asgardius/alsa-utils
1
0
Fork 0
mirror of https://github.com/alsa-project/alsa-utils synced 2024-11-09 17:05:41 +01:00
Code Issues Projects Releases Packages Wiki Activity

aplay: fix buffer overflow and tainted format string

Browse source 
Prior this commit, memcpy from names[0] to format[] will overwrite if
strlen(names[0]) is greater than 1024. Also, the length of malloc()ed
names[channel] is insufficient, leading to another buffer overwriting
when calling sprintf(). Moreover, the format string of sprintf()
can be controlled by user input. An attacker can exploit this weakness
to crash the program, disclose information or even execute arbitrary
code.

Fix by allocating enough space for arrays and using constant expressions
as the format strings.

Fixes: https://github.com/alsa-project/alsa-utils/pull/246/
Signed-off-by: Mingjie Shen <shen497@purdue.edu>
Signed-off-by: Jaroslav Kysela <perex@perex.cz>
This commit is contained in:
Mingjie Shen 2023-12-06 16:09:58 -05:00 committed by Jaroslav Kysela
parent 004d085c67
commit 4ce6a0a4af
1 changed files with 10 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

20
aplay/aplay.c
View file

@ -3436,14 +3436,14 @@ static void playbackv(char **names, unsigned int count)
if (count == 1 && channels > 1) { if (count == 1 && channels > 1) {
size_t len = strlen(names[0]); size_t len = strlen(names[0]);
char format[1024]; char buf[len + 1];
memcpy(format, names[0], len); strcpy(buf, names[0]);
strcpy(format + len, ".%d"); /* 1 for "." + 3 for channel (<= 256) + 1 for null terminator */
len += 4; len += 5;
names = malloc(sizeof(*names) * channels); names = malloc(sizeof(*names) * channels);
for (channel = 0; channel < channels; ++channel) { for (channel = 0; channel < channels; ++channel) {
names[channel] = malloc(len); names[channel] = malloc(len);
sprintf(names[channel], format, channel); snprintf(names[channel], len, "%s.%d", buf, channel);
} }
alloced = 1; alloced = 1;
} else if (count != channels) { } else if (count != channels) {
@ -3489,14 +3489,14 @@ static void capturev(char **names, unsigned int count)
if (count == 1) { if (count == 1) {
size_t len = strlen(names[0]); size_t len = strlen(names[0]);
char format[1024]; char buf[len + 1];
memcpy(format, names[0], len); strcpy(buf, names[0]);
strcpy(format + len, ".%d"); /* 1 for "." + 3 for channel (<= 256) + 1 for null terminator */
len += 4; len += 5;
names = malloc(sizeof(*names) * channels); names = malloc(sizeof(*names) * channels);
for (channel = 0; channel < channels; ++channel) { for (channel = 0; channel < channels; ++channel) {
names[channel] = malloc(len); names[channel] = malloc(len);
sprintf(names[channel], format, channel); snprintf(names[channel], len, "%s.%d", buf, channel);
} }
alloced = 1; alloced = 1;
} else if (count != channels) { } else if (count != channels) {