Fix possible reads past the end of the buffer.

Found by random fuzz testing (zzuf). Without the fix the fuzzer crashes
in several seconds; with the patch, the fuzzer runs clean for hours.

Index: midiplay.c
===================================================================
RCS file: /cvs/src/usr.bin/midiplay/midiplay.c,v
retrieving revision 1.17
diff -u -p -u -r1.17 midiplay.c
--- midiplay.c  8 Feb 2015 23:40:34 -0000       1.17
+++ midiplay.c  27 Apr 2016 21:45:13 -0000
@@ -319,6 +319,10 @@ playdata(u_char *buf, u_int tot, char *n
                if (memcmp(p, MARK_TRACK, MARK_LEN) == 0) {
                        tracks[t].start = p + MARK_LEN + SIZE_LEN;
                        tracks[t].end = tracks[t].start + len;
+                       if (tracks[t].end > end) {
+                               warnx("Track length exceeds remaining size");
+                               goto ret;
+                       }
                        tracks[t].curtime = getvar(&tracks[t]);
                        t++;
                }
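Review bot: the bounds check at `if (tracks[t].end > end)` is made only after `tracks[t].end = tracks[t].start + len;` has already formed a pointer that may lie past the end of the buffer, which is undefined behaviour in C and, if `start + len` wraps, can make the comparison pass when it should not; compare the length against the bytes remaining instead, e.g. `if (len > (u_int)(end - tracks[t].start))`, and only then assign `tracks[t].end`. The hunk also assumes `tracks[t].start` (`p + MARK_LEN + SIZE_LEN`) is itself within `end`; that check is not visible here, so it is worth confirming it exists in the surrounding code.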