[pulseaudio-discuss] [PATCH] Fix pacat memory issue

[Denis Shulyaka]

If only part of the buffer is written into stdout by stdout_callback, the buffer_index variable is increased by the number of written bytes, buffer_length variable is decreased while the allocated buffer size remains the same. That suggests that the current allocated size is calculated as (buffer_index + buffer_length). However the current stream_read_callback implementation writes new data to the start of the buffer and allocates too little space, so that (buffer + buffer_index + buffer_length - 1) could actully point outside of the allocated buffer.
---
 src/utils/pacat.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/utils/pacat.c b/src/utils/pacat.c
index 4e1bbfc..6c4db4b 100644
--- a/src/utils/pacat.c
+++ b/src/utils/pacat.c
@@ -251,11 +251,11 @@ static void stream_read_callback(pa_stream *s, size_t length, void *userdata) {
             /* If there is a hole in the stream, we generate silence, except
              * if it's a passthrough stream in which case we skip the hole. */
             if (data || !(flags & PA_STREAM_PASSTHROUGH)) {
-                buffer = pa_xrealloc(buffer, buffer_length + length);
+                buffer = pa_xrealloc(buffer, buffer_index + buffer_length + length);
                 if (data)
-                    memcpy((uint8_t *) buffer + buffer_length, data, length);
+                    memcpy((uint8_t *) buffer + buffer_index + buffer_length, data, length);
                 else
-                    pa_silence_memory((uint8_t *) buffer + buffer_length, length, &sample_spec);
+                    pa_silence_memory((uint8_t *) buffer + buffer_index + buffer_length, length, &sample_spec);
 
                 buffer_length += length;
             }
-- 
2.9.4