authorMatti Niemenmaa2015-06-10 14:21:37 +0300
committerMatti Niemenmaa2015-07-14 16:19:13 +0300
commit70cbfd06595cc5d103c808c30c262cb25509608f (patch)
tree9e0a1a1409467b12231106f37429fb30d3bcba09
parent0020b937c6ba3474e67ef87cda41a3afa1b87122 (diff)
downloadaur-70cbfd06595cc5d103c808c30c262cb25509608f.tar.gz
Hacky patch for buffer overflow issues
I ran into a case where this 1024-entry buffer was indexed with 1388. The chosen value for the buffer size is based on the following: * In pcm8(), the parameter 'buffer_size' is used as the buffer's length. * The source of that parameter ends up being 'len' in mdx_calc_sample(), which in turn is at most '(data->mdx->dsp_speed * frame)/1000000'. * 'dsp_speed' is a user-settable parameter defaulting to 44100; let's assume that nobody will want to use a value greater than 192000 and add a check in mdx_set_rate() just in case. * 'frame' comes from mdx_parse_mml_get_tempo(). When 'self->mdx->tempo' is 0 (I assume it can never be negative), the function computes the maximum possible value: 65536. Thus we get 65536 * 192000 / 1000000 = 12582.912, which we round up to the next multiple of 1024 for some extra safety. Note that even with the default 44100 we get 2890.1376 so the overflow was possible even without using mdx_set_rate().
-rw-r--r--.SRCINFO2
-rw-r--r--PKGBUILD3
-rw-r--r--buffer-size.patch26
3 files changed, 31 insertions, 0 deletions
diff --git a/.SRCINFO b/.SRCINFO
index 80c7997fa4a4..8d48abb73cfd 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -8,8 +8,10 @@ pkgbase = mdxmini-git
license = GPL2
makedepends = git
source = mdxmini-git::git+https://github.com/BouKiCHi/mdxplayer.git
+ source = buffer-size.patch
source = makefiles.patch
sha256sums = SKIP
+ sha256sums = 4f8ec91487736c9ad864f54c615b491c406464573469ed59b1d4f6be77cf2812
sha256sums = d8f24d0a385ed081e496573abed032366a2e74c6ea4c6dada80d7571e40bf1c0
pkgname = mdxmini-git
diff --git a/PKGBUILD b/PKGBUILD
index 3e8b43f90ab0..161200108db2 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -10,8 +10,10 @@ url='https://github.com/BouKiCHi/mdxplayer/tree/master/jni/mdxmini'
license=(GPL2)
makedepends=(git)
source=("$pkgbase"::'git+https://github.com/BouKiCHi/mdxplayer.git'
+ buffer-size.patch
makefiles.patch)
sha256sums=('SKIP'
+ '4f8ec91487736c9ad864f54c615b491c406464573469ed59b1d4f6be77cf2812'
'd8f24d0a385ed081e496573abed032366a2e74c6ea4c6dada80d7571e40bf1c0')
pkgver() {
@@ -25,6 +27,7 @@ pkgver() {
prepare() {
cd "$srcdir/$pkgbase"
patch -p1 -i "$srcdir"/makefiles.patch
+ patch -p1 -i "$srcdir"/buffer-size.patch
}
build() {
diff --git a/buffer-size.patch b/buffer-size.patch
new file mode 100644
index 000000000000..229de32d526c
--- /dev/null
+++ b/buffer-size.patch
@@ -0,0 +1,26 @@
+diff --git i/jni/mdxmini/src/mdxmini.c w/jni/mdxmini/src/mdxmini.c
+index a5bb8e3..dd7a89e 100755
+--- i/jni/mdxmini/src/mdxmini.c
++++ w/jni/mdxmini/src/mdxmini.c
+@@ -199,7 +199,7 @@ void mdx_set_dir ( t_mdxmini *data , char * dir )
+
+ void mdx_set_rate( int freq )
+ {
+- dsp_speed = freq;
++ dsp_speed = freq > 192000 ? 192000 : freq;
+ }
+
+ void mdx_set_max_loop(t_mdxmini *data , int loop)
+diff --git i/jni/mdxmini/src/pcm8.c w/jni/mdxmini/src/pcm8.c
+index 940f90a..f7c8003 100755
+--- i/jni/mdxmini/src/pcm8.c
++++ w/jni/mdxmini/src/pcm8.c
+@@ -199,7 +199,7 @@ int pcm8_open( MDX_DATA *mdx, songdata *data )
+ self->pcm_buffer = NULL;
+
+
+- self->sample_buffer_size = 1024;
++ self->sample_buffer_size = 13312;
+ // self->dsp_speed * PCM8_SYSTEM_RATE / 1000;
+
+ if ( self->is_encoding_stereo == FLAG_TRUE ) {
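Review bot: The clamp added to `mdx_set_rate()` is one-sided: `dsp_speed = freq > 192000 ? 192000 : freq;` still lets a zero or negative `freq` through, and the commit description derives the 13312 buffer bound from a positive rate, so a non-positive value would fall outside the reasoning the new size rests on; a lower bound such as `if (freq <= 0) return;` (keeping the previous `dsp_speed`) would close that, though the right floor depends on callers not visible here. The new literal `13312` in `pcm8_open()` also deserves the derivation next to it, since the commented-out formula on the following line no longer explains it: `/* 65536 (max tempo frame) * 192000 (mdx_set_rate clamp) / 1000000 = 12582.9, rounded up to a multiple of 1024 */`. Enlarging the buffer presumably only moves the overflow boundary; a bounds check on the length written into `sample_buffer` against `sample_buffer_size` in the consumer would make the fix hold regardless of the two constants, but that code is outside this patch. `pcm8_open()` continues past the end of the hunk.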