Doppler effect sound effects cause buffer overread

Sounds that use dopplerScale (e.g., rocket launcher) exhibited a buffer over-read. S_PaintChannelFrom16's ofst reads past end of sfx->pSoundData buffer. To resolve this, take dopplerScale increments of ofst into consideration when calculating count, which controls the loop for ofst. Resolves: #1038 See also: 69800e8
JACoders · Jun 9, 2020 · 0218d2d · 0218d2d
1 parent 4974446
commit 0218d2d
Showing 1 changed file with 14 additions and 5 deletions.
diff --git a/codemp/client/snd_mix.cpp b/codemp/client/snd_mix.cpp
@@ -281,9 +281,6 @@ static void S_PaintChannelFrom16( channel_t *ch, const sfx_t *sfx, int count, in
 
 	for ( int i=0 ; i<count ; i++ )
 	{
-		// have we run off the end?
-		if ((int)ofst >= sfx->iSoundLengthInSamples)
-			break;
 		iData = sfx->pSoundData[ (int)ofst ];
 
 		pSamplesDest[i].left  += (iData * iLeftVol )>>8;
@@ -446,8 +443,20 @@ void S_PaintChannels( int endtime ) {
 				}
 
 				count = end - ltime;
-				if ( sampleOffset + count > sc->iSoundLengthInSamples ) {
-					count = sc->iSoundLengthInSamples - sampleOffset;
+				if ( ch->doppler && ch->dopplerScale > 1 ) {
+					if ( sampleOffset + (count * ch->dopplerScale) > sc->iSoundLengthInSamples ) {
+						count = (sc->iSoundLengthInSamples - sampleOffset) / ch->dopplerScale;
+
+						// avoid infinite loop once length of remaining pSoundData (numerator)
+						//	is smaller than dopplerScale (denominator), resulting in 0.
+						if ( count == 0 ) {
+							break;
+						}
+					}
+				} else {
+					if ( sampleOffset + count > sc->iSoundLengthInSamples ) {
+						count = sc->iSoundLengthInSamples - sampleOffset;
+					}
 				}
 
 				if ( count > 0 ) {