pcm: dshare: Fix overflow when slave_hw_ptr rolls over boundary
author Brendan Shanks <brendan.shanks@teradek.com>
Mon, 11 Feb 2019 19:51:26 +0000 (11:51 -0800)
committer Takashi Iwai <tiwai@suse.de>
Tue, 12 Feb 2019 13:37:44 +0000 (14:37 +0100)
In snd_pcm_dshare_sync_area() when 'slave_hw_ptr' rolls over
'slave_boundary', the wrong variable is checked ('dshare->slave_hw_ptr' vs
the local 'slave_hw_ptr'). In some cases, this results in 'slave_hw_ptr'
not rolling over correctly. 'slave_size' and 'size' are then much too
large, and the for loop blocks for several minutes copying samples.

This was likely only triggered on 32-bit systems, since the PCM boundary
is computed based on LONG_MAX and is much larger on 64-bit systems.

This same change was made to pcm_dmix in commit
6c7f60f7a982fdba828e4530a9d7aa0aa2b704ae ("Fix boundary overlap") from
June 2005.

Signed-off-by: Brendan Shanks <brendan.shanks@teradek.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>

src/pcm/pcm_dshare.c

index 2bb735f..f135b5d 100644 (file)
@@ -121,7 +121,7 @@ static void snd_pcm_dshare_sync_area(snd_pcm_t *pcm)
         */
        slave_hw_ptr -= slave_hw_ptr % dshare->slave_period_size;
        slave_hw_ptr += dshare->slave_buffer_size;
-       if (dshare->slave_hw_ptr > dshare->slave_boundary)
+       if (slave_hw_ptr >= dshare->slave_boundary)
                slave_hw_ptr -= dshare->slave_boundary;
        if (slave_hw_ptr < dshare->slave_appl_ptr)
                slave_size = slave_hw_ptr + (dshare->slave_boundary - dshare->slave_appl_ptr);
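Review bot: The changed test on slave_hw_ptr also switches the comparison from '>' to '>=', but the commit message only describes the wrong-variable part of the fix. Please add a sentence to the log saying that a pointer equal to slave_boundary has to wrap to 0 as well, so the operator change is not taken for an accident later. The single subtraction after 'slave_hw_ptr += dshare->slave_buffer_size' is sufficient only while slave_buffer_size does not exceed slave_boundary; a short comment above the check stating that assumption would help the next reader.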