http://bugs.winehq.org/show_bug.cgi?id=12349
--- Comment #2 from Jörg Höhle hoehle@users.sourceforge.net 2008-04-04 05:43:48 ---
Fix heap off by one error as "for (i = 0; i < len; i+=2)" loops once with len=1 even though it must not. This is exactly what happened in this trace (with 16 bits per sample):
trace:dsound:DSOUND_MixerVol (0x1359528,2048)
trace:dsound:DSOUND_MixerVol (0x1359528,2050)
Program ran fine as long as len was a multiple of 4, not just 2.
This patch code is put under the same copyright as wine as of version 0.9.58, c.f. src/git/wine/{LICENSE,COPYING.LIB}
2008-04-03 Jörg Höhle hoehle@users.sourceforge.net
* dlls/dsound/mixer.c: dsound: fix heap off by one overflow in DSOUND_MixerVol.
--- dlls/dsound/mixer.c.orig 2008-01-17 10:14:34.000000000 +0100 +++ dlls/dsound/mixer.c 2008-04-03 22:26:33.000000000 +0200 @@ -444,7 +444,7 @@ case 8: /* 8-bit WAV is unsigned, but we need to operate */ /* on signed data for this to work properly */ - for (i = 0; i < len; i+=2) { + for (i = 1; i < len; i+=2) { *(bpc++) = (((*(mem++) - 128) * vLeft) >> 16) + 128; *(bpc++) = (((*(mem++) - 128) * vRight) >> 16) + 128; } @@ -453,7 +453,7 @@ break; case 16: /* 16-bit WAV is signed -- much better */ - for (i = 0; i < len; i += 4) { + for (i = 3; i < len; i += 4) { *(bps++) = (*(mems++) * vLeft) >> 16; *(bps++) = (*(mems++) * vRight) >> 16; }
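Review bot: In the `case 8:` loop, the new start value `i = 1` is only understandable once you notice that each pass writes two bytes through `bpc`, so the condition really asks whether the last byte of the current frame is still inside the buffer. State that directly, for example `for (i = 0; i + 1 < len; i += 2)`, or loop over a frame count of `len / 2`, and add a one-line comment that an odd trailing byte is deliberately left untouched.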
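Review bot: In the `case 16:` loop, when `len` is not a multiple of 4 the bytes after the last complete frame are now skipped with no volume applied, which for the `len` of 2050 in the reported trace means the final 16-bit sample keeps its original level. That is preferable to writing past the buffer, but it is worth checking why the caller passes a length that is not frame-aligned, and a trace or warning when `len % 4 != 0` would make the case visible. The bound would also read more plainly as `for (i = 0; i + 3 < len; i += 4)` than with a start value of 3.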