From af6f663e6aca0e57017db693cf3dda95fc2cfb48 Mon Sep 17 00:00:00 2001
From: Andre Noll
Date: Mon, 22 Oct 2007 23:53:53 +0200
Subject: [PATCH] Fix off-by-one bug in chunktable saving.

Chunk table indices go from 0 to num_chunks, so the size is (num_chunks + 1) * 4.
---
 aft.c | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/aft.c b/aft.c
index ff2691f9..b0974554 100644
--- a/aft.c
+++ b/aft.c
@@ -349,11 +349,13 @@ static void load_afhi(const char *buf, struct audio_format_info *afhi)
 strcpy(afhi->info_string, buf + AFHI_INFO_STRING_OFFSET);
 }
+//#define SIZEOF_CHUNK_TABLE(afhi) (((afhi)->chunks_total + 1) * sizeof(uint32_t))
+
 static unsigned sizeof_chunk_info_buf(struct audio_format_info *afhi)
 {
 if (!afhi)
 return 0;
- return 4 * afhi->chunks_total + 20;
+ return 4 * (afhi->chunks_total + 1) + 20;
 }
@@ -376,14 +378,16 @@ enum chunk_info_offsets{
 static void save_chunk_table(struct audio_format_info *afhi, char *buf)
 {
 int i;
- for (i = 0; i < afhi->chunks_total; i++)
+
+ PARA_NOTICE_LOG("%lu chunks\n", afhi->chunks_total);
+ for (i = 0; i <= afhi->chunks_total; i++)
 write_u32(buf + 4 * i, afhi->chunk_table[i]);
 }
 static void load_chunk_table(struct audio_format_info *afhi, char *buf)
 {
 int i;
- for (i = 0; i < afhi->chunks_total; i++)
+ for (i = 0; i <= afhi->chunks_total; i++)
 afhi->chunk_table[i] = read_u32(buf + 4 * i);
 }
@@ -413,9 +417,9 @@ static int load_chunk_info(struct osl_object *obj, struct audio_format_info *afh
 afhi->chunk_tv.tv_sec = read_u32(buf + CHUNK_TV_TV_SEC_OFFSET);
 afhi->chunk_tv.tv_usec = read_u32(buf + CHUNK_TV_TV_USEC);
- if (afhi->chunks_total * 4 + CHUNK_TABLE_OFFSET > obj->size)
+ if ((afhi->chunks_total + 1) * 4 + CHUNK_TABLE_OFFSET > obj->size)
 return -E_BAD_DATA_SIZE;
- afhi->chunk_table = para_malloc(afhi->chunks_total * sizeof(size_t));
+ afhi->chunk_table = para_malloc((afhi->chunks_total + 1) * 4);
 load_chunk_table(afhi, buf + CHUNK_TABLE_OFFSET);
 return 1;
 }
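Review bot: The table size is still spelled by hand at every site that needs it, while the helper that would centralise it is added commented out (`//#define SIZEOF_CHUNK_TABLE(afhi) ...`) in the first hunk. After this patch the same quantity appears as `4 * (afhi->chunks_total + 1) + 20` in sizeof_chunk_info_buf(), as `(afhi->chunks_total + 1) * 4 + CHUNK_TABLE_OFFSET` in load_chunk_info() and as `4 * (afd->afhi.chunks_total + 1)` in save_afd(), which is the kind of duplication that lets an off-by-one survive in one place. Either enable the macro and use it at each site, or drop the commented line. The literal `20` presumably equals CHUNK_TABLE_OFFSET; if so, writing the constant would make sizeof_chunk_info_buf() agree visibly with the check in load_chunk_info().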
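Review bot: The added `PARA_NOTICE_LOG("%lu chunks\n", afhi->chunks_total);` in save_chunk_table() reads like debugging output left in; it is emitted at notice level on every table save and should be dropped or moved to a debug-level log. Both loops in this hunk also compare `int i` with `<=` against a count that the `%lu` format implies is unsigned long, so declaring the index as `unsigned long i;` would keep the comparison in one type. Neither function states how large buf must be; a comment such as `/* buf must hold (afhi->chunks_total + 1) * 4 bytes */` above each would record the contract this patch corrects.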
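Review bot: The new allocation in load_chunk_info(), `para_malloc((afhi->chunks_total + 1) * 4)`, hard-codes a 4-byte element where the removed line used `sizeof(size_t)`, and load_chunk_table() then stores through `afhi->chunk_table[i]`. The field's declaration is outside this diff; if chunk_table is still a `size_t *`, each store is 8 bytes wide on an LP64 build and the loop writes past the end of the allocation. Sizing by the pointee removes that dependency: `afhi->chunk_table = para_malloc((afhi->chunks_total + 1) * sizeof(*afhi->chunk_table));`. The same allocation is introduced in load_afd() in the last hunk and needs the same change. load_chunk_info() begins outside the hunk.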
@@ -620,7 +624,7 @@ static int save_afd(struct audio_file_data *afd)
 {
 size_t path_size = strlen(afd->path) + 1;
 size_t size = sizeof(*afd) + path_size
- + 4 * afd->afhi.chunks_total;
+ + 4 * (afd->afhi.chunks_total + 1);
 PARA_NOTICE_LOG("size: %zu\n", size);
 int shmid, ret = shm_new(size);
@@ -660,7 +664,7 @@ int load_afd(int shmid, struct audio_file_data *afd)
 buf += sizeof(*afd);
 afd->path = para_strdup(buf);
 buf += strlen(buf) + 1;
- afd->afhi.chunk_table = para_malloc(afd->afhi.chunks_total * sizeof(size_t));
+ afd->afhi.chunk_table = para_malloc((afd->afhi.chunks_total + 1) * 4);
 load_chunk_table(&afd->afhi, buf);
 shm_detach(shm_afd);
 return 1;
-- 
2.39.2
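Review bot: In load_afd(), load_chunk_table() now reads `(chunks_total + 1) * 4` bytes starting at buf, but nothing in the visible lines checks that this range, or the preceding `strlen(buf)`, stays inside the attached segment. chunks_total comes from the struct copied out of shared memory, so a segment whose size does not match what save_afd() computed would be read past its end. The start of the function is outside the hunk, so a check may already exist there; if not, compare `sizeof(*afd) + strlen(path) + 1 + 4 * (chunks_total + 1)` against the segment size before allocating and return an error on mismatch. If only save_afd() can ever write the segment, this is a consistency check rather than a trust boundary, but it keeps the two functions from drifting apart again.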