aseqdump: Avoid OOB access with broken SysEx UMP packets

UMP SysEx messages have length field to specify the contained data
bytes, but they can be over the actual packet size.  Add the proper
size limit checks for avoiding the access overflow.

Signed-off-by: Takashi Iwai <tiwai@suse.de>

diff --git a/seq/aseqdump/aseqdump.c b/seq/aseqdump/aseqdump.c
index 3630941cd86a5f8c9e8e5b2d6c82e1d6a1564b85..85230dffe7c01d77284f3aec6078a3b2d8a50011 100644 (file)
--- a/seq/aseqdump/aseqdump.c
+++ b/seq/aseqdump/aseqdump.c
@@ -698,6 +698,8 @@ static void dump_ump_sysex_event(const unsigned int *ump)
        dump_ump_sysex_status("SysEx", snd_ump_sysex_msg_status(ump));
        length = snd_ump_sysex_msg_length(ump);
        printf(" length %d ", length);
+       if (length > 14)
+               length = 14;
        for (i = 0; i < length; i++)
                printf("%s%02x", i ? ":" : "", ump_sysex7_data(ump, i));
        printf("\n");
@@ -719,6 +721,8 @@ static void dump_ump_sysex8_event(const unsigned int *ump)
        length = snd_ump_sysex_msg_length(ump);
        printf(" length %d ", length);
        printf(" stream %d ", (ump[0] >> 8) & 0xff);
+       if (length > 13)
+               length = 13;
        for (i = 0; i < length; i++)
                printf("%s%02x", i ? ":" : "", ump_sysex8_data(ump, i));
        printf("\n");