mirrors/pulseaudio
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pulseaudio/pulseaudio.git synced 2025-10-28 05:40:21 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

stream: fix array out-of-bounds in stream_get_timing_info_callback

Browse source 
This issue was found by enabling ubsan. For me it consistently triggered
after about 28 seconds running a simple example that plays a sine wave
via the mainloop api.

I added a log and confirmed that before the ubsan is triggered the
index variable j is indeed 32 which is out-of-bounds.

Co-authored-by: Arun Raghavan <arun@asymptotic.io>
This commit is contained in:
Jonathan Marler 2025-08-07 15:45:26 -06:00
parent 98c7c9eafb
commit 1fbc6b0e0e
1 changed files with 4 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

5
src/pulse/stream.c
View file

@ -1917,7 +1917,10 @@ static void stream_get_timing_info_callback(pa_pdispatch *pd, uint32_t command,
* total correction.*/
for (n = 0, j = o->stream->current_write_index_correction+1;
n < PA_MAX_WRITE_INDEX_CORRECTIONS;
n++, j = (j + 1) % PA_MAX_WRITE_INDEX_CORRECTIONS) {
n++, j++) {
/* First fix up the index to be within the array */
j = j % PA_MAX_WRITE_INDEX_CORRECTIONS;
/* Step over invalid data or out-of-date data */
if (!o->stream->write_index_corrections[j].valid ||