aseqdump: Avoid OOB access with broken SysEx UMP packets

UMP SysEx messages have length field to specify the contained data
bytes, but they can be over the actual packet size.  Add the proper
size limit checks for avoiding the access overflow.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
This commit is contained in:
Takashi Iwai 2024-07-24 14:05:55 +02:00
parent df736ad67a
commit 02b0c3af56

View file

@ -698,6 +698,8 @@ static void dump_ump_sysex_event(const unsigned int *ump)
dump_ump_sysex_status("SysEx", snd_ump_sysex_msg_status(ump)); dump_ump_sysex_status("SysEx", snd_ump_sysex_msg_status(ump));
length = snd_ump_sysex_msg_length(ump); length = snd_ump_sysex_msg_length(ump);
printf(" length %d ", length); printf(" length %d ", length);
if (length > 14)
length = 14;
for (i = 0; i < length; i++) for (i = 0; i < length; i++)
printf("%s%02x", i ? ":" : "", ump_sysex7_data(ump, i)); printf("%s%02x", i ? ":" : "", ump_sysex7_data(ump, i));
printf("\n"); printf("\n");
@ -719,6 +721,8 @@ static void dump_ump_sysex8_event(const unsigned int *ump)
length = snd_ump_sysex_msg_length(ump); length = snd_ump_sysex_msg_length(ump);
printf(" length %d ", length); printf(" length %d ", length);
printf(" stream %d ", (ump[0] >> 8) & 0xff); printf(" stream %d ", (ump[0] >> 8) & 0xff);
if (length > 13)
length = 13;
for (i = 0; i < length; i++) for (i = 0; i < length; i++)
printf("%s%02x", i ? ":" : "", ump_sysex8_data(ump, i)); printf("%s%02x", i ? ":" : "", ump_sysex8_data(ump, i));
printf("\n"); printf("\n");