diff options
| author | Sam Lantinga <slouken@libsdl.org> | 2012-01-08 17:20:33 -0500 |
|---|---|---|
| committer | Sam Lantinga <slouken@libsdl.org> | 2012-01-08 17:20:33 -0500 |
| commit | 0e2f2bcab0282bb81933debb2b32cef65d82c0e8 (patch) | |
| tree | 02e912073023e38bd0ecfec5ca3cd9f2706df034 /src | |
| parent | 64ae43880f92a5bcb11145dac9322a291563b632 (diff) | |
Fixed bug 1091 - Hardcoded size in SDL_audiocvt.c may lead to heap/stack corruption
Markovtsev Vadim 2011-01-18 22:00:16 PST
SDL_audiocvt.c:
static void SDLCALL
SDL_ConvertStereo(SDL_AudioCVT * cvt, SDL_AudioFormat format):
#define dup_chans_1_to_2(type) \
{ \
const type *src = (const type *) (cvt->buf + cvt->len_cvt); \
type *dst = (type *) (cvt->buf + cvt->len_cvt * 2); \
for (i = cvt->len_cvt / 2; i; --i, --src) { \
const type val = *src; \
dst -= 2; \
dst[0] = dst[1] = val; \
} \
}
Pay attention to cvt->len_cvt / 2. 2 is the sizeof(Uint16), hovewer, below we
see that the conversion function supports Uint8 and Uint32:
switch (SDL_AUDIO_BITSIZE(format)) {
case 8:
dup_chans_1_to_2(Uint8);
break;
case 16:
dup_chans_1_to_2(Uint16);
break;
case 32:
dup_chans_1_to_2(Uint32);
break;
}
If type is Uint32, src will be decreased twice as it should be, memory being
written before the cvt->buf. If type is Uint8, the conversion will not be
complete. I suggest to change that define to
#define dup_chans_1_to_2(type) \
{ \
const type *src = (const type *) (cvt->buf + cvt->len_cvt); \
type *dst = (type *) (cvt->buf + cvt->len_cvt * 2); \
for (i = cvt->len_cvt / sizeof(type); i; --i, --src) { \
const type val = *src; \
dst -= 2; \
dst[0] = dst[1] = val; \
} \
}
I tested that and now it's working fine. I did not consider the similar defines
in functions nearby.
Diffstat (limited to 'src')
| -rwxr-xr-x | src/audio/SDL_audiocvt.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/audio/SDL_audiocvt.c b/src/audio/SDL_audiocvt.c index 0594df53..dbae813a 100755 --- a/src/audio/SDL_audiocvt.c +++ b/src/audio/SDL_audiocvt.c @@ -295,7 +295,7 @@ SDL_ConvertStereo(SDL_AudioCVT * cvt, SDL_AudioFormat format) { \ const type *src = (const type *) (cvt->buf + cvt->len_cvt); \ type *dst = (type *) (cvt->buf + cvt->len_cvt * 2); \ - for (i = cvt->len_cvt / 2; i; --i, --src) { \ + for (i = cvt->len_cvt / sizeof(type); i; --i, --src) { \ const type val = *src; \ dst -= 2; \ dst[0] = dst[1] = val; \ |