[quake3-commits] [ioquake/ioq3] 84daa2: Fix memory corruption in S_TransferPaintBuffer
Mickaël Thomas
noreply at github.com
Wed Dec 8 13:47:10 EST 2021
Branch: refs/heads/main
Home: https://github.com/ioquake/ioq3
Commit: 84daa2826798a84627f7f93f721182028ed007e3
https://github.com/ioquake/ioq3/commit/84daa2826798a84627f7f93f721182028ed007e3
Author: Mickaël Thomas <mickael9 at gmail.com>
Date: 2021-12-08 (Wed, 08 Dec 2021)
Changed paths:
M code/client/snd_mix.c
Log Message:
-----------
Fix memory corruption in S_TransferPaintBuffer
When using a non-default sound configuration (such as 6 channels), after
a long time (about 4.5hours for 6 channels at 22050 Hz) an overflow will
occur in `S_TransferPaintBuffer`, causing an out of bounds write into
the dma buffer.
The problematic line is:
```
out_idx = (s_paintedtime * dma.channels) % dma.samples;
```
With `s_paintedtime` large enough, the result of the multiplication will
overflow to a negative number (since `s_paintedtime` is signed), and the
index into the output buffer will be negative.
More information about the quake3-commits
mailing list