mirror of
https://github.com/alsa-project/alsa-utils
synced 2025-01-03 05:39:47 +01:00
aseqdump: Avoid OOB access with broken SysEx UMP packets
UMP SysEx messages have length field to specify the contained data bytes, but they can be over the actual packet size. Add the proper size limit checks for avoiding the access overflow. Signed-off-by: Takashi Iwai <tiwai@suse.de>
This commit is contained in:
parent
df736ad67a
commit
02b0c3af56
1 changed files with 4 additions and 0 deletions
|
@ -698,6 +698,8 @@ static void dump_ump_sysex_event(const unsigned int *ump)
|
||||||
dump_ump_sysex_status("SysEx", snd_ump_sysex_msg_status(ump));
|
dump_ump_sysex_status("SysEx", snd_ump_sysex_msg_status(ump));
|
||||||
length = snd_ump_sysex_msg_length(ump);
|
length = snd_ump_sysex_msg_length(ump);
|
||||||
printf(" length %d ", length);
|
printf(" length %d ", length);
|
||||||
|
if (length > 14)
|
||||||
|
length = 14;
|
||||||
for (i = 0; i < length; i++)
|
for (i = 0; i < length; i++)
|
||||||
printf("%s%02x", i ? ":" : "", ump_sysex7_data(ump, i));
|
printf("%s%02x", i ? ":" : "", ump_sysex7_data(ump, i));
|
||||||
printf("\n");
|
printf("\n");
|
||||||
|
@ -719,6 +721,8 @@ static void dump_ump_sysex8_event(const unsigned int *ump)
|
||||||
length = snd_ump_sysex_msg_length(ump);
|
length = snd_ump_sysex_msg_length(ump);
|
||||||
printf(" length %d ", length);
|
printf(" length %d ", length);
|
||||||
printf(" stream %d ", (ump[0] >> 8) & 0xff);
|
printf(" stream %d ", (ump[0] >> 8) & 0xff);
|
||||||
|
if (length > 13)
|
||||||
|
length = 13;
|
||||||
for (i = 0; i < length; i++)
|
for (i = 0; i < length; i++)
|
||||||
printf("%s%02x", i ? ":" : "", ump_sysex8_data(ump, i));
|
printf("%s%02x", i ? ":" : "", ump_sysex8_data(ump, i));
|
||||||
printf("\n");
|
printf("\n");
|
||||||
|
|
Loading…
Reference in a new issue