| Summary: | Hardcoded size in SDL_audiocvt.c may lead to heap/stack corruption | ||
|---|---|---|---|
| Product: | SDL | Reporter: | Markovtsev Vadim <gmarkhor> |
| Component: | audio | Assignee: | Ryan C. Gordon <icculus> |
| Status: | RESOLVED FIXED | QA Contact: | Sam Lantinga <slouken> |
| Severity: | normal | ||
| Priority: | P2 | ||
| Version: | HG 2.0 | ||
| Hardware: | All | ||
| OS: | All | ||
Nice catch, thanks! http://hg.libsdl.org/SDL/rev/9ee905f656b2 |
SDL_audiocvt.c: static void SDLCALL SDL_ConvertStereo(SDL_AudioCVT * cvt, SDL_AudioFormat format): #define dup_chans_1_to_2(type) \ { \ const type *src = (const type *) (cvt->buf + cvt->len_cvt); \ type *dst = (type *) (cvt->buf + cvt->len_cvt * 2); \ for (i = cvt->len_cvt / 2; i; --i, --src) { \ const type val = *src; \ dst -= 2; \ dst[0] = dst[1] = val; \ } \ } Pay attention to cvt->len_cvt / 2. 2 is the sizeof(Uint16), hovewer, below we see that the conversion function supports Uint8 and Uint32: switch (SDL_AUDIO_BITSIZE(format)) { case 8: dup_chans_1_to_2(Uint8); break; case 16: dup_chans_1_to_2(Uint16); break; case 32: dup_chans_1_to_2(Uint32); break; } If type is Uint32, src will be decreased twice as it should be, memory being written before the cvt->buf. If type is Uint8, the conversion will not be complete. I suggest to change that define to #define dup_chans_1_to_2(type) \ { \ const type *src = (const type *) (cvt->buf + cvt->len_cvt); \ type *dst = (type *) (cvt->buf + cvt->len_cvt * 2); \ for (i = cvt->len_cvt / sizeof(type); i; --i, --src) { \ const type val = *src; \ dst -= 2; \ dst[0] = dst[1] = val; \ } \ } I tested that and now it's working fine. I did not consider the similar defines in functions nearby.