aboutsummaryrefslogtreecommitdiff
path: root/audio/audio.c
diff options
context:
space:
mode:
authorKővágó, Zoltán <dirty.ice.hu@gmail.com>2019-08-26 21:59:01 +0200
committerGerd Hoffmann <kraxel@redhat.com>2019-08-28 11:56:56 +0200
commit725662d6dbfbbc536bb4006fbd93bcc6e82c8a34 (patch)
tree24f70c9a6de4e249968733d861bfaa05f8e2b6d2 /audio/audio.c
parent23919ddfd56135cad3cb468a8f54d5a595f024f4 (diff)
downloadqemu-725662d6dbfbbc536bb4006fbd93bcc6e82c8a34.zip
qemu-725662d6dbfbbc536bb4006fbd93bcc6e82c8a34.tar.gz
qemu-725662d6dbfbbc536bb4006fbd93bcc6e82c8a34.tar.bz2
audio: fix invalid malloc size in audio_create_pdos
The code used sizeof(AudiodevAlsaPerDirectionOptions) instead of the appropriate per direction options for the audio backend. If the size of the actual audiodev's per direction options are larger than alsa's, it could cause a buffer overflow. However, alsa has three fields in per direction options: a string, an uint32 and a bool. Oss has the same fields, coreaudio has a single uint32, paaudio has a string and an uint32, all other backends only use the common options, so currently no per direction options struct should be larger than alsa's. Signed-off-by: Kővágó, Zoltán <DirtY.iCE.hu@gmail.com> Message-Id: <7808bc816ba7da8b8de8a214713444d85f7af3c6.1566847960.git.DirtY.iCE.hu@gmail.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Diffstat (limited to 'audio/audio.c')
-rw-r--r--audio/audio.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/audio/audio.c b/audio/audio.c
index 7d71533..ae335db 100644
--- a/audio/audio.c
+++ b/audio/audio.c
@@ -1685,7 +1685,7 @@ void audio_create_pdos(Audiodev *dev)
} \
if (!dev->u.driver.has_out) { \
dev->u.driver.out = g_malloc0( \
- sizeof(AudiodevAlsaPerDirectionOptions)); \
+ sizeof(Audiodev##pdo_name##PerDirectionOptions)); \
dev->u.driver.has_out = true; \
} \
break