pacat: fix a memory issue

If only part of the buffer is written into stdout by stdout_callback,
the buffer_index variable is increased by the number of written bytes,
buffer_length variable is decreased while the allocated buffer size
remains the same. That suggests that the current allocated size is
calculated as (buffer_index + buffer_length). However the current
stream_read_callback implementation writes new data to the start of the
buffer and allocates too little space, so that (buffer + buffer_index +
buffer_length - 1) could actully point outside of the allocated buffer.

1 files changed, 3 insertions, 3 deletions

diff --git a/src/utils/pacat.c b/src/utils/pacat.c
index 4e1bbfc6b..6c4db4bb0 100644
--- a/src/utils/pacat.c
+++ b/src/utils/pacat.c
@@ -251,11 +251,11 @@ static void stream_read_callback(pa_stream *s, size_t length, void *userdata) {
             /* If there is a hole in the stream, we generate silence, except
              * if it's a passthrough stream in which case we skip the hole. */
             if (data || !(flags & PA_STREAM_PASSTHROUGH)) {
-                buffer = pa_xrealloc(buffer, buffer_length + length);
+                buffer = pa_xrealloc(buffer, buffer_index + buffer_length + length);
                 if (data)
-                    memcpy((uint8_t *) buffer + buffer_length, data, length);
+                    memcpy((uint8_t *) buffer + buffer_index + buffer_length, data, length);
                 else
-                    pa_silence_memory((uint8_t *) buffer + buffer_length, length, &sample_spec);
+                    pa_silence_memory((uint8_t *) buffer + buffer_index + buffer_length, length, &sample_spec);
 
                 buffer_length += length;
             }