From: Ozkan Sezer
Date: Wed, 17 Feb 2021 11:50:10 +0300
Subject: [PATCH] fix off-by-one buffer overflow in load_instrument (github bug #299)
---
 timidity/instrum.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/timidity/instrum.c b/timidity/instrum.c
index 25f6e9a3b..d8584ae0c 100644
--- a/timidity/instrum.c
+++ b/timidity/instrum.c
@@ -669,8 +669,8 @@ static InstrumentLayer *load_instrument(const char *name, int font_type, int per
 {
 goto fail;
 }
- sp->data = safe_malloc(sp->data_length + 1);
- lp->size += sp->data_length + 1;
+ sp->data = safe_malloc(sp->data_length + 2);
+ lp->size += sp->data_length + 2;
 if (1 != fread(sp->data, sp->data_length, 1, fp))
 goto fail;
@@ -822,7 +822,7 @@ static InstrumentLayer *load_instrument(const char *name, int font_type, int per
 uint8 *gulp,*ulp;
 int16 *swp;
 int l=sp->data_length >> FRACTION_BITS;
- gulp=ulp=safe_malloc(l+1);
+ gulp=ulp=safe_malloc(l+2);
 swp=(int16 *)sp->data;
 while(l--)
 *ulp++ = (*swp++ >> 8) & 0xFF;
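Review bot: The two pad bytes at the end of `sp->data` are never written in the first hunk, because `fread` fills only `sp->data_length` bytes; unless `safe_malloc` zeroes its result (not visible here), whatever reads past the last sample now stays in bounds but sees indeterminate values. Clearing them after the read, for example `memset((char *)sp->data + sp->data_length, 0, 2);`, would make that read deterministic. The bare `2` is repeated in `lp->size` and in `safe_malloc(l+2)` in the second hunk, so a named constant with a comment such as `/* pad bytes read past the last sample by <reader> */` (reader to be filled in by the author) would keep the three sites in step. `sp->data_length` appears to be taken from the file being loaded, so an upper bound checked before the `+ 2` would also stop the size arithmetic from wrapping. load_instrument's body starts and ends outside the hunk.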
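Review bot: In the second hunk `l` is a signed `int` derived from `sp->data_length`, and nothing visible rejects a negative value before `while(l--)`; if `data_length` is signed and was not range-checked earlier in load_instrument (not shown here), the loop would run past both `gulp` and `sp->data` regardless of the extra pad byte. A guard placed before the allocation, such as `if (l < 0) goto fail;`, would make the bound explicit at the point where it matters. The enclosing block starts and ends outside the hunk, so any existing validation should be confirmed there first.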