From 7ebe7b8a35ad70f611bc08229b1beae1afaf6e00 Mon Sep 17 00:00:00 2001
From: Denis Shulyaka
Date: Sun, 30 Jul 2017 23:40:19 +0300
Subject: [PATCH] pacat: fix a memory issue
If only part of the buffer is written into stdout by stdout_callback, the buffer_index variable is increased by the number of written bytes, buffer_length variable is decreased while the allocated buffer size remains the same. That suggests that the current allocated size is calculated as (buffer_index + buffer_length). However the current stream_read_callback implementation writes new data to the start of the buffer and allocates too little space, so that (buffer + buffer_index + buffer_length - 1) could actully point outside of the allocated buffer.
---
 src/utils/pacat.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/utils/pacat.c b/src/utils/pacat.c
index 4e1bbfc6b..6c4db4bb0 100644
--- a/src/utils/pacat.c
+++ b/src/utils/pacat.c
@@ -251,11 +251,11 @@ static void stream_read_callback(pa_stream *s, size_t length, void *userdata) {
 /* If there is a hole in the stream, we generate silence, except
 * if it's a passthrough stream in which case we skip the hole. */
 if (data || !(flags & PA_STREAM_PASSTHROUGH)) {
- buffer = pa_xrealloc(buffer, buffer_length + length);
+ buffer = pa_xrealloc(buffer, buffer_index + buffer_length + length);
 if (data)
- memcpy((uint8_t *) buffer + buffer_length, data, length);
+ memcpy((uint8_t *) buffer + buffer_index + buffer_length, data, length);
 else
- pa_silence_memory((uint8_t *) buffer + buffer_length, length, &sample_spec);
+ pa_silence_memory((uint8_t *) buffer + buffer_index + buffer_length, length, &sample_spec);
 buffer_length += length;
 }
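Review bot: The new pa_xrealloc, memcpy and pa_silence_memory lines each spell out `buffer_index + buffer_length` separately, and the invariant the fix relies on (the allocation spans buffer_index consumed bytes followed by buffer_length pending bytes) is recorded only in the commit message. Computing the offset once, e.g. `size_t used = buffer_index + buffer_length;` (assuming both are size_t), and adding a comment such as `/* buffer holds buffer_index already-written bytes, then buffer_length pending bytes */` above the realloc would keep the allocation size and the two write offsets from drifting apart again, which is the mismatch that produced the out-of-bounds write. The consumed prefix is now carried through every realloc, so it is worth confirming that the code which advances buffer_index (presumably stdout_callback, not visible here) also frees the buffer and resets the index once it drains. stream_read_callback begins and ends outside this hunk.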