From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from phobos.denx.de (phobos.denx.de [85.214.62.61]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 84CADC433EF for ; Sun, 3 Apr 2022 10:41:20 +0000 (UTC) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id A83F483B44; Sun, 3 Apr 2022 12:40:04 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=google.com header.i=@google.com header.b="C/glaeBJ"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id F243583B0D; Sun, 3 Apr 2022 12:39:39 +0200 (CEST) Received: from mail-wr1-x44a.google.com (mail-wr1-x44a.google.com [IPv6:2a00:1450:4864:20::44a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id 447BF83B19 for ; Sun, 3 Apr 2022 12:39:31 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=3YnlJYgYKBpMxFzH883BB381.zB9H-yBBG85FGF.01AK.01@flex--ascull.bounces.google.com Received: by mail-wr1-x44a.google.com with SMTP id s8-20020adfc548000000b00203eba1052eso1182494wrf.1 for ; Sun, 03 Apr 2022 03:39:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=EJ8I6f0Br8etdRgHnf4Em0J/7G61q4ypnZodg29bBUA=; b=C/glaeBJHXhEsRiR++24yBraEyh9NrzPuwinB3cTdo0Uzw/BYyKWOuvpnreiMhawTe jJXwZ17PD05q8mUYASu2JIXVJAG9geNDd3qkWjCnYTO98QLON0UPwXM3XOQBgEyw4yYa utQGjAC07zhDRQ/IkvrtfMMlj8nc/skKcDKfWemBcKO4/m+ysuTrGnpogJKajSLcJdTC iMA5tWc5eoKrxKmcBNt7KSIP7/OVrRE2e6nTOTfqgAa6J65rWa7YY4cS8R9L3E/zFEye e91H6s5owtm35YGBfGXDIHtlC07nq2mi1PktQ1+4OY0Yn4cNYb9dcfOOS5PVVChUkDYt 1ZEQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=EJ8I6f0Br8etdRgHnf4Em0J/7G61q4ypnZodg29bBUA=; b=6ufsE283um8PRDWwsTe7EuuKbWmMEYF0OS/0zYMSQGdJ9bu0w1X2xDAnIHAGk11Oqz E6FYyz8n/m0wzbqYO11l88Du7uVHRaqGeFywtgPONrp5LM5n5LIHzz0NsXFoypvRM/Et OHuTbzt0bENoXEnSv+SQt+ynJYIsgzu7RwDvP2keVHOR9lledAPDNyOVl0nMUJYlPvit Ldqo47iIJXJC4xRZKrNg2CA1kb3dwlMCLKDliPZPnI15gKA785Gfri0MjzEyzXqkNZlw 01JG7+zgyedh1Sm/NKFZ/2HUur7CIjg+PBfNyFl6/U0/9nGravSuXPAY0KqB30pUsQO3 XQRg== X-Gm-Message-State: AOAM533IHBAk5ew0bDXytTsP4crjGvAirCRgiD3+Dw6QENtybgDeNCQE +BCV5SLHfOYWNk13cvCO79zoVCZDIEXLtF4aGgaujfLkr39xoESjuPy/4dbV4Ge/BWKZToareU1 NoIE7e1AZIGYMA7ae02VdwkL+9O0TLOpfVRMASYFhGmhgZepKYX7E7dR5LTI= X-Google-Smtp-Source: ABdhPJyO7IjlCH6JsnsDO/RZQpgdqcA8eRoJ3QJIEHBz5FoiepfKIoq/Tfjr6SnOc/h+6SLafALPmvQlN1k= X-Received: from ascull.c.googlers.com ([fda3:e722:ac3:cc00:28:9cb1:c0a8:1510]) (user=ascull job=sendgmr) by 2002:a05:600c:4ecc:b0:38e:354d:909 with SMTP id g12-20020a05600c4ecc00b0038e354d0909mr15653643wmq.33.1648982370851; Sun, 03 Apr 2022 03:39:30 -0700 (PDT) Date: Sun, 3 Apr 2022 10:39:13 +0000 In-Reply-To: <20220403103915.3338027-1-ascull@google.com> Message-Id: <20220403103915.3338027-7-ascull@google.com> Mime-Version: 1.0 References: <20220403103915.3338027-1-ascull@google.com> X-Mailer: git-send-email 2.35.1.1094.g7c7d902a7c-goog Subject: [PATCH 6/8] sound: Fix buffer overflow in square wave generation From: Andrew Scull To: u-boot@lists.denx.de Cc: sjg@chromium.org, seanga2@gmail.com, Andrew Scull Content-Type: text/plain; charset="UTF-8" X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.39 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.5 at phobos.denx.de X-Virus-Status: Clean Data is written for each channel but is only tracked as having one channel written. This resulted in a buffer overflow and corruption of the allocator's metadata which caused further problems when the buffer was later freed. This could be observed with sandbox unit tests. Resolve the overflow by tracking the writes for each channel. Fixes: f987177db9 ("dm: sound: Use the correct number of channels for sound") Signed-off-by: Andrew Scull Cc: Simon Glass --- drivers/sound/sound.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/drivers/sound/sound.c b/drivers/sound/sound.c index b0eab23391..041dfdccfe 100644 --- a/drivers/sound/sound.c +++ b/drivers/sound/sound.c @@ -25,13 +25,11 @@ void sound_create_square_wave(uint sample_rate, unsigned short *data, int size, int i, j; for (i = 0; size && i < half; i++) { - size -= 2; - for (j = 0; j < channels; j++) + for (j = 0; size && j < channels; j++, size -= 2) *data++ = amplitude; } for (i = 0; size && i < period - half; i++) { - size -= 2; - for (j = 0; j < channels; j++) + for (j = 0; size && j < channels; j++, size -= 2) *data++ = -amplitude; } } -- 2.35.1.1094.g7c7d902a7c-goog