File libmikmod-3.1.12-CVE-2007-6720.diff of Package libmikmod
This patch fixes "buffer overflow due to md_numchn - ID: 1630158"
Index: libmikmod-3.1.12/playercode/mplayer.c
===================================================================
--- libmikmod-3.1.12.orig/playercode/mplayer.c
+++ libmikmod-3.1.12/playercode/mplayer.c
@@ -52,6 +52,8 @@ extern long int random(void);
 will wait */
 /*static*/ MODULE *pf = NULL;
+#define NUMVOICES(mod) (md_sngchn < (mod)->numvoices ? md_sngchn : (mod)->numvoices)
+
 #define HIGH_OCTAVE 2 /* number of above-range octaves */
 static UWORD oldperiods[OCTAVE*2]={
@@ -248,14 +250,14 @@ static int MP_FindEmptyChannel(MODULE *m
 MP_VOICE *a;
 ULONG t,k,tvol,pp;
- for (t=0;t<md_sngchn;t++)
+ for (t=0;t<NUMVOICES(mod);t++)
 if (((mod->voice[t].main.kick==KICK_ABSENT)||
 (mod->voice[t].main.kick==KICK_ENV))&&
 Voice_Stopped_internal(t))
 return t;
 tvol=0xffffffUL;t=-1;a=mod->voice;
- for (k=0;k<md_sngchn;k++,a++) {
+ for (k=0;k<NUMVOICES(mod);k++,a++) {
 /* allow us to take over a nonexisting sample */
 if (!a->main.s)
 return k;
@@ -2249,12 +2251,12 @@ static void DoNNAEffects(MODULE *mod, MP
 switch (dat) {
 case 0x0: /* past note cut */
- for (t=0;t<md_sngchn;t++)
+ for (t=0;t<NUMVOICES(mod);t++)
 if (mod->voice[t].master==a)
 mod->voice[t].main.fadevol=0;
 break;
 case 0x1: /* past note off */
- for (t=0;t<md_sngchn;t++)
+ for (t=0;t<NUMVOICES(mod);t++)
 if (mod->voice[t].master==a) {
 mod->voice[t].main.keyoff|=KEY_OFF;
 if ((!(mod->voice[t].venv.flg & EF_ON))||
@@ -2263,7 +2265,7 @@ static void DoNNAEffects(MODULE *mod, MP
 }
 break;
 case 0x2: /* past note fade */
- for (t=0;t<md_sngchn;t++)
+ for (t=0;t<NUMVOICES(mod);t++)
 if (mod->voice[t].master==a)
 mod->voice[t].main.keyoff|=KEY_FADE;
 break;
@@ -2318,7 +2320,7 @@ void pt_UpdateVoices(MODULE *mod, int ma
 SAMPLE *s;
 mod->totalchn=mod->realchn=0;
- for (channel=0;channel<md_sngchn;channel++) {
+ for (channel=0;channel<NUMVOICES(mod);channel++) {
 aout=&mod->voice[channel];
 i=aout->main.i;
 s=aout->main.s;
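Review bot: `NUMVOICES(mod)` in the first hunk carries no comment saying why the bound is the smaller of two values, and as a loop condition it is re-evaluated on every iteration of each converted loop, reading the global `md_sngchn` each time. I would add above the macro `/* Upper bound for indexing mod->voice: never exceed the current driver voice count or the array size recorded in mod->numvoices. */`. In the loops of MP_FindEmptyChannel, DoNNAEffects and pt_UpdateVoices the bound could be read once into a local declared with the other locals (`int nvoices = NUMVOICES(mod);`) so it cannot shift mid-loop. Whether `md_sngchn` can actually change while these loops run is not visible from this diff.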
@@ -2736,7 +2738,7 @@ void pt_NNA(MODULE *mod)
 if (a->dct!=DCT_OFF) {
 int t;
- for (t=0;t<md_sngchn;t++)
+ for (t=0;t<NUMVOICES(mod);t++)
 if ((!Voice_Stopped_internal(t))&&
 (mod->voice[t].masterchn==channel)&&
 (a->main.sample==mod->voice[t].main.sample)) {
@@ -2978,6 +2980,11 @@ BOOL Player_Init(MODULE* mod)
 if (!(mod->voice=(MP_VOICE*)_mm_calloc(md_sngchn,sizeof(MP_VOICE))))
 return 1;
+ /* mod->numvoices was used during loading to clamp md_sngchn.
+ After loading it's used to remember how big mod->voice is.
+ */
+ mod->numvoices = md_sngchn;
+
 Player_Init_internal(mod);
 return 0;
 }
@@ -3086,7 +3093,7 @@ MIKMODAPI void Player_NextPosition(void)
 pf->patbrk=0;
 pf->vbtick=pf->sngspd;
- for (t=0;t<md_sngchn;t++) {
+ for (t=0;t<NUMVOICES(pf);t++) {
 Voice_Stop_internal(t);
 pf->voice[t].main.i=NULL;
 pf->voice[t].main.s=NULL;
@@ -3111,7 +3118,7 @@ MIKMODAPI void Player_PrevPosition(void)
 pf->patbrk=0;
 pf->vbtick=pf->sngspd;
- for (t=0;t<md_sngchn;t++) {
+ for (t=0;t<NUMVOICES(pf);t++) {
 Voice_Stop_internal(t);
 pf->voice[t].main.i=NULL;
 pf->voice[t].main.s=NULL;
@@ -3138,7 +3145,7 @@ MIKMODAPI void Player_SetPosition(UWORD
 pf->sngpos=pos;
 pf->vbtick=pf->sngspd;
- for (t=0;t<md_sngchn;t++) {
+ for (t=0;t<NUMVOICES(pf);t++) {
 Voice_Stop_internal(t);
 pf->voice[t].main.i=NULL;
 pf->voice[t].main.s=NULL;
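Review bot: In the Player_Init hunk, `mod->numvoices = md_sngchn;` gives the field a meaning that depends on call order: per the added comment it holds the loader's voice request before this point and the allocation size after it. Any reader of `numvoices` outside this diff that still expects the loader's value would now see the driver count, and if the field is narrower than `md_sngchn` the recorded size would be truncated (neither type is visible here). The comment should state the invariant the other hunks rely on, e.g. `/* Invariant from here on: mod->voice has exactly mod->numvoices entries; index it only below NUMVOICES(mod). */`. Player_Init's body starts outside the hunk.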
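Review bot: In Player_NextPosition (and the identical loops in Player_PrevPosition and Player_SetPosition) the clamped bound now limits `Voice_Stop_internal(t)` as well as the writes to `pf->voice[t]`. If `md_sngchn` is larger than `pf->numvoices`, driver voices from `pf->numvoices` up to `md_sngchn` are no longer stopped on a position change; whether any of them can still be sounding is not visible from this diff. If that is intended, a comment such as `/* only voices backed by pf->voice[] belong to this module */` on the loop would record it. All three function bodies start and end outside their hunks.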