Details
- Bug
- Resolution: Done
- P1: Critical
- 1.1.0, 1.1.x
- None
- 07b13b6c2401b9a419353b50ed48777a44c0c928
Description
Consider the code:

    if (pa_stream_peek(m_stream, &audioBuffer, &length) < 0) {
        qWarning() << QString("pa_stream_peek() failed: %1").arg(pa_strerror(pa_context_errno(pa_stream_get_context(m_stream))));
        pa_threaded_mainloop_unlock(pulseEngine->mainloop());
        return 0;
    }
    qint64 l = 0;
    if (m_pullMode) {
        l = m_audioSource->write((const char*)audioBuffer, length);
        length = l;
    } else {
        // "length" is whatever pa_stream_peek() reported, not the size of "data"
        memcpy(data, audioBuffer, length);
    }
The "length" parameter is set by pa_stream_peek() and can be larger than the size of the caller's buffer. The subsequent memcpy() then writes past the end of that buffer, corrupting the client's data.
This can be reproduced by reading from QAudioInput in push mode in small chunks.
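As an added illustration (not the Qt code and not the fix in the linked commit), the C snippet below simulates a peek that hands back a fragment larger than the caller's buffer and shows a read path that bounds the copy to the caller's size, carrying leftover bytes over to the next call. sim_peek, input_state, safe_read and the fragment contents are constructed stand-ins, not PulseAudio or Qt APIs.

```c
#include <stddef.h>
#include <string.h>

/* Constructed 12-byte fragment standing in for what pa_stream_peek() returns:
 * the library decides the length, the caller does not. */
static const unsigned char fragment[12] = {1,2,3,4,5,6,7,8,9,10,11,12};

/* Simulated peek: always reports the full fragment, whatever the caller wanted. */
static const unsigned char *sim_peek(size_t *length) {
    *length = sizeof fragment;
    return fragment;
}

typedef struct {
    unsigned char pending[64]; /* buffered fragment bytes not yet handed out */
    size_t pending_len;
    size_t pending_off;
} input_state;

/* Returns 1 when copying 'length' bytes into a 'capacity'-byte buffer would
 * overflow, i.e. the condition the report describes. */
int would_overflow(size_t length, size_t capacity) { return length > capacity; }

/* Hardened read: copies at most maxlen bytes into data and keeps the rest of
 * the fragment for the next call. Returns the number of bytes copied. */
size_t safe_read(input_state *st, unsigned char *data, size_t maxlen) {
    if (st->pending_off == st->pending_len) {
        size_t length;
        const unsigned char *buf = sim_peek(&length);
        if (length > sizeof st->pending) length = sizeof st->pending; /* assumed cap */
        memcpy(st->pending, buf, length);
        st->pending_len = length;
        st->pending_off = 0;
        /* a real implementation would release the fragment (pa_stream_drop) here */
    }
    size_t avail = st->pending_len - st->pending_off;
    size_t n = avail < maxlen ? avail : maxlen; /* the bound missing in the report's code */
    memcpy(data, st->pending + st->pending_off, n);
    st->pending_off += n;
    return n;
}

/* Drives safe_read() with a 4-byte caller buffer against the 12-byte fragment.
 * Returns 1 when three reads yield the fragment in order, 4 bytes at a time. */
int demo_chunked_read(void) {
    input_state st = {{0}, 0, 0};
    unsigned char out[4];
    unsigned char expect = 1;
    for (int i = 0; i < 3; i++) {
        if (safe_read(&st, out, sizeof out) != sizeof out) return 0;
        for (size_t j = 0; j < sizeof out; j++)
            if (out[j] != expect++) return 0;
    }
    return 1;
}
```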