From 96c8fcafa7325cd0e8a23a743a55f0ad0aa9f79b Mon Sep 17 00:00:00 2001 From: Gerd Hoffmann Date: Thu, 18 Mar 2021 09:13:42 -0400 Subject: [PATCH 5/5] audio: audio_generic_get_buffer_in should honor *size MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit RH-Author: Gerd Hoffmann Message-id: <20210318091342.3232471-2-kraxel@redhat.com> Patchwork-id: 101352 O-Subject: [RHEL-8.4.0 qemu-kvm PATCH 1/1] audio: audio_generic_get_buffer_in should honor *size Bugzilla: 1932823 RH-Acked-by: Stefan Hajnoczi RH-Acked-by: Danilo de Paula RH-Acked-by: Philippe Mathieu-Daudé From: Volker Rümelin The function generic_get_buffer_in currently ignores the *size parameter and may return a buffer larger than *size. As a result the variable samples in function audio_pcm_hw_run_in may underflow. The while loop then most likely will never terminate. Buglink: http://bugs.debian.org/948658 Signed-off-by: Volker Rümelin Message-Id: <20200123074943.6699-9-vr_qemu@t-online.de> Signed-off-by: Gerd Hoffmann (cherry picked from commit 599eac4e5a41e828645594097daee39373acc3c0) Signed-off-by: Danilo C. L. de Paula --- audio/audio.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/audio/audio.c b/audio/audio.c index 56fae55047..39a62fc62a 100644 --- a/audio/audio.c +++ b/audio/audio.c @@ -1402,7 +1402,8 @@ void *audio_generic_get_buffer_in(HWVoiceIn *hw, size_t *size) } assert(start >= 0 && start < hw->size_emul); - *size = MIN(hw->pending_emul, hw->size_emul - start); + *size = MIN(*size, hw->pending_emul); + *size = MIN(*size, hw->size_emul - start); return hw->buf_emul + start; } -- 2.27.0
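Review bot: The in/out contract for *size in audio_generic_get_buffer_in is undocumented: with the two new MIN lines the function reads *size before writing it, whereas the removed line only wrote it. Please add a comment above the function stating that on entry *size is the maximum number of bytes the caller will accept and on return it is the number of bytes actually available at the returned pointer, and confirm that every caller initialises *size before the call, since an uninitialised value now feeds directly into the clamp. It is also worth noting in that comment that the result can be 0 (when the caller passes 0 or hw->pending_emul is 0), so callers that loop on the returned size need an explicit exit for that case. The assert on start already guarantees that hw->size_emul - start is positive, so the second MIN cannot wrap.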