Details
- Bug
- Resolution: Done
- P1: Critical
- 5.5.1, 5.8.0
- None
- Kubuntu 14.04
Description
In QAudioHelperInternal::qMultiplySamples, when format.sampleSize() returns 24, adjustSamples is called with a 4-byte template parameter. Since in this case samplesCount = len/3, and adjustSamples casts src and dst to pointers to its template parameter, subsequent indexing of pDst and pSrc leads to overshooting by samples*4/3 bytes.
To reproduce, have QSoundEffect emit some 24-bit PCM data with a non-unit volume. For a large enough data size this leads to stack smashing, because the local array named out in QAlsaAudioOutput::write, into which qMultiplySamples writes, is overflowed.
The code is still in this state in current master (v5.8.0-29-gd5d7dcf).
Here's example code which will reproduce the problem if supplied with a 24-bit PCM wav file:

```cpp
#include <QCoreApplication>
#include <QSoundEffect>
#include <iostream>

int main(int argc, char **argv)
{
    if (argc != 2) {
        std::cerr << "Usage: " << argv[0] << " sound-file.wav\n";
        return 1;
    }
    QCoreApplication app(argc, argv);
    QSoundEffect sound;
    sound.setSource(QUrl::fromLocalFile(argv[1]));
    sound.setVolume(0.8); // no crash without this line
    QObject::connect(&sound, &QSoundEffect::playingChanged, &app, [&app, &sound]() {
        if (!sound.isPlaying())
            app.quit();
    }, Qt::QueuedConnection);
    sound.play();
    return app.exec();
}
```
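The following is an added illustration, not code from Qt or from this report. It models the stride mismatch described above (a buffer of len bytes of 24-bit PCM walked as len/3 four-byte elements touches len*4/3 bytes) and places next to it a scaling loop that handles 24-bit samples as three little-endian bytes, so every index stays inside the destination buffer and unsupported lengths are rejected instead of silently overrun. The function names, the little-endian signed 24-bit layout and the sample values are assumptions made for the example.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Constructed model (not Qt's code): how many bytes a per-sample loop touches
// when it derives the sample count from sampleBits but indexes with elemBytes.
// For 24-bit data walked with 4-byte elements the result exceeds len.
static size_t bytesTouched(size_t len, int sampleBits, size_t elemBytes)
{
    size_t samplesCount = len / (sampleBits / 8);   // len/3 for 24-bit
    return samplesCount * elemBytes;                // len/3 * 4 > len
}

// Decode one signed 24-bit little-endian sample (assumed layout).
static int32_t read24LE(const uint8_t *p)
{
    int32_t v = (int32_t)((uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16));
    if (v & 0x800000)
        v -= 0x1000000;                             // sign-extend from 24 bits
    return v;
}

// Hardened scaling for 24-bit PCM: the stride is 3 bytes, matching the
// sample width, so src[i..i+2] and dst[i..i+2] never pass len.
// Returns false instead of processing a length that is not a whole number
// of samples.
static bool scalePcm24LE(double factor, const uint8_t *src, uint8_t *dst, size_t len)
{
    if (len % 3 != 0)
        return false;
    for (size_t i = 0; i + 2 < len; i += 3) {
        double s = read24LE(src + i) * factor;
        // clamp to the signed 24-bit range before re-packing
        int32_t r = (int32_t)std::max(-8388608.0, std::min(8388607.0, s));
        uint32_t u = (uint32_t)r & 0xFFFFFFu;
        dst[i]     = (uint8_t)(u & 0xFF);
        dst[i + 1] = (uint8_t)((u >> 8) & 0xFF);
        dst[i + 2] = (uint8_t)((u >> 16) & 0xFF);
    }
    return true;
}

// Self-check on constructed input: samples +1000 and -1000 scaled by 0.5.
static bool demoRoundTrip()
{
    const uint8_t in[6]  = { 0xE8, 0x03, 0x00,    // +1000
                             0x18, 0xFC, 0xFF };  // -1000
    uint8_t out[6] = { 0 };
    if (!scalePcm24LE(0.5, in, out, sizeof in))
        return false;
    return read24LE(out) == 500 && read24LE(out + 3) == -500;
}

int main()
{
    // 300 bytes of 24-bit PCM is 100 samples; walked as 4-byte elements
    // the loop reaches 400 bytes, 100 past the end of the buffer.
    std::printf("bytes touched (24-bit as 4-byte): %zu of %zu\n",
                bytesTouched(300, 24, 4), (size_t)300);
    std::printf("bounded 24-bit scaling ok: %s\n", demoRoundTrip() ? "yes" : "no");
    return 0;
}
```

The first function is the arithmetic check a reviewer can apply to any such loop: the sample count and the index stride must be derived from the same width, otherwise the number of bytes touched differs from len and a fixed-size destination such as the array in QAlsaAudioOutput::write is overrun.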