author | Matti Niemenmaa | 2015-06-10 14:21:37 +0300 |
---|---|---|
committer | Matti Niemenmaa | 2015-07-14 16:19:13 +0300 |
commit | 70cbfd06595cc5d103c808c30c262cb25509608f (patch) | |
tree | 9e0a1a1409467b12231106f37429fb30d3bcba09 | |
parent | 0020b937c6ba3474e67ef87cda41a3afa1b87122 (diff) | |
download | aur-70cbfd06595cc5d103c808c30c262cb25509608f.tar.gz |
Hacky patch for buffer overflow issues
I ran into a case where this 1024-entry buffer was indexed with 1388.
The chosen value for the buffer size is based on the following:
* In pcm8(), the parameter 'buffer_size' is used as the buffer's length.
* The source of that parameter ends up being 'len' in mdx_calc_sample(),
which in turn is at most '(data->mdx->dsp_speed * frame)/1000000'.
* 'dsp_speed' is a user-settable parameter defaulting to 44100; let's
assume that nobody will want to use a value greater than 192000 and
add a check in mdx_set_rate() just in case.
* 'frame' comes from mdx_parse_mml_get_tempo(). When 'self->mdx->tempo'
is 0 (I assume it can never be negative), the function computes the
maximum possible value: 65536.
Thus we get 65536 * 192000 / 1000000 = 12582.912, which we round up to
the next multiple of 1024 for some extra safety. Note that even with the
default 44100 we get 2890.1376 so the overflow was possible even without
using mdx_set_rate().
-rw-r--r-- | .SRCINFO | 2 | ||||
-rw-r--r-- | PKGBUILD | 3 | ||||
-rw-r--r-- | buffer-size.patch | 26 |
3 files changed, 31 insertions, 0 deletions
@@ -8,8 +8,10 @@ pkgbase = mdxmini-git
 license = GPL2
 makedepends = git
 source = mdxmini-git::git+https://github.com/BouKiCHi/mdxplayer.git
+ source = buffer-size.patch
 source = makefiles.patch
 sha256sums = SKIP
+ sha256sums = 4f8ec91487736c9ad864f54c615b491c406464573469ed59b1d4f6be77cf2812
 sha256sums = d8f24d0a385ed081e496573abed032366a2e74c6ea4c6dada80d7571e40bf1c0
 pkgname = mdxmini-git
@@ -10,8 +10,10 @@ url='https://github.com/BouKiCHi/mdxplayer/tree/master/jni/mdxmini'
 license=(GPL2)
 makedepends=(git)
 source=("$pkgbase"::'git+https://github.com/BouKiCHi/mdxplayer.git'
+ buffer-size.patch
 makefiles.patch)
 sha256sums=('SKIP'
+ '4f8ec91487736c9ad864f54c615b491c406464573469ed59b1d4f6be77cf2812'
 'd8f24d0a385ed081e496573abed032366a2e74c6ea4c6dada80d7571e40bf1c0')
 pkgver() {
@@ -25,6 +27,7 @@ pkgver() {
 prepare() {
 cd "$srcdir/$pkgbase"
 patch -p1 -i "$srcdir"/makefiles.patch
+ patch -p1 -i "$srcdir"/buffer-size.patch
 }
 build() {
diff --git a/buffer-size.patch b/buffer-size.patch
new file mode 100644
index 000000000000..229de32d526c
--- /dev/null
+++ b/buffer-size.patch
@@ -0,0 +1,26 @@
+diff --git i/jni/mdxmini/src/mdxmini.c w/jni/mdxmini/src/mdxmini.c
+index a5bb8e3..dd7a89e 100755
+--- i/jni/mdxmini/src/mdxmini.c
++++ w/jni/mdxmini/src/mdxmini.c
+@@ -199,7 +199,7 @@ void mdx_set_dir ( t_mdxmini *data , char * dir )
+
+ void mdx_set_rate( int freq )
+ {
+- dsp_speed = freq;
++ dsp_speed = freq > 192000 ? 192000 : freq;
+ }
+
+ void mdx_set_max_loop(t_mdxmini *data , int loop)
+diff --git i/jni/mdxmini/src/pcm8.c w/jni/mdxmini/src/pcm8.c
+index 940f90a..f7c8003 100755
+--- i/jni/mdxmini/src/pcm8.c
++++ w/jni/mdxmini/src/pcm8.c
+@@ -199,7 +199,7 @@ int pcm8_open( MDX_DATA *mdx, songdata *data )
+ self->pcm_buffer = NULL;
+
+
+- self->sample_buffer_size = 1024;
++ self->sample_buffer_size = 13312;
+ // self->dsp_speed * PCM8_SYSTEM_RATE / 1000;
+
+ if ( self->is_encoding_stereo == FLAG_TRUE ) { |
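Review bot: The new `sample_buffer_size = 13312` in pcm8_open() is safe only while the 192000 cap in mdx_set_rate() and the 65536 maximum frame both hold, and nothing in either inner hunk records that link or checks the requested length against the buffer where it is indexed (pcm8() is not part of this patch, and pcm8_open()'s body continues outside the hunk). I would add `/* max frame 65536 * max dsp_speed 192000 (see mdx_set_rate) / 1000000, rounded up to a multiple of 1024 */` above the assignment, and in a follow-up bound `buffer_size` by `sample_buffer_size` inside pcm8() so the size no longer depends on arithmetic done in a commit message. The clamp `freq > 192000 ? 192000 : freq` limits only the upper end, so zero or negative rates still reach `dsp_speed` unchanged. Separately, 65536 * 192000 (and already 65536 * 44100) exceeds INT_MAX, so if the product quoted in the commit message is evaluated in `int` the derived bound does not hold; the operand types are not visible here.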