On 7/7/20 8:08 PM, Volker Rümelin wrote:
> In function oss_read() a read error currently does not exit the
> read loop. With no data to read the variable pos will quickly
> underflow and a subsequent successful read overwrites memory
> outside the buffer. This patch adds the missing break statement
> to the error path of the function.
Correct, but ... > > To reproduce start qemu with -audiodev oss,id=audio0 and in the > guest start audio recording. After some time this will trigger > an exception. > > Fixes: 3ba4066d08 "ossaudio: port to the new audio backend api" > > Signed-off-by: Volker Rümelin <vr_q...@t-online.de> > --- > audio/ossaudio.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/audio/ossaudio.c b/audio/ossaudio.c > index f88d076ec2..a7dcaa31ad 100644 > --- a/audio/ossaudio.c > +++ b/audio/ossaudio.c > @@ -691,6 +691,7 @@ static size_t oss_read(HWVoiceIn *hw, void *buf, size_t > len) > len, dst); > break; > } > + break; > } > > pos += nread; ... now pos += -1, then the size returned misses the last byte.
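Review bot: with the added `break;` every path through the enclosing error block now leaves the loop, so the inner `break;` that follows the `len, dst);` call is redundant; a single `break;` placed after the inner `if` would make the "any read error exits the loop" intent explicit and save a reviewer from wondering why the two branches differ. The commit message should also say that the errors the inner condition filters out, which previously fell through to `pos += nread;` with a negative nread, now end the read early and return the bytes read so far, since that is a behaviour change beyond the underflow fix.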
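As an added illustration (this is not QEMU's code and not the patch author's), here is the loop shape the commit message describes, run once without and once with the added break against a constructed, bounds-checking stand-in for read(2). The errno test separating transient from hard errors, the advance() helper and the 16-byte buffer are assumptions; the hunk shows only the break statements. The "hiccup" script shows the size_t accumulation of -1 that the reply points at (12 bytes delivered, 11 reported, and byte 7 overwritten), and the "silence" script shows pos wrapping below zero so that the next successful read is aimed before the buffer, which the stand-in refuses and counts instead of performing.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Scripted stand-in for read(2) on the audio fd (constructed). Positive entries
 * are byte counts to deliver; the negative codes fail with the named errno. */
#define RD_EAGAIN (-1)   /* transient: nothing to read yet */
#define RD_EINTR  (-2)   /* transient: interrupted by a signal */
#define SCRIPT_LEN(s) (sizeof(s) / sizeof((s)[0]))

typedef struct {
    const ssize_t *script;
    size_t n, next;
    uintptr_t lo, hi;      /* [lo, hi): the only legal destination range */
    int oob_attempts;      /* reads aimed outside [lo, hi) */
    size_t bytes_written;  /* bytes actually delivered into the buffer */
} fake_dev;

static ssize_t fake_read(fake_dev *d, void *dst, size_t len)
{
    if (d->next >= d->n) { errno = EIO; return -1; }  /* script over: hard error */
    ssize_t r = d->script[d->next++];
    if (r == RD_EAGAIN) { errno = EAGAIN; return -1; }
    if (r == RD_EINTR)  { errno = EINTR;  return -1; }
    if ((size_t)r > len) r = (ssize_t)len;
    uintptr_t p = (uintptr_t)dst;
    if (p < d->lo || p + (uintptr_t)r > d->hi) {
        d->oob_attempts++;      /* a real read(2) would corrupt memory here */
        errno = EFAULT;
        return -1;
    }
    memset(dst, 0xAB, (size_t)r);
    d->bytes_written += (size_t)r;
    return r;
}

/* Assumed stand-in for QEMU's advance(), computed as an integer because
 * (char *)buf + pos is undefined pointer arithmetic once pos has wrapped. */
static void *advance(void *buf, size_t pos)
{
    return (void *)((uintptr_t)buf + pos);
}

/* Loop shape the commit message describes. With patched == 0 a transient
 * failure falls through to the accumulation; with patched == 1 the added
 * break leaves the loop. The errno test is an assumption: the hunk shows
 * only the break statements. */
static size_t oss_read_loop(fake_dev *d, void *buf, size_t len, int patched)
{
    size_t pos = 0;

    while (len) {
        void *dst = advance(buf, pos);
        ssize_t nread = fake_read(d, dst, len);

        if (nread == -1) {
            if (errno != EINTR && errno != EAGAIN) {
                break;          /* hard error: log and give up */
            }
            if (patched) {
                break;          /* the statement the patch adds */
            }
            /* before the patch: no break, execution continues below */
        }

        pos += nread;   /* nread == -1 converts to SIZE_MAX, so pos wraps */
        len -= nread;   /* and len grows by one: the next read is too long */
    }
    return pos;
}

typedef struct {
    size_t returned;       /* what the loop reported as bytes read */
    size_t bytes_written;  /* what the device actually delivered */
    int oob_attempts;      /* reads aimed outside the buffer */
} run_result;

/* Drive one script through the loop on a 16-byte buffer (assumed size). */
static run_result run_scenario(int patched, const ssize_t *script, size_t n)
{
    unsigned char buf[16];
    fake_dev d = { script, n, 0, (uintptr_t)buf, (uintptr_t)buf + sizeof buf, 0, 0 };
    run_result r;

    r.returned = oss_read_loop(&d, buf, sizeof buf, patched);
    r.bytes_written = d.bytes_written;
    r.oob_attempts = d.oob_attempts;
    return r;
}

/* Constructed device scripts. */
static const ssize_t script_hiccup[]  = { 4, 4, RD_EAGAIN, 4 };
static const ssize_t script_silence[] = { RD_EAGAIN, RD_EAGAIN, RD_EINTR, 8 };

int main(void)
{
    run_result r = run_scenario(0, script_silence, SCRIPT_LEN(script_silence));
    printf("before: returned %zu, out-of-bounds reads %d\n", r.returned, r.oob_attempts);
    r = run_scenario(1, script_silence, SCRIPT_LEN(script_silence));
    printf("after:  returned %zu, out-of-bounds reads %d\n", r.returned, r.oob_attempts);
    return 0;
}
```

The invariant pos + len == buffer size survives the fall-through (pos shrinks by one while len grows by one), which is why a single transient error in the middle of the stream only misreports the count and re-reads one byte; it is a run of transient errors at pos == 0 that drives pos below zero and points the next read in front of the buffer.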