
Out of bounds array reference aplay.c playbackv_go function #70


Description

@ygator

I was looking through the aplay source file and came across an out of bounds reference. The reason I was looking through the code is that I am using an i2s amp and there is this code:

```sh
/usr/bin/aplay -D default -t raw -r 44100 -c 2 -f S16_LE /dev/zero /dev/zero
```
The reason for it is:

> We've added an extra helper systemd script that will play quiet audio when the I2S peripheral isn't in use. This removes popping when playback starts or stops. It uses a tiny amount of CPU time (on a Pi Zero, 5%, on a Pi 2 or 3 it's negligible).

I thought there must be a way to just open the device and not have to use any CPU time actually playing nothing.
If anyone knows if this is possible then let me know. Thanks.

Anyway, back to the out of bounds.

In the playbackv_go function of aplay.c there is a call to perror(names[channel]). However, instead of channel being equal to zero it is equal to channels, which is 1 + the number of names being passed to the function.

```c
/* Fragment of the read loop in playbackv_go (aplay.c); fds, bufs, names,
 * channels, vsize, count, r and channel are declared earlier in the function. */
while (count > 0 && !in_aborting) {
	size_t c = 0;
	size_t expected = count / channels;
	if (expected > vsize)
		expected = vsize;
	do {
		channel = 0; // Code to fix out of bounds
		r = safe_read(fds[0], bufs[0], expected);
		if (r < 0) {
			perror(names[channel]); // Out of bounds reference
			prg_exit(EXIT_FAILURE);
		}
		for (channel = 1; channel < channels; ++channel) {
			if (safe_read(fds[channel], bufs[channel], r) != r) {
				perror(names[channel]);
				prg_exit(EXIT_FAILURE);
			}
		}
		if (r == 0)
			break;
		c += r;
	} while (c < expected);
```
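The following is an added model of the loop above, not aplay's own code, that shows why the stale loop variable matters: `fake_read` is a stand-in for `safe_read` that succeeds for a configurable number of first-channel blocks and then fails, and `error_name_index` returns the index that would reach `names[...]` in the error path with and without the `channel = 0` reset.

```c
#include <stddef.h>
#include <sys/types.h>

/* Constructed stand-in for safe_read(): fd 0 succeeds `ok_calls` times and
 * then returns -1; every other channel always returns the requested size. */
static int ok_calls;

static ssize_t fake_read(int fd, size_t want)
{
    if (fd != 0)
        return (ssize_t)want;
    if (ok_calls > 0) {
        ok_calls--;
        return (ssize_t)want;
    }
    return -1;
}

/* Mirrors the read loop of playbackv_go and returns the index that would be
 * handed to perror(names[idx]) when a read fails, or -1 if no read fails.
 * `fixed` selects whether the proposed `channel = 0` reset is applied. */
int error_name_index(unsigned channels, size_t vsize, size_t count,
                     int fixed, int ok_blocks)
{
    /* In aplay, `channel` is left equal to `channels` by an earlier loop. */
    unsigned channel = channels;
    ok_calls = ok_blocks;
    while (count > 0) {
        size_t c = 0;
        size_t expected = count / channels;
        if (expected > vsize)
            expected = vsize;
        do {
            if (fixed)
                channel = 0;
            ssize_t r = fake_read(0, expected);
            if (r < 0)
                return (int)channel;        /* index used for names[channel] */
            for (channel = 1; channel < channels; ++channel)
                if (fake_read((int)channel, (size_t)r) != r)
                    return (int)channel;    /* in range: 1 .. channels-1 */
            if (r == 0)
                break;
            c += (size_t)r;
        } while (c < expected);
        if (c == 0)
            break;                          /* model only: avoid spinning */
        count -= c * channels;              /* model: bytes across all channels */
    }
    return -1;
}
```

With two channels the unfixed loop reports the failure through `names[2]`, one past the end of a two-element array, whether the failure happens on the first block (stale value from the earlier loop) or on a later block (value left by the inner `for`); the fixed loop always reports through `names[0]`.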
