asgardius/alsa-utils
1
0
Fork 0
mirror of https://github.com/alsa-project/alsa-utils synced 2024-11-09 17:35:42 +01:00
Code Issues Projects Releases Packages Wiki Activity

aseqdump: Avoid OOB access with broken SysEx UMP packets

Browse source 
UMP SysEx messages have length field to specify the contained data
bytes, but they can be over the actual packet size.  Add the proper
size limit checks for avoiding the access overflow.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
This commit is contained in:
Takashi Iwai 2024-07-24 14:05:55 +02:00
parent df736ad67a
commit 02b0c3af56
1 changed files with 4 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
seq/aseqdump/aseqdump.c
View file

@ -698,6 +698,8 @@ static void dump_ump_sysex_event(const unsigned int *ump)
dump_ump_sysex_status("SysEx", snd_ump_sysex_msg_status(ump)); dump_ump_sysex_status("SysEx", snd_ump_sysex_msg_status(ump));
length = snd_ump_sysex_msg_length(ump); length = snd_ump_sysex_msg_length(ump);
printf(" length %d ", length); printf(" length %d ", length);
if (length > 14)
length = 14;
for (i = 0; i < length; i++) for (i = 0; i < length; i++)
printf("%s%02x", i ? ":" : "", ump_sysex7_data(ump, i)); printf("%s%02x", i ? ":" : "", ump_sysex7_data(ump, i));
printf("\n"); printf("\n");
@ -719,6 +721,8 @@ static void dump_ump_sysex8_event(const unsigned int *ump)
length = snd_ump_sysex_msg_length(ump); length = snd_ump_sysex_msg_length(ump);
printf(" length %d ", length); printf(" length %d ", length);
printf(" stream %d ", (ump[0] >> 8) & 0xff); printf(" stream %d ", (ump[0] >> 8) & 0xff);
if (length > 13)
length = 13;
for (i = 0; i < length; i++) for (i = 0; i < length; i++)
printf("%s%02x", i ? ":" : "", ump_sysex8_data(ump, i)); printf("%s%02x", i ? ":" : "", ump_sysex8_data(ump, i));
printf("\n"); printf("\n");