From 8544171a849a3f75152888011d46985b8822429b Mon Sep 17 00:00:00 2001
From: "Unknown W. Brackets"
Date: Thu, 16 May 2013 00:06:54 -0700
Subject: [PATCH] Validate the sample count in SRC and Output2.

---
 Core/HLE/sceAudio.cpp | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/Core/HLE/sceAudio.cpp b/Core/HLE/sceAudio.cpp
index ae4a027e87..ce4d741060 100644
--- a/Core/HLE/sceAudio.cpp
+++ b/Core/HLE/sceAudio.cpp
@@ -271,9 +271,12 @@ u32 sceAudioEnd(){
 return 0;
 }
 
-u32 sceAudioOutput2Reserve(u32 sampleCount){
- if (chans[PSP_AUDIO_CHANNEL_OUTPUT2].reserved) {
- DEBUG_LOG(HLE, "sceAudioOutput2Reserve(%08x) - channel already reserved ", sampleCount);
+u32 sceAudioOutput2Reserve(u32 sampleCount) {
+ if (sampleCount < 17 || sampleCount > 4111) {
+ DEBUG_LOG(HLE, "sceAudioOutput2Reserve(%08x) - invalid sample count", sampleCount);
+ return SCE_KERNEL_ERROR_INVALID_SIZE;
+ } else if (chans[PSP_AUDIO_CHANNEL_OUTPUT2].reserved) {
+ DEBUG_LOG(HLE, "sceAudioOutput2Reserve(%08x) - channel already reserved", sampleCount);
 return SCE_ERROR_AUDIO_CHANNEL_ALREADY_RESERVED;
 } else {
 DEBUG_LOG(HLE,"sceAudioOutput2Reserve(%08x)", sampleCount);
@@ -339,7 +342,10 @@ u32 sceAudioSetVolumeOffset() {
 }
 
 u32 sceAudioSRCChReserve(u32 sampleCount, u32 freq, u32 format) {
- if (chans[PSP_AUDIO_CHANNEL_SRC].reserved) {
+ if (sampleCount < 17 || sampleCount > 4111) {
+ DEBUG_LOG(HLE, "sceAudioSRCChReserve(%08x, %08x, %08x) - invalid sample count", sampleCount, freq, format);
+ return SCE_KERNEL_ERROR_INVALID_SIZE;
+ } else if (chans[PSP_AUDIO_CHANNEL_SRC].reserved) {
 DEBUG_LOG(HLE, "sceAudioSRCChReserve(%08x, %08x, %08x) - channel already reserved ", sampleCount, freq, format);
 return SCE_ERROR_AUDIO_CHANNEL_ALREADY_RESERVED;
 } else {
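Review bot: The bounds `17` and `4111` in the new `sampleCount` check of `sceAudioOutput2Reserve` are unexplained literals, and the same pair is repeated in the `sceAudioSRCChReserve` hunk further down. `sampleCount` is supplied by the guest program and presumably sizes later buffer handling for the channel, so the limit should be easy to audit. Define the pair once, e.g. `static const u32 SRC_OUTPUT2_SAMPLE_MIN = 17;` and `static const u32 SRC_OUTPUT2_SAMPLE_MAX = 4111;` (names are only a suggestion), and use them in both functions so the two checks cannot drift apart. A comment on the definitions should say where the limits come from (hardware test, SDK documentation), since the commit message does not. The function body continues past the end of the hunk.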
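Review bot: Only `sampleCount` is range-checked in `sceAudioSRCChReserve`; `freq` and `format` are also guest-supplied and, as far as this hunk shows, fall through to the final `else` branch without any check. That branch continues outside the hunk, so they may be validated there. If they are not, reject unsupported values before the channel is marked reserved, using the same early-return style as the new size check. Separately, the unchanged `channel already reserved ` message in this function still has the trailing space that this commit removed from the `sceAudioOutput2Reserve` message.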