Hi, I'm currently trying to use the static analysis tool Infer to find uncaught API-misuse bugs in OpenWrt packages, and I found a potential integer overflow in your project, version 1.2.9.
The bug is located in aplay/aplay.c. Firstly, the program tries to write the remaining bytes in `audiobuf` with the length of `loaded` in line 2865, and `loaded` is later used as the parameter for `safe_read` in the loop, then `loaded` is used as the 2nd argument of `pcm_write()` and finally, after a multiply operation, it is used as the size of `malloc` in `remap_data()`, as shown in the following code:
```c
static void playback_go(int fd, size_t loaded, off_t count, int rtype, char *name)
{
	int l, r;
	off_t written = 0;
	off_t c;

	header(rtype, name);
	set_params();

	while (loaded > chunk_bytes && written < count && !in_aborting) {
		if (pcm_write(audiobuf + written, chunk_size) <= 0)
			return;
		written += chunk_bytes;
		loaded -= chunk_bytes;
	}
	if (written > 0 && loaded > 0)
		memmove(audiobuf, audiobuf + written, loaded);

	l = loaded;
	while (written < count && !in_aborting) {
		do {
			c = count - written;
			if (c > chunk_bytes)
				c = chunk_bytes;
			/* c < l, there is more data loaded
			 * than we actually need to write */
			if (c < l)
				l = c;
			c -= l;
			if (c == 0)
				break;
			r = safe_read(fd, audiobuf + l, c);
			if (r < 0) {
				perror(name);
				prg_exit(EXIT_FAILURE);
			}
			fdcount += r;
			if (r == 0)
				break;
			l += r;
		} while ((size_t)l < chunk_bytes);
		l = l * 8 / bits_per_frame;
		r = pcm_write(audiobuf, l);
		if (r != l)
			break;
		r = r * bits_per_frame / 8;
		written += r;
		l = 0;
	}
	if (!in_aborting) {
		snd_pcm_nonblock(handle, 0);
		snd_pcm_drain(handle);
		snd_pcm_nonblock(handle, nonblock);
	}
}
```
```c
/* in remap_data() */
chunk_bytes = count * bits_per_frame / 8;
if (tmp_size < chunk_bytes) {
	free(tmp);
	tmp = malloc(chunk_bytes);
	if (!tmp) {
		error(_("not enough memory"));
		exit(1);
	}
	tmp_size = count;
}
```
The parameter passed to `malloc` may overflow, so that the actual allocated memory is small.
I also attached the analysis trace given by Infer FYI:
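As an added illustration (not code from alsa-utils or from the reporter), the `count * bits_per_frame / 8` computation that `remap_data()` feeds into `malloc()`, written once unchecked and once with an explicit wrap check so that a wrapped product is rejected before it becomes an allocation size; `unchecked_chunk_bytes` and `checked_chunk_bytes` are hypothetical helper names:

```c
/* Added example, not alsa-utils code. Shows the unchecked size computation
 * from remap_data() next to a version that refuses to wrap. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Mirrors the expression on the page: silently wraps modulo SIZE_MAX + 1,
 * so a huge frame count can yield a tiny (even zero) byte count. */
size_t unchecked_chunk_bytes(size_t count, size_t bits_per_frame)
{
	return count * bits_per_frame / 8;
}

/* Same computation with the multiplication guarded first.
 * Returns 0 and stores the byte count in *out on success;
 * returns -1 if count * bits_per_frame would exceed SIZE_MAX. */
int checked_chunk_bytes(size_t count, size_t bits_per_frame, size_t *out)
{
	if (bits_per_frame == 0 || count > SIZE_MAX / bits_per_frame)
		return -1;          /* product would wrap: do not allocate */
	*out = count * bits_per_frame / 8;
	return 0;
}

int main(void)
{
	/* Constructed inputs: a normal 16-bit frame count and a frame count
	 * chosen so that count * 16 wraps to exactly 0 on any size_t width. */
	size_t huge = SIZE_MAX / 8 + 1;
	size_t bytes;

	printf("unchecked(1024, 16) = %zu\n", unchecked_chunk_bytes(1024, 16));
	printf("unchecked(huge, 16) = %zu (wrapped)\n", unchecked_chunk_bytes(huge, 16));
	if (checked_chunk_bytes(huge, 16, &bytes) != 0)
		printf("checked(huge, 16) rejected: would overflow\n");
	return 0;
}
```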