From 02b0c3af56bd6a5f1eed7c064a768dd6a7fb542a Mon Sep 17 00:00:00 2001 From: Takashi Iwai Date: Wed, 24 Jul 2024 14:05:55 +0200 Subject: [PATCH] aseqdump: Avoid OOB access with broken SysEx UMP packets UMP SysEx messages have length field to specify the contained data bytes, but they can be over the actual packet size. Add the proper size limit checks for avoiding the access overflow. Signed-off-by: Takashi Iwai --- seq/aseqdump/aseqdump.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/seq/aseqdump/aseqdump.c b/seq/aseqdump/aseqdump.c index 3630941..85230df 100644 --- a/seq/aseqdump/aseqdump.c +++ b/seq/aseqdump/aseqdump.c @@ -698,6 +698,8 @@ static void dump_ump_sysex_event(const unsigned int *ump) dump_ump_sysex_status("SysEx", snd_ump_sysex_msg_status(ump)); length = snd_ump_sysex_msg_length(ump); printf(" length %d ", length); + if (length > 14) + length = 14; for (i = 0; i < length; i++) printf("%s%02x", i ? ":" : "", ump_sysex7_data(ump, i)); printf("\n"); @@ -719,6 +721,8 @@ static void dump_ump_sysex8_event(const unsigned int *ump) length = snd_ump_sysex_msg_length(ump); printf(" length %d ", length); printf(" stream %d ", (ump[0] >> 8) & 0xff); + if (length > 13) + length = 13; for (i = 0; i < length; i++) printf("%s%02x", i ? ":" : "", ump_sysex8_data(ump, i)); printf("\n"); -- 2.47.1