The number of bytes to read passed to AUD_read() should never exceed the maximum available buffer length. Tighten the current amount by MIN(<amount>, max_size - <existing size>).
Cc: [email protected]
Fixes: 98e77e3dd8dd6e7aa9a7dffa60f49c8c8a49d4e3 ("virtio-snd: add max size bounds check in input cb")
Reported-by: DARKNAVY <[email protected]>
Signed-off-by: Manos Pitsidianakis <[email protected]>
---
 hw/audio/virtio-snd.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/hw/audio/virtio-snd.c b/hw/audio/virtio-snd.c
index 3437211f7904ac77265d8ace8c1a5a582c0be96d..fc0781ae9a3564f547e0295a95d8f71fb5426aa9 100644
--- a/hw/audio/virtio-snd.c
+++ b/hw/audio/virtio-snd.c
@@ -1240,7 +1240,7 @@ static void virtio_snd_pcm_in_cb(void *data, int available)
 {
     VirtIOSoundPCMStream *stream = data;
     VirtIOSoundPCMBuffer *buffer;
-    size_t size, max_size;
+    size_t size, max_size, to_read;
 
     WITH_QEMU_LOCK_GUARD(&stream->queue_mutex) {
         while (!QSIMPLEQ_EMPTY(&stream->queue)) {
@@ -1266,10 +1266,12 @@ static void virtio_snd_pcm_in_cb(void *data, int available)
                 return_rx_buffer(stream, buffer);
                 break;
             }
+            to_read = stream->params.period_bytes - buffer->size;
+            to_read = MIN(to_read, available);
+            to_read = MIN(to_read, max_size - buffer->size);
             size = AUD_read(stream->voice.in,
-                            buffer->data + buffer->size,
-                            MIN(available, (stream->params.period_bytes -
-                                            buffer->size)));
+                            buffer->data + buffer->size,
+                            to_read);
             if (!size) {
                 available = 0;
                 break;
-- 
2.47.3
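Review bot: The three-way clamp in the second hunk depends on invariants that are not visible there, so a comment above the first `to_read =` line is warranted, e.g. `/* Clamp to the remaining period, to what the backend offers, and to the space left in the guest's RX buffer; relies on buffer->size < max_size being checked above. */`. Whether `max_size - buffer->size` can wrap hinges on the check I infer sits just above the hunk (the `return_rx_buffer(stream, buffer); break;` context), which is worth confirming rather than assuming; if `buffer->size` ever exceeded `period_bytes` the first subtraction would wrap, but the later `MIN` against the buffer headroom still bounds it. Separately, `available` is an `int` compared against a `size_t` inside `MIN`; if the backend could ever pass a negative value it would convert to a large unsigned and fail to clamp, so either a comment stating it is nonnegative or an early `if (available <= 0) break;` would make the intent explicit — this mixing is pre-existing, not introduced here. virtio_snd_pcm_in_cb begins before and ends after both hunks.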
