authorAlexandre Ratchov <ratchov@cvs.openbsd.org>2016-05-05 09:18:13 +0000
committerAlexandre Ratchov <ratchov@cvs.openbsd.org>2016-05-05 09:18:13 +0000
commit3c76eb80b06feed402ef669897d9a6b0a464ffac (patch)
treee163245fe90d9257ae4775708ca2c4b6f0eb57a5
parentbd3ece13524f30e0c4509bfa8dc2ec8ea6d770cc (diff)
Fix one of the reads past the end of the buffer. Found
by Geoff Hill, fix proposed by jsg@ and zhuk@.
-rw-r--r--usr.bin/midiplay/midiplay.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/usr.bin/midiplay/midiplay.c b/usr.bin/midiplay/midiplay.c
index 0ff34fb40ff..284575bc078 100644
--- a/usr.bin/midiplay/midiplay.c
+++ b/usr.bin/midiplay/midiplay.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: midiplay.c,v 1.17 2015/02/08 23:40:34 deraadt Exp $ */
+/* $OpenBSD: midiplay.c,v 1.18 2016/05/05 09:18:12 ratchov Exp $ */
/* $NetBSD: midiplay.c,v 1.8 1998/11/25 22:17:07 augustss Exp $ */
/*
@@ -312,7 +312,7 @@ playdata(u_char *buf, u_int tot, char *name)
goto ret;
}
len = GET32(p + MARK_LEN);
- if (len > 1000000) { /* a safe guard */
+ if (len > end - (p + MARK_LEN + SIZE_LEN)) {
warnx("Crazy track length");
goto ret;
}
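Review bot: The new bound in `if (len > end - (p + MARK_LEN + SIZE_LEN))` is only sound if `p + MARK_LEN + SIZE_LEN <= end` already holds, and that guarantee is not visible in this hunk; presumably the check that ends in the `goto ret` just above provides it. The right-hand side is a signed pointer difference compared with `len`, which looks unsigned (it is filled from GET32, with its declaration outside the hunk), so a negative difference could convert to a large unsigned value and let an oversized track length through. I would state the invariant next to the test, e.g. `/* the check above guarantees p + MARK_LEN + SIZE_LEN <= end */`, so that a later change to the earlier guard does not silently weaken this one. playdata() begins and ends outside the hunk, and the commit message says only one of the out-of-bounds reads is fixed, so the other accesses through `p` in the function deserve the same bound.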