git: 453de99b386d - main - virtual_oss(8): Fix buffer overflow in voss_compressor() call

Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: Christos Margiolis <christos_at_FreeBSD.org>
Date: Thu, 28 May 2026 14:46:09 UTC

The branch main has been updated by christos:

URL: https://cgit.FreeBSD.org/src/commit/?id=453de99b386d40754a038cc4b804f4c7a3b04624

commit 453de99b386d40754a038cc4b804f4c7a3b04624
Author:     Christos Margiolis <christos@FreeBSD.org>
AuthorDate: 2026-05-28 13:51:26 +0000
Commit:     Christos Margiolis <christos@FreeBSD.org>
CommitDate: 2026-05-28 14:46:01 +0000

    virtual_oss(8): Fix buffer overflow in voss_compressor() call
    
    This particular calls swaps the samples and maxchan arguments, which can
    cause a buffer overflow in p_ch_chain if maxchan exceeds its bounds
    (VMAX_CHAN).
    
    Reported by:    Yuxiang Yang, Yizhou Zhao, Ao Wang, Xuewei Feng, Qi Li, and Ke Xu from Tsinghua University using GLM-5.1 from Z.ai
    Sponsored by:   The FreeBSD Foundation
    MFC after:      3 days
    Reviewed by:    emaste
---
 usr.sbin/virtual_oss/virtual_oss/virtual_oss.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/usr.sbin/virtual_oss/virtual_oss/virtual_oss.c b/usr.sbin/virtual_oss/virtual_oss/virtual_oss.c
index 1d95c87d57b1..42a748a5e3bd 100644
--- a/usr.sbin/virtual_oss/virtual_oss/virtual_oss.c
+++ b/usr.sbin/virtual_oss/virtual_oss/virtual_oss.c
@@ -783,8 +783,8 @@ virtual_oss_process(void *arg __unused)
 
 			    /* check if compressor should be applied */
 			    voss_compressor(buffer_temp, pvp->rx_compressor_gain,
-				&pvp->rx_compressor_param, samples,
-			        samples * src_chans, (1ULL << (pvp->bits - 1)) - 1ULL);
+				&pvp->rx_compressor_param, samples * src_chans,
+				src_chans, (1ULL << (pvp->bits - 1)) - 1ULL);
 
 			    TAILQ_FOREACH(pvc, &pvp->head, entry) {