alsa-project/alsa-utils issue #282 was opened from geoffreybennett: While trying to figure out how TLVs work, I found that if the length field is not a multiple of 4 then amixer and alsactl keep reading past the end of the buffer until they segfault, because size is unsigned. One example here: ``` diff --git a/amixer/amixer.c b/amixer/amixer.c index 8b8000b..03cc9cb 100644 --- a/amixer/amixer.c +++ b/amixer/amixer.c @@ -587,7 +587,7 @@ static void decode_tlv(unsigned int spaces, unsigned int *tlv, unsigned int tlv_ #endif default: printf("unk-%u-", type); - while (size > 0) { + while (size >= sizeof(unsigned int)) { printf("0x%08x,", tlv[idx++]); size -= sizeof(unsigned int); } ``` Issue URL : https://github.com/alsa-project/alsa-utils/issues/282 Repository URL: https://github.com/alsa-project/alsa-utils
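Review bot: In the default branch of decode_tlv, the new condition `while (size >= sizeof(unsigned int))` stops the unsigned wrap, but it silently drops the 1 to 3 bytes that remain when size is not a multiple of 4, so a malformed TLV prints as if it were well-formed. Consider reporting the leftover after the loop, for example when `size != 0`. The loop is also still bounded only by `size`: nothing in the visible lines checks `idx` against the buffer length passed in the function signature (the parameter name is cut off in the hunk header), so unless `size` is validated earlier, a declared length larger than the buffer would still read past it through `tlv[idx++]`. The report describes this hunk as one example, so any other loop with the same `size > 0` pattern in amixer and alsactl needs the same change.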
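The wrap described in the report, as an added example that is not alsa-utils code: `words_old` simulates the original loop condition without reading memory, and `dump_words` is a hypothetical bounded variant that also checks the words actually available. The function names, the demo cap and the payload are assumptions made for illustration, and a 4-byte `unsigned int` is assumed.

```c
#include <stddef.h>
#include <stdio.h>

/* Simulates the original `while (size > 0)` loop without touching memory:
 * returns how many words it would consume, stopping at `cap` (hypothetical
 * safety limit for this demo only). */
static size_t words_old(unsigned int size, size_t cap)
{
    size_t n = 0;
    while (size > 0 && n < cap) {
        n++;
        size -= sizeof(unsigned int);   /* 2 - 4 wraps to 0xfffffffe */
    }
    return n;
}

/* Bounded dump: stops on the declared length AND on the words actually
 * present in the buffer. Returns words printed; *leftover gets the 1-3
 * trailing bytes of a malformed length (0 when well-formed). */
static size_t dump_words(const unsigned int *tlv, size_t avail_words,
                         unsigned int size, unsigned int *leftover)
{
    size_t idx = 0;
    while (size >= sizeof(unsigned int) && idx < avail_words) {
        printf("0x%08x,", tlv[idx++]);
        size -= sizeof(unsigned int);
    }
    *leftover = size % sizeof(unsigned int);
    return idx;
}

int main(void)
{
    /* Constructed payload: two words, declared length 6 (not a multiple of 4). */
    const unsigned int payload[2] = { 0x11111111u, 0x22222222u };
    unsigned int left;

    printf("old loop, size=6: %zu words before the demo cap\n",
           words_old(6, 1000));
    size_t n = dump_words(payload, 2, 6, &left);
    printf("\nbounded loop: %zu word(s), %u stray byte(s)\n", n, left);
    return 0;
}
```

With a declared length of 6 the simulated original loop never reaches zero and only stops at the demo cap, while the bounded loop prints one word and reports two stray bytes.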