From 41989f4889648ecd31845bf1287c0f577673bd33 Mon Sep 17 00:00:00 2001
From: Wim Taymans
Date: Mon, 24 Feb 2020 15:08:27 +0100
Subject: [PATCH] client-node: don't overwrite the chunk memory pointer

When the client uploads a buffer, copy all data fields except for the chunk memory that we configured before. If we overwrite the chunk memory, the users of the buffer would not be able to find the chunk memory anymore and crash or fail.
---
 src/modules/module-client-node/client-node.c | 14 +++++++++++---
 src/modules/module-client-node/protocol-native.c | 4 +---
 2 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/src/modules/module-client-node/client-node.c b/src/modules/module-client-node/client-node.c
index 9fb5d300a..74b1491bb 100644
--- a/src/modules/module-client-node/client-node.c
+++ b/src/modules/module-client-node/client-node.c
@@ -1024,11 +1024,19 @@ static int client_node_port_buffers(void *data,
 return -EINVAL;
 for (j = 0; j < newbuf->n_datas; j++) {
- oldbuf->datas[j] = newbuf->datas[j];
+ struct spa_chunk *oldchunk = oldbuf->datas[j].chunk;
- spa_log_debug(this->log, " data %d type:%d fd:%d", j,
+ /* overwrite everything except the chunk */
+ oldbuf->datas[j] = newbuf->datas[j];
+ oldbuf->datas[j].chunk = oldchunk;
+
+ spa_log_debug(this->log, " data %d type:%d fl:%08x fd:%d, offs:%d max:%d",
+ j,
 newbuf->datas[j].type,
- (int) newbuf->datas[j].fd);
+ newbuf->datas[j].flags,
+ (int) newbuf->datas[j].fd,
+ newbuf->datas[j].mapoffset,
+ newbuf->datas[j].maxsize);
 }
 }
 mix->n_buffers = n_buffers;
diff --git a/src/modules/module-client-node/protocol-native.c b/src/modules/module-client-node/protocol-native.c
index 3a3a5d95e..4eab88fa3 100644
--- a/src/modules/module-client-node/protocol-native.c
+++ b/src/modules/module-client-node/protocol-native.c
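Review bot: In client-node.c, the `for (j …)` loop of client_node_port_buffers still assigns the whole client-supplied descriptor with `oldbuf->datas[j] = newbuf->datas[j];` and then puts back only `chunk`, so every other member, including any other pointer the struct carries, is taken from the peer unchecked, and a member added later would be trusted by default. Copying just the members a client is meant to set (the ones the new debug line prints) would invert that default; whether the `data` pointer must also be carried over depends on code outside this hunk. The check that keeps `j` inside `oldbuf->datas` is not visible here (only the preceding `return -EINVAL;` is), so confirm `newbuf->n_datas` is compared with the old buffer's count before the loop. If `mapoffset` and `maxsize` are unsigned, as they appear to be, `offs:%u max:%u` avoids large client values showing up as negative numbers in the log.

```c
for (j = 0; j < newbuf->n_datas; j++) {
	struct spa_data *dst = &oldbuf->datas[j];
	const struct spa_data *src = &newbuf->datas[j];

	/* take only what the client may set; dst->chunk stays as configured */
	dst->type = src->type;
	dst->flags = src->flags;
	dst->fd = src->fd;
	dst->mapoffset = src->mapoffset;
	dst->maxsize = src->maxsize;

	/* … unchanged: spa_log_debug call … */
}
```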
@@ -1062,9 +1062,7 @@ static int client_node_demarshal_port_buffers(void *object, const struct pw_prot
 for (i = 0; i < n_buffers; i++) {
 struct spa_buffer *buf = buffers[i] = alloca(sizeof(struct spa_buffer));
- buf->n_metas = 0;
- buf->metas = NULL;
-
+ spa_zero(*buf);
 if (spa_pod_parser_get(&prs, SPA_POD_Int(&buf->n_datas), NULL) < 0)
 return -EINVAL;
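Review bot: `alloca(sizeof(struct spa_buffer))` runs once per iteration of `for (i = 0; i < n_buffers; i++)`, and in a demarshal function `n_buffers` presumably comes from the peer's message, so stack use is limited only by whatever cap is applied before the loop; none is visible in this hunk. If there is no such cap, add one ahead of the loop, for example `if (n_buffers > MAX_BUFFERS) return -EINVAL;` (with `MAX_BUFFERS` standing in for the project's own limit), and apply the same treatment to `buf->n_datas` once it has been parsed. The switch to `spa_zero(*buf)` is a good default for a stack object that is filled field by field from the wire. The function begins and ends outside the hunk.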