ioquake/ioq3
0
0
Fork 0
mirror of https://github.com/ioquake/ioq3.git synced 2025-04-20 15:30:48 +00:00
Code Issues Projects Releases Packages Wiki Activity

Fix memory corruption in S_TransferPaintBuffer

Browse source 
When using a non-default sound configuration (such as 6 channels), after
a long time (about 4.5hours for 6 channels at 22050 Hz) an overflow will
occur in `S_TransferPaintBuffer`, causing an out of bounds write into
the dma buffer.

The problematic line is:
```
out_idx = (s_paintedtime * dma.channels) % dma.samples;
```

With `s_paintedtime` large enough, the result of the multiplication will
overflow to a negative number (since `s_paintedtime` is signed), and the
index into the output buffer will be negative.
This commit is contained in:
Mickaël Thomas 2021-12-08 19:11:30 +01:00 committed by Tim Angus
parent 9543cf24df
commit 84daa28267
1 changed files with 1 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
code/client/snd_mix.c
View file

@ -175,7 +175,7 @@ void S_TransferPaintBuffer(int endtime)
{ // general case
p = (int *) paintbuffer;
count = (endtime - s_paintedtime) * dma.channels;
out_idx = (s_paintedtime * dma.channels) % dma.samples;
out_idx = ((unsigned int)s_paintedtime * dma.channels) % dma.samples;
step = 3 - MIN(dma.channels, 2);
if ((dma.isfloat) && (dma.samplebits == 32))