From c85b570ad78a0185f45a08e63fefc667c4f056f7 Mon Sep 17 00:00:00 2001 From: Max Kellermann Date: Mon, 29 Sep 2008 17:25:08 +0200 Subject: pcm_utils: pass only one buffer size to pcm_mix() pcm_mix() might overflow the destination buffer if it is smaller than the second buffer. This is ok because the physical buffer size passed by cross_fade_apply() is always big enough, but clutters pcm_mix() with complicated length checks and contains a dangerous buffer overflow pitfall. Simplify pcm_mix()/pcm_add() and pass only the smaller buffer size; let cross_fade_apply() do the memcpy(). --- src/crossfade.c | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) (limited to 'src/crossfade.c') diff --git a/src/crossfade.c b/src/crossfade.c index b99b9f7f0..c4a26fa6b 100644 --- a/src/crossfade.c +++ b/src/crossfade.c @@ -49,14 +49,28 @@ void cross_fade_apply(ob_chunk * a, const ob_chunk * b, const struct audio_format *format, unsigned int current_chunk, unsigned int num_chunks) { + size_t size; + assert(current_chunk <= num_chunks); + size = b->chunkSize > a->chunkSize + ? a->chunkSize + : b->chunkSize; + pcm_mix(a->data, b->data, - a->chunkSize, - b->chunkSize, + size, format, ((float)current_chunk) / num_chunks); - if (b->chunkSize > a->chunkSize) + + if (b->chunkSize > a->chunkSize) { + /* the second buffer is larger than the first one: + there is unmixed rest at the end. Copy it over. + The output buffer API guarantees that there is + enough room in a->data. */ + memcpy(a->data + a->chunkSize, + b->data + a->chunkSize, + b->chunkSize - a->chunkSize); a->chunkSize = b->chunkSize; + } } -- cgit v1.2.3
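Review bot: The memcpy() added in the `if (b->chunkSize > a->chunkSize)` branch of cross_fade_apply() writes up to b->chunkSize bytes into a->data, and the only thing bounding that write is the comment saying the output buffer API guarantees enough room. The commit message calls this same assumption a buffer overflow pitfall in pcm_mix(), so the invariant should be checked where the copy now happens, for example `assert(b->chunkSize <= sizeof(a->data));` just before the memcpy(). That form assumes data is a fixed-size array inside ob_chunk, whose declaration is not visible in this hunk; if it is a pointer, compare against the chunk's capacity instead. Because assert() is compiled out under NDEBUG, a release build would still write past the buffer if a caller broke the guarantee, so clamping the copied length to the capacity is the stricter option. The hunk also adds no `#include <string.h>` for memcpy(), so confirm the file already includes it.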