Limit the size of the QnxAudioOutput stack buffer

QnxAudioOutput allocates a buffer on the stack based on the free value
from snd_pcm_plugin_status, but the way that QnxAudioOutput configures
the stream, how QnxAudioOutput currently pauses playback, and a bug in
io-audio combine to cause io-audio to produce very large free values
when resuming playback after a long pause.  As a result, QnxAudioOutput
allocates a stack buffer that causes a stack overflow.  Allocating
a buffer on the stack with a size that isn't restrained in any way
isn't a good idea.  Put some constraints on the size.

Change-Id: I2b72e72504041f0caeb591912662fb9bed931b21
Reviewed-by: Dan Cape <dcape@qnx.com>
Reviewed-by: Yoann Lopes <yoann.lopes@qt.io>

1 files changed, 4 insertions, 1 deletions

diff --git a/src/plugins/qnx-audio/audio/qnxaudiooutput.cpp b/src/plugins/qnx-audio/audio/qnxaudiooutput.cpp
index d5805c2bd..5cfffe990 100644
--- a/src/plugins/qnx-audio/audio/qnxaudiooutput.cpp
+++ b/src/plugins/qnx-audio/audio/qnxaudiooutput.cpp
@@ -223,7 +223,10 @@ void QnxAudioOutput::pullData()
     if (frames == 0 || bytesAvailable < periodSize())
         return;
 
-    const int bytesRequested = m_format.bytesForFrames(frames);
+    // The buffer is placed on the stack so no more than 64K or 1 frame
+    // whichever is larger.
+    const int maxFrames = qMax(m_format.framesForBytes(64 * 1024), 1);
+    const int bytesRequested = m_format.bytesForFrames(qMin(frames, maxFrames));
 
     char buffer[bytesRequested];
     const int bytesRead = m_source->read(buffer, bytesRequested);