From b98698567bb342a6926a75620d0695cad09f7bb8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Anthony=20L=C3=A9onard?=
 <anthony.leonard@savoirfairelinux.com>
Date: Wed, 31 May 2017 11:20:36 -0400
Subject: [PATCH] coreaudio: fix buffer overflow on silence writing

The count argument passed to std::fill_n was given in bytes instead of
as an element count (the elements are of Float32 type), so zeroes were
written past the end of the audio buffer.

This was causing crashes not on this instruction but anywhere in the
application when a malloc call was checking for memory sanity (which
isn't done on every allocation).

Change-Id: Iec6fa9d3b00b828c6bf798c77419b8bad970d6e1
Reviewed-by: Guillaume Roguez <guillaume.roguez@savoirfairelinux.com>
---
 src/media/audio/coreaudio/corelayer.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/media/audio/coreaudio/corelayer.cpp b/src/media/audio/coreaudio/corelayer.cpp
index e3f8f52338..8571a5b418 100644
--- a/src/media/audio/coreaudio/corelayer.cpp
+++ b/src/media/audio/coreaudio/corelayer.cpp
@@ -312,7 +312,7 @@ CoreLayer::write(AudioUnitRenderActionFlags* ioActionFlags,
     if (toPlay.frames() == 0) {
         for (int i = 0; i < audioFormat_.nb_channels; ++i)
             std::fill_n(reinterpret_cast<Float32*>(ioData->mBuffers[i].mData),
-                        ioData->mBuffers[i].mDataByteSize, 0);
+                        ioData->mBuffers[i].mDataByteSize/sizeof(Float32), 0);
     } else {
         for (int i = 0; i < audioFormat_.nb_channels; ++i)
             toPlay.channelToFloat(reinterpret_cast<Float32*>(ioData->mBuffers[i].mData), i);
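Review bot: Both loops index `ioData->mBuffers[i]` up to `audioFormat_.nb_channels` without comparing against `ioData->mNumberBuffers`, so a buffer list with fewer entries than configured channels would still be read and written past its end. Bounding the loops would close that, e.g. `for (int i = 0; i < audioFormat_.nb_channels && i < static_cast<int>(ioData->mNumberBuffers); ++i)`. The else branch may also have the same class of overflow this commit fixes: `channelToFloat` is not visible here, but it presumably writes `toPlay.frames()` samples into `mData`, and nothing in the hunk checks that count against `mBuffers[i].mDataByteSize / sizeof(Float32)`. That should be confirmed or clamped. `CoreLayer::write` starts and ends outside the hunk, so an earlier guard may already cover either case.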
-- 
GitLab