[9/9] audio: audio_generic_get_buffer_in should honor *size

Message ID	20200123074943.6699-9-vr_qemu@t-online.de
State	New
Headers	show Return-Path: <qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org> From: =?utf-8?q?Volker_R=C3=BCmelin?= <vr_qemu@t-online.de> To: Gerd Hoffmann <kraxel@redhat.com> Subject: [PATCH 9/9] audio: audio_generic_get_buffer_in should honor *size Date: Thu, 23 Jan 2020 08:49:43 +0100 Message-Id: <20200123074943.6699-9-vr_qemu@t-online.de> In-Reply-To: <1e29e1d3-b59b-fcd6-cdff-a680bcdbffa4@t-online.de> References: <1e29e1d3-b59b-fcd6-cdff-a680bcdbffa4@t-online.de> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Precedence: list Cc: QEMU <qemu-devel@nongnu.org>, =?utf-8?b?Wm9sdMOhbiBLxZF2w6Fnw7M=?= <dirty.ice.hu@gmail.com> Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org Sender: "Qemu-devel" <qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>
Series	more audio fixes and improvements \| expand [0/9] more audio fixes and improvements [1/9] audio: fix audio_generic_write [2/9] audio: fix audio_generic_read [3/9] paaudio: remove unused variables [4/9] audio: prevent SIGSEGV in AUD_get_buffer_size_out [5/9] audio: fix bug 1858488 [6/9] ossaudio: prevent SIGSEGV in oss_enable_out [7/9] ossaudio: prevent SIGPFE in oss_write [8/9] ossaudio: disable poll mode can't be reached [9/9] audio: audio_generic_get_buffer_in should honor *size

Message ID

20200123074943.6699-9-vr_qemu@t-online.de

State

New

Headers

From: =?utf-8?q?Volker_R=C3=BCmelin?= <vr_qemu@t-online.de>
To: Gerd Hoffmann <kraxel@redhat.com>
Subject: [PATCH 9/9] audio: audio_generic_get_buffer_in should honor *size
Date: Thu, 23 Jan 2020 08:49:43 +0100
Message-Id: <20200123074943.6699-9-vr_qemu@t-online.de>
In-Reply-To: <1e29e1d3-b59b-fcd6-cdff-a680bcdbffa4@t-online.de>
References: <1e29e1d3-b59b-fcd6-cdff-a680bcdbffa4@t-online.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Precedence: list
Cc: QEMU <qemu-devel@nongnu.org>, =?utf-8?b?Wm9sdMOhbiBLxZF2w6Fnw7M=?=
	<dirty.ice.hu@gmail.com>
Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org
Sender: "Qemu-devel"
	<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>

Series

more audio fixes and improvements | expand

Commit Message

Volker Rümelin Jan. 23, 2020, 7:49 a.m. UTC

The function generic_get_buffer_in currently ignores the *size
parameter and may return a buffer larger than *size.

As a result the variable samples in function
audio_pcm_hw_run_in may underflow. The while loop then most
likely will never termiate.

This bug was reported at http://bugs.debian.org/948658.

Signed-off-by: Volker Rümelin <vr_qemu@t-online.de>
---
 audio/audio.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/audio/audio.c b/audio/audio.c
index 81822bfec9..f5fb6cbf53 100644
--- a/audio/audio.c
+++ b/audio/audio.c
@@ -1406,7 +1406,8 @@  void *audio_generic_get_buffer_in(HWVoiceIn *hw, size_t *size)
     }
     assert(start >= 0 && start < hw->size_emul);
 
-    *size = MIN(hw->pending_emul, hw->size_emul - start);
+    *size = MIN(*size, hw->pending_emul);
+    *size = MIN(*size, hw->size_emul - start);
     return hw->buf_emul + start;
 }

[9/9] audio: audio_generic_get_buffer_in should honor *size

Commit Message

Patch