> On 7/7/20 8:08 PM, Volker Rümelin wrote:
>> In function oss_read() a read error currently does not exit the
>> read loop. With no data to read the variable pos will quickly
>> underflow and a subsequent successful read overwrites memory
>> outside the buffer. This patch adds the missing break statement
>> to the error path of the function.
> Correct, but ...
>
>> To reproduce start qemu with -audiodev oss,id=audio0 and in the
>> guest start audio recording. After some time this will trigger
>> an exception.
>>
>> Fixes: 3ba4066d08 "ossaudio: port to the new audio backend api"
>>
>> Signed-off-by: Volker Rümelin <vr_q...@t-online.de>
>> ---
>> audio/ossaudio.c | 1 +
>> 1 file changed, 1 insertion(+)
>>
>> diff --git a/audio/ossaudio.c b/audio/ossaudio.c
>> index f88d076ec2..a7dcaa31ad 100644
>> --- a/audio/ossaudio.c
>> +++ b/audio/ossaudio.c
>> @@ -691,6 +691,7 @@ static size_t oss_read(HWVoiceIn *hw, void *buf, size_t
>> len)
>> len, dst);
>> break;
>> }
>> + break;
>> }
>>
>> pos += nread;
> ... now pos += -1, then the size returned misses the last byte.
>

Hi Philippe,

no, the added break breaks the while loop. The next executed instruction
after this break is the return pos statement, not pos += nread.

With best regards,
Volker
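Review bot: the new `break;` sits after the closing brace of the switch, so it leaves the `while` loop for every errno value that switch handles, not only the logged error visible in the context lines; if the switch also has retryable cases (EINTR/EAGAIN are the usual ones), those now end the read early with a short count instead of looping again, and it would be worth either saying in the commit message that this is intended or moving the `break` into the default case. The placement does answer the `pos += nread` concern in the reply: the loop is left before that line, so the returned `pos` is the count from the successful reads only. A one-line comment above the added `break;` (for instance `/* read error: leave the loop */`) would also spare the next reader from working out which construct it exits, since the switch's own `break;` is two lines above it.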
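As an added illustration that is not code from the patch or from QEMU: a self-contained C model of the read loop the thread discusses, with a scripted read() standing in for the device. The shape of the loop (the switch on errno, the `pos += nread` / `len -= nread` accounting, a `size_t pos`) is assumed from the commit message and the hunk context; `fake_dev`, `fake_read`, `read_loop` and `run_script` are names invented here, and the two read scripts are constructed inputs. Scenario A shows the unfixed loop wrapping `pos` to SIZE_MAX after a failed first read (the real out-of-bounds write is replaced by a flag so the demo stays well-defined); scenario B shows that with the patch's `break` the loop returns the bytes actually read, 4, because `pos += nread` is never reached after the failure.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed stand-in for the OSS device: read() results are scripted.
 * A negative entry means "read() failed with errno = EIO", a positive entry
 * is a byte count; once the script is exhausted every read returns 0. */
struct fake_dev {
    const ssize_t *script;
    size_t nscript;
    size_t next;
};

static ssize_t fake_read(struct fake_dev *d, void *dst, size_t len)
{
    if (d->next >= d->nscript) {
        return 0;
    }
    ssize_t r = d->script[d->next++];
    if (r < 0) {
        errno = EIO;
        return -1;
    }
    if ((size_t)r > len) {
        r = (ssize_t)len;
    }
    memset(dst, 0xAB, (size_t)r);   /* pretend these are captured samples */
    return r;
}

struct read_result {
    size_t returned;    /* what the loop reports as bytes stored in buf */
    int out_of_bounds;  /* 1 if an iteration would have written outside buf */
};

/* Simplified model of the oss_read() loop from the thread (assumed shape,
 * not QEMU's code).  fixed == 0 reproduces the bug; fixed == 1 adds the
 * patch's break after the switch, in the same place the hunk puts it. */
static struct read_result read_loop(struct fake_dev *dev, unsigned char *buf,
                                    size_t buflen, int fixed)
{
    struct read_result res = { 0, 0 };
    size_t pos = 0;
    size_t len = buflen;

    while (len) {
        /* advance(buf, pos): once pos has wrapped this points outside buf.
         * The check replaces the real out-of-bounds write with a flag. */
        if (pos > buflen || len > buflen - pos) {
            res.out_of_bounds = 1;
            break;
        }
        unsigned char *dst = buf + pos;
        ssize_t nread = fake_read(dev, dst, len);

        if (nread == -1) {
            switch (errno) {
            case EINTR:
            case EAGAIN:
                break;
            default:
                fprintf(stderr, "read failed: %s\n", strerror(errno));
                break;
            }
            if (fixed) {
                break;  /* the patch: leave the while loop, pos stays as is */
            }
        }
        if (nread == 0) {
            break;      /* demo-only: stop once the script is exhausted */
        }
        pos += (size_t)nread;   /* unfixed: (size_t)-1 wraps pos to SIZE_MAX */
        len -= (size_t)nread;   /* unfixed: len grows by one instead */
    }
    res.returned = pos;
    return res;
}

/* Run one scripted scenario against an 8-byte capture buffer. */
static struct read_result run_script(int fixed, const ssize_t *script, size_t n)
{
    unsigned char buf[8];
    struct fake_dev dev = { script, n, 0 };
    memset(buf, 0, sizeof buf);
    return read_loop(&dev, buf, sizeof buf, fixed);
}

static const ssize_t script_fail_first[] = { -1, 8 };     /* scenario A, constructed */
static const ssize_t script_fail_mid[]   = { 4, -1, 4 };  /* scenario B, constructed */

int main(void)
{
    struct read_result a = run_script(0, script_fail_first, 2);
    struct read_result b = run_script(1, script_fail_mid, 3);
    printf("unfixed, first read fails: returned=%zu out_of_bounds=%d\n",
           a.returned, a.out_of_bounds);
    printf("fixed, second read fails:  returned=%zu out_of_bounds=%d\n",
           b.returned, b.out_of_bounds);
    return 0;
}
```

Running the unfixed variant on scenario B instead reports 7 bytes: the failed read subtracts one from `pos`, so the next chunk lands one byte early and the reported count is short, which is the "misses the last byte" effect; with the patch applied the count is 4 and nothing is written past the data that was really received.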