From a25d3a245b802f8fa2da7f381fabd887bfa985dd Mon Sep 17 00:00:00 2001
From: James McDonnell <jmcdonnell@blackberry.com>
Date: Tue, 21 Feb 2017 15:32:08 -0500
Subject: [PATCH] Limit the size of the QnxAudioOutput stack buffer

QnxAudioOutput allocates a buffer on the stack based on the free value
from snd_pcm_plugin_status, but the way that QnxAudioOutput configures
the stream, how QnxAudioOutput currently pauses playback, and a bug in
io-audio combine to cause io-audio to produce very large free values
when resuming playback after a long pause.  As a result, QnxAudioOutput
allocates a stack buffer that causes a stack overflow.  Allocating
a buffer on the stack with a size that isn't constrained in any way
isn't a good idea.  Put some constraints on the size.

Change-Id: I2b72e72504041f0caeb591912662fb9bed931b21
Reviewed-by: Dan Cape <dcape@qnx.com>
Reviewed-by: Yoann Lopes <yoann.lopes@qt.io>
---
 src/plugins/qnx-audio/audio/qnxaudiooutput.cpp | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/plugins/qnx-audio/audio/qnxaudiooutput.cpp b/src/plugins/qnx-audio/audio/qnxaudiooutput.cpp
index d5805c2bd..5cfffe990 100644
--- a/src/plugins/qnx-audio/audio/qnxaudiooutput.cpp
+++ b/src/plugins/qnx-audio/audio/qnxaudiooutput.cpp
@@ -223,7 +223,10 @@ void QnxAudioOutput::pullData()
     if (frames == 0 || bytesAvailable < periodSize())
         return;
 
-    const int bytesRequested = m_format.bytesForFrames(frames);
+    // The buffer is placed on the stack so no more than 64K or 1 frame
+    // whichever is larger.
+    const int maxFrames = qMax(m_format.framesForBytes(64 * 1024), 1);
+    const int bytesRequested = m_format.bytesForFrames(qMin(frames, maxFrames));
 
     char buffer[bytesRequested];
     const int bytesRead = m_source->read(buffer, bytesRequested);
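Review bot: The context line `char buffer[bytesRequested];` is still a variable-length array, so the clamp bounds the stack allocation but leaves it runtime-sized and dependent on a compiler extension. Up to 64 KiB per call is also only safe if the thread running pullData() has a stack comfortably larger than that, which this hunk does not show. Consider moving the buffer off the stack, e.g. `QByteArray buffer(bytesRequested, Qt::Uninitialized);` with `m_source->read(buffer.data(), bytesRequested);`, or a member buffer reused across calls so the audio path does not allocate each time. The new comment would read more clearly as `// Cap the stack buffer at 64 KiB, but always allow at least one frame.`, and the `64 * 1024` literal would be easier to audit as a named constant. pullData() begins and ends outside the hunk, so how `frames` is derived and how the leftover frames are consumed after the clamp should be confirmed against the full function.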
-- 
GitLab