The qlen field of struct snd_midi_event was declared as size_t while
status_events[] assigns the qlen to -1 indicating to skip. This leads
to the misinterpretation since size_t is unsigned, hence it passes the
check "dev.qlen > 0" incorrectly in snd_midi_event_encode_byte(),
which eventually results in a memory corruption.
Also, snd_midi_event_decode() doesn't consider about a negative qlen
value and tries to copy the size as is.
This patch fixes these issues: the first one is addressed by simply
replacing size_t with ssize_t in snd_midi_event struct. For the
latter, a check "qlen <= 0" is added to bail out; this is also good as
a slight optimization.
git://git.alsa-project.org / alsa-lib.git / commit