Source Code Project Mantis - FSSCP
View Issue Details
0002314 | FSSCP | sound | public | 2010-09-26 11:09 | 2010-09-26 12:02
Assigned To: Echelon9
Platform: | OS: | OS Version:
Product Version: 3.6.13
Target Version: | Fixed in Version: 3.6.13
Summary: 0002314: Write outside the aav_data[3] array via an off-by-one
Description: Possible problem with the adjust-audio-volume SEXP code is that the snd_adjust_audio_volume(int type, float percent, int time) function can currently attempt to write outside the aav_data[3] array via an off-by-one. The debug Assert() check is for an index into that array of less than 4, although as an array starting at zero the three elements have indices 0, 1 and 2.

The one call to snd_adjust_audio_volume() in sexp_adjust_audio_volume() uses the audio_volume_option_lookup() function to pick the 'type'. This has a comment "\t1:\tSound Type to adjust, either Master, Music, Voice or Effects\r\n" i.e. 4 elements even though the SEXP doesn't appear to offer the ability to adjust the Master volume, which may be the cause of the confusion.

audio_volume_option_lookup() can also return -1, which is an error code not checked for (on non-Debug), and would have likewise led to an out of bounds write to the aav_data array.
Additional Information: Introduction of the SEXP here
Tags: No tags attached.
Attached Files: patch mantis-2314.patch (538) 2010-09-26 11:10
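
The two failure cases in the description (index 3, and the -1 error return from the lookup), as an added example that is not the project's code nor the patch applied in r6524. The struct fields, the option order, and the names `option_lookup`, `reported_check_passes` and `adjust_volume_checked` are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the per-type state; field names are assumptions. */
typedef struct { float percent; int time_ms; } aav_entry;

static aav_entry aav_data[3];                       /* valid indices: 0, 1, 2 */
#define AAV_COUNT ((int)(sizeof aav_data / sizeof aav_data[0]))

/* Constructed lookup: index of the option name, or -1 when it is unknown.
 * The option order is an assumption; "Master" is deliberately not offered. */
static int option_lookup(const char *name)
{
    static const char *const options[] = { "Music", "Voice", "Effects" };
    for (int i = 0; i < AAV_COUNT; i++)
        if (strcmp(name, options[i]) == 0)
            return i;
    return -1;
}

/* The condition as reported: "index less than 4". Returns 1 when the index
 * would be let through. It has no lower bound, so -1 passes as well. */
static int reported_check_passes(int type) { return type < 4; }

/* Bounds check derived from the array itself and enforced in every build,
 * not only where a debug Assert() is compiled in. Returns 0 on success. */
static int adjust_volume_checked(int type, float percent, int time_ms)
{
    if (type < 0 || type >= AAV_COUNT)
        return -1;                                  /* reject, write nothing */
    aav_data[type].percent = percent;
    aav_data[type].time_ms = time_ms;
    return 0;
}

int main(void)
{
    const int probes[] = { -1, 0, 2, 3 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("type %2d: reported check %s, bounded write %s\n", probes[i],
               reported_check_passes(probes[i]) ? "passes" : "fails",
               adjust_volume_checked(probes[i], 50.0f, 1000) == 0 ? "ok" : "rejected");
    printf("lookup(\"Master\") = %d\n", option_lookup("Master"));
    return 0;
}
```

Deriving the limit from `sizeof aav_data` keeps the check correct if the array is later resized.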

2010-09-26 11:10   
Proposed patch attached.
2010-09-26 11:38   
Yeah, sorry, my bad. Forgot to remove some bits from when I was still developing this.
2010-09-26 11:58   
Fixed in revision 6524
2010-09-26 12:02   
Resolved, with slightly modified patch in r6524

Issue History
2010-09-26 11:09 | Echelon9 | New Issue
2010-09-26 11:09 | Echelon9 | Status | new => assigned
2010-09-26 11:09 | Echelon9 | Assigned To | => Echelon9
2010-09-26 11:10 | Echelon9 | File Added: mantis-2314.patch
2010-09-26 11:10 | Echelon9 | Note Added: 0012363
2010-09-26 11:38 | The_E | Note Added: 0012364
2010-09-26 11:58 | The_E | Note Added: 0012365
2010-09-26 11:59 | The_E | Status | assigned => resolved
2010-09-26 11:59 | The_E | Fixed in Version | => 3.6.13
2010-09-26 11:59 | The_E | Resolution | open => fixed
2010-09-26 12:02 | Echelon9 | Note Added: 0012366