Skip to content
This repository has been archived by the owner. It is now read-only.
Permalink
Browse files

Fixed bug 1091 - Hardcoded size in SDL_audiocvt.c may lead to heap/st…

…ack corruption

Markovtsev Vadim 2011-01-18 22:00:16 PST

SDL_audiocvt.c:

static void SDLCALL
SDL_ConvertStereo(SDL_AudioCVT * cvt, SDL_AudioFormat format):

#define dup_chans_1_to_2(type) \
    { \
        const type *src = (const type *) (cvt->buf + cvt->len_cvt); \
        type *dst = (type *) (cvt->buf + cvt->len_cvt * 2); \
        for (i = cvt->len_cvt / 2; i; --i, --src) { \
            const type val = *src; \
            dst -= 2; \
            dst[0] = dst[1] = val; \
        } \
    }

Pay attention to cvt->len_cvt / 2. 2 is the sizeof(Uint16), hovewer, below we
see that the conversion function supports Uint8 and Uint32:

switch (SDL_AUDIO_BITSIZE(format)) {
    case 8:
        dup_chans_1_to_2(Uint8);
        break;
    case 16:
        dup_chans_1_to_2(Uint16);
        break;
    case 32:
        dup_chans_1_to_2(Uint32);
        break;
    }

If type is Uint32, src will be decreased twice as it should be, memory being
written before the cvt->buf. If type is Uint8, the conversion will not be
complete. I suggest to change that define to

#define dup_chans_1_to_2(type) \
    { \
        const type *src = (const type *) (cvt->buf + cvt->len_cvt); \
        type *dst = (type *) (cvt->buf + cvt->len_cvt * 2); \
        for (i = cvt->len_cvt / sizeof(type); i; --i, --src) { \
            const type val = *src; \
            dst -= 2; \
            dst[0] = dst[1] = val; \
        } \
    }

I tested that and now it's working fine. I did not consider the similar defines
in functions nearby.
  • Loading branch information
slouken committed Jan 8, 2012
1 parent 9c0bcc8 commit 0927f88df36a28b75da3af72bb29f42b60343cf6
Showing with 1 addition and 1 deletion.
  1. +1 −1 src/audio/SDL_audiocvt.c
@@ -295,7 +295,7 @@ SDL_ConvertStereo(SDL_AudioCVT * cvt, SDL_AudioFormat format)
{ \
const type *src = (const type *) (cvt->buf + cvt->len_cvt); \
type *dst = (type *) (cvt->buf + cvt->len_cvt * 2); \
for (i = cvt->len_cvt / 2; i; --i, --src) { \
for (i = cvt->len_cvt / sizeof(type); i; --i, --src) { \
const type val = *src; \
dst -= 2; \
dst[0] = dst[1] = val; \

0 comments on commit 0927f88

Please sign in to comment.