From ab2d4171666b8778ac53b54438e5f0d4262778de Mon Sep 17 00:00:00 2001
From: Daniel Estévez <daniel@destevez.net>
Date: Fri, 20 Dec 2019 15:22:22 +0100
Subject: Fix heap corruption bug in async_decoder

When using async_decoder with a CC decoder with k = 7 and no input byte packing,
the frame size of the underlying FEC decoder is set incorrectly to a too large
value. This causes out of bounds accesses which corrupt the heap.
---
 gr-fec/lib/async_decoder_impl.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)


diff --git a/gr-fec/lib/async_decoder_impl.cc b/gr-fec/lib/async_decoder_impl.cc
index 790cd58a4b..d417da3129 100644
--- a/gr-fec/lib/async_decoder_impl.cc
+++ b/gr-fec/lib/async_decoder_impl.cc
@@ -116,7 +116,7 @@ void async_decoder_impl::decode_unpacked(pmt::pmt_t msg)
     size_t nbits_in = pmt::length(bits);
     size_t nbits_out = 0;
     size_t nblocks = 1;
-    bool variable_frame_size = d_decoder->set_frame_size(nbits_in * d_decoder->rate());
+    bool variable_frame_size = d_decoder->set_frame_size(nbits_in * d_decoder->rate() - diff);
 
     // Check here if the frame size is larger than what we've
     // allocated for in the constructor.
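Review bot: The corrected frame size on the `+` line is computed as `nbits_in * d_decoder->rate() - diff` in unsigned (`size_t`) arithmetic, so whenever `diff` exceeds the product the subtraction wraps to a very large value and `set_frame_size` is handed an enormous frame size — the same over-sized-frame condition this commit is fixing, now reachable from a short or empty input message. Where `diff` is defined and how it relates to `nbits_in` is outside the hunk (decode_unpacked begins before and continues after it), so I cannot confirm whether the caller already rules this out; if it does not, a guard before the call, e.g. `if (nbits_in * d_decoder->rate() < diff) { /* reject or drop the message, matching the file's error handling */ return; }`, keeps a malformed input from being turned into an allocation or access of that size. The comment on the following two lines says the frame size is checked against what the constructor allocated, but the check itself is not in view, so I would also confirm it bounds the value rather than growing the buffer to match. A one-line comment on the `+` line explaining why `diff` is subtracted (the k = 7 tail-bit case from the commit message) would also help the next reader, since the expression alone does not say so.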
-- 
cgit v1.2.3