TLVs with (size % 4) != 0 make amixer and alsactl crash

Message ID 20241123061519.64127F80533@alsa1.perex.cz
State New

Commit Message

GitHub issues - opened Nov. 23, 2024, 6:15 a.m. UTC
alsa-project/alsa-utils issue #282 was opened from geoffreybennett:

While trying to figure out how TLVs work, I found that if the length field is not a multiple of 4 then amixer and alsactl keep reading past the end of the buffer until they segfault, because size is unsigned. One example here:
```
```

Issue URL     : https://github.com/alsa-project/alsa-utils/issues/282
Repository URL: https://github.com/alsa-project/alsa-utils
Patch

diff --git a/amixer/amixer.c b/amixer/amixer.c
index 8b8000b..03cc9cb 100644
--- a/amixer/amixer.c
+++ b/amixer/amixer.c
@@ -587,7 +587,7 @@  static void decode_tlv(unsigned int spaces, unsigned int *tlv, unsigned int tlv_
 #endif
        default:
                printf("unk-%u-", type);
-               while (size > 0) {
+               while (size >= sizeof(unsigned int)) {
                        printf("0x%08x,", tlv[idx++]);
                        size -= sizeof(unsigned int);
                }
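
Review bot: In the `default:` branch, the new condition `size >= sizeof(unsigned int)` stops the unsigned wrap-around, but when `size` is not a multiple of 4 the remaining 1 to 3 bytes are now skipped silently, so a malformed TLV prints as if it were well-formed. Consider reporting the leftover after the loop when `size != 0`, for example by printing the remaining byte count. The loop also still reads `tlv[idx++]` guided only by `size`, so it depends on `size` having been checked against the buffer length earlier in `decode_tlv`; that check is not visible in this hunk and is worth confirming. Finally, the issue names both amixer and alsactl, and this diff changes only `amixer/amixer.c`, so alsactl is not covered by this change.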