RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-25 23:07:35 +00:00
Code Issues Activity Actions

Kernel/Audio: Fix buffer size underflow for non-page-aligned sizes

Browse source 
When the size of the audio data was not a multiple of a page size,
subtracting the page size from this unsigned variable would underflow it
close to 2^32 and be clamped to the page size again. This would lead to
writes into garbage addresses because of an incorrect write size,
interestingly only causing the write() call to error out.

Using saturating math neatly fixes this problem and allows buffer
lengths that are not a multiple of a page size.
This commit is contained in:
kleines Filmröllchen 2022-06-15 21:35:02 +02:00 committed by Linus Groh
parent 07d712ea00
commit f6af357763
1 changed files with 4 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

8
Kernel/Devices/Audio/AC97.cpp
View file

@ -207,12 +207,12 @@ ErrorOr<size_t> AC97::write(size_t channel_index, UserOrKernelBuffer const& data
m_buffer_descriptor_list = TRY(MM.allocate_dma_buffer_pages(buffer_descriptor_list_size, "AC97 Buffer Descriptor List"sv, Memory::Region::Access::Write));
}
auto remaining = length;
Checked<size_t> remaining = length;
size_t offset = 0;
while (remaining > 0) {
TRY(write_single_buffer(data, offset, min(remaining, PAGE_SIZE)));
while (remaining > static_cast<size_t>(0)) {
TRY(write_single_buffer(data, offset, min(remaining.value(), PAGE_SIZE)));
offset += PAGE_SIZE;
remaining -= PAGE_SIZE;
remaining.saturating_sub(PAGE_SIZE);
}
return length;