From f6af357763a13fe7d1f2a8997dae8004796c430a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?kleines=20Filmr=C3=B6llchen?=
Date: Wed, 15 Jun 2022 21:35:02 +0200
Subject: Kernel/Audio: Fix buffer size underflow for non-page-aligned sizes
When the size of the audio data was not a multiple of a page size, subtracting the page size from this unsigned variable would underflow it close to 2^32 and be clamped to the page size again. This would lead to writes into garbage addresses because of an incorrect write size, interestingly only causing the write() call to error out. Using saturating math neatly fixes this problem and allows buffer lengths that are not a multiple of a page size.
---
 Kernel/Devices/Audio/AC97.cpp | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/Kernel/Devices/Audio/AC97.cpp b/Kernel/Devices/Audio/AC97.cpp
index 70326df7e4..85c5dda52b 100644
--- a/Kernel/Devices/Audio/AC97.cpp
+++ b/Kernel/Devices/Audio/AC97.cpp
@@ -207,12 +207,12 @@ ErrorOr AC97::write(size_t channel_index, UserOrKernelBuffer const& data
 m_buffer_descriptor_list = TRY(MM.allocate_dma_buffer_pages(buffer_descriptor_list_size, "AC97 Buffer Descriptor List"sv, Memory::Region::Access::Write));
 }
- auto remaining = length;
+ Checked remaining = length;
 size_t offset = 0;
- while (remaining > 0) {
- TRY(write_single_buffer(data, offset, min(remaining, PAGE_SIZE)));
+ while (remaining > static_cast(0)) {
+ TRY(write_single_buffer(data, offset, min(remaining.value(), PAGE_SIZE)));
 offset += PAGE_SIZE;
- remaining -= PAGE_SIZE;
+ remaining.saturating_sub(PAGE_SIZE);
 }
 return length;
--
cgit v1.2.3
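Review bot: The copy loop still tracks one position in two variables, `offset` and the `Checked` counter `remaining`, and the underflow fixed here lived entirely in the second one. Deriving the chunk size from a single counter would make the wrap structurally impossible and drop both the wrapper and the `static_cast`: `for (size_t offset = 0; offset < length; offset += PAGE_SIZE)` with `TRY(write_single_buffer(data, offset, min(length - offset, PAGE_SIZE)));`, since `length - offset` cannot wrap while `offset < length`. Because `length` is supplied by the write() caller, a short comment on the loop saying that the final chunk may be shorter than `PAGE_SIZE` would help the next reader preserve that invariant. AC97::write starts and ends outside the hunk, so how `length` is bounded before the loop is not visible here.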