blob: dca2f90a49d08057a26b3ee70ce496ae9c6c6953 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
|
From 7a4ede0047a8613b0e3b72c9d351038f013dd357 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Mon, 20 Jan 2020 11:18:04 +0100
Subject: [PATCH] audio/oss: fix buffer pos calculation
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
Fixes: 3ba4066d085f ("ossaudio: port to the new audio backend api")
Reported-by: ziming zhang <ezrakiez@gmail.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-Id: <20200120101804.29578-1-kraxel@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=7a4ede0047a8613b0e3b72c9d351038f013dd357]
CVE: CVE-2020-14415
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
---
audio/ossaudio.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/audio/ossaudio.c b/audio/ossaudio.c
index c43faee..9456491 100644
--- a/audio/ossaudio.c
+++ b/audio/ossaudio.c
@@ -420,7 +420,7 @@ static size_t oss_write(HWVoiceOut *hw, void *buf, size_t len)
size_t to_copy = MIN(len, hw->size_emul - hw->pos_emul);
memcpy(hw->buf_emul + hw->pos_emul, buf, to_copy);
- hw->pos_emul = (hw->pos_emul + to_copy) % hw->pos_emul;
+ hw->pos_emul = (hw->pos_emul + to_copy) % hw->size_emul;
buf += to_copy;
len -= to_copy;
}
--
1.8.3.1
|
