mirrors/alsa-lib
1
0
Fork 0
mirror of https://github.com/alsa-project/alsa-lib.git synced 2025-11-02 09:01:48 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

seq: Fix signedness in MIDI encoder/decoder

Browse source 
The qlen field of struct snd_midi_event was declared as size_t while
status_events[] assigns the qlen to -1 indicating to skip.  This leads
to the misinterpretation since size_t is unsigned, hence it passes the
check "dev.qlen > 0" incorrectly in snd_midi_event_encode_byte(),
which eventually results in a memory corruption.

Also, snd_midi_event_decode() doesn't consider about a negative qlen
value and tries to copy the size as is.

This patch fixes these issues: the first one is addressed by simply
replacing size_t with ssize_t in snd_midi_event struct.  For the
latter, a check "qlen <= 0" is added to bail out; this is also good as
a slight optimization.

Reported-by: Prashant Malani <pmalani@chromium.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
This commit is contained in:
Takashi Iwai 2018-08-23 08:34:37 +02:00
parent a84916364c
commit 7c5c050090
1 changed files with 3 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

4
src/seq/seq_midi_event.c
View file

@ -35,7 +35,7 @@
/* midi status */ /* midi status */
struct snd_midi_event { struct snd_midi_event {
size_t qlen; /* queue length */ ssize_t qlen; /* queue length */
size_t read; /* chars read */ size_t read; /* chars read */
int type; /* current event type */ int type; /* current event type */
unsigned char lastcmd; unsigned char lastcmd;
@ -606,6 +606,8 @@ long snd_midi_event_decode(snd_midi_event_t *dev, unsigned char *buf, long count
status_event[type].decode(ev, xbuf + 0); status_event[type].decode(ev, xbuf + 0);
qlen = status_event[type].qlen; qlen = status_event[type].qlen;
} }
if (qlen <= 0)
return 0;
if (count < qlen) if (count < qlen)
return -ENOMEM; return -ENOMEM;
memcpy(buf, xbuf, qlen); memcpy(buf, xbuf, qlen);