okseby/Quake-III-Arena
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Fix memory corruption in S_TransferPaintBuffer

Browse source 
When using a non-default sound configuration (such as 6 channels), after
a long time (about 4.5hours for 6 channels at 22050 Hz) an overflow will
occur in `S_TransferPaintBuffer`, causing an out of bounds write into
the dma buffer.

The problematic line is:
```
out_idx = (s_paintedtime * dma.channels) % dma.samples;
```

With `s_paintedtime` large enough, the result of the multiplication will
overflow to a negative number (since `s_paintedtime` is signed), and the
index into the output buffer will be negative.
This commit is contained in:
Mickaël Thomas 2021-12-08 19:11:30 +01:00 committed by Tim Angus
parent 9543cf24df
commit 84daa28267
1 changed files with 1 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

2
code/client/snd_mix.c
View file

@ -175,7 +175,7 @@ void S_TransferPaintBuffer(int endtime)
{ // general case { // general case
p = (int *) paintbuffer; p = (int *) paintbuffer;
count = (endtime - s_paintedtime) * dma.channels; count = (endtime - s_paintedtime) * dma.channels;
out_idx = (s_paintedtime * dma.channels) % dma.samples; out_idx = ((unsigned int)s_paintedtime * dma.channels) % dma.samples;
step = 3 - MIN(dma.channels, 2); step = 3 - MIN(dma.channels, 2);
if ((dma.isfloat) && (dma.samplebits == 32)) if ((dma.isfloat) && (dma.samplebits == 32))