From 4b46493cb4f8699c95e01783eee5cf90ca7810e2 Mon Sep 17 00:00:00 2001 From: rppicomidi Date: Thu, 20 Mar 2025 06:27:23 -0700 Subject: [PATCH 1/3] Fix #3033: Increase array bounds and test for overflow --- src/class/midi/midi_host.c | 3 ++- src/class/midi/midi_host.h | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/src/class/midi/midi_host.c b/src/class/midi/midi_host.c index cfea0c080..68e46aca3 100644 --- a/src/class/midi/midi_host.c +++ b/src/class/midi/midi_host.c @@ -254,7 +254,8 @@ bool midih_open(uint8_t rhport, uint8_t dev_addr, tusb_desc_interface_t const *d TU_LOG_DRV(" Jack %s %s descriptor \r\n", tu_desc_subtype(p_desc) == MIDI_CS_INTERFACE_IN_JACK ? "IN" : "OUT", p_desc[3] == MIDI_JACK_EXTERNAL ? "External" : "Embedded"); - desc_cb.desc_jack[desc_cb.jack_num++] = p_desc; + if (desc_cb.jack_num < TU_ARRAY_SIZE(desc_cb.desc_jack)) + desc_cb.desc_jack[desc_cb.jack_num++] = p_desc; break; } diff --git a/src/class/midi/midi_host.h b/src/class/midi/midi_host.h index 67df25a82..06554a03d 100644 --- a/src/class/midi/midi_host.h +++ b/src/class/midi/midi_host.h @@ -69,7 +69,7 @@ typedef struct { const tusb_desc_endpoint_t* desc_epout; // endpoint OUT descriptor, CS_ENDPOINT is right after uint8_t jack_num; - const uint8_t* desc_jack[16]; // list of jack descriptors (embedded + external) + const uint8_t* desc_jack[32]; // list of jack descriptors (embedded + external) } tuh_midi_descriptor_cb_t; typedef struct { From b0def52f45439c3dc41a0c370115deb54cd443e4 Mon Sep 17 00:00:00 2001 From: rppicomidi Date: Fri, 21 Mar 2025 07:13:01 -0700 Subject: [PATCH 2/3] Move misplaced statement --- src/class/midi/midi_host.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/class/midi/midi_host.c b/src/class/midi/midi_host.c index 68e46aca3..b252e8466 100644 --- a/src/class/midi/midi_host.c +++ b/src/class/midi/midi_host.c @@ -591,8 +591,8 @@ uint32_t tuh_midi_stream_read(uint8_t idx, uint8_t *p_cable_num, uint8_t *p_buff break; default: break; - cable_sysex_in_progress &= (uint16_t) ~cable_mask; } + cable_sysex_in_progress &= (uint16_t) ~cable_mask; } else { // Real-time message: can be inserted into a sysex message, // so do don't clear cable_sysex_in_progress bit From 3324a327cbd82d18305030ba2247cbbc71dc9f19 Mon Sep 17 00:00:00 2001 From: rppicomidi Date: Fri, 21 Mar 2025 07:14:10 -0700 Subject: [PATCH 3/3] Fix #3033: address review comment --- src/class/midi/midi_host.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/class/midi/midi_host.c b/src/class/midi/midi_host.c index b252e8466..cd6e115ee 100644 --- a/src/class/midi/midi_host.c +++ b/src/class/midi/midi_host.c @@ -254,8 +254,9 @@ bool midih_open(uint8_t rhport, uint8_t dev_addr, tusb_desc_interface_t const *d TU_LOG_DRV(" Jack %s %s descriptor \r\n", tu_desc_subtype(p_desc) == MIDI_CS_INTERFACE_IN_JACK ? "IN" : "OUT", p_desc[3] == MIDI_JACK_EXTERNAL ? "External" : "Embedded"); - if (desc_cb.jack_num < TU_ARRAY_SIZE(desc_cb.desc_jack)) + if (desc_cb.jack_num < TU_ARRAY_SIZE(desc_cb.desc_jack)) { desc_cb.desc_jack[desc_cb.jack_num++] = p_desc; + } break; }