Fix potential buffer overrun in QAudioInput windows implementation.

Don't write more than len bytes to the output buffer.

Task-number: QTBUG-14549 QTBUG-8578
Reviewed-by: Derick Hawcroft

1 files changed, 7 insertions, 4 deletions

diff --git a/src/multimedia/audio/qaudioinput_win32_p.cpp b/src/multimedia/audio/qaudioinput_win32_p.cpp
index 1cde159..0ec2492 100644
--- a/src/multimedia/audio/qaudioinput_win32_p.cpp
+++ b/src/multimedia/audio/qaudioinput_win32_p.cpp
@@ -400,9 +400,12 @@ qint64 QAudioInputPrivate::read(char* data, qint64 len)
 		    resuming = false;
                 }
             } else {
+                l = qMin<qint64>(len, waveBlocks[header].dwBytesRecorded);
                 // push mode
-                memcpy(p,waveBlocks[header].lpData,waveBlocks[header].dwBytesRecorded);
-                l = waveBlocks[header].dwBytesRecorded;
+                memcpy(p, waveBlocks[header].lpData, l);
+
+                len -= l;
+
 #ifdef DEBUG_AUDIO
                 qDebug()<<"IN: "<<waveBlocks[header].dwBytesRecorded<<", OUT: "<<l;
 #endif
@@ -457,7 +460,7 @@ qint64 QAudioInputPrivate::read(char* data, qint64 len)
 
         mutex.lock();
         if(!pullMode) {
-	    if(l+period_size > len && waveFreeBlockCount == buffer_size/period_size)
+            if(len < period_size || waveFreeBlockCount == buffer_size/period_size)
 	        done = true;
 	} else {
 	    if(waveFreeBlockCount == buffer_size/period_size)
@@ -568,7 +571,7 @@ bool QAudioInputPrivate::deviceReady()
 
     if(pullMode) {
         // reads some audio data and writes it to QIODevice
-        read(0,0);
+        read(0, buffer_size);
     } else {
         // emits readyRead() so user will call read() on QIODevice to get some audio data
 	InputPrivate* a = qobject_cast<InputPrivate*>(audioSource);