author | James McDonnell <jmcdonnell@blackberry.com> | 2017-02-21 15:32:08 -0500 |
---|---|---|
committer | James McDonnell <jmcdonnell@blackberry.com> | 2017-03-07 14:17:36 +0000 |
commit | a25d3a245b802f8fa2da7f381fabd887bfa985dd (patch) | |
tree | 7cbbb0adcc2bbca2da869b807d5862939f740104 | |
parent | ed8f90d0e47bd4ade7be3852627395ac66ba32ea (diff) | |
download | qtmultimedia-a25d3a245b802f8fa2da7f381fabd887bfa985dd.tar.gz |
Limit the size of the QnxAudioOutput stack buffer

QnxAudioOutput allocates a buffer on the stack based on the free value
from snd_pcm_plugin_status, but the way that QnxAudioOutput configures
the stream, how QnxAudioOutput currently pauses playback, and a bug in
io-audio combine to cause io-audio to produce very large free values
when resuming playback after a long pause. As a result, QnxAudioOutput
allocates a stack buffer that causes a stack overflow. Allocating
a buffer on the stack with a size that isn't restrained in any way
isn't a good idea. Put some constraints on the size.

Change-Id: I2b72e72504041f0caeb591912662fb9bed931b21
Reviewed-by: Dan Cape <dcape@qnx.com>
Reviewed-by: Yoann Lopes <yoann.lopes@qt.io>
-rw-r--r-- | src/plugins/qnx-audio/audio/qnxaudiooutput.cpp | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/src/plugins/qnx-audio/audio/qnxaudiooutput.cpp b/src/plugins/qnx-audio/audio/qnxaudiooutput.cpp index d5805c2bd..5cfffe990 100644 --- a/src/plugins/qnx-audio/audio/qnxaudiooutput.cpp +++ b/src/plugins/qnx-audio/audio/qnxaudiooutput.cpp @@ -223,7 +223,10 @@ void QnxAudioOutput::pullData() if (frames == 0 || bytesAvailable < periodSize()) return; - const int bytesRequested = m_format.bytesForFrames(frames); + // The buffer is placed on the stack so no more than 64K or 1 frame + // whichever is larger. + const int maxFrames = qMax(m_format.framesForBytes(64 * 1024), 1); + const int bytesRequested = m_format.bytesForFrames(qMin(frames, maxFrames)); char buffer[bytesRequested]; const int bytesRead = m_source->read(buffer, bytesRequested); |
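Review bot: the new clamp in pullData() bounds bytesRequested only from above, while `char buffer[bytesRequested]` is still a variable-length array and the only lower guard visible in the hunk is `frames == 0`. If frames is a signed value and the oversized free count described in the commit message ever arrives as a negative number, `qMin(frames, maxFrames)` passes it straight through and the array size becomes negative; testing `frames <= 0`, or returning when bytesRequested is not positive before the array is declared, would close that gap. Since the upper bound is now known, a fixed-size array or a heap buffer would also remove the dependence on the variable-length array extension. The literal `64 * 1024` would read better as a named constant, and the comment could say that the cap is in bytes and that one frame is allowed to exceed it, because "64K or 1 frame whichever is larger" leaves the unit implicit.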