[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PATCH v2 1/4] audio: fix invalid malloc size in audio_crea
|
From: |
Kővágó, Zoltán |
|
Subject: |
[Qemu-devel] [PATCH v2 1/4] audio: fix invalid malloc size in audio_create_pdos |
|
Date: |
Mon, 26 Aug 2019 21:59:01 +0200 |
The code used sizeof(AudiodevAlsaPerDirectionOptions) instead of the
appropriate per direction options for the audio backend. If the size of
the actual audiodev's per direction options are larger than alsa's, it
could cause a buffer overflow.
However, alsa has three fields in per direction options: a string, an
uint32 and a bool. Oss has the same fields, coreaudio has a single
uint32, paaudio has a string and an uint32, all other backends only use
the common options, so currently no per direction options struct should
be larger than alsa's.
Signed-off-by: Kővágó, Zoltán <address@hidden>
---
audio/audio.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/audio/audio.c b/audio/audio.c
index 7d715332c9..ae335dbebb 100644
--- a/audio/audio.c
+++ b/audio/audio.c
@@ -1685,7 +1685,7 @@ void audio_create_pdos(Audiodev *dev)
} \
if (!dev->u.driver.has_out) { \
dev->u.driver.out = g_malloc0( \
- sizeof(AudiodevAlsaPerDirectionOptions)); \
+ sizeof(Audiodev##pdo_name##PerDirectionOptions)); \
dev->u.driver.has_out = true; \
} \
break
--
2.22.0
- [Qemu-devel] [PATCH v2 0/4] Audio: misc fixes for "Audio 20190821 patches", Kővágó, Zoltán, 2019/08/26
- [Qemu-devel] [PATCH v2 1/4] audio: fix invalid malloc size in audio_create_pdos,
Kővágó, Zoltán <=
- [Qemu-devel] [PATCH v2 3/4] audio: paaudio: fix client name, Kővágó, Zoltán, 2019/08/26
- [Qemu-devel] [PATCH v2 2/4] audio: omitting audiodev= parameter is only deprecated, Kővágó, Zoltán, 2019/08/26
- [Qemu-devel] [PATCH v2 4/4] audio: paaudio: ability to specify stream name, Kővágó, Zoltán, 2019/08/26