diff options
author | Denis Shulyaka <shulyaka@gmail.com> | 2017-07-30 23:40:19 +0300 |
---|---|---|
committer | Tanu Kaskinen <tanuk@iki.fi> | 2017-07-31 04:41:10 +0300 |
commit | 7ebe7b8a35ad70f611bc08229b1beae1afaf6e00 (patch) | |
tree | d95719c18f345f64a64ab82df33ede7a8d80772d | |
parent | c2dd53f79c817f0c2b4657299ef3a189920e38ab (diff) | |
download | pulseaudio-7ebe7b8a35ad70f611bc08229b1beae1afaf6e00.tar.gz |
pacat: fix a memory issue
If only part of the buffer is written into stdout by stdout_callback,
the buffer_index variable is increased by the number of written bytes,
buffer_length variable is decreased while the allocated buffer size
remains the same. That suggests that the current allocated size is
calculated as (buffer_index + buffer_length). However the current
stream_read_callback implementation writes new data to the start of the
buffer and allocates too little space, so that (buffer + buffer_index +
buffer_length - 1) could actully point outside of the allocated buffer.
-rw-r--r-- | src/utils/pacat.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/src/utils/pacat.c b/src/utils/pacat.c index 4e1bbfc6b..6c4db4bb0 100644 --- a/src/utils/pacat.c +++ b/src/utils/pacat.c @@ -251,11 +251,11 @@ static void stream_read_callback(pa_stream *s, size_t length, void *userdata) { /* If there is a hole in the stream, we generate silence, except * if it's a passthrough stream in which case we skip the hole. */ if (data || !(flags & PA_STREAM_PASSTHROUGH)) { - buffer = pa_xrealloc(buffer, buffer_length + length); + buffer = pa_xrealloc(buffer, buffer_index + buffer_length + length); if (data) - memcpy((uint8_t *) buffer + buffer_length, data, length); + memcpy((uint8_t *) buffer + buffer_index + buffer_length, data, length); else - pa_silence_memory((uint8_t *) buffer + buffer_length, length, &sample_spec); + pa_silence_memory((uint8_t *) buffer + buffer_index + buffer_length, length, &sample_spec); buffer_length += length; } |