From: Gerd Hoffmann <kraxel@redhat.com>
To: qemu-devel@nongnu.org
Cc: "David Hildenbrand" <david@redhat.com>,
"Gerd Hoffmann" <kraxel@redhat.com>,
"Kashyap Chamarthy" <kchamart@redhat.com>,
"Marc-André Lureau" <marcandre.lureau@redhat.com>,
"Markus Armbruster" <armbru@redhat.com>,
"Eric Auger" <eric.auger@redhat.com>,
"Christian Schoenebeck" <qemu_oss@crudebyte.com>,
"Daniel P. Berrangé" <berrange@redhat.com>,
"Philippe Mathieu-Daudé" <f4bug@amsat.org>,
"Marcel Apfelbaum" <marcel.apfelbaum@gmail.com>,
"Michael S. Tsirkin" <mst@redhat.com>,
"Eric Blake" <eblake@redhat.com>,
"Volker Rümelin" <vr_qemu@t-online.de>
Subject: [PULL 12/26] audio: prevent an integer overflow in resampling code
Date: Thu, 13 Oct 2022 08:52:10 +0200
Message-ID: <20221013065224.1864145-13-kraxel@redhat.com>
In-Reply-To: <20221013065224.1864145-1-kraxel@redhat.com>
From: Volker Rümelin <vr_qemu@t-online.de>

There are corner cases where rate->opos can overflow. For
example, if QEMU is started with -audiodev pa,id=audio0,
out.frequency=11025 -device ich9-intel-hda -device hda-duplex,
audiodev=audio0 and the guest plays audio with a sampling
frequency of 44100Hz, rate->opos will overflow after 27.05h
and the audio stream will be silent for a long time.

To prevent a rate->opos and also a rate->ipos overflow, both
are wrapped around after a short time. The wrap around point
rate->ipos >= 0x10001 is an arbitrarily selected value and can
be any small value, 0 and 1 included.

The comment that an ipos overflow will result in an infinite
loop has been removed, because in this case the resampling code
only generates no more output samples and the audio stream stalls.
However, there is no infinite loop.

Signed-off-by: Volker Rümelin <vr_qemu@t-online.de>
Message-Id: <20220923183640.8314-12-vr_qemu@t-online.de>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
audio/rate_template.h | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/audio/rate_template.h b/audio/rate_template.h
index f94c940c61b1..b432719ebbaa 100644
--- a/audio/rate_template.h
+++ b/audio/rate_template.h
@@ -72,11 +72,6 @@ void NAME (void *opaque, struct st_sample *ibuf, struct st_sample *obuf,
ilast = *ibuf++;
rate->ipos++;
- /* if ipos overflow, there is a infinite loop */
- if (rate->ipos == 0xffffffff) {
- rate->ipos = 1;
- rate->opos = rate->opos & 0xffffffff;
- }
/* See if we finished the input buffer yet */
if (ibuf >= iend) {
goto the_end;
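Review bot: With the wrap check deleted from just after `rate->ipos++`, the path that takes `goto the_end` on `ibuf >= iend` now leaves with `ipos` unwrapped until the new check after `icur = *ibuf;` is next reached. That looks harmless because the new threshold of 0x10001 is far below the old 0xffffffff, but a one-line comment near `rate->ipos++` saying the wrap is handled just before interpolation would save readers from searching for it. The commit message's correction (a stalled stream, not an infinite loop) would also be worth keeping in a code comment rather than only in the log.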
@@ -85,6 +80,12 @@ void NAME (void *opaque, struct st_sample *ibuf, struct st_sample *obuf,
icur = *ibuf;
+ /* wrap ipos and opos around long before they overflow */
+ if (rate->ipos >= 0x10001) {
+ rate->ipos = 1;
+ rate->opos &= 0xffffffff;
+ }
+
/* interpolate */
#ifdef FLOAT_MIXENG
#ifdef RECIPROCAL
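Review bot: The threshold in `if (rate->ipos >= 0x10001)` is a bare magic number that the commit message itself calls arbitrary; a named constant, or a comment saying any small value works, would stop later readers from treating it as significant. The reset also keeps only the low 32 bits of `opos` while forcing `ipos` to 1, so it appears to rely on the high half of `opos` being `ipos - 1` at this point. Stating that invariant in the comment would explain why the check sits after `icur = *ibuf;` and not where the old one was.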
--
2.37.3