Qt Mobility
QTMOBILITY-1293

buffer overflow in QPulseAudioInput::read()


    • Bug
    • Resolution: Done
    • P1: Critical
    • 1.1.2
    • 1.1.0, 1.1.x
    • Multimedia
    • None
    • 07b13b6c2401b9a419353b50ed48777a44c0c928

      Consider the code:

      http://scm.dev.nokia.troll.no/projects/qtmobility/repos/qtm-maemo-pkg/blobs/harmattan-releases-1.2.0-staging/plugins/multimedia/pulseaudio/qaudioinput_pulse.cpp#line376

              if (pa_stream_peek(m_stream, &audioBuffer, &length) < 0) {
                  qWarning() << QString("pa_stream_peek() failed: %1").arg(pa_strerror(pa_context_errno(pa_stream_get_context(m_stream))));
                  pa_threaded_mainloop_unlock(pulseEngine->mainloop());
                  return 0;
              }
      
              qint64 l = 0;
              if (m_pullMode) {
                  l = m_audioSource->write((const char*)audioBuffer, length);
                  length = l;
              } else {
                  memcpy(data, audioBuffer, length);
              }
      

      The "length" parameter is set by pa_stream_peek() and can be larger than the length of the caller's buffer. The later memcpy() then writes past the end of "data", corrupting the client's memory.

      This can be reproduced by reading from QAudioInput in push mode in small pieces.
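      As an added example (not the project's code and not the fix in the referenced commit), here is a bounded version of the push-mode copy in plain C++: PeekedFragment and BoundedPulseReader are hypothetical stand-ins for the buffer pa_stream_peek() exposes and for the copy logic in QPulseAudioInput::read(), with the PulseAudio stream replaced by an in-memory fragment. It copies at most the caller's maxlen and keeps the remainder for the next call, which is what a read() must do once pa_stream_drop() has released the whole fragment.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>
// Stand-in for the fragment pa_stream_peek() exposes; the stream picks its size.
struct PeekedFragment {
    const uint8_t* data;
    size_t length;
};
// Hypothetical reader: copies at most maxlen bytes into dst and keeps the rest of
// the fragment for later calls, since pa_stream_drop() releases it all at once.
class BoundedPulseReader {
public:
    size_t read(char* dst, size_t maxlen, const PeekedFragment* peeked) {
        if (dst == nullptr || maxlen == 0) return 0;
        if (!m_pending.empty()) {                     // serve leftover bytes first
            size_t n = std::min(maxlen, m_pending.size());
            std::memcpy(dst, m_pending.data(), n);
            m_pending.erase(m_pending.begin(), m_pending.begin() + n);
            return n;
        }
        if (peeked == nullptr || peeked->data == nullptr || peeked->length == 0) return 0;
        size_t n = std::min(maxlen, peeked->length);  // the bound the report finds missing
        std::memcpy(dst, peeked->data, n);
        if (n < peeked->length)                       // stash what did not fit
            m_pending.assign(peeked->data + n, peeked->data + peeked->length);
        return n;
    }
    size_t pendingBytes() const { return m_pending.size(); }
private:
    std::vector<uint8_t> m_pending;
};
// Shape of the report's reproduction: a 10-byte fragment read in 4-byte pieces into
// a buffer whose bytes 4..7 are guards. Returns total delivered, or 0 on overflow.
size_t readInSmallPieces() {
    const uint8_t fragment[10] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10};   // constructed
    PeekedFragment peeked = {fragment, sizeof(fragment)};
    uint8_t buf[8];
    std::memset(buf, 0xAA, sizeof(buf));
    BoundedPulseReader reader;
    size_t total = 0, n;
    while ((n = reader.read(reinterpret_cast<char*>(buf), 4, &peeked)) > 0) {
        total += n;
        for (size_t i = 4; i < sizeof(buf); ++i)
            if (buf[i] != 0xAA) return 0;             // overflow into the guard
        peeked.length = 0;                            // fragment dropped after first peek
    }
    return total;
}
```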


            jorabbe Jonas Rabbe (closed Nokia identity) (Inactive)
            mkirillov Maksim Kirillov

