Call to snd_pcm_hw_params_get_buffer_size causes memory corruption in calling program

23 Jun 2025


      alsa-project/alsa-lib issue #461 was opened from harryrowe01:
Calling snd_pcm_hw_params_get_buffer_size is causing memory corruption in the calling program.
The following C program demonstrates the issue.
/*
This example opens the default PCM device, sets
some parameters, and then displays the value
of some of the hardware parameters. It does not
perform any sound playback or recording.
*/
/* Use the newer ALSA API */
#define ALSA_PCM_NEW_HW_PARAMS_API
/* All of the ALSA library API is defined
 * in this header */
#include <alsa/asoundlib.h>
int main() {
  int rc;
  snd_pcm_t *handle;
  snd_pcm_hw_params_t *params, *save_params;
  unsigned int val, val2;
  int dir;
  snd_pcm_uframes_t frames;
/* Open PCM device for playback. */
  rc = snd_pcm_open(&handle, "default",
                    SND_PCM_STREAM_PLAYBACK, 0);
  if (rc < 0) {
    fprintf(stderr,
            "unable to open pcm device: %s\n",
            snd_strerror(rc));
    exit(1);
  }
/* Allocate a hardware parameters object. */
  snd_pcm_hw_params_alloca(&params);
/* Fill it in with default values. */
  snd_pcm_hw_params_any(handle, params);
/* Set the desired hardware parameters. */
/* Interleaved mode */
  snd_pcm_hw_params_set_access(handle, params,
                      SND_PCM_ACCESS_RW_INTERLEAVED);
/* Signed 16-bit little-endian format */
  snd_pcm_hw_params_set_format(handle, params,
                              SND_PCM_FORMAT_S16_LE);
/* Two channels (stereo) */
  snd_pcm_hw_params_set_channels(handle, params, 2);
/* 44100 bits/second sampling rate (CD quality) */
  val = 44100;
//  val = 8000;
  snd_pcm_hw_params_set_rate_near(handle,
                                 params, &val, &dir);
/* Write the parameters to the driver */
  rc = snd_pcm_hw_params(handle, params);
  if (rc < 0) {
    fprintf(stderr,
            "unable to set hw parameters: %s\n",
            snd_strerror(rc));
    exit(1);
  }
/* Display information about the PCM interface */
// Before calling snd_pcm_hw_params_get_buffer_size, save
// a copy of params which points to the parameter block.
  save_params = params;
// This call to snd_pcm_hw_params_get_buffer_size causes
// the value of params in main to be corrupted.
// Since the params argument to the function is passed
// by value, the function itself should not have access to
// the original variable in main.
snd_pcm_hw_params_get_buffer_size(params,
                         (snd_pcm_uframes_t *)&val);
// Then if the pointer has been modified, flag the problem and
// restore the pointer from the saved value.
  if( params != save_params )
  {
     printf( "The pointer to the parameter block has been corrupted!\n" );
     printf( "was %lx \n", save_params );
     printf( "is now %lx \n", params );
     printf( "So I'm fixing it.\n" );
     params = save_params;
  }
printf("buffer size = %u frames\n", val);
snd_pcm_close(handle);
return 0;
}
Compiled and run as follows:
harry@idun:~/Documents/morse$ cc bad_alsa.c -lasound -o bad_alsa
harry@idun:~/Documents/morse$ ./bad_alsa
The pointer to the parameter block has been corrupted!
was 7ffcd2011610 
is now 7ffc00000000 
So I'm fixing it.
buffer size = 1048576 frames
harry@idun:~/Documents/morse$ cc bad_alsa.c -lasound -o bad_alsa
harry@idun:~/Documents/morse$ ./bad_alsa
The pointer to the parameter block has been corrupted!
was 7fffc7483030 
is now 7fff00000000 
So I'm fixing it.
buffer size = 1048576 frames
harry@idun:~/Documents/morse$
Host is an AMD64 version of Debian 12. Installed version of ALSA library is libasound2 1.2.8-1+b1
Issue URL     : https://github.com/alsa-project/alsa-lib/issues/461
Repository URL: https://github.com/alsa-project/alsa-lib

GitHub issues - opened

tags (0)

participants (1)