QPulseAudioSource: fix UB (memcpy() called with nullptr dest) in read()

deviceReady() calls read(nullptr, 0), but calling memcpy() with a
nullpt destination is UB, even if the length is simulateneously zero.

Ditto applyVolume() (called from read()).

Fix by guarding the memcpy() calls.

Add assertions to indicate that for these functions, nullptr is valid
input iff length is zero.

Found by clangsa's core.NonNullParamChecker.

Change-Id: I9006b0e933e196a7a212e0ebe2bd27f6b9552518
Reviewed-by: Rafael Roquetto <rafael.roquetto@qt.io>
(cherry picked from commit 8df415d5bcf23462bedb4cb7601b909851ee15dd)

1 files changed, 6 insertions, 2 deletions

diff --git a/src/multimedia/platform/pulseaudio/qpulseaudiosource.cpp b/src/multimedia/platform/pulseaudio/qpulseaudiosource.cpp
index 8aaaba550..19e82c092 100644
--- a/src/multimedia/platform/pulseaudio/qpulseaudiosource.cpp
+++ b/src/multimedia/platform/pulseaudio/qpulseaudiosource.cpp
@@ -406,6 +406,8 @@ qsizetype QPulseAudioSource::bytesReady() const
 
 qint64 QPulseAudioSource::read(char *data, qint64 len)
 {
+    Q_ASSERT(data != nullptr || len == 0);
+
     m_bytesAvailable = checkBytesReady();
 
     setError(QAudio::NoError);
@@ -416,7 +418,8 @@ qint64 QPulseAudioSource::read(char *data, qint64 len)
 
     if (!m_pullMode && !m_tempBuffer.isEmpty()) {
         readBytes = qMin(static_cast<int>(len), m_tempBuffer.size());
-        memcpy(data, m_tempBuffer.constData(), readBytes);
+        if (readBytes)
+            memcpy(data, m_tempBuffer.constData(), readBytes);
         m_totalTimeValue += readBytes;
 
         if (readBytes < m_tempBuffer.size()) {
@@ -502,9 +505,10 @@ qint64 QPulseAudioSource::read(char *data, qint64 len)
 
 void QPulseAudioSource::applyVolume(const void *src, void *dest, int len)
 {
+    Q_ASSERT((src && dest) || len == 0);
     if (m_volume < 1.f)
         QAudioHelperInternal::qMultiplySamples(m_volume, m_format, src, dest, len);
-    else
+    else if (len)
         memcpy(dest, src, len);
 }