This patch is from upstream:
https://github.com/milkytracker/MilkyTracker/commit/ea7772a3fae0a9dd0a322e8fec441d15843703b7
commit ea7772a3fae0a9dd0a322e8fec441d15843703b7
Author: Christopher O'Neill <code@chrisoneill.co.uk>
Date: Tue Jul 30 18:40:03 2019 +0100
Fixes for buffer overflow issues #182 & #183
diff --git a/src/milkyplay/LoaderXM.cpp b/src/milkyplay/LoaderXM.cpp
index 108d915..f87f5c1 100644
--- a/src/milkyplay/LoaderXM.cpp
+++ b/src/milkyplay/LoaderXM.cpp
@@ -63,8 +63,8 @@ const char* LoaderXM::identifyModule(const mp_ubyte* buffer)
mp_sint32 LoaderXM::load(XMFileBase& f, XModule* module)
{
mp_ubyte insData[230];
- mp_sint32 smpReloc[96];
- mp_ubyte nbu[96];
+ mp_sint32 smpReloc[MP_MAXINSSAMPS];
+ mp_ubyte nbu[MP_MAXINSSAMPS];
mp_uint32 fileSize = 0;
module->cleanUp();
@@ -117,6 +117,8 @@ mp_sint32 LoaderXM::load(XMFileBase& f, XModule* module)
memcpy(header->ord, hdrBuff+16, 256);
if(header->ordnum > MP_MAXORDERS)
header->ordnum = MP_MAXORDERS;
+ if(header->insnum > MP_MAXINS)
+ return MP_LOADER_FAILED;
delete[] hdrBuff;
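Review bot: The new `insnum` check returns before the `delete[] hdrBuff;` on the following line, so a module rejected here leaks the header buffer. Free the buffer on the failure path, e.g. `if(header->insnum > MP_MAXINS) { delete[] hdrBuff; return MP_LOADER_FAILED; }`, or move the check below the `delete[]`. load() starts and ends outside this hunk, so any other allocations live at this point are not visible here.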
@@ -143,7 +145,7 @@ mp_sint32 LoaderXM::load(XMFileBase& f, XModule* module)
f.read(&instr[y].type,1,1);
mp_uword numSamples = 0;
f.readWords(&numSamples,1);
- if(numSamples > 96)
+ if(numSamples > MP_MAXINSSAMPS)
return MP_LOADER_FAILED;
instr[y].samp = numSamples;
@@ -169,8 +171,8 @@ mp_sint32 LoaderXM::load(XMFileBase& f, XModule* module)
if (instr[y].samp) {
mp_ubyte* insDataPtr = insData;
- memcpy(nbu, insDataPtr, 96);
- insDataPtr+=96;
+ memcpy(nbu, insDataPtr, MP_MAXINSSAMPS);
+ insDataPtr+=MP_MAXINSSAMPS;
TEnvelope venv;
TEnvelope penv;
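Review bot: `MP_MAXINSSAMPS` is used here as the byte length of a field inside `insData`, which ties the parser's layout to a macro whose name reads as a per-instrument sample limit. `insData` is declared with 230 bytes in the first hunk, so raising the macro later would shift every field parsed after this copy and, for a large enough value, run the `memcpy` past the buffer. A separate constant for the table length would make the dependency explicit, as would a comment at the macro such as `/* also the length of the per-instrument sample map copied in LoaderXM; do not change independently */`. The same applies to the copy in the hunk at -532.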
@@ -285,7 +287,7 @@ mp_sint32 LoaderXM::load(XMFileBase& f, XModule* module)
instr[y].samp = g;
- for (sc = 0; sc < 96; sc++) {
+ for (sc = 0; sc < MP_MAXINSSAMPS; sc++) {
if (smpReloc[nbu[sc]] == -1)
instr[y].snum[sc] = -1;
else
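Review bot: `smpReloc[nbu[sc]]` is still indexed with an unchecked byte. `nbu` is an `mp_ubyte` array filled by `memcpy` from `insData`, so each entry can be 0–255, while `smpReloc` has only `MP_MAXINSSAMPS` (96) elements. If `insData` holds bytes read from the module file, as it appears to, a crafted file can make this loop read past the end of the stack array. Treating an out-of-range entry as unmapped closes this: `if (nbu[sc] >= MP_MAXINSSAMPS || smpReloc[nbu[sc]] == -1)`. The identical loop in the hunk at -650 needs the same guard. The `else` branch continues outside this hunk and presumably indexes `smpReloc` the same way.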
@@ -491,6 +493,8 @@ mp_sint32 LoaderXM::load(XMFileBase& f, XModule* module)
f.read(&instr[y].type,1,1);
f.readWords(&instr[y].samp,1);
}
+ if (instr[y].samp > MP_MAXINSSAMPS)
+ return MP_LOADER_FAILED;
//printf("%i, %i\n", instr[y].size, instr[y].samp);
@@ -532,8 +536,8 @@ mp_sint32 LoaderXM::load(XMFileBase& f, XModule* module)
//f.read(&nbu,1,96);
- memcpy(nbu, insDataPtr, 96);
- insDataPtr+=96;
+ memcpy(nbu, insDataPtr, MP_MAXINSSAMPS);
+ insDataPtr+=MP_MAXINSSAMPS;
TEnvelope venv;
TEnvelope penv;
@@ -650,7 +654,7 @@ mp_sint32 LoaderXM::load(XMFileBase& f, XModule* module)
instr[y].samp = g;
- for (sc = 0; sc < 96; sc++) {
+ for (sc = 0; sc < MP_MAXINSSAMPS; sc++) {
if (smpReloc[nbu[sc]] == -1)
instr[y].snum[sc] = -1;
else
diff --git a/src/milkyplay/XModule.h b/src/milkyplay/XModule.h
index f42d04b..4f04a2d 100644
--- a/src/milkyplay/XModule.h
+++ b/src/milkyplay/XModule.h
@@ -40,6 +40,8 @@
#define MP_MAXTEXT 32
#define MP_MAXORDERS 256
+#define MP_MAXINS 255
+#define MP_MAXINSSAMPS 96
struct TXMHeader
{