3 Mar 2015, 12:21 p.m.
Dan Carpenter wrote:
In snd_opl3_calc_pitch() then the limit is:
if (pitchbend > 0x1FFF) pitchbend = 0x1FFF;
But it can underflow meaning that segment can be as low as SHORT_MIN / 0x1000 and we can read 6 elements before the start of the opl3_note_table[] array.
- short midi_pitchbend; /* Pitch bend amount */
- unsigned short midi_pitchbend; /* Pitch bend amount */
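Review bot: the declaration change for midi_pitchbend, from short to unsigned short, drops the sign of the value instead of bounding it, while the read before opl3_note_table[] described above comes from a negative value that is never checked. Suggest keeping the field as short and adding a lower-bound clamp in snd_opl3_calc_pitch() beside the existing `if (pitchbend > 0x1FFF) pitchbend = 0x1FFF;`, so that segment cannot index below the start of the table. Both lines of the hunk carry a "-" marker in this copy; the second reads as the added line.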
Pitch bend is a signed 14-bit value. What is wrong is the missing check for the lower bound.
Regards, Clemens