ossaudio: fix out of bounds write

Volker Rümelin · kraxel · commit 4f50d4a48e0c · 2020-07-13T11:38:40.000+02:00
In function oss_read() a read error currently does not exit the read loop. With no data to read the variable pos will quickly underflow and a subsequent successful read overwrites memory outside the buffer. This patch adds the missing break statement to the error path of the function. To reproduce start qemu with -audiodev oss,id=audio0 and in the guest start audio recording. After some time this will trigger an exception. Fixes: 3ba4066 "ossaudio: port to the new audio backend api" Signed-off-by: Volker Rümelin <vr_qemu@t-online.de> Message-id: 20200707180836.5435-1-vr_qemu@t-online.de Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
diff --git a/audio/ossaudio.c b/audio/ossaudio.c
@@ -691,6 +691,7 @@ static size_t oss_read(HWVoiceIn *hw, void *buf, size_t len)
                            len, dst);
                 break;
             }
+            break;
         }
 
         pos += nread;

Original file line number	Diff line number	Diff line change
`@@ -691,6 +691,7 @@ static size_t oss_read(HWVoiceIn hw, void buf, size_t len)`
`691`	`691`	`len, dst);`
`692`	`692`	`break;`
`693`	`693`	`}`
	`694`	`+ break;`
`694`	`695`	`}`
`695`	`696`
`696`	`697`	`pos += nread;`