ALSA: emux: centralize & improve patch info validation

This does several closely related things:
- Move the code from the drivers into the SoundFont loader, which
  de-duplicates it.
- Sort of explain the weird "recalculate address offset" feature. Note
  that I don't think it actually makes any sense - the calling user
  space code should do that. The background is certainly that the source
  data (the SoundFont format) uses pointers into a single wave block
  (and the API allows doing the same for on-board ROM), but the API
  expects the wave data from user space to be pre-chopped into
  individual patches anyway.
- Make sure that the specified offsets actually lie within the supplied
  wave data. Note that we don't validate ROM offsets, so one can play
  back anything within the sound card's address space.
- In load_guspatch(), don't call the sample_new callback anymore when
  the patch size is zero, as was already the case in load_data(). The
  callbacks would instantly return in that case anyway; these checks are
  now removed.

Signed-off-by: Oswald Buddenhagen <oswald.buddenhagen@gmx.de>
Message-ID: <20240406064830.1029573-7-oswald.buddenhagen@gmx.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>

diff --git a/sound/isa/sb/emu8000_patch.c b/sound/isa/sb/emu8000_patch.c
index 8c1e7f2bfc34a11575495eda050203f68737b580..ab4f988f080dc79ef6a4c778ca7f999eb1731359 100644 (file)
--- a/sound/isa/sb/emu8000_patch.c
+++ b/sound/isa/sb/emu8000_patch.c
@@ -148,13 +148,6 @@ snd_emu8000_sample_new(struct snd_emux *rec, struct snd_sf_sample *sp,
        if (snd_BUG_ON(!sp))
                return -EINVAL;
 
-       if (sp->v.size == 0)
-               return 0;
-
-       /* be sure loop points start < end */
-       if (sp->v.loopstart > sp->v.loopend)
-               swap(sp->v.loopstart, sp->v.loopend);
-
        /* compute true data size to be loaded */
        truesize = sp->v.size;
        if (sp->v.mode_flags & (SNDRV_SFNT_SAMPLE_BIDIR_LOOP|SNDRV_SFNT_SAMPLE_REVERSE_LOOP))
@@ -177,12 +170,6 @@ snd_emu8000_sample_new(struct snd_emux *rec, struct snd_sf_sample *sp,
                        return -EFAULT;
        }
 
-       /* recalculate address offset */
-       sp->v.end -= sp->v.start;
-       sp->v.loopstart -= sp->v.start;
-       sp->v.loopend -= sp->v.start;
-       sp->v.start = 0;
-
        /* dram position (in word) -- mem_offset is byte */
        dram_offset = EMU8000_DRAM_OFFSET + (sp->block->offset >> 1);
        dram_start = dram_offset;

diff --git a/sound/pci/emu10k1/emu10k1_patch.c b/sound/pci/emu10k1/emu10k1_patch.c
index 49214c22680847815b0c41ba8006cc825dc463a5..47d69a0e44bc6019b027cfbba24d3bba5234dfdc 100644 (file)
--- a/sound/pci/emu10k1/emu10k1_patch.c
+++ b/sound/pci/emu10k1/emu10k1_patch.c
@@ -35,28 +35,12 @@ snd_emu10k1_sample_new(struct snd_emux *rec, struct snd_sf_sample *sp,
        if (snd_BUG_ON(!sp || !hdr))
                return -EINVAL;
 
-       if (sp->v.size == 0) {
-               dev_dbg(emu->card->dev,
-                       "emu: rom font for sample %d\n", sp->v.sample);
-               return 0;
-       }
-
        if (sp->v.mode_flags & (SNDRV_SFNT_SAMPLE_BIDIR_LOOP | SNDRV_SFNT_SAMPLE_REVERSE_LOOP)) {
                /* should instead return -ENOTSUPP; but compatibility */
                printk(KERN_WARNING "Emu10k1 wavetable patch %d with unsupported loop feature\n",
                       sp->v.sample);
        }
 
-       /* recalculate address offset */
-       sp->v.end -= sp->v.start;
-       sp->v.loopstart -= sp->v.start;
-       sp->v.loopend -= sp->v.start;
-       sp->v.start = 0;
-
-       /* be sure loop points start < end */
-       if (sp->v.loopstart >= sp->v.loopend)
-               swap(sp->v.loopstart, sp->v.loopend);
-
        /* compute true data size to be loaded */
        truesize = sp->v.size + BLANK_HEAD_SIZE;
        if (sp->v.mode_flags & SNDRV_SFNT_SAMPLE_NO_BLANK)

diff --git a/sound/synth/emux/soundfont.c b/sound/synth/emux/soundfont.c
index ad0231d7a39db9b6211b1961131010c48c41f6c4..6d6f0102ed5b920f30f55a4c7fcb83ec1845a56b 100644 (file)
--- a/sound/synth/emux/soundfont.c
+++ b/sound/synth/emux/soundfont.c
@@ -689,6 +689,21 @@ find_sample(struct snd_soundfont *sf, int sample_id)
 }
 
 
+static int
+validate_sample_info(struct soundfont_sample_info *si)
+{
+       if (si->end < 0 || si->end > si->size)
+               return -EINVAL;
+       if (si->loopstart < 0 || si->loopstart > si->end)
+               return -EINVAL;
+       if (si->loopend < 0 || si->loopend > si->end)
+               return -EINVAL;
+       /* be sure loop points start < end */
+       if (si->loopstart > si->loopend)
+               swap(si->loopstart, si->loopend);
+       return 0;
+}
+
 /*
  * Load sample information, this can include data to be loaded onto
  * the soundcard.  It can also just be a pointer into soundcard ROM.
@@ -727,6 +742,21 @@ load_data(struct snd_sf_list *sflist, const void __user *data, long count)
                return -EINVAL;
        }
 
+       if (sample_info.size > 0) {
+               if (sample_info.start < 0)
+                       return -EINVAL;
+
+               // Here we "rebase out" the start address, because the
+               // real start is the start of the provided sample data.
+               sample_info.end -= sample_info.start;
+               sample_info.loopstart -= sample_info.start;
+               sample_info.loopend -= sample_info.start;
+               sample_info.start = 0;
+
+               if (validate_sample_info(&sample_info) < 0)
+                       return -EINVAL;
+       }
+
        /* Allocate a new sample structure */
        sp = sf_sample_new(sflist, sf);
        if (!sp)
@@ -974,6 +1004,11 @@ load_guspatch(struct snd_sf_list *sflist, const char __user *data, long count)
        smp->v.loopend = patch.loop_end;
        smp->v.size = patch.len;
 
+       if (validate_sample_info(&smp->v) < 0) {
+               sf_sample_delete(sflist, sf, smp);
+               return -EINVAL;
+       }
+
        /* set up mode flags */
        smp->v.mode_flags = 0;
        if (!(patch.mode & WAVE_16_BITS))
@@ -1011,7 +1046,7 @@ load_guspatch(struct snd_sf_list *sflist, const char __user *data, long count)
        /*
         * load wave data
         */
-       if (sflist->callback.sample_new) {
+       if (smp->v.size > 0 && sflist->callback.sample_new) {
                rc = sflist->callback.sample_new
                        (sflist->callback.private_data, smp, sflist->memhdr,
                         data, count);