fix integer overflow in midi parser sample count calculation (bug #200)

Mindwerks · Nov 5, 2020 · 775894c · 775894c
1 parent ba2dca8
commit 775894c
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -33,6 +33,8 @@ Requirements:
 CHANGELOG
 
 0.3.16
+* Fixed integer overflow in midi parser sample count calculation
+ (bug #200).
 * Fixed 8 bit ping pong GUS patch loaders (bug #207).
 * Fixed wrong variable use in reverb code (bug #210).
 * Reset block status of tty after playback (bug #211).

diff --git a/src/wildmidi_lib.c b/src/wildmidi_lib.c
@@ -2821,6 +2821,13 @@ WM_ParseNewMidi(unsigned char *midi_data, unsigned int midi_size) {
 			NEXT_TRACK: continue;
 		}
 
+		if ((float)smallest_delta >= 0x7fffffff / samples_per_delta_f) {
+			// DEBUG
+			//fprintf(stderr,"INTEGER OVERFLOW (samples_per_delta: %f, smallest_delta: %lu)\n",
+			//	samples_per_delta_f, smallest_delta);
+			_WM_ERROR(__FUNCTION__, __LINE__, WM_ERR_CORUPT, NULL, 0);
+			goto _end;
+		}
 		subtract_delta = smallest_delta;
 		sample_count_tmp = (((float) smallest_delta * samples_per_delta_f)
 				+ sample_remainder);