[alsa-devel] [PATCH] pcm: dshare: Fix overflow when slave_hw_ptr rolls over boundary

Brendan Shanks brendan.shanks at teradek.com
Mon Feb 11 20:51:26 CET 2019


In snd_pcm_dshare_sync_area() when 'slave_hw_ptr' rolls over
'slave_boundary', the wrong variable is checked ('dshare->slave_hw_ptr' vs
the local 'slave_hw_ptr'). In some cases, this results in 'slave_hw_ptr'
not rolling over correctly. 'slave_size' and 'size' are then much too
large, and the for loop blocks for several minutes copying samples.

This was likely only triggered on 32-bit systems, since the PCM boundary
is computed based on LONG_MAX and is much larger on 64-bit systems.

This same change was made to pcm_dmix in commit
6c7f60f7a982fdba828e4530a9d7aa0aa2b704ae ("Fix boundary overlap") from
June 2005.

Signed-off-by: Brendan Shanks <brendan.shanks at teradek.com>

diff --git a/src/pcm/pcm_dshare.c b/src/pcm/pcm_dshare.c
index 2bb735fe..f135b5df 100644
--- a/src/pcm/pcm_dshare.c
+++ b/src/pcm/pcm_dshare.c
@@ -121,7 +121,7 @@ static void snd_pcm_dshare_sync_area(snd_pcm_t *pcm)
 	 */
 	slave_hw_ptr -= slave_hw_ptr % dshare->slave_period_size;
 	slave_hw_ptr += dshare->slave_buffer_size;
-	if (dshare->slave_hw_ptr > dshare->slave_boundary)
+	if (slave_hw_ptr >= dshare->slave_boundary)
 		slave_hw_ptr -= dshare->slave_boundary;
 	if (slave_hw_ptr < dshare->slave_appl_ptr)
 		slave_size = slave_hw_ptr + (dshare->slave_boundary - dshare->slave_appl_ptr);
-- 
2.17.1


