fix(audio): keep the data pointed to by tmpDevName in scope

Fix the use after free in Audio::initInput and Audio::initOutput by storing the buffer returned by QString::toUtf8 (which contains data pointed to by tmpDevName) in an intermediate variable, preventing the buffer from falling out of scope for the duration of the function. Fixes #3786
9 years ago · af37fa7b20
1 changed files with 8 additions and 2 deletions
--- a/src/audio/audio.cpp
+++ b/src/audio/audio.cpp
@ -352,9 +352,12 @@ bool Audio::initInput(const QString& deviceName)
				@@ -352,9 +352,12 @@ bool Audio::initInput(const QString& deviceName)
    const uint32_t chnls = AUDIO_CHANNELS;
    const ALCsizei bufSize = (frameDuration * sampleRate * 4) / 1000 * chnls;

+    const QByteArray qDevName = deviceName.isEmpty()
+                                ? nullptr
+                                : deviceName.toUtf8();
    const ALchar* tmpDevName = deviceName.isEmpty()
                               ? nullptr
-                               : deviceName.toUtf8().constData();
+                               : qDevName.constData();
    alInDev = alcCaptureOpenDevice(tmpDevName, sampleRate, stereoFlag, bufSize);

    // Restart the capture if necessary
@ -386,9 +389,12 @@ bool Audio::initOutput(const QString& deviceName)
				@@ -386,9 +389,12 @@ bool Audio::initOutput(const QString& deviceName)
    qDebug() << "Opening audio output" << deviceName;
    assert(!alOutDev);

+    const QByteArray qDevName = deviceName.isEmpty()
+                                ? nullptr
+                                : deviceName.toUtf8();
    const ALchar* tmpDevName = deviceName.isEmpty()
                               ? nullptr
-                               : deviceName.toUtf8().constData();
+                               : qDevName.constData();
    alOutDev = alcOpenDevice(tmpDevName);

    if (!alOutDev)