wildmidi_lib.c (WildMidi_Open, WildMidi_OpenBuffer): refuse to procee…
…d if less then 18 bytes of input

Fixes bug #178.
sezero committed Aug 4, 2017
1 parent d8a4668 commit 814f31d
Showing 2 changed files with 10 additions and 0 deletions.
2 changes: 2 additions & 0 deletions README.md
@@ -38,6 +38,8 @@ CHANGELOG
0.4.2
* Fixed CVE-2017-11661, CVE-2017-11662, CVE-2017-11663, CVE-2017-11664
(Bug #175).
* Fixed WildMidi_Open() might read beyond buffer with too short inputs
(Bug #178).
* GUS patch processing changes to meet users expectations (Bug #132).
* Worked around a build failure with newer FreeBSD versions failing to
retrieve the ONLCR constant (Bug #171).
8 changes: 8 additions & 0 deletions src/wildmidi_lib.c
@@ -1655,6 +1655,10 @@ WM_SYMBOL midi *WildMidi_Open(const char *midifile) {
if ((mididata = (uint8_t *) _WM_BufferFile(midifile, &midisize)) == NULL) {
return (NULL);
}
if (midisize < 18) {
_WM_GLOBAL_ERROR(__FUNCTION__, __LINE__, WM_ERR_CORUPT, "(too short)", 0);
return (NULL);
}
if (memcmp(mididata,"HMIMIDIP", 8) == 0) {
ret = (void *) _WM_ParseNewHmp(mididata, midisize);
} else if (memcmp(mididata, "HMI-MIDISONG061595", 18) == 0) {
@@ -1696,6 +1700,10 @@ WM_SYMBOL midi *WildMidi_OpenBuffer(uint8_t *midibuffer, uint32_t size) {
_WM_GLOBAL_ERROR(__FUNCTION__, __LINE__, WM_ERR_LONGFIL, NULL, 0);
return (NULL);
}
if (size < 18) {
_WM_GLOBAL_ERROR(__FUNCTION__, __LINE__, WM_ERR_CORUPT, "(too short)", 0);
return (NULL);
}
if (memcmp(midibuffer,"HMIMIDIP", 8) == 0) {
ret = (void *) _WM_ParseNewHmp(midibuffer, size);
} else if (memcmp(midibuffer, "HMI-MIDISONG061595", 18) == 0) {
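Review bot: The new early return in WildMidi_Open (`if (midisize < 18)`) exits without releasing `mididata`, which was just obtained from `_WM_BufferFile`; if that helper hands back a heap buffer owned by the caller, as its use here suggests, every too-short file leaks it, so add `free(mididata);` before `return (NULL);`. The matching check in WildMidi_OpenBuffer is fine on that count because the buffer belongs to the caller. The bare `18` is the length of the longest signature compared below (`"HMI-MIDISONG061595"`), and a comment such as `/* 18 = longest magic compared by the memcmp() dispatch below */` would keep the bound tied to those calls. Both function bodies start and end outside the visible hunks, so whether the individual parsers bound their own reads beyond the first 18 bytes cannot be confirmed here.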
