Fix memory corruption in S_TransferPaintBuffer
When using a non-default sound configuration (such as 6 channels), after
a long time (about 4.5 hours for 6 channels at 22050 Hz) an overflow will
occur in `S_TransferPaintBuffer`, causing an out of bounds write into
the dma buffer.

The problematic line is:
```
out_idx = (s_paintedtime * dma.channels) % dma.samples;
```

With `s_paintedtime` large enough, the result of the multiplication will
overflow to a negative number (since `s_paintedtime` is signed), and the
index into the output buffer will be negative.
mickael9 authored and timangus committed Dec 8, 2021
1 parent 9543cf2 commit 84daa28
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion code/client/snd_mix.c
Expand Up @@ -175,7 +175,7 @@ void S_TransferPaintBuffer(int endtime)
{ // general case
p = (int *) paintbuffer;
count = (endtime - s_paintedtime) * dma.channels;
out_idx = (s_paintedtime * dma.channels) % dma.samples;
out_idx = ((unsigned int)s_paintedtime * dma.channels) % dma.samples;
step = 3 - MIN(dma.channels, 2);

if ((dma.isfloat) && (dma.samplebits == 32))
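
Review bot: The cast on the changed `out_idx` line keeps the product non-negative, but `(unsigned int)s_paintedtime * dma.channels` still wraps modulo 2^32 (assuming a 32-bit `unsigned int`), so unless `dma.samples` divides 2^32 the write position jumps at the wrap instead of advancing continuously. The result of the `%` stays below `dma.samples`, so the out-of-bounds write is addressed. If continuity across the wrap matters, consider doing the multiplication in a 64-bit type before the `%`. A short comment on this line explaining why the cast is needed would also keep it from being removed later as redundant.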