readmidi.c (groom_list): avoid integer overflow when recomputing time.
authorOzkan Sezer <sezeroz@gmail.com>
Wed, 03 Oct 2018 21:55:00 +0300
changeset 863b81eb791d10d
parent 862 fba113e1d189
child 891 c39a11fa853e
readmidi.c (groom_list): avoid integer overflow when recomputing time.

from libtimidity -- see:
https://sourceforge.net/p/libtimidity/libtimidity/ci/11be98a89eac229111420e6a3d521edbfddb0dbc/
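--- a/timidity/readmidi.c
+++ b/timidity/readmidi.c
@@ -97,7 +97,7 @@
       if (SDL_RWread(song->rw, &me, 1, 1) != 1)
 	{
 	  SNDDBG(("read_midi_event: SDL_RWread() failure\n"));
-	  return 0;
+	  return NULL;
 	}
       
       if(me==0xF0 || me == 0xF7) /* SysEx event */
@@ -455,6 +455,10 @@
       /* Recompute time in samples*/
       if ((dt=meep->event.time - at) && !counting_time)
 	{
+	  if (song->sample_increment  > 2147483647/dt ||
+	      song->sample_correction > 2147483647/dt) {
+	      goto _overflow;
+	    }
 	  samples_to_do = song->sample_increment * dt;
 	  sample_cum += song->sample_correction * dt;
 	  if (sample_cum & 0xFFFF0000)
@@ -462,6 +466,13 @@
 	      samples_to_do += ((sample_cum >> 16) & 0xFFFF);
 	      sample_cum &= 0x0000FFFF;
 	    }
+	  if (st >= 2147483647 - samples_to_do) {
+	  _overflow:
+	      SNDDBG(("Overflow in sample counter\n"));
+	      free_midi_list(song);
+	      free(groomed_list);
+	      return NULL;
+	    }
 	  st += samples_to_do;
 	}
       else if (counting_time==1) counting_time=0;
@@ -502,7 +513,7 @@
 
   song->event_count=0;
   song->at=0;
-  song->evlist=0;
+  song->evlist = NULL;
 
   if (SDL_RWread(song->rw, tmp, 1, 4) != 4 || SDL_RWread(song->rw, &len, 4, 1) != 1)
     {
@@ -598,5 +609,6 @@
 	  }
       break;
     }
+
   return groom_list(song, divisions, count, sp);
 }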
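Review bot: The two guards added in the `@@ -455` hunk cap each product at 2147483647, but the additions that follow, `sample_cum += song->sample_correction * dt` and `samples_to_do += ((sample_cum >> 16) & 0xFFFF)`, can still exceed that limit when a product lands within 0xFFFF of it. This assumes the counters are 32-bit signed, as the literal suggests; their declarations are outside the hunk. Since `dt` comes from event times in the file being parsed, I would leave headroom in the guard, e.g. `song->sample_increment > (2147483647 - 0xFFFF)/dt || song->sample_correction > (2147483647 - 0xFFFF)/dt`, which also keeps `2147483647 - samples_to_do` non-negative in the later `st` check. The division-based test is only meaningful for positive `dt` and non-negative increments, which the visible lines do not establish, so a short comment stating that precondition would help, as would a named constant in place of the repeated literal. `groom_list` begins and ends outside these hunks.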