| Summary: | Some audio channel count converters corrupt floating point audio and overflow buffer | | |
|---|---|---|---|
| Product: | SDL | Reporter: | James Legg <jlegg> |
| Component: | audio | Assignee: | Ryan C. Gordon <icculus> |
| Status: | RESOLVED FIXED | QA Contact: | Sam Lantinga <slouken> |
| Severity: | normal | | |
| Priority: | P2 | | |
| Version: | HG 2.1 | | |
| Hardware: | All | | |
| OS: | All | | |
| Attachments: | patch | | |
Looks good, thanks! https://hg.libsdl.org/SDL/rev/cc1d377f014a

Created attachment 1570: patch

For some channel counts on floating point audio, SDL_ConvertAudio will corrupt the audio. In some cases it overflows the audio buffer as well.

In src/audio/SDL_audiocvt.c, the functions SDL_ConvertMono, SDL_ConvertSurround, and SDL_ConvertSurround_4 treat the input as a 32 bit signed integer when the converter was set up to change the channel count of floating point audio. They each contain a switch statement that checks the format with the SDL_AUDIO_MASK_DATATYPE bit masked out, so the AUDIO_F32 case provided in SDL_ConvertMono and SDL_ConvertSurround is unreachable dead code. SDL_ConvertSurround_4 doesn't have a separate float case, but it needs one as it does arithmetic on the values in the audio buffer.

There are pointer arithmetic errors in SDL_ConvertSurround causing buffer overflows on the converted audio buffer when using 4 byte formats (the AUDIO_S32 and unreachable AUDIO_F32 cases of the switch statement). Both the src and dst pointers use the wrong location. The output is written at a location which can be beyond the allocated size of the buffer through dst.

I've attached a patch which might fix these errors (I haven't tested all combinations, but the case I was using that caused me to find this bug sounds less painful with the patch applied).
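The dispatch defect described in the report, reduced to a minimal stand-alone illustration. This is added example code, not SDL's code and not the attached patch: the `FMT_*` tags, the `stereo_to_mono_*` functions and the sample data are all constructed for this example (the tag layout only imitates how SDL's `AUDIO_*` constants separate a datatype bit from the sample size). The buggy version masks the datatype bit out before the `switch`, so its float case can never match and float samples are averaged as 32-bit integers; the fixed version switches on the full format. Both versions also check that the byte length is a whole number of stereo frames and write exactly `len / 2` bytes, which is the bound the in-place converter must respect.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed format tags for this example only (layout modelled on SDL's AUDIO_*
 * encoding: low byte = bits per sample, bit 8 = float datatype, bit 15 = signed). */
#define FMT_DATATYPE_BIT  (1u << 8)
#define FMT_SIGNED_BIT    (1u << 15)
#define FMT_S32           (32u | FMT_SIGNED_BIT)
#define FMT_F32           (32u | FMT_SIGNED_BIT | FMT_DATATYPE_BIT)

/* Average the two channels of each frame, in place. Each output sample i is written
 * at offset 4*i, after its inputs at 8*i and 8*i+4 have been copied out, so the
 * output never runs ahead of the input. The S32 path sums in 64 bits to avoid
 * signed-overflow undefined behaviour; the F32 path averages as float. */
static void avg_s32(uint8_t *buf, size_t frames) {
    for (size_t i = 0; i < frames; i++) {
        int32_t l, r, m;
        memcpy(&l, buf + 8 * i, 4);
        memcpy(&r, buf + 8 * i + 4, 4);
        m = (int32_t)(((int64_t)l + r) / 2);
        memcpy(buf + 4 * i, &m, 4);
    }
}
static void avg_f32(uint8_t *buf, size_t frames) {
    for (size_t i = 0; i < frames; i++) {
        float l, r, m;
        memcpy(&l, buf + 8 * i, 4);
        memcpy(&r, buf + 8 * i + 4, 4);
        m = (l + r) * 0.5f;
        memcpy(buf + 4 * i, &m, 4);
    }
}

/* Buggy dispatch: the datatype bit is masked away before the switch, so FMT_F32
 * can never be selected and float audio goes through the integer path.
 * Returns the number of output bytes, or -1 for a bad length or unknown format. */
long stereo_to_mono_buggy(uint8_t *buf, size_t len, unsigned format) {
    size_t frames = len / 8;
    if (len % 8 != 0) return -1;                 /* not a whole number of stereo frames */
    switch (format & ~FMT_DATATYPE_BIT) {
        case FMT_S32: avg_s32(buf, frames); break;
        case FMT_F32: avg_f32(buf, frames); break; /* unreachable: bit 8 was cleared */
        default: return -1;
    }
    return (long)(frames * 4);
}

/* Fixed dispatch: switch on the full format so float samples get float arithmetic. */
long stereo_to_mono_fixed(uint8_t *buf, size_t len, unsigned format) {
    size_t frames = len / 8;
    if (len % 8 != 0) return -1;
    switch (format) {
        case FMT_S32: avg_s32(buf, frames); break;
        case FMT_F32: avg_f32(buf, frames); break;
        default: return -1;
    }
    return (long)(frames * 4);
}

/* Run a constructed two-frame float signal through either version and return the
 * mono sample at idx (0 or 1). Expected correct output: {0.75f, 0.0f}. */
float demo_mono_sample(int use_fixed, size_t idx) {
    const float stereo[4] = { 0.5f, 1.0f, -0.25f, 0.25f }; /* constructed stereo input */
    uint8_t buf[sizeof stereo];
    float out = 0.0f;
    memcpy(buf, stereo, sizeof stereo);
    if (use_fixed) stereo_to_mono_fixed(buf, sizeof buf, FMT_F32);
    else           stereo_to_mono_buggy(buf, sizeof buf, FMT_F32);
    memcpy(&out, buf + 4 * idx, 4);
    return out;
}

/* Both versions refuse a length that is not a multiple of the frame size. */
int demo_odd_length_rejected(void) {
    uint8_t buf[8] = {0};
    return stereo_to_mono_fixed(buf, 7, FMT_F32) == -1
        && stereo_to_mono_buggy(buf, 7, FMT_F32) == -1;
}

int main(void) {
    printf("buggy: %g %g\n", demo_mono_sample(0, 0), demo_mono_sample(0, 1));
    printf("fixed: %g %g\n", demo_mono_sample(1, 0), demo_mono_sample(1, 1));
    return 0;
}
```

The first frame happens to come out right even in the buggy path, because 0.5f and 1.0f share a sign and exponent, so averaging their bit patterns as integers lands on the encoding of 0.75f. The second frame (-0.25f, 0.25f) exposes the defect: the integer average of those bit patterns decodes to a float with magnitude around 2^126 instead of 0. Audio that "sounds painful" rather than obviously failing is exactly what such a dead-case switch produces, which is why testing each format through the converter, not just compiling the cases, matters.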