git: 369207a6c471 - stable/15 - virtual_oss(8): Fix buffer overflow in voss_compressor() call
Date: Mon, 01 Jun 2026 17:32:27 UTC
The branch stable/15 has been updated by christos:
URL: https://cgit.FreeBSD.org/src/commit/?id=369207a6c4713c64d2411eb96e3f0d6ddab6169e
commit 369207a6c4713c64d2411eb96e3f0d6ddab6169e
Author: Christos Margiolis <christos@FreeBSD.org>
AuthorDate: 2026-05-28 13:51:26 +0000
Commit: Christos Margiolis <christos@FreeBSD.org>
CommitDate: 2026-06-01 17:32:18 +0000
virtual_oss(8): Fix buffer overflow in voss_compressor() call
This particular call swaps the samples and maxchan arguments, which can
cause a buffer overflow in p_ch_chain if maxchan exceeds its bounds
(VMAX_CHAN).
Reported by: Yuxiang Yang, Yizhou Zhao, Ao Wang, Xuewei Feng, Qi Li, and Ke Xu from Tsinghua University using GLM-5.1 from Z.ai
Sponsored by: The FreeBSD Foundation
MFC after: 3 days
Reviewed by: emaste
(cherry picked from commit 453de99b386d40754a038cc4b804f4c7a3b04624)
---
usr.sbin/virtual_oss/virtual_oss/virtual_oss.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/usr.sbin/virtual_oss/virtual_oss/virtual_oss.c b/usr.sbin/virtual_oss/virtual_oss/virtual_oss.c
index 18af38d8e7aa..1da50979873d 100644
--- a/usr.sbin/virtual_oss/virtual_oss/virtual_oss.c
+++ b/usr.sbin/virtual_oss/virtual_oss/virtual_oss.c
@@ -781,8 +781,8 @@ virtual_oss_process(void *arg __unused)
/* check if compressor should be applied */
voss_compressor(buffer_temp, pvp->rx_compressor_gain,
- &pvp->rx_compressor_param, samples,
- samples * src_chans, (1ULL << (pvp->bits - 1)) - 1ULL);
+ &pvp->rx_compressor_param, samples * src_chans,
+ src_chans, (1ULL << (pvp->bits - 1)) - 1ULL);
TAILQ_FOREACH(pvc, &pvp->head, entry) {
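Review bot: the corrected voss_compressor() call still passes the sample count (`samples * src_chans`) and the channel count (`src_chans`) as two adjacent count arguments, and nothing at the call site distinguishes them, so a transposition like the one removed here can recur unnoticed. Since the commit message says p_ch_chain overflows when maxchan exceeds VMAX_CHAN, consider having voss_compressor() check maxchan against VMAX_CHAN before it indexes the array, and confirm that the other voss_compressor() callers pass these two arguments in the same order. The removed lines passed `samples` and `samples * src_chans`, which is not a plain permutation of the new values: the old fourth argument lacked the `* src_chans` factor, and the commit message would be more precise if it mentioned that as well.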