From: Oswald Buddenhagen <oswald.buddenhagen@gmx.de>
To: alsa-devel@alsa-project.org
Cc: Takashi Iwai <tiwai@suse.de>, Jaroslav Kysela <perex@perex.cz>,
	Arthur Marsh <arthur.marsh@internode.on.net>
Subject: [PATCH v3 07/17] ALSA: emux: improve patch ioctl data validation
Date: Sat,  6 Apr 2024 08:48:20 +0200
Message-ID: <20240406064830.1029573-8-oswald.buddenhagen@gmx.de>
In-Reply-To: <20240406064830.1029573-1-oswald.buddenhagen@gmx.de>

In load_data(), make the validation of and skipping over the main info
block match that in load_guspatch().

In load_guspatch(), add checking that the specified patch length matches
the actually supplied data, like load_data() already did.

Signed-off-by: Oswald Buddenhagen <oswald.buddenhagen@gmx.de>
---
 sound/synth/emux/soundfont.c | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/sound/synth/emux/soundfont.c b/sound/synth/emux/soundfont.c
index 6d6f0102ed5b..4edc693da8e7 100644
--- a/sound/synth/emux/soundfont.c
+++ b/sound/synth/emux/soundfont.c
@@ -716,22 +716,25 @@ load_data(struct snd_sf_list *sflist, const void __user *data, long count)
 	struct snd_soundfont *sf;
 	struct soundfont_sample_info sample_info;
 	struct snd_sf_sample *sp;
-	long off;
 
 	/* patch must be opened */
 	sf = sflist->currsf;
 	if (!sf)
 		return -EINVAL;
 
 	if (is_special_type(sf->type))
 		return -EINVAL;
 
+	if (count < (long)sizeof(sample_info)) {
+		return -EINVAL;
+	}
 	if (copy_from_user(&sample_info, data, sizeof(sample_info)))
 		return -EFAULT;
+	data += sizeof(sample_info);
+	count -= sizeof(sample_info);
 
-	off = sizeof(sample_info);
-
-	if (sample_info.size != (count-off)/2)
+	// SoundFont uses S16LE samples.
+	if (sample_info.size * 2 != count)
 		return -EINVAL;
 
 	/* Check for dup */
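Review bot: The new check `sample_info.size * 2 != count` in load_data() multiplies a value that was just copied from userspace before anything visible here bounds it. If size is a 32-bit signed field, a negative or very large value can wrap so that the product equals count, whereas the old `(count-off)/2` form could not overflow (it only ignored an odd trailing byte). Consider rejecting `sample_info.size < 0` first, or keeping the division and rejecting odd lengths explicitly, e.g. `if ((count & 1) || sample_info.size != count / 2)`. Minor style: the braces around the single `return -EINVAL;` and the `//` comment differ from the unbraced returns and `/* */` comments in the surrounding context lines.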
@@ -774,7 +777,7 @@ load_data(struct snd_sf_list *sflist, const void __user *data, long count)
 		int  rc;
 		rc = sflist->callback.sample_new
 			(sflist->callback.private_data, sp, sflist->memhdr,
-			 data + off, count - off);
+			 data, count);
 		if (rc < 0) {
 			sf_sample_delete(sflist, sf, sp);
 			return rc;
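Review bot: Passing `data, count` to sample_new is equivalent to the old `data + off, count - off` only if nothing between the size check and this call still expects the original pointer and length. Those lines are outside the hunk, so it is worth confirming that no remaining use of `data` or `count` in load_data() assumed the header was still included, now that both are advanced in place.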
@@ -986,10 +989,12 @@ load_guspatch(struct snd_sf_list *sflist, const char __user *data, long count)
 	}
 	if (copy_from_user(&patch, data, sizeof(patch)))
 		return -EFAULT;
-	
 	count -= sizeof(patch);
 	data += sizeof(patch);
 
+	if ((patch.len << (patch.mode & WAVE_16_BITS ? 1 : 0)) != count)
+		return -EINVAL;
+
 	sf = newsf(sflist, SNDRV_SFNT_PAT_TYPE_GUS|SNDRV_SFNT_PAT_SHARED, NULL);
 	if (sf == NULL)
 		return -ENOMEM;
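Review bot: The length check `(patch.len << (...)) != count` in load_guspatch() shifts patch.len, which comes straight from the copy_from_user() above, before it has been range-checked. If len is a 32-bit signed field, a negative or large value overflows the shift, and a wrapped result could match count. Rejecting `patch.len < 0` first, or comparing in the other direction (halving count in 16-bit mode after rejecting an odd count, then comparing against patch.len), avoids that. Parentheses around `patch.mode & WAVE_16_BITS` would also make the precedence against `?:` obvious to the reader.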
-- 
2.44.0.701.g2cf7baacf3.dirty

