pandory500/SDL-mirror
2
0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Fixed bug 1091 - Hardcoded size in SDL_audiocvt.c may lead to heap/stack corruption

Browse source 
Markovtsev Vadim 2011-01-18 22:00:16 PST

SDL_audiocvt.c:

static void SDLCALL
SDL_ConvertStereo(SDL_AudioCVT * cvt, SDL_AudioFormat format):

#define dup_chans_1_to_2(type) \
    { \
        const type *src = (const type *) (cvt->buf + cvt->len_cvt); \
        type *dst = (type *) (cvt->buf + cvt->len_cvt * 2); \
        for (i = cvt->len_cvt / 2; i; --i, --src) { \
            const type val = *src; \
            dst -= 2; \
            dst[0] = dst[1] = val; \
        } \
    }

Pay attention to cvt->len_cvt / 2. 2 is the sizeof(Uint16), hovewer, below we
see that the conversion function supports Uint8 and Uint32:

switch (SDL_AUDIO_BITSIZE(format)) {
    case 8:
        dup_chans_1_to_2(Uint8);
        break;
    case 16:
        dup_chans_1_to_2(Uint16);
        break;
    case 32:
        dup_chans_1_to_2(Uint32);
        break;
    }

If type is Uint32, src will be decreased twice as it should be, memory being
written before the cvt->buf. If type is Uint8, the conversion will not be
complete. I suggest to change that define to

#define dup_chans_1_to_2(type) \
    { \
        const type *src = (const type *) (cvt->buf + cvt->len_cvt); \
        type *dst = (type *) (cvt->buf + cvt->len_cvt * 2); \
        for (i = cvt->len_cvt / sizeof(type); i; --i, --src) { \
            const type val = *src; \
            dst -= 2; \
            dst[0] = dst[1] = val; \
        } \
    }

I tested that and now it's working fine. I did not consider the similar defines
in functions nearby.
This commit is contained in:
Sam Lantinga 2012-01-08 17:20:33 -05:00
parent a9bcdb83a9
commit 7e2e5d34e6
1 changed files with 1 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

2
src/audio/SDL_audiocvt.c
View file

@ -295,7 +295,7 @@ SDL_ConvertStereo(SDL_AudioCVT * cvt, SDL_AudioFormat format)
{ \ { \
const type *src = (const type *) (cvt->buf + cvt->len_cvt); \ const type *src = (const type *) (cvt->buf + cvt->len_cvt); \
type *dst = (type *) (cvt->buf + cvt->len_cvt * 2); \ type *dst = (type *) (cvt->buf + cvt->len_cvt * 2); \
for (i = cvt->len_cvt / 2; i; --i, --src) { \ for (i = cvt->len_cvt / sizeof(type); i; --i, --src) { \
const type val = *src; \ const type val = *src; \
dst -= 2; \ dst -= 2; \
dst[0] = dst[1] = val; \ dst[0] = dst[1] = val; \