pcm: ioplug: Limit transfer size to buffer boundary
Commit 1714332 introduced 2nd transfer()
call to transfer all remaining available frames.
If the prior calculated avail value exceeds the buffer size, a too large size value
is passed to the underlying plugin and results in memory corruption if not blocked by plugin internally.
Avail values > buffer size can happen if e.g. xrun detection is disabled,
as avail is calculated by pure difference between hw and app position.
This patch limits 2nd transfer call to remaining rest of a buffer size.

Signed-off-by: Andreas Pape <apape@de.adit-jv.com>
aditpape committed Dec 3, 2020
1 parent e5c350d commit fb911b4
Showing 1 changed file with 7 additions and 2 deletions.
9 changes: 7 additions & 2 deletions src/pcm/pcm_ioplug.c
Expand Up @@ -727,7 +727,12 @@ static snd_pcm_sframes_t snd_pcm_ioplug_avail_update(snd_pcm_t *pcm)
const snd_pcm_channel_area_t *areas;
snd_pcm_uframes_t offset, size = UINT_MAX;
snd_pcm_sframes_t result;
/* avail may be > buffer_size and thus must be manually limited if used for 2nd transfer() call
w/o another mmap_commit() plus mmap_begin() issued after 1st transfer() */
snd_pcm_uframes_t avail_part = avail % pcm->buffer_size;

if (avail && !avail_part) /*avail = (n*buffer_size) results in buffer_size */
avail_part = pcm->buffer_size;
__snd_pcm_mmap_begin(pcm, &areas, &offset, &size);
result = io->data->callback->transfer(io->data, areas, offset, size);
if (result < 0)
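Review bot: `avail_part = avail % pcm->buffer_size` wraps rather than clamps, so the limit is discontinuous: an avail of exactly n*buffer_size becomes buffer_size through the special case, while n*buffer_size + 1 becomes a single frame. If the goal is only to keep the 2nd transfer() inside the buffer, clamping avail to `pcm->buffer_size` would state that directly; if the wrap is deliberate, the comment should explain why the remainder is the right amount to transfer. The modulo also assumes `pcm->buffer_size` is non-zero at this point, which nothing in the hunk checks.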
Expand All @@ -737,9 +742,9 @@ static snd_pcm_sframes_t snd_pcm_ioplug_avail_update(snd_pcm_t *pcm)
contiguous area at the end of the mmap we
must transfer the remaining data to the
beginning of the mmap. */
if (size < avail) {
if (size < avail_part) {
result = io->data->callback->transfer(io->data, areas,
0, avail - size);
0, avail_part - size);
if (result < 0)
return result;
}
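Review bot: In the 2nd transfer() call, `avail_part - size` stays inside the buffer only while `size` is the contiguous run from `offset` to the end of the mmap, as the comment above the `if` implies; only then is `avail_part - size <= offset`, so the wrapped region cannot reach past the frames the first call started at. That dependency is not written down, and a one-line comment next to `if (size < avail_part)` would make it reviewable. Separately, the visible code checks only `result < 0` after each call, so a short positive count from the plugin is not distinguished from a complete transfer; it is worth stating whether transfer() is required to handle the full request.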