If for some reason there is not enough data provided to the function bluetooth_a2dp_write() and there are leftovers to handle, the ALSA module will segfault.
---
audio/pcm_bluetooth.c | 8 ++++++--
1 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/audio/pcm_bluetooth.c b/audio/pcm_bluetooth.c
index 4c0ab6f..ff463fe 100644
--- a/audio/pcm_bluetooth.c
+++ b/audio/pcm_bluetooth.c
@@ -1050,8 +1050,11 @@ static snd_pcm_sframes_t bluetooth_a2dp_write(snd_pcm_ioplug_t *io,
 }
 /* Check if we have any left over data from the last write */
- if (data->count > 0 && (bytes_left - data->count) >= a2dp->codesize) {
- int additional_bytes_needed = a2dp->codesize - data->count;
+ if (data->count > 0) {
+ unsigned int additional_bytes_needed =
+ a2dp->codesize - data->count;
+ if (additional_bytes_needed > bytes_left)
+ goto out;
 memcpy(data->buffer + data->count, buff, additional_bytes_needed);
@@ -1122,6 +1125,7 @@ static snd_pcm_sframes_t bluetooth_a2dp_write(snd_pcm_ioplug_t *io,
 }
 }
+out:
 /* Copy the extra to our temp buffer for the next write */
 if (bytes_left > 0) {
 memcpy(data->buffer + data->count, buff, bytes_left);
--
1.7.1
--
To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
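Review bot: `a2dp->codesize - data->count` is now computed as `unsigned int`, so if `data->count` ever exceeds `a2dp->codesize` the result wraps to a very large value instead of going negative, and nothing in the first hunk checks that relation. The wrapped value then satisfies `additional_bytes_needed > bytes_left`, control reaches `out:` (second hunk), and `memcpy(data->buffer + data->count, buff, bytes_left)` appends to a buffer that already holds more than one codec frame; whether that overruns `data->buffer` depends on its size, which is declared outside the visible lines. Unless the rest of the function guarantees `data->count <= a2dp->codesize`, I would test it before the subtraction, for example `if (data->count > a2dp->codesize) return -EINVAL;` (the right recovery is the maintainers' call), and put a comment above the `goto` such as `/* not enough input to finish the pending frame; stash it and wait for the next write */`. `bluetooth_a2dp_write()` starts and ends outside both hunks, so the declared type of `bytes_left` and the code skipped by the jump could not be checked from here.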