From c2f4683bf57f61451d14d219fdb25cf9f29cb7fe Mon Sep 17 00:00:00 2001
From: Foster McLane
Date: Wed, 13 Nov 2019 15:13:54 -0500
Subject: [PATCH] Fix undefined behaviour in get_num_outputs in CoreAudio driver (#594)

See discussion in #591 for details. Basically an incorrect size was being allocated for the CoreAudio buffer list for a device. It was being allocated by a VLA (which already did not quite fit the semantics of the list) and the length calculated could be 0 (instead of the size of the struct with no buffers elements) causing undefined behaviour. This corrects it to allocate the amount of memory required by the CoreAudio framework function and adds a check for the size retrieval and for the dynamic allocation. This change passed UBSan in my test where before the change it did not.

Fixes #591
---
 src/drivers/fluid_coreaudio.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/src/drivers/fluid_coreaudio.c b/src/drivers/fluid_coreaudio.c
index baeada53..6812c5bb 100644
--- a/src/drivers/fluid_coreaudio.c
+++ b/src/drivers/fluid_coreaudio.c
@@ -83,10 +83,15 @@ get_num_outputs(AudioDeviceID deviceID)
 pa.mScope = kAudioDevicePropertyScopeOutput;
 pa.mElement = kAudioObjectPropertyElementMaster;
 
- if(OK(AudioObjectGetPropertyDataSize(deviceID, &pa, 0, 0, &size)))
+ if(OK(AudioObjectGetPropertyDataSize(deviceID, &pa, 0, 0, &size)) && size > 0)
 {
- int num = size / (int) sizeof(AudioBufferList);
- AudioBufferList bufList[num];
+ AudioBufferList *bufList = FLUID_MALLOC(size);
+
+ if(bufList == NULL)
+ {
+ FLUID_LOG(FLUID_ERR, "Out of memory");
+ return 0;
+ }
 
 if(OK(AudioObjectGetPropertyData(deviceID, &pa, 0, 0, &size, bufList)))
 {
@@ -98,6 +103,8 @@ get_num_outputs(AudioDeviceID deviceID)
 total += b.mNumberChannels;
 }
 }
+
+ FLUID_FREE(bufList);
 }
 
 return total;
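Review bot: The `size > 0` guard added to the `if` and the `FLUID_MALLOC(size)` line carry none of the reasoning in the commit message, so the next reader will be tempted to "fix" it back to a `sizeof(AudioBufferList)` multiple; a comment on the allocation would pin it down, e.g. `/* AudioBufferList is a variable-length struct: size is the byte count CoreAudio reports for this device, not a multiple of sizeof(AudioBufferList), and 0 means no output streams. */`. The `size > 0` check only rules out the empty answer; it does not guarantee the allocation is large enough for the `mNumberBuffers` header that the loop presumably reads after this hunk, so if you want a belt-and-braces bound it would be `size >= offsetof(AudioBufferList, mBuffers)` rather than `sizeof`, which includes the `mBuffers[1]` element and would reject a legitimate zero-buffer list. The early `return 0` on allocation failure is correct here because nothing has been allocated yet, and the failure path of `AudioObjectGetPropertyData` still reaches the `FLUID_FREE` in the following hunk, so I see no leak. The body of `get_num_outputs` begins before and continues past this hunk, so the declared type of `size` and the loop over `mBuffers` are not visible here.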