From 949f9e6051b76f44e6156e032d7edaa2b1edb90c Mon Sep 17 00:00:00 2001
From: Robin Gareus
Date: Sun, 13 Nov 2022 00:23:12 +0100
Subject: [PATCH] Fix LV2 Atom ringbuffer overflow/corruption

Writing partial messages will lead to undefined behavior. This does not generally happen (LV2 forge prevents overflow of the Atom buffer itself), however if the GUI is frozen messages may accumulate in Ardour's Ringbuffer.
---
 libs/ardour/lv2_plugin.cc | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/libs/ardour/lv2_plugin.cc b/libs/ardour/lv2_plugin.cc
index a415323261..165ae371da 100644
--- a/libs/ardour/lv2_plugin.cc
+++ b/libs/ardour/lv2_plugin.cc
@@ -1742,8 +1742,13 @@ LV2Plugin::write_to(RingBuffer* dest,
 const uint8_t* body)
 {
 const uint32_t buf_size = sizeof(UIMessage) + size;
- vector buf(buf_size);
+ if (dest->write_space () < buf_size) {
+ /* Do not write partial message */
+ return false;
+ }
+
+ vector buf(buf_size);
 UIMessage* msg = (UIMessage*)&buf[0];
 msg->index = index;
 msg->protocol = protocol;
@@ -1781,6 +1786,11 @@ LV2Plugin::write_from_ui(uint32_t index,
 _from_ui = new RingBuffer(rbs);
 }
+ if (_from_ui->write_space () < size) {
+ error << string_compose (_("LV2<%1>: Error writing from UI to plugin"), name()) << endmsg;
+ return false;
+ }
+
 if (!write_to(_from_ui, index, protocol, size, body)) {
 error << string_compose (_("LV2<%1>: Error writing from UI to plugin"), name()) << endmsg;
 return false;
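Review bot: The new `dest->write_space () < buf_size` guard in `write_to` depends on `buf_size`, which is `sizeof(UIMessage) + size` narrowed into a `uint32_t`. If `size` is a 32-bit count coming from the plugin UI (its declaration is outside the hunk), a value close to the 32-bit maximum would wrap `buf_size` to a small number, the guard would pass, and any later copy of `size` bytes into `buf` would run past the allocation. Rejecting that case before the space check, e.g. `if (size > UINT32_MAX - sizeof(UIMessage)) { return false; }`, keeps the guard meaningful. The function's signature and the actual ring-buffer write lie outside the hunk.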
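Review bot: The pre-check added in `write_from_ui` compares `_from_ui->write_space ()` with `size`, but the message that gets queued is `sizeof(UIMessage) + size` bytes, which is what `write_to` now checks on its own. As written the new block only catches a subset of the cases the callee already rejects, and both paths log the identical "Error writing from UI to plugin" text, so a dropped message cannot be attributed to a full ring buffer from the log. Either drop the block or make it exact, e.g. `if (_from_ui->write_space () < sizeof(UIMessage) + size) {`, with a message that names the full buffer. The function starts before the hunk and continues after it.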