From bfd87980bdc3d835723f429a3e4dbe2d884bca27 Mon Sep 17 00:00:00 2001
From: Andrew den Exter <andrew.den-exter@nokia.com>
Date: Tue, 9 Nov 2010 16:42:10 +1000
Subject: Fix potential buffer overrun in QAudioInput windows implementation.

Don't write more than len bytes to the output buffer.

Task-number: QTBUG-14549 QTBUG-8578
Reviewed-by: Derick Hawcroft
---
 src/multimedia/audio/qaudioinput_win32_p.cpp | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/src/multimedia/audio/qaudioinput_win32_p.cpp b/src/multimedia/audio/qaudioinput_win32_p.cpp
index 1cde159..0ec2492 100644
--- a/src/multimedia/audio/qaudioinput_win32_p.cpp
+++ b/src/multimedia/audio/qaudioinput_win32_p.cpp
@@ -400,9 +400,12 @@ qint64 QAudioInputPrivate::read(char* data, qint64 len)
 		    resuming = false;
                 }
             } else {
+                l = qMin<qint64>(len, waveBlocks[header].dwBytesRecorded);
                 // push mode
-                memcpy(p,waveBlocks[header].lpData,waveBlocks[header].dwBytesRecorded);
-                l = waveBlocks[header].dwBytesRecorded;
+                memcpy(p, waveBlocks[header].lpData, l);
+
+                len -= l;
+
 #ifdef DEBUG_AUDIO
                 qDebug()<<"IN: "<<waveBlocks[header].dwBytesRecorded<<", OUT: "<<l;
 #endif
@@ -457,7 +460,7 @@ qint64 QAudioInputPrivate::read(char* data, qint64 len)
 
         mutex.lock();
         if(!pullMode) {
-	    if(l+period_size > len && waveFreeBlockCount == buffer_size/period_size)
+            if(len < period_size || waveFreeBlockCount == buffer_size/period_size)
 	        done = true;
 	} else {
 	    if(waveFreeBlockCount == buffer_size/period_size)
@@ -568,7 +571,7 @@ bool QAudioInputPrivate::deviceReady()
 
     if(pullMode) {
         // reads some audio data and writes it to QIODevice
-        read(0,0);
+        read(0, buffer_size);
     } else {
         // emits readyRead() so user will call read() on QIODevice to get some audio data
 	InputPrivate* a = qobject_cast<InputPrivate*>(audioSource);
-- 
cgit v0.12


From e3f1268e63064a54215051cf91d5f6b8c8bd4f0f Mon Sep 17 00:00:00 2001
From: Andrew den Exter <andrew.den-exter@nokia.com>
Date: Tue, 9 Nov 2010 16:30:32 +1000
Subject: Fix potential buffer overrun in ALSA QAudioInput implementation.

Don't write more than the supplied max buffer size to the output buffer.

Task-number: QTBUG-14549 QTBUG-8578
Reviewed-by: Derick Hawcroft
---
 src/multimedia/audio/qaudioinput_alsa_p.cpp | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

diff --git a/src/multimedia/audio/qaudioinput_alsa_p.cpp b/src/multimedia/audio/qaudioinput_alsa_p.cpp
index ddafa3d..5265915 100644
--- a/src/multimedia/audio/qaudioinput_alsa_p.cpp
+++ b/src/multimedia/audio/qaudioinput_alsa_p.cpp
@@ -482,19 +482,18 @@ int QAudioInputPrivate::bytesReady() const
 
 qint64 QAudioInputPrivate::read(char* data, qint64 len)
 {
-    Q_UNUSED(len)
-
     // Read in some audio data and write it to QIODevice, pull mode
     if ( !handle )
         return 0;
 
-    bytesAvailable = checkBytesReady();
+    // bytesAvaiable is saved as a side effect of checkBytesReady().
+    int bytesToRead = checkBytesReady();
 
-    if (bytesAvailable < 0) {
+    if (bytesToRead < 0) {
         // bytesAvailable as negative is error code, try to recover from it.
-        xrun_recovery(bytesAvailable);
-        bytesAvailable = checkBytesReady();
-        if (bytesAvailable < 0) {
+        xrun_recovery(bytesToRead);
+        bytesToRead = checkBytesReady();
+        if (bytesToRead < 0) {
             // recovery failed must stop and set error.
             close();
             errorState = QAudio::IOError;
@@ -504,9 +503,11 @@ qint64 QAudioInputPrivate::read(char* data, qint64 len)
         }
     }
 
+    bytesToRead = qMin<qint64>(len, bytesToRead);
+    bytesToRead -= bytesToRead % period_size;
     int count=0, err = 0;
     while(count < 5) {
-        int chunks = bytesAvailable/period_size;
+        int chunks = bytesToRead/period_size;
         int frames = chunks*period_frames;
         if(frames > (int)buffer_frames)
             frames = buffer_frames;
@@ -554,6 +555,7 @@ qint64 QAudioInputPrivate::read(char* data, qint64 len)
                     emit stateChanged(deviceState);
                 }
             } else {
+                bytesAvailable -= err;
                 totalTimeValue += err;
                 resuming = false;
                 if (deviceState != QAudio::ActiveState) {
@@ -566,6 +568,7 @@ qint64 QAudioInputPrivate::read(char* data, qint64 len)
 
         } else {
             memcpy(data,audioBuffer,err);
+            bytesAvailable -= err;
             totalTimeValue += err;
             resuming = false;
             if (deviceState != QAudio::ActiveState) {
@@ -661,7 +664,7 @@ bool QAudioInputPrivate::deviceReady()
 {
     if(pullMode) {
         // reads some audio data and writes it to QIODevice
-        read(0,0);
+        read(0, buffer_size);
     } else {
         // emits readyRead() so user will call read() on QIODevice to get some audio data
         InputPrivate* a = qobject_cast<InputPrivate*>(audioSource);
-- 
cgit v0.12