Arun Raghavan pushed to branch master at PulseAudio / pulseaudio Commits: 1fbc6b0e by Jonathan Marler at 2025-09-13T12:19:35-06:00 stream: fix array out-of-bounds in stream_get_timing_info_callback This issue was found by enabling ubsan. For me it consistently triggered after about 28 seconds running a simple example that plays a sine wave via the mainloop api. I added a log and confirmed that before the ubsan is triggered the index variable j is indeed 32 which is out-of-bounds. Co-authored-by: Arun Raghavan <[email protected]> - - - - - 1 changed file: - src/pulse/stream.c Changes: ===================================== src/pulse/stream.c ===================================== @@ -1917,7 +1917,10 @@ static void stream_get_timing_info_callback(pa_pdispatch *pd, uint32_t command, * total correction.*/ for (n = 0, j = o->stream->current_write_index_correction+1; n < PA_MAX_WRITE_INDEX_CORRECTIONS; - n++, j = (j + 1) % PA_MAX_WRITE_INDEX_CORRECTIONS) { + n++, j++) { + + /* First fix up the index to be within the array */ + j = j % PA_MAX_WRITE_INDEX_CORRECTIONS; /* Step over invalid data or out-of-date data */ if (!o->stream->write_index_corrections[j].valid || View it on GitLab: https://gitlab.freedesktop.org/pulseaudio/pulseaudio/-/commit/1fbc6b0e0e796ea1e78825fce4ca815475d30294 -- View it on GitLab: https://gitlab.freedesktop.org/pulseaudio/pulseaudio/-/commit/1fbc6b0e0e796ea1e78825fce4ca815475d30294 You're receiving this email because of your account on gitlab.freedesktop.org.
