From bfd87980bdc3d835723f429a3e4dbe2d884bca27 Mon Sep 17 00:00:00 2001 From: Andrew den Exter Date: Tue, 9 Nov 2010 16:42:10 +1000 Subject: Fix potential buffer overrun in QAudioInput windows implementation. Don't write more than len bytes to the output buffer. Task-number: QTBUG-14549 QTBUG-8578 Reviewed-by: Derick Hawcroft --- src/multimedia/audio/qaudioinput_win32_p.cpp | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/src/multimedia/audio/qaudioinput_win32_p.cpp b/src/multimedia/audio/qaudioinput_win32_p.cpp index 1cde159..0ec2492 100644 --- a/src/multimedia/audio/qaudioinput_win32_p.cpp +++ b/src/multimedia/audio/qaudioinput_win32_p.cpp @@ -400,9 +400,12 @@ qint64 QAudioInputPrivate::read(char* data, qint64 len) resuming = false; } } else { + l = qMin(len, waveBlocks[header].dwBytesRecorded); // push mode - memcpy(p,waveBlocks[header].lpData,waveBlocks[header].dwBytesRecorded); - l = waveBlocks[header].dwBytesRecorded; + memcpy(p, waveBlocks[header].lpData, l); + + len -= l; + #ifdef DEBUG_AUDIO qDebug()<<"IN: "< len && waveFreeBlockCount == buffer_size/period_size) + if(len < period_size || waveFreeBlockCount == buffer_size/period_size) done = true; } else { if(waveFreeBlockCount == buffer_size/period_size) @@ -568,7 +571,7 @@ bool QAudioInputPrivate::deviceReady() if(pullMode) { // reads some audio data and writes it to QIODevice - read(0,0); + read(0, buffer_size); } else { // emits readyRead() so user will call read() on QIODevice to get some audio data InputPrivate* a = qobject_cast(audioSource); -- cgit v0.12