authorAndrew den Exter <andrew.den-exter@nokia.com>2010-11-09 06:42:10 (GMT)
committerAndrew den Exter <andrew.den-exter@nokia.com>2010-11-10 00:08:23 (GMT)
commitbfd87980bdc3d835723f429a3e4dbe2d884bca27 (patch)
treed02a89b209f4143b052672fcbdc68680c97df0e5 /src/multimedia/audio
parent75dc699c18ec8c665bb92685da38fbc2917f83e6 (diff)
Fix potential buffer overrun in QAudioInput windows implementation.
Don't write more than len bytes to the output buffer. Task-number: QTBUG-14549 QTBUG-8578 Reviewed-by: Derick Hawcroft
Diffstat (limited to 'src/multimedia/audio')
-rw-r--r--src/multimedia/audio/qaudioinput_win32_p.cpp11
1 files changed, 7 insertions, 4 deletions
diff --git a/src/multimedia/audio/qaudioinput_win32_p.cpp b/src/multimedia/audio/qaudioinput_win32_p.cpp
index 1cde159..0ec2492 100644
--- a/src/multimedia/audio/qaudioinput_win32_p.cpp
+++ b/src/multimedia/audio/qaudioinput_win32_p.cpp
@@ -400,9 +400,12 @@ qint64 QAudioInputPrivate::read(char* data, qint64 len)
resuming = false;
}
} else {
+ l = qMin<qint64>(len, waveBlocks[header].dwBytesRecorded);
// push mode
- memcpy(p,waveBlocks[header].lpData,waveBlocks[header].dwBytesRecorded);
- l = waveBlocks[header].dwBytesRecorded;
+ memcpy(p, waveBlocks[header].lpData, l);
+
+ len -= l;
+
#ifdef DEBUG_AUDIO
qDebug()<<"IN: "<<waveBlocks[header].dwBytesRecorded<<", OUT: "<<l;
#endif
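Review bot: The clamp on `l` bounds it only from above, and `l` is a signed `qint64` passed straight to `memcpy` as the length, so a negative `len` would convert to a very large copy size. Clamping at zero as well closes that path: `l = qMax<qint64>(0, qMin<qint64>(len, waveBlocks[header].dwBytesRecorded));`. Separately, when `len` is smaller than `dwBytesRecorded` only the head of the block is copied and nothing in the hunk records an offset into `lpData`, so the remaining samples appear to be dropped if the block is recycled afterwards; that code is outside the hunk and should be confirmed. If the truncation is intended, a comment saying so next to `// push mode` would help. The body of `read()` starts before and continues after this hunk.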
@@ -457,7 +460,7 @@ qint64 QAudioInputPrivate::read(char* data, qint64 len)
mutex.lock();
if(!pullMode) {
- if(l+period_size > len && waveFreeBlockCount == buffer_size/period_size)
+ if(len < period_size || waveFreeBlockCount == buffer_size/period_size)
done = true;
} else {
if(waveFreeBlockCount == buffer_size/period_size)
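Review bot: The rewritten push-mode exit test `if(len < period_size || waveFreeBlockCount == buffer_size/period_size)` has no comment, and it now depends on `len` being the space remaining (the first hunk subtracts `l` from it) rather than the size originally requested. A one-line comment above it would make that explicit, for example `// len is the space left in the caller's buffer; stop once it cannot hold a full period or no block is pending`. Reading `waveFreeBlockCount == buffer_size/period_size` as "no recorded block pending" is inferred from the names and should be confirmed before the comment is committed. The enclosing loop begins and ends outside the hunk.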
@@ -568,7 +571,7 @@ bool QAudioInputPrivate::deviceReady()
if(pullMode) {
// reads some audio data and writes it to QIODevice
- read(0,0);
+ read(0, buffer_size);
} else {
// emits readyRead() so user will call read() on QIODevice to get some audio data
InputPrivate* a = qobject_cast<InputPrivate*>(audioSource);