic was that anything that isn't CELT or Opus must be Speex -- which obviously isn't true: invalid packets would be treated as Speex.
The first commit in this series fixes the problem with missing validation for iTarget/iPrevTarget.
The second commit fixes the crash-site: When a bad packet was generated by the VoiceRecorder due to iPrevTarget being -1, AudioOutputSpeech::needSamples() would treat the bad packet as Speex, and would try to decode it, and fail. We now explicitly check whether the message type is Speex, before treating a packet as Speex.
The final commit adds an additional guard to AudioOutputSpeech, to catch invalid voice packets before they get into the audio subsystem.
4 times, most recently
Feb 22, 2017
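The failure mode described in the pull request, as an added C++ example that is not Mumble's own code: a target of -1 corrupts the flag byte, a fall-through dispatch then hands the packet to the Speex path, and a strict dispatch rejects it. The enum values, the 3-bit type / 5-bit target layout and all function names are assumptions made for this illustration.

```cpp
#include <cstdint>

// Assumed header layout: top 3 bits = codec type, low 5 bits = voice target.
enum class VoiceType : uint8_t { CeltAlpha = 0, Ping = 1, Speex = 2, CeltBeta = 3, Opus = 4 };
enum class Decoder { Celt, Speex, Opus, Rejected };

constexpr int kMaxTarget = 31; // largest value that fits the 5-bit target field

// Unchecked sender (the "before" behaviour): a target of -1 sets every bit,
// so the type field reads 7, which is not a defined codec.
uint8_t buildHeaderUnchecked(VoiceType type, int target) {
    return static_cast<uint8_t>(target | (static_cast<int>(type) << 5));
}

// Checked sender: refuse to build a header from an out-of-range target.
bool buildHeader(VoiceType type, int target, uint8_t &out) {
    if (target < 0 || target > kMaxTarget)
        return false;
    out = static_cast<uint8_t>((static_cast<int>(type) << 5) | target);
    return true;
}

// "Before" dispatch: anything that is not CELT or Opus is assumed to be Speex.
Decoder pickDecoderFallthrough(uint8_t header) {
    switch (header >> 5) {
        case 0: case 3: return Decoder::Celt;
        case 4:         return Decoder::Opus;
        default:        return Decoder::Speex; // invalid types land here too
    }
}

// Strict dispatch: every codec is matched explicitly, everything else is dropped.
Decoder pickDecoderStrict(uint8_t header) {
    switch (header >> 5) {
        case 0: case 3: return Decoder::Celt;
        case 2:         return Decoder::Speex;
        case 4:         return Decoder::Opus;
        default:        return Decoder::Rejected;
    }
}
```
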
Kissaki left a comment
I’m not sure I’m that qualified, but anyway.
Commit 1 looks plausible
Commit 2 makes sense. Is silently ignoring the else case what we want though? There's some followup code as well, and we won't notice unexpected message types.
Commit 3 has a typo "we check they they're". Also I would simplify "However, some packets, we generate ourselves" to "However, we generate some packets ourselves".
Commit 3 seems plausible.
Since packets from the server will never reach this place, I think you're right.