[vlc-devel] [PATCH 3/4] directsound: fix a possible data read beyond the end of a buffer
Ludovic Fauvet
etix at videolan.org
Sat Jul 20 01:50:51 CEST 2013
---
modules/audio_output/directx.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/modules/audio_output/directx.c b/modules/audio_output/directx.c
index 20fb8bb..438ff12 100644
--- a/modules/audio_output/directx.c
+++ b/modules/audio_output/directx.c
@@ -666,7 +666,7 @@ static int FillBuffer( audio_output_t *p_aout, block_t *p_buffer )
{
aout_sys_t *p_sys = p_aout->sys;
- size_t towrite = (p_buffer)?p_buffer->i_buffer:DS_BUF_SIZE;
+ size_t i_size, towrite = (p_buffer)?p_buffer->i_buffer:DS_BUF_SIZE;
void *p_write_position, *p_wrap_around;
unsigned long l_bytes1, l_bytes2;
HRESULT dsresult;
@@ -714,9 +714,13 @@ static int FillBuffer( audio_output_t *p_aout, block_t *p_buffer )
p_sys->chans_to_reorder, p_sys->chan_table,
p_sys->format );
- memcpy( p_write_position, p_buffer->p_buffer, l_bytes1 );
+ i_size = ( p_buffer->i_buffer < l_bytes1 ) ? p_buffer->i_buffer : l_bytes1;
+ memcpy( p_write_position, p_buffer->p_buffer, i_size );
if( l_bytes1 < p_buffer->i_buffer)
- memcpy(p_wrap_around, p_buffer->p_buffer + l_bytes1, l_bytes2);
+ {
+ i_size = ( p_buffer->i_buffer - l_bytes1 < l_bytes2 ) ? p_buffer->i_buffer - l_bytes1 : l_bytes2;
+ memcpy( p_wrap_around, p_buffer->p_buffer + l_bytes1, i_size );
+ }
block_Release( p_buffer );
}
--
1.8.3.3
More information about the vlc-devel
mailing list