From b98698567bb342a6926a75620d0695cad09f7bb8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Anthony=20L=C3=A9onard?= <anthony.leonard@savoirfairelinux.com>
Date: Wed, 31 May 2017 11:20:36 -0400
Subject: [PATCH] coreaudio: fix buffer overflow on silence writing

The count argument passed to std::fill_n was in bytes instead of element's count (which are of Float32 type) so zeroes were written outside the scope of the audio buffer. This was causing crashes not on this instruction but anywhere in the application when a malloc call was checking for memory sanity (which isn't done on every allocation).

Change-Id: Iec6fa9d3b00b828c6bf798c77419b8bad970d6e1
Reviewed-by: Guillaume Roguez <guillaume.roguez@savoirfairelinux.com>
---
 src/media/audio/coreaudio/corelayer.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/media/audio/coreaudio/corelayer.cpp b/src/media/audio/coreaudio/corelayer.cpp
index e3f8f52338..8571a5b418 100644
--- a/src/media/audio/coreaudio/corelayer.cpp
+++ b/src/media/audio/coreaudio/corelayer.cpp
@@ -312,7 +312,7 @@ CoreLayer::write(AudioUnitRenderActionFlags* ioActionFlags,
 if (toPlay.frames() == 0) {
 for (int i = 0; i < audioFormat_.nb_channels; ++i)
 std::fill_n(reinterpret_cast<Float32*>(ioData->mBuffers[i].mData),
- ioData->mBuffers[i].mDataByteSize, 0);
+ ioData->mBuffers[i].mDataByteSize/sizeof(Float32), 0);
 } else {
 for (int i = 0; i < audioFormat_.nb_channels; ++i)
 toPlay.channelToFloat(reinterpret_cast<Float32*>(ioData->mBuffers[i].mData), i);
-- 
GitLab
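Review bot: Both loops still index `ioData->mBuffers[i]` up to `audioFormat_.nb_channels` without comparing against `ioData->mNumberBuffers`, so if the render callback ever supplies fewer buffers than the configured channel count, the write goes past the end of the buffer list; nothing visible in this hunk guarantees the two counts match. Bounding both loops, e.g. `for (int i = 0; i < audioFormat_.nb_channels && static_cast<UInt32>(i) < ioData->mNumberBuffers; ++i)`, would close that. In the silence branch, `std::memset(ioData->mBuffers[i].mData, 0, ioData->mBuffers[i].mDataByteSize);` takes the byte size as it is and removes the bytes-to-elements conversion that caused this overflow. The `else` branch passes no length to `toPlay.channelToFloat(...)`, so it is worth confirming that `toPlay.frames()` cannot exceed `mDataByteSize/sizeof(Float32)` for each buffer. `CoreLayer::write` begins and ends outside the hunk, so such a check may already exist there.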