From: Takashi Iwai <tiwai@suse.de>
Date: Wed, 24 Jul 2024 12:05:55 +0000 (+0200)
Subject: aseqdump: Avoid OOB access with broken SysEx UMP packets
X-Git-Tag: v1.2.13~20
X-Git-Url: https://git.alsa-project.org/?a=commitdiff_plain;h=02b0c3af56bd6a5f1eed7c064a768dd6a7fb542a;p=alsa-utils.git

aseqdump: Avoid OOB access with broken SysEx UMP packets

UMP SysEx messages have length field to specify the contained data
bytes, but they can be over the actual packet size.  Add the proper
size limit checks for avoiding the access overflow.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
---

diff --git a/seq/aseqdump/aseqdump.c b/seq/aseqdump/aseqdump.c
index 3630941..85230df 100644
--- a/seq/aseqdump/aseqdump.c
+++ b/seq/aseqdump/aseqdump.c
@@ -698,6 +698,8 @@ static void dump_ump_sysex_event(const unsigned int *ump)
 	dump_ump_sysex_status("SysEx", snd_ump_sysex_msg_status(ump));
 	length = snd_ump_sysex_msg_length(ump);
 	printf(" length %d ", length);
+	if (length > 14)
+		length = 14;
 	for (i = 0; i < length; i++)
 		printf("%s%02x", i ? ":" : "", ump_sysex7_data(ump, i));
 	printf("\n");
@@ -719,6 +721,8 @@ static void dump_ump_sysex8_event(const unsigned int *ump)
 	length = snd_ump_sysex_msg_length(ump);
 	printf(" length %d ", length);
 	printf(" stream %d ", (ump[0] >> 8) & 0xff);
+	if (length > 13)
+		length = 13;
 	for (i = 0; i < length; i++)
 		printf("%s%02x", i ? ":" : "", ump_sysex8_data(ump, i));
 	printf("\n");