
Bug 2410 - Some audio channel count converters corrupt floating point audio and overflow buffer
Status: RESOLVED FIXED
Alias: None
Product: SDL
Classification: Unclassified
Component: audio
Version: HG 2.1
Hardware: All All
Importance: P2 normal
Assignee: Ryan C. Gordon
QA Contact: Sam Lantinga
Reported: 2014-02-21 18:02 UTC by James Legg
Modified: 2014-02-22 23:29 UTC

Attachments
patch (4.22 KB, text/plain)
2014-02-21 18:02 UTC, James Legg

Description James Legg 2014-02-21 18:02:57 UTC
Created attachment 1570
patch

For some channel count on floating point audio, SDL_ConvertAudio will corrupt the audio. In some cases it overflows the audio buffer as well.

In src/audio/SDL_audiocvt.c, functions SDL_ConvertMono, SDL_ConvertSurround, and SDL_ConvertSurround_4, treat the input as a 32 bit signed integer when the converter was set up to change the channel count of floating point audio. They each contain a switch statement that checks the format with the SDL_AUDIO_MASK_DATATYPE bit masked out, so the AUDIO_F32 case provided in SDL_ConvertMono and SDL_ConvertSurround is unreachable dead code.

SDL_ConvertSurround_4 doesn't have a separate float case, but it needs one as it does arithmetic on the values in the audio buffer.

There are pointer arithmetic errors in SDL_ConvertSurround causing buffer overflows on the converted audio buffer when using 4 byte formats (the AUDIO_S32 and unreachable AUDIO_F32 cases of the switch statement). Both the src and dst pointers use the wrong location. The output is written at a location which can be beyond the allocated size of the buffer through dst.

I've attached a patch which might fix these errors (I haven't tested all combinations, but the case I was using that caused me to find this bug sounds less painful with the patch applied).
Comment 1 Sam Lantinga 2014-02-22 23:29:58 UTC
Looks good, thanks!
https://hg.libsdl.org/SDL/rev/cc1d377f014a
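
Added example, not part of the bug report, the attached patch, or SDL's source: a reduced C model of the dispatch problem the description reports, where masking out the datatype bit sends float samples down the 32-bit integer path. The format values are those of SDL_audio.h; `to_mono`, `demo`, `BUGGY_MASK` and `FIXED_MASK` are hypothetical names, the sample frame is constructed, and host byte order is assumed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MASK_DATATYPE 0x0100u                     /* SDL_AUDIO_MASK_DATATYPE: set for float */
#define FMT_S32       0x8020                      /* AUDIO_S32LSB */
#define FMT_F32       0x8120                      /* AUDIO_F32LSB */
#define BUGGY_MASK    (0xFFFFu & ~MASK_DATATYPE)  /* hypothetical: datatype bit masked out */
#define FIXED_MASK    0xFFFFu                     /* hypothetical: datatype bit kept */

/* In-place stereo -> mono downmix of 4-byte samples; returns new byte length or -1. */
static int to_mono(uint16_t format, unsigned mask, void *buf, int len)
{
    unsigned char *p = buf;
    int frames = len / 8, i;                      /* one stereo frame = 2 * 4 bytes */
    for (i = 0; i < frames; i++) {
        switch (format & mask) {
        case FMT_S32: {                           /* float data lands here with BUGGY_MASK */
            int32_t l, r, m;
            memcpy(&l, p + 8 * i, 4);
            memcpy(&r, p + 8 * i + 4, 4);
            m = (int32_t)(((int64_t)l + r) / 2);
            memcpy(p + 4 * i, &m, 4);
            break;
        }
        case FMT_F32: {                           /* unreachable with BUGGY_MASK */
            float l, r, m;
            memcpy(&l, p + 8 * i, 4);
            memcpy(&r, p + 8 * i + 4, 4);
            m = (l + r) * 0.5f;
            memcpy(p + 4 * i, &m, 4);
            break;
        }
        default: return -1;
        }
    }
    return frames * 4;
}

/* Downmix one constructed float frame {+1.0, -1.0}; the correct mono sample is 0.0. */
static float demo(unsigned mask)
{
    float frame[2] = { 1.0f, -1.0f };
    to_mono(FMT_F32, mask, frame, (int)sizeof frame);
    return frame[0];
}

int main(void)
{
    printf("buggy: %f  fixed: %f\n", demo(BUGGY_MASK), demo(FIXED_MASK));
}
```

With the buggy mask, the integer average of the bit patterns 0x3F800000 and 0xBF800000 is 0xFF800000, which reads back as negative infinity instead of silence.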