buffer overflow in QPulseAudioInput::read()

Details

    • Bug
    • Resolution: Done
    • P1: Critical
    • 1.1.2
    • 1.1.0, 1.1.x
    • Multimedia
    • None
    • 07b13b6c2401b9a419353b50ed48777a44c0c928

    Description

      Consider the code:

      http://scm.dev.nokia.troll.no/projects/qtmobility/repos/qtm-maemo-pkg/blobs/harmattan-releases-1.2.0-staging/plugins/multimedia/pulseaudio/qaudioinput_pulse.cpp#line376

              // "length" is an output parameter: pa_stream_peek() sets it to the
              // size of the fragment it exposes, not to the size of the caller's buffer.
              if (pa_stream_peek(m_stream, &audioBuffer, &length) < 0) {
                  qWarning() << QString("pa_stream_peek() failed: %1").arg(pa_strerror(pa_context_errno(pa_stream_get_context(m_stream))));
                  pa_threaded_mainloop_unlock(pulseEngine->mainloop());
                  return 0;
              }

              qint64 l = 0;
              if (m_pullMode) {
                  l = m_audioSource->write((const char*)audioBuffer, length);
                  length = l;
              } else {
                  // push mode: "length" bytes are copied into "data" without
                  // being compared to the size the caller asked for
                  memcpy(data, audioBuffer, length);
              }

      The "length" parameter is set by pa_stream_peek() and can be larger than the length of the caller's buffer. The memcpy() then writes past the end of that buffer, corrupting the client's data.

      This can be reproduced by reading from QAudioInput in push mode in small pieces.
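      The bounded read that the report calls for, as an added example that is not Qt Mobility's code and not the fix in the referenced commit: a constructed stand-in stream (FakeStream) that, like pa_stream_peek(), reports the whole fragment's size through its out-parameter and discards the whole fragment on drop(), and a read() (SafeInput) that copies at most the caller's requested length and carries the unconsumed remainder of a fragment over to the next call. The names FakeStream, SafeInput and readInPieces, the 16-byte fragment size and the 100-byte capture are the example's own assumptions.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <utility>
#include <vector>

// Constructed stand-in for a PulseAudio capture stream (not libpulse).
// peek() reports the whole fragment's size, whatever the caller has room
// for, and drop() always discards the entire fragment.
struct FakeStream {
    std::vector<uint8_t> source;   // constructed capture data
    size_t pos = 0;                // start of the fragment exposed by peek()
    size_t fragment;               // fragment size reported by peek()

    FakeStream(std::vector<uint8_t> s, size_t f) : source(std::move(s)), fragment(f) {}

    int peek(const void **buf, size_t *length) {
        if (pos >= source.size()) { *buf = nullptr; *length = 0; return 0; } // nothing captured
        *buf = source.data() + pos;
        *length = std::min(fragment, source.size() - pos);
        return 0;
    }
    void drop() { pos += std::min(fragment, source.size() - pos); }
};

// Hardened read(): the reported code copies `length` bytes from peek()
// into `data` without comparing it to the caller's `len`. Here the copy is
// bounded by `len`, and bytes the caller could not take are kept, because
// drop() would otherwise lose them.
class SafeInput {
public:
    explicit SafeInput(FakeStream &s) : m_stream(s) {}

    size_t read(char *data, size_t len) {
        size_t copied = 0;

        // 1. Serve what is left of a previously peeked fragment.
        size_t fromCarry = std::min(len, m_carry.size() - m_carryPos);
        if (fromCarry > 0) memcpy(data, m_carry.data() + m_carryPos, fromCarry);
        copied += fromCarry;
        m_carryPos += fromCarry;
        if (m_carryPos == m_carry.size()) { m_carry.clear(); m_carryPos = 0; }

        // 2. Pull fresh fragments, never writing more than `len` bytes in total.
        while (copied < len) {
            const void *frag = nullptr;
            size_t fragLen = 0;
            if (m_stream.peek(&frag, &fragLen) < 0 || fragLen == 0) break;

            size_t n = std::min(len - copied, fragLen);   // the bound the original lacks
            memcpy(data + copied, frag, n);
            copied += n;

            if (n < fragLen) {  // caller's buffer is full: keep the rest for next time
                const uint8_t *p = static_cast<const uint8_t *>(frag);
                m_carry.assign(p + n, p + fragLen);
                m_carryPos = 0;
            }
            m_stream.drop();
        }
        return copied;
    }

private:
    FakeStream &m_stream;
    std::vector<uint8_t> m_carry;
    size_t m_carryPos = 0;
};

// Reads a 100-byte constructed capture through SafeInput in requests of
// `req` bytes (the report's "small pieces" when req < 16) and checks that no
// read exceeds `req`, that the guard bytes after the caller's buffer stay
// untouched, and that every byte arrives exactly once, in order.
bool readInPieces(size_t req) {
    std::vector<uint8_t> capture(100);
    for (size_t i = 0; i < capture.size(); ++i) capture[i] = static_cast<uint8_t>(i);

    FakeStream stream(capture, 16);
    SafeInput input(stream);

    const size_t guard = 32;
    std::vector<uint8_t> buf(req + guard);
    std::vector<uint8_t> got;
    for (;;) {
        std::fill(buf.begin(), buf.end(), 0xAA);
        size_t n = input.read(reinterpret_cast<char *>(buf.data()), req);
        if (n == 0) break;
        if (n > req) return false;
        for (size_t i = req; i < buf.size(); ++i)
            if (buf[i] != 0xAA) return false;          // write past the buffer detected
        got.insert(got.end(), buf.begin(), buf.begin() + n);
    }
    return got == capture;
}

int main() {
    bool ok = readInPieces(7);
    std::printf("bounded read in 7-byte pieces: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

      The carry buffer is what makes the bound safe to apply: once a fragment has been peeked, dropping it discards all of it, so a read that takes only part of a fragment must hold on to the remainder or audio is silently lost.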

      Attachments

        main_crash.cpp (1 kB), attached by Maksim Kirillov

      People

        jorabbe Jonas Rabbe (closed Nokia identity) (Inactive)
        mkirillov Maksim Kirillov
        Votes: 0
        Watchers: 1
