From f661dc596e4c1b7d2d6479afbf4cb4690d6d3a7b Mon Sep 17 00:00:00 2001
From: Aidan MacDonald
Date: Sat, 7 May 2022 15:52:26 +0100
Subject: pictureflow: fix bug in calculation of album art buf size

I intended to check for enough space in buffer but this isn't really doing it and it is making aa_bufsz slightly too big so it's a possible buffer overflow.

Restore the old ALIGN_DOWN(..., 4) rounding in case it's important, if not, then no harm done.

Change-Id: I904f255ac79a77d5328b44667502ceae8308e659
---
 apps/plugins/pictureflow/pictureflow.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/apps/plugins/pictureflow/pictureflow.c b/apps/plugins/pictureflow/pictureflow.c
index 83d4bb5a59..b2d170329e 100644
--- a/apps/plugins/pictureflow/pictureflow.c
+++ b/apps/plugins/pictureflow/pictureflow.c
@@ -4303,7 +4303,7 @@ static int pictureflow_main(const char* selected_file)
 number_of_slides = pf_idx.album_ct;
- size_t aa_bufsz = pf_idx.buf_sz / 4 + sizeof(long) - 1;
+ size_t aa_bufsz = ALIGN_DOWN(pf_idx.buf_sz / 4, sizeof(long));
 if (aa_bufsz < DISPLAY_WIDTH * DISPLAY_HEIGHT * sizeof(pix_t)) {
 error_wait("Not enough memory for album art cache");
@@ -4313,6 +4313,7 @@ static int pictureflow_main(const char* selected_file)
 ALIGN_BUFFER(pf_idx.buf, pf_idx.buf_sz, sizeof(long));
 aa_cache.buf = (char*) pf_idx.buf;
 aa_cache.buf_sz = aa_bufsz;
+ pf_idx.buf += aa_bufsz;
 pf_idx.buf_sz -= aa_bufsz;
--
cgit v1.2.3
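Review bot: The new `aa_bufsz` is a quarter of `pf_idx.buf_sz` as it stands before the `ALIGN_BUFFER(pf_idx.buf, pf_idx.buf_sz, sizeof(long))` call in the second hunk trims that size, so the "Not enough memory" check is made against a pre-alignment value and the later `pf_idx.buf_sz -= aa_bufsz` subtracts a quarter of the untrimmed size from the trimmed one. With the minimum of `DISPLAY_WIDTH * DISPLAY_HEIGHT * sizeof(pix_t)` bytes enforced the gap of at most a few `sizeof(long)` bytes cannot underflow, but the reasoning is non-local; computing `aa_bufsz` after the `ALIGN_BUFFER` line would make it self-evident. The commit message leaves the reason for `ALIGN_DOWN` open, while the code pins it down: the cache is carved off the front of a `sizeof(long)`-aligned buffer, so a multiple of `sizeof(long)` keeps the remainder aligned. I would record that on the `+` line: `/* multiple of sizeof(long): keeps pf_idx.buf aligned once the cache is carved off its front */`. pictureflow_main begins and ends outside this hunk, so the lines between the two hunks (4309–4312) are not visible here.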
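Review bot: The added `pf_idx.buf += aa_bufsz;` does pointer arithmetic on `pf_idx.buf` directly, yet the line above casts it with `(char*) pf_idx.buf`, which suggests the field is not a `char *` — if it is `void *`, the increment compiles only under GCC's void-pointer arithmetic extension and is not standard C. Writing it as `pf_idx.buf = (char *)pf_idx.buf + aa_bufsz;` is portable and matches the cast already used for `aa_cache.buf`; if the field is in fact a `char *` the change is harmless. Either way a one-line comment on the new line would help the next reader see the two updates as one carve-off: `/* hand the first aa_bufsz bytes to aa_cache; remainder stays long-aligned */`. The tail of pictureflow_main continues past this hunk.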