
...
This patch addresses those possible buffer overflow accesses by simply setting the upper limit per the given buffer size for each plugin before src_frames() and after dst_frames() calls.
Hi!
This patch breaks any output via the OSS interface, as evidenced by "mpv --ao=oss somefile.mp3" or "mpg123 -o oss somefile.mp3" or just "cat /dev/urandom > /dev/dsp", which worked previously in kernel version 5.5 but no longer does starting with 5.6.
It appears here that plugin->buf_frames is zero, which results in ENXIO being returned to userspace.
... --- a/sound/core/oss/pcm_plugin.c +++ b/sound/core/oss/pcm_plugin.c @@ -209,6 +209,8 @@ snd_pcm_sframes_t snd_pcm_plug_client_size(struct snd_pcm_substream *plug, snd_p if (stream == SNDRV_PCM_STREAM_PLAYBACK) { plugin = snd_pcm_plug_last(plug); while (plugin && drv_frames > 0) {
if (drv_frames > plugin->buf_frames)
drv_frames = plugin->buf_frames; plugin_prev = plugin->prev; if (plugin->src_frames) drv_frames = plugin->src_frames(plugin, drv_frames);
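Review bot: the new clamp at the top of the playback loop does not handle plugin->buf_frames == 0. For a plugin whose buffer has not been sized, `drv_frames = plugin->buf_frames;` drops drv_frames to 0, the `while (plugin && drv_frames > 0)` condition then ends the loop before src_frames() is ever called, and the caller gets a zero size back, which matches the ENXIO reported above. Suggest clamping only when a buffer size is actually known, e.g. `if (plugin->buf_frames && drv_frames > plugin->buf_frames)`, and applying the same guard to the corresponding clamp after dst_frames() that the commit message mentions.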
...