From 0bd9a4d033c9bf5e691bc01dd153b5a5a4d1e3dd Mon Sep 17 00:00:00 2001
From: Wim Taymans
Date: Mon, 27 Apr 2026 11:27:34 +0200
Subject: [PATCH] security: use overflow-safe arithmetic for NetJack2 MIDI buffer sizes
Memory Safety: High
The recv_midi function calculated MIDI buffer usage from network packet fields (event_count, write_pos) using plain arithmetic that could overflow on 32-bit platforms. A crafted NetJack2 packet with a large event_count could wrap the size_t multiplication, bypassing the bounds check and causing out-of-bounds memory access. Replaced with spa_overflow_mul/spa_overflow_add to detect overflow before use.
Co-Authored-By: Claude Opus 4.6
---
 src/modules/module-netjack2/peer.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/src/modules/module-netjack2/peer.c b/src/modules/module-netjack2/peer.c
index 254bca17f..55a7b7a28 100644
--- a/src/modules/module-netjack2/peer.c
+++ b/src/modules/module-netjack2/peer.c
@@ -815,13 +815,14 @@ static int netjack2_recv_midi(struct netjack2_peer *peer, struct nj2_packet_head
 for (i = 0; i < active_ports; i++) {
 struct nj2_midi_buffer *mbuf = (struct nj2_midi_buffer *)midi_data;
+ size_t used, events_size;
 nj2_midi_buffer_ntoh(mbuf, mbuf);
- size_t used = sizeof(*mbuf)
- + mbuf->event_count * sizeof(struct nj2_midi_event)
- + mbuf->write_pos;
- if (used < sizeof(*mbuf) || used > midi_size)
+ if (spa_overflow_mul((size_t)mbuf->event_count, sizeof(struct nj2_midi_event), &events_size) ||
+ spa_overflow_add(events_size, (size_t)mbuf->write_pos, &used) ||
+ spa_overflow_add(used, sizeof(*mbuf), &used) ||
+ used > midi_size)
 break;
 if (i < n_info && info[i].data != NULL) {
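Review bot: `nj2_midi_buffer_ntoh(mbuf, mbuf)` still byte-swaps the header in place before anything in this hunk confirms that a full `struct nj2_midi_buffer` is available at `midi_data`; the new overflow-checked `used > midi_size` test only runs afterwards. Unless a check outside the hunk already guarantees it, add `if (midi_size < sizeof(*mbuf)) break;` ahead of the byte-swap. The hunk also does not show whether `midi_size` shrinks as `midi_data` advances to the next port; if it is the size of the whole buffer, the comparison should be against the bytes remaining from `midi_data`. The `for` loop body continues past the end of the hunk, so how the per-event offsets are validated cannot be judged from here.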