bpmdetect: Pass at most 2048 samples to SoundTouch's BPMDetect

Internally BPMDetect assumes that at most 2048 samples are passed
to it at once and stores those in a stack allocated static sized
array. If we pass too many samples this will result in a buffer overflow
resulting in heavy stack corruption and a crash. Fixes bug #570996.

1 files changed, 16 insertions, 4 deletions

diff --git a/ext/soundtouch/gstbpmdetect.cc b/ext/soundtouch/gstbpmdetect.cc
index 8b1d7f1f..04f26bb8 100644
--- a/ext/soundtouch/gstbpmdetect.cc
+++ b/ext/soundtouch/gstbpmdetect.cc
@@ -207,12 +207,24 @@ gst_bpm_detect_transform_ip (GstBaseTransform * trans, GstBuffer * in)
    * data but our buffer data shouldn't be modified.
    */
   if (filter->format.channels == 1) {
-    bpm_detect->priv->detect->inputSamples ((gfloat *) GST_BUFFER_DATA (in),
-        nsamples);
+    gfloat *inbuf = (gfloat *) GST_BUFFER_DATA (in);
+
+    while (nsamples > 0) {
+      bpm_detect->priv->detect->inputSamples (inbuf, MIN (nsamples, 2048));
+      nsamples -= 2048;
+      inbuf += 2048;
+    }
   } else {
-    gfloat *data =
+    gfloat *data, *inbuf;
+
+    data = inbuf =
         (gfloat *) g_memdup (GST_BUFFER_DATA (in), GST_BUFFER_SIZE (in));
-    bpm_detect->priv->detect->inputSamples (data, nsamples);
+
+    while (nsamples > 0) {
+      bpm_detect->priv->detect->inputSamples (inbuf, MIN (nsamples, 2048));
+      nsamples -= 2048;
+      inbuf += 2048 * 2;
+    }
     g_free (data);
   }