Return-Path: <cyrus@holtmann.org>
From: Szymon Janc <szymon.janc@tieto.com>
To: Andrei Emeltchenko <Andrei.Emeltchenko.news@gmail.com>
Cc: linux-bluetooth@vger.kernel.org
Subject: Re: [RFC] android/hal-audio: Fix wrong memory access
Date: Mon, 26 May 2014 14:39:09 +0200
Message-ID: <1891719.cXgZzUXdHp@uw000953>
In-Reply-To: <1400764022-26666-1-git-send-email-Andrei.Emeltchenko.news@gmail.com>
References: <1400764022-26666-1-git-send-email-Andrei.Emeltchenko.news@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Sender: linux-bluetooth-owner@vger.kernel.org
List-ID: <linux-bluetooth.vger.kernel.org>

Hi Andrei,

On Thursday 22 of May 2014 16:07:02 Andrei Emeltchenko wrote:
> From: Andrei Emeltchenko <andrei.emeltchenko@intel.com>
> 
> downmix_buf is allocated to have buffer size FIXED_BUFFER_SIZE / 2, when
> we access it as (int16_t *) we shall device index by 2.
> ---
>  android/hal-audio.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/android/hal-audio.c b/android/hal-audio.c
> index 7305bb6..96fa5c3 100644
> --- a/android/hal-audio.c
> +++ b/android/hal-audio.c
> @@ -984,7 +984,7 @@ static void downmix_to_mono(struct a2dp_stream_out *out, const uint8_t *buffer,
>  	int16_t *output = (void *) out->downmix_buf;
>  	size_t i;
>  
> -	for (i = 0; i < bytes / 2; i++) {
> +	for (i = 0; i < bytes / (2 * sizeof(int16_t)); i++) {
>  		int16_t l = le16_to_cpu(get_unaligned(&input[i * 2]));
>  		int16_t r = le16_to_cpu(get_unaligned(&input[i * 2 + 1]));
>  

Although RFC I've applied this patch but modified commit message and added
a local 'frames' variable with comment where this calculation comes from.
Thanks.

-- 
Best regards, 
Szymon Janc