From bf4ed63eac2a84a58900e74799446dd61d2c88e3 Mon Sep 17 00:00:00 2001
From: "Tux3 / Mlkj / !Lev.uXFMLA"
Date: Sat, 15 Nov 2014 17:04:09 +0100
Subject: [PATCH] Fix buffer overflow with >1 audio input channel
Fixes #760
---
 src/coreav.cpp | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/src/coreav.cpp b/src/coreav.cpp
index 75733b2d8..969b49f02 100644
--- a/src/coreav.cpp
+++ b/src/coreav.cpp
@@ -223,15 +223,16 @@ void Core::sendCallAudio(int callId, ToxAv* toxav)
 return;
 }
- int framesize = (calls[callId].codecSettings.audio_frame_duration * calls[callId].codecSettings.audio_sample_rate) / 1000 * av_DefaultSettings.audio_channels;
- uint8_t buf[framesize*2], dest[framesize*2];
+ const int framesize = (calls[callId].codecSettings.audio_frame_duration * calls[callId].codecSettings.audio_sample_rate) / 1000 * av_DefaultSettings.audio_channels;
+ const int bufsize = framesize * 2 * av_DefaultSettings.audio_channels;
+ uint8_t buf[bufsize], dest[bufsize];
 bool frame = false;
 ALint samples;
 alcGetIntegerv(alInDev, ALC_CAPTURE_SAMPLES, sizeof(samples), &samples);
 if(samples >= framesize)
 {
- memset(buf, 0, framesize*2); // Avoid uninitialized values (Valgrind)
+ memset(buf, 0, bufsize); // Avoid uninitialized values (Valgrind)
 alcCaptureSamples(alInDev, buf, framesize);
 frame = 1;
 }
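Review bot: `uint8_t buf[bufsize], dest[bufsize];` keeps both buffers as variable-length stack arrays, and nothing in the hunk bounds `bufsize` or rejects a zero or negative `framesize` before they are declared. The size comes from the per-call `codecSettings` multiplied twice by `av_DefaultSettings.audio_channels`; if those settings can be negotiated by the remote peer (not visible here), a large frame duration or sample rate translates directly into stack usage. A guard before the declaration, for example `if (framesize <= 0 || bufsize > MAX_CAPTURE_BYTES) return;` with `MAX_CAPTURE_BYTES` as a placeholder for a project constant, or a heap-allocated buffer, would make the limit explicit. The same declaration pattern is in the `sendGroupCallAudio` hunk, and both function bodies continue outside the hunks.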
@@ -653,15 +654,16 @@ void Core::sendGroupCallAudio(int groupId, ToxAv* toxav)
 return;
 }
- int framesize = (groupCalls[groupId].codecSettings.audio_frame_duration * groupCalls[groupId].codecSettings.audio_sample_rate) / 1000 * av_DefaultSettings.audio_channels;
- uint8_t buf[framesize*2];
+ const int framesize = (groupCalls[groupId].codecSettings.audio_frame_duration * groupCalls[groupId].codecSettings.audio_sample_rate) / 1000 * av_DefaultSettings.audio_channels;
+ const int bufsize = framesize * 2 * av_DefaultSettings.audio_channels;
+ uint8_t buf[bufsize];
 bool frame = false;
 ALint samples;
 alcGetIntegerv(alInDev, ALC_CAPTURE_SAMPLES, sizeof(samples), &samples);
 if(samples >= framesize)
 {
- memset(buf, 0, framesize*2); // Avoid uninitialized values (Valgrind)
+ memset(buf, 0, bufsize); // Avoid uninitialized values (Valgrind)
 alcCaptureSamples(alInDev, buf, framesize);
 frame = 1;
 }
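Review bot: `framesize` already contains the `av_DefaultSettings.audio_channels` factor, yet it is still the value compared with the `ALC_CAPTURE_SAMPLES` count and passed to `alcCaptureSamples`, so the new `bufsize` compensates for the unit mismatch rather than removing it. OpenAL counts capture samples per frame across all channels, so with more than one channel this appears to capture several frame durations per call; whether that is intended cannot be told from the hunk. Either drop the channel factor from `framesize` and size the buffer in bytes from it (assuming 16-bit capture, which is configured outside the hunk), or document the units with a comment such as `// framesize: samples incl. channel factor; bufsize: bytes, 2 = 16-bit sample (assumed)`. `sendCallAudio` has the same arithmetic.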