sound: Fix buffer overflow in square wave generation
authorAndrew Scull <ascull@google.com>
Sun, 3 Apr 2022 10:39:13 +0000 (10:39 +0000)
committerTom Rini <trini@konsulko.com>
Fri, 29 Apr 2022 15:11:36 +0000 (11:11 -0400)
Data is written for each channel but is only tracked as having one
channel written. This resulted in a buffer overflow and corruption of
the allocator's metadata which caused further problems when the buffer
was later freed. This could be observed with sandbox unit tests.

Resolve the overflow by tracking the writes for each channel.

Fixes: f987177db9 ("dm: sound: Use the correct number of channels for sound")
Signed-off-by: Andrew Scull <ascull@google.com>
Cc: Simon Glass <sjg@chromium.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
drivers/sound/sound.c

index b0eab233916b14e6b771ca34a9f7ad0df2883bcd..041dfdccfebb3315ca04898b2aa056bf32540234 100644 (file)
@@ -25,13 +25,11 @@ void sound_create_square_wave(uint sample_rate, unsigned short *data, int size,
                int i, j;
 
                for (i = 0; size && i < half; i++) {
-                       size -= 2;
-                       for (j = 0; j < channels; j++)
+                       for (j = 0; size && j < channels; j++, size -= 2)
                                *data++ = amplitude;
                }
                for (i = 0; size && i < period - half; i++) {
-                       size -= 2;
-                       for (j = 0; j < channels; j++)
+                       for (j = 0; size && j < channels; j++, size -= 2)
                                *data++ = -amplitude;
                }
        }