From 3694314058e20075c83e6f1a3f0ecf82e6135888 Mon Sep 17 00:00:00 2001 From: William Wilgus Date: Sun, 8 Jan 2023 15:43:05 -0500 Subject: [PATCH] [BugFix] voicefont.c buffer overflow voicefont.c expected a max of 999 voice IDs we are at 1013 or so bad stuff happened TM new limit is 2048 and added an error message (no file will be created if limit exceeded) Change-Id: Ifda6dc5c45883551f8ae8f0d4efc9f7acdb7c90f --- tools/voicefont.c | 29 +++++++++++++++++++++-------- 1 file changed, 21 insertions(+), 8 deletions(-) diff --git a/tools/voicefont.c b/tools/voicefont.c index b732f49c07..82ab537b73 100644 --- a/tools/voicefont.c +++ b/tools/voicefont.c @@ -29,8 +29,9 @@ #include #include -#define HEADER_SIZE 20 - +#define HEADER_SIZE (20) +#define MAX_NAME_LEN (80) +#define MAX_VOICE_ENTRIES (2048) /* endian conversion macros */ #if defined(__BIG_ENDIAN__) #define UINT_TO_BE(x) (x) @@ -47,11 +48,11 @@ int voicefont(FILE* voicefontids,int targetnum,char* filedir, FILE* output, unsi int i,j; /* two tables, one for normal strings, one for voice-only (>0x8000) */ - static char names[1000][80]; /* worst-case space */ - char name[80]; /* one string ID */ - static int pos[1000]; /* position of sample */ - static int size[1000]; /* length of clip */ - int voiceonly[1000]; /* flag if this is voice only */ + static char names[MAX_VOICE_ENTRIES][MAX_NAME_LEN]; /* worst-case space */ + char name[MAX_NAME_LEN]; /* one string ID */ + static int pos[MAX_VOICE_ENTRIES]; /* position of sample */ + static int size[MAX_VOICE_ENTRIES]; /* length of clip */ + int voiceonly[MAX_VOICE_ENTRIES]; /* flag if this is voice only */ int count = 0; int count_voiceonly = 0; unsigned int value; /* value to be written to file */ @@ -86,6 +87,11 @@ int voicefont(FILE* voicefontids,int targetnum,char* filedir, FILE* output, unsi } fclose(voicefontids); + if (count > MAX_VOICE_ENTRIES) + { + return -1; + } + fseek(output, HEADER_SIZE + count*8, SEEK_SET); /* space for header */ for (i=0; i