From 775894cee552f3462a06f602abc09b07fc2abed2 Mon Sep 17 00:00:00 2001
From: Ozkan Sezer
Date: Thu, 5 Nov 2020 11:10:20 +0300
Subject: [PATCH] fix integer overflow in midi parser sample count calculation (bug #200)
---
 README.md | 2 ++
 src/wildmidi_lib.c | 7 +++++++
 2 files changed, 9 insertions(+)
diff --git a/README.md b/README.md
index 7364f490..7148c515 100644
--- a/README.md
+++ b/README.md
@@ -33,6 +33,8 @@ Requirements:
 CHANGELOG
 0.3.16
+* Fixed integer overflow in midi parser sample count calculation
+ (bug #200).
 * Fixed 8 bit ping pong GUS patch loaders (bug #207).
 * Fixed wrong variable use in reverb code (bug #210).
 * Reset block status of tty after playback (bug #211).
diff --git a/src/wildmidi_lib.c b/src/wildmidi_lib.c
index 00cd6367..9d4ff4f1 100644
--- a/src/wildmidi_lib.c
+++ b/src/wildmidi_lib.c
@@ -2821,6 +2821,13 @@ WM_ParseNewMidi(unsigned char *midi_data, unsigned int midi_size) {
 NEXT_TRACK:
 continue;
 }
+ if ((float)smallest_delta >= 0x7fffffff / samples_per_delta_f) {
+ // DEBUG
+ //fprintf(stderr,"INTEGER OVERFLOW (samples_per_delta: %f, smallest_delta: %lu)\n",
+ // samples_per_delta_f, smallest_delta);
+ _WM_ERROR(__FUNCTION__, __LINE__, WM_ERR_CORUPT, NULL, 0);
+ goto _end;
+ }
 subtract_delta = smallest_delta;
 sample_count_tmp = (((float) smallest_delta * samples_per_delta_f) + sample_remainder);
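Review bot: The new guard in WM_ParseNewMidi bounds only `smallest_delta * samples_per_delta_f`, while the value computed two lines later also adds `sample_remainder`, and because it is written as `>=` against a quotient, a NaN `samples_per_delta_f` compares false and passes the check. Both operands are presumably derived from the parsed file, so I would test the value that is actually converted, in a form that fails closed: compute `sample_count_tmp` first (assuming it is a float, as the cast suggests) and then use `if (!(sample_count_tmp < 2147483648.0f)) { _WM_ERROR(__FUNCTION__, __LINE__, WM_ERR_CORUPT, NULL, 0); goto _end; }`. `0x7fffffff` is not representable in float and already rounds to 2^31 in the current expression, so the explicit literal states the bound that is really applied. The commented-out `fprintf` block is dead code and should be removed rather than left in the parser. The function continues outside the hunk, so whether the running sample total fed by this step is also bounded, and what `_end` releases, cannot be checked from here.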