From 49209da54f9580c80e96b5a33351d24d59599926 Mon Sep 17 00:00:00 2001
From: Andrew Scull <ascull@google.com>
Date: Sun, 3 Apr 2022 10:39:13 +0000
Subject: [PATCH] sound: Fix buffer overflow in square wave generation

Data is written for each channel but is only tracked as having one
channel written. This resulted in a buffer overflow and corruption of
the allocator's metadata which caused further problems when the buffer
was later freed. This could be observed with sandbox unit tests.

Resolve the overflow by tracking the writes for each channel.

Fixes: f987177db9 ("dm: sound: Use the correct number of channels for sound")
Signed-off-by: Andrew Scull <ascull@google.com>
Cc: Simon Glass <sjg@chromium.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
---
 drivers/sound/sound.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/drivers/sound/sound.c b/drivers/sound/sound.c
index b0eab23..041dfdc 100644
--- a/drivers/sound/sound.c
+++ b/drivers/sound/sound.c
@@ -25,13 +25,11 @@ void sound_create_square_wave(uint sample_rate, unsigned short *data, int size,
 		int i, j;
 
 		for (i = 0; size && i < half; i++) {
-			size -= 2;
-			for (j = 0; j < channels; j++)
+			for (j = 0; size && j < channels; j++, size -= 2)
 				*data++ = amplitude;
 		}
 		for (i = 0; size && i < period - half; i++) {
-			size -= 2;
-			for (j = 0; j < channels; j++)
+			for (j = 0; size && j < channels; j++, size -= 2)
 				*data++ = -amplitude;
 		}
 	}
-- 
2.7.4