git.ipfire.org Git - thirdparty/qemu.git/commitdiff
audio: fix invalid malloc size in audio_create_pdos
author Kővágó, Zoltán <dirty.ice.hu@gmail.com>
Mon, 26 Aug 2019 19:59:01 +0000 (21:59 +0200)
committer Gerd Hoffmann <kraxel@redhat.com>
Wed, 28 Aug 2019 09:56:56 +0000 (11:56 +0200)
The code used sizeof(AudiodevAlsaPerDirectionOptions) instead of the
appropriate per direction options for the audio backend.  If the size of
the actual audiodev's per direction options is larger than alsa's, it
could cause a buffer overflow.

However, alsa has three fields in per direction options: a string, a
uint32 and a bool.  Oss has the same fields, coreaudio has a single
uint32, paaudio has a string and a uint32, all other backends only use
the common options, so currently no per direction options struct should
be larger than alsa's.

Signed-off-by: Kővágó, Zoltán <DirtY.iCE.hu@gmail.com>
Message-Id: <7808bc816ba7da8b8de8a214713444d85f7af3c6.1566847960.git.DirtY.iCE.hu@gmail.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
audio/audio.c

index 7d715332c993754d661af6f5065d4e78463a380a..ae335dbebb1ea2a848a9aa308fb2a2192c3afce2 100644 (file)
@@ -1685,7 +1685,7 @@ void audio_create_pdos(Audiodev *dev)
         }                                                           \
         if (!dev->u.driver.has_out) {                               \
             dev->u.driver.out = g_malloc0(                          \
-                sizeof(AudiodevAlsaPerDirectionOptions));           \
+                sizeof(Audiodev##pdo_name##PerDirectionOptions));   \
             dev->u.driver.has_out = true;                           \
         }                                                           \
         break
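
Review bot: the `out` allocation still spells the type by hand inside `g_malloc0(sizeof(...))`, which is the pattern that let the wrong struct name slip in; `g_new0(Audiodev##pdo_name##PerDirectionOptions, 1)` would keep the element type and the allocation size in one place. The hunk touches only the `has_out` branch, and the branch that closes on the first context line is not shown, so it is worth confirming that the allocation above uses the same token-pasted type rather than the ALSA one. Since the commit message states that no backend's struct is currently larger than alsa's, a short comment by the macro saying that each case allocates its own backend's per-direction struct would help keep it correct when a larger struct is added later.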