author Matti Niemenmaa 2015-06-10 14:21:37 +0300
committer Matti Niemenmaa 2015-07-14 16:19:13 +0300
commit 70cbfd06595cc5d103c808c30c262cb25509608f
tree 9e0a1a1409467b12231106f37429fb30d3bcba09 /buffer-size.patch
parent 0020b937c6ba3474e67ef87cda41a3afa1b87122
Hacky patch for buffer overflow issues

I ran into a case where this 1024-entry buffer was indexed with 1388.

The chosen value for the buffer size is based on the following:

* In pcm8(), the parameter 'buffer_size' is used as the buffer's length.
* The source of that parameter ends up being 'len' in mdx_calc_sample(), which in turn is at most '(data->mdx->dsp_speed * frame)/1000000'.
* 'dsp_speed' is a user-settable parameter defaulting to 44100; let's assume that nobody will want to use a value greater than 192000 and add a check in mdx_set_rate() just in case.
* 'frame' comes from mdx_parse_mml_get_tempo(). When 'self->mdx->tempo' is 0 (I assume it can never be negative), the function computes the maximum possible value: 65536.

Thus we get 65536 * 192000 / 1000000 = 12582.912, which we round up to the next multiple of 1024 for some extra safety.

Note that even with the default 44100 we get 2890.1376 so the overflow was possible even without using mdx_set_rate().

Diffstat (limited to 'buffer-size.patch')
-rw-r--r-- buffer-size.patch 26
1 files changed, 26 insertions, 0 deletions
diff --git a/buffer-size.patch b/buffer-size.patch
new file mode 100644
index 000000000000..229de32d526c
--- /dev/null
+++ b/buffer-size.patch
@@ -0,0 +1,26 @@
+diff --git i/jni/mdxmini/src/mdxmini.c w/jni/mdxmini/src/mdxmini.c
+index a5bb8e3..dd7a89e 100755
+--- i/jni/mdxmini/src/mdxmini.c
++++ w/jni/mdxmini/src/mdxmini.c
+@@ -199,7 +199,7 @@ void mdx_set_dir ( t_mdxmini *data , char * dir )
+
+ void mdx_set_rate( int freq )
+ {
+- dsp_speed = freq;
++ dsp_speed = freq > 192000 ? 192000 : freq;
+ }
+
+ void mdx_set_max_loop(t_mdxmini *data , int loop)
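Review bot: the new clamp in mdx_set_rate() bounds freq only from above, so a zero or negative freq is still stored in dsp_speed unchanged; if the intent is to keep dsp_speed inside a range the buffer sizing can rely on, reject or clamp values below 1 as well. The literal 192000 appears twice in `dsp_speed = freq > 192000 ? 192000 : freq;` and is also the input to the 13312 chosen in pcm8.c, so a named constant shared by both files would keep the two from drifting apart. The clamp is also silent: the function returns void, so a caller asking for a higher rate gets no indication that a different one was applied, which deserves at least a comment.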
+diff --git i/jni/mdxmini/src/pcm8.c w/jni/mdxmini/src/pcm8.c
+index 940f90a..f7c8003 100755
+--- i/jni/mdxmini/src/pcm8.c
++++ w/jni/mdxmini/src/pcm8.c
+@@ -199,7 +199,7 @@ int pcm8_open( MDX_DATA *mdx, songdata *data )
+ self->pcm_buffer = NULL;
+
+
+- self->sample_buffer_size = 1024;
++ self->sample_buffer_size = 13312;
+ // self->dsp_speed * PCM8_SYSTEM_RATE / 1000;
+
+ if ( self->is_encoding_stereo == FLAG_TRUE ) {
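Review bot: 13312 in pcm8_open() is an unexplained magic number in the code itself; its derivation (65536 * 192000 / 1000000, rounded up to a multiple of 1024) lives only in the commit message, and the comment kept directly below it, `// self->dsp_speed * PCM8_SYSTEM_RATE / 1000;`, describes a different formula. Put the derivation in a comment next to the assignment, or compute the size from named constants. The hunk also only enlarges the buffer: nothing visible here checks the length passed to pcm8() against sample_buffer_size, so the fix holds only while the commit message's assumptions about tempo and dsp_speed hold. A check at the point of use that truncates or rejects an oversized length would make the bound enforced rather than assumed.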