Return-Path:
From: Andrei Emeltchenko
To: linux-bluetooth@vger.kernel.org
Subject: [RFC] android/hal-audio: Fix wrong memory access
Date: Thu, 22 May 2014 16:07:02 +0300
Message-Id: <1400764022-26666-1-git-send-email-Andrei.Emeltchenko.news@gmail.com>
Sender: linux-bluetooth-owner@vger.kernel.org
List-ID:

From: Andrei Emeltchenko

downmix_buf is allocated to have buffer size FIXED_BUFFER_SIZE / 2, when we access it as (int16_t *) we shall divide index by 2.
--- android/hal-audio.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/android/hal-audio.c b/android/hal-audio.c index 7305bb6..96fa5c3 100644 --- a/android/hal-audio.c +++ b/android/hal-audio.c @@ -984,7 +984,7 @@ static void downmix_to_mono(struct a2dp_stream_out *out, const uint8_t *buffer, int16_t *output = (void *) out->downmix_buf; size_t i; - for (i = 0; i < bytes / 2; i++) { + for (i = 0; i < bytes / (2 * sizeof(int16_t)); i++) { int16_t l = le16_to_cpu(get_unaligned(&input[i * 2])); int16_t r = le16_to_cpu(get_unaligned(&input[i * 2 + 1])); -- 1.8.3.2
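Review bot: The new loop bound `bytes / (2 * sizeof(int16_t))` is right for 16-bit stereo frames, but nothing in the hunk ties it to the size of `out->downmix_buf`. With one 16-bit output sample per iteration the loop fills `bytes / 2` bytes of `output`, and the commit message gives the buffer as FIXED_BUFFER_SIZE / 2, so the function stays in bounds only while every caller passes `bytes <= FIXED_BUFFER_SIZE`. Consider rejecting or clamping a larger `bytes` at the top of downmix_to_mono() instead of relying on the callers. The commit message should also record that the old bound `bytes / 2` overran the source as well: assuming `input` is `buffer` viewed as 16-bit samples, `input[i * 2 + 1]` reached sample index `bytes - 1` on the last iteration, which is twice the length of `buffer`. A short comment or a named constant saying the divisor is one stereo frame would read better than the inline `2 * sizeof(int16_t)`, and it is worth stating that a trailing partial frame (`bytes` not a multiple of 4) is silently dropped.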