Alsa-Devel Archive on lore.kernel.org
From: Oswald Buddenhagen <oswald.buddenhagen@gmx.de>
To: alsa-devel@alsa-project.org
Cc: Takashi Iwai <tiwai@suse.de>, Jaroslav Kysela <perex@perex.cz>,
	Arthur Marsh <arthur.marsh@internode.on.net>
Subject: [PATCH 07/18] ALSA: emux: improve patch ioctl data validation
Date: Mon,  1 Apr 2024 12:07:31 +0200
Message-ID: <20240401100742.506001-8-oswald.buddenhagen@gmx.de>
In-Reply-To: <20240401100742.506001-1-oswald.buddenhagen@gmx.de>

In load_data(), make the validation of and skipping over the main info
block match that in load_guspatch().

In load_guspatch(), add checking that the specified patch length matches
the actually supplied data, like load_data() already did.

Signed-off-by: Oswald Buddenhagen <oswald.buddenhagen@gmx.de>
---
 sound/synth/emux/soundfont.c | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/sound/synth/emux/soundfont.c b/sound/synth/emux/soundfont.c
index 6d6f0102ed5b..4edc693da8e7 100644
--- a/sound/synth/emux/soundfont.c
+++ b/sound/synth/emux/soundfont.c
@@ -716,22 +716,25 @@ load_data(struct snd_sf_list *sflist, const void __user *data, long count)
 	struct snd_soundfont *sf;
 	struct soundfont_sample_info sample_info;
 	struct snd_sf_sample *sp;
-	long off;

 	/* patch must be opened */
 	sf = sflist->currsf;
 	if (!sf)
 		return -EINVAL;

 	if (is_special_type(sf->type))
 		return -EINVAL;

+	if (count < (long)sizeof(sample_info)) {
+		return -EINVAL;
+	}
 	if (copy_from_user(&sample_info, data, sizeof(sample_info)))
 		return -EFAULT;
+	data += sizeof(sample_info);
+	count -= sizeof(sample_info);

-	off = sizeof(sample_info);
-
-	if (sample_info.size != (count-off)/2)
+	// SoundFont uses S16LE samples.
+	if (sample_info.size * 2 != count)
 		return -EINVAL;

 	/* Check for dup */
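
Review bot: the new length check `if (sample_info.size * 2 != count)` multiplies the user-supplied sample_info.size before comparing, where the removed line did its arithmetic on the length instead (`sample_info.size != (count-off)/2`). The type of sample_info.size is not visible in this hunk; if it is signed or narrower than long, the product is evaluated in that type and can wrap, so a size value that the old comparison rejected could now compare equal to count. Consider keeping the arithmetic on count: reject an odd count, then compare sample_info.size against count / 2, or cast to long before multiplying. Two style points in the same hunk: the braces around the single `return -EINVAL;` and the `//` comment differ from the brace-less ifs and `/* */` comments in the surrounding context lines.
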
@@ -774,7 +777,7 @@ load_data(struct snd_sf_list *sflist, const void __user *data, long count)
 		int  rc;
 		rc = sflist->callback.sample_new
 			(sflist->callback.private_data, sp, sflist->memhdr,
-			 data + off, count - off);
+			 data, count);
 		if (rc < 0) {
 			sf_sample_delete(sflist, sf, sp);
 			return rc;
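
Review bot: at the sample_new() call, `data, count` is equivalent to the removed `data + off, count - off` only because the first hunk now advances both parameters in place. The lines between the two hunks are not shown here, and any use of count there now sees the payload length rather than the total ioctl length, with no compile error to flag it (unlike a leftover use of the removed off). Worth confirming that every intermediate use wants the reduced value; a short comment where data and count are adjusted, saying that they refer to the sample payload from that point on, would make this call site self-explanatory.
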
@@ -986,10 +989,12 @@ load_guspatch(struct snd_sf_list *sflist, const char __user *data, long count)
 	}
 	if (copy_from_user(&patch, data, sizeof(patch)))
 		return -EFAULT;
-
 	count -= sizeof(patch);
 	data += sizeof(patch);

+	if ((patch.len << (patch.mode & WAVE_16_BITS ? 1 : 0)) != count)
+		return -EINVAL;
+
 	sf = newsf(sflist, SNDRV_SFNT_PAT_TYPE_GUS|SNDRV_SFNT_PAT_SHARED, NULL);
 	if (sf == NULL)
 		return -ENOMEM;
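
Review bot: in the added check `(patch.len << (patch.mode & WAVE_16_BITS ? 1 : 0)) != count`, the shift is applied to the user-supplied patch.len before anything visible in this hunk has bounded it. If patch.len is a signed or 32-bit field (its declaration is not shown), a negative or very large value makes the shift undefined or drops the top bit before the comparison with the long count. Rejecting a negative patch.len first and computing the expected byte length in long avoids that. The commit message describes this as matching what load_data() does, but the two checks are spelled differently (multiply there, shift here); using the same form, or a shared helper, would keep them in step. Placing the check before newsf() is good, since the early return needs no cleanup. The deleted blank line above `count -= sizeof(patch);` is an unrelated whitespace change.
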
--
2.42.0.419.g70bf8a5751


Thread overview: 22+ messages
2024-04-01 10:07 [PATCH 00/18] ALSA: emu10k1 & emux: fixes related to wavetable playback Oswald Buddenhagen
2024-04-01 10:07 ` [PATCH 01/18] ALSA: emux: fix /proc teardown at module unload Oswald Buddenhagen
2024-04-01 10:07 ` [PATCH 02/18] ALSA: emux: prune unused parameter from snd_soundfont_load_guspatch() Oswald Buddenhagen
2024-04-01 10:07 ` [PATCH 03/18] ALSA: emux: fix validation of snd_emux.num_ports Oswald Buddenhagen
2024-04-01 10:07 ` [PATCH 04/18] ALSA: emux: fix init of patch_info.truesize in load_data() Oswald Buddenhagen
2024-04-01 10:07 ` [PATCH 05/18] ALSA: emu10k1: prune vestiges of SNDRV_SFNT_SAMPLE_{BIDIR,REVERSE}_LOOP support Oswald Buddenhagen
2024-04-01 10:07 ` [PATCH 06/18] ALSA: emux: centralize & improve patch info validation Oswald Buddenhagen
2024-04-01 10:07 ` Oswald Buddenhagen [this message]
2024-04-01 10:07 ` [PATCH 08/18] ALSA: emu10k1: move patch loader assertions into low-level functions Oswald Buddenhagen
2024-04-01 10:07 ` [PATCH 09/18] ALSA: emu10k1: fix sample signedness issues in wavetable loader Oswald Buddenhagen
2024-04-01 10:07 ` [PATCH 10/18] ALSA: emu10k1: fix playback of 8-bit wavetable samples Oswald Buddenhagen
2024-04-01 10:07 ` [PATCH 11/18] ALSA: emu10k1: make wavetable sample playback start position exact Oswald Buddenhagen
2024-04-01 10:07 ` [PATCH 12/18] ALSA: emu10k1: shrink blank space in front of wavetable samples Oswald Buddenhagen
2024-04-01 10:07 ` [PATCH 13/18] ALSA: emu10k1: merge conditions in patch loader Oswald Buddenhagen
2024-04-01 10:07 ` [PATCH 14/18] ALSA: emu10k1: fix wavetable offset recalculation Oswald Buddenhagen
2024-04-01 10:07 ` [PATCH 15/18] ALSA: emu10k1: de-duplicate size calculations for 16-bit samples Oswald Buddenhagen
2024-04-01 10:07 ` [PATCH 16/18] ALSA: emu10k1: improve cache behavior documentation Oswald Buddenhagen
2024-04-01 10:07 ` [PATCH 17/18] ALSA: emu10k1: fix playback of short wavetable samples Oswald Buddenhagen
2024-04-01 10:07 ` [PATCH 18/18] ALSA: emux: simplify snd_sf_list.callback handling Oswald Buddenhagen
2024-04-01 10:51 ` [PATCH 00/18] ALSA: emu10k1 & emux: fixes related to wavetable playback Takashi Iwai
2024-04-01 11:18   ` Oswald Buddenhagen
2024-04-01 11:44     ` Takashi Iwai
