pipewire/src/modules/module-rtp
Wim Taymans 4c9ec363a3 security: fix inverted overflow check in RTP MIDI message size parsing
Memory Safety: High

In get_midi_size(), the overflow check for SysEx and meta-event message
sizes has the comparison operator inverted. The check
  (unsigned int)(INT_MAX - size - 1) > value
rejects small (safe) payload sizes and accepts large sizes that cause
signed integer overflow in the subsequent size += (int)value + 1.

This means all SysEx messages (0xF0, 0xF7) and system reset/meta events
(0xFF) with valid payloads are incorrectly rejected, while crafted
packets with very large variable-length values bypass the check. Although
the caller has a secondary bounds check that mitigates most exploitation,
the inverted check is both a functional bug (breaks SysEx over RTP) and
a defense-in-depth failure.

Fix by swapping the operands so that the check correctly rejects values
that would overflow: value > (unsigned int)(INT_MAX - size - 1).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-24 15:55:35 +02:00
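The two comparisons from the commit message, run side by side on a small and an oversized length field. This is an added example, not PipeWire's code: `read_vlq`, `classify`, the return codes and both sample packets are hypothetical, and it assumes `size` holds the byte count of the variable-length field when the check runs.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { REJECTED = -1, ACCEPTED_OK = 0, ACCEPTED_OVERFLOW = 1 };

/* Decode a MIDI variable-length quantity (7 data bits per byte, high bit set
 * means "more follows"). Returns bytes consumed, 0 if truncated or > 32 bits. */
static size_t read_vlq(const uint8_t *p, size_t avail, unsigned int *value)
{
	uint64_t v = 0;
	for (size_t i = 0; i < avail && i < 5; i++) {
		v = (v << 7) | (p[i] & 0x7f);
		if (v > UINT_MAX)
			return 0;
		if (!(p[i] & 0x80)) {
			*value = (unsigned int)v;
			return i + 1;
		}
	}
	return 0;
}

/* Hypothetical stand-in for the size check; inverted != 0 applies the old
 * comparison. The sum is done in 64 bits so overflow is reported, not triggered. */
static int classify(const uint8_t *p, size_t avail, int inverted)
{
	unsigned int value, limit;
	size_t n;
	if (avail < 2 || (p[0] != 0xf0 && p[0] != 0xf7 && p[0] != 0xff))
		return REJECTED;
	if ((n = read_vlq(p + 1, avail - 1, &value)) == 0)
		return REJECTED;
	limit = (unsigned int)(INT_MAX - (int)n - 1);
	if (inverted ? (limit > value) : (value > limit))
		return REJECTED;
	return (int64_t)n + value + 1 > INT_MAX ? ACCEPTED_OVERFLOW : ACCEPTED_OK;
}

/* Constructed samples: a 3-byte SysEx, and a length field encoding 0xFFFFFFFF. */
static const uint8_t small_msg[] = { 0xf0, 0x03, 0x01, 0x02, 0x03 };
static const uint8_t huge_msg[] = { 0xf0, 0x8f, 0xff, 0xff, 0xff, 0x7f };

int main(void)
{
	printf("small: old=%d fixed=%d\n", classify(small_msg, 5, 1), classify(small_msg, 5, 0));
	printf("huge:  old=%d fixed=%d\n", classify(huge_msg, 6, 1), classify(huge_msg, 6, 0));
	return 0;
}
```

A regression test for a length check like this should cover both directions: a valid small payload must be accepted and an oversized length must be rejected.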
apple-midi.h Merge branch 'master' into 'fix_san_build' 2023-03-10 10:10:25 +00:00
audio.c module-rtp: Lower missing timeout log line from warn to trace 2026-03-30 23:45:34 +02:00
midi.c security: fix inverted overflow check in RTP MIDI message size parsing 2026-04-24 15:55:35 +02:00
opus.c module-rtp: handle the send_packet/feedback as callbacks 2026-03-26 09:34:45 +01:00
ptp.h module-rtp-sap: review 2024-01-22 16:41:06 +00:00
rtp.h module-rtp: Fix bounds checks in MIDI parsing 2025-07-15 10:46:10 +02:00
sap.h
stream.c module-rtp: handle the send_packet/feedback as callbacks 2026-03-26 09:34:45 +01:00
stream.h modules: support audio.layout where we can 2025-10-30 12:29:31 +01:00