"Nick Davis" firstname.lastname@example.org
Narf Industries (NRFIN)
SOLFEDGE is state of the art software used by ARRRRGH, the Academy of Really, Really, Really, Really, Great Harmony, to translate their music between notes and syllables (Solmization).
ARRRRGH teaches their classes in French, so SOFEDGE is designed to use the French 'fixed do' method of solfedge and only recognizes the C major scale.
This service is a translation engine, so it has 2 primary functions:
Valid notes are: C D E F G A * B
And valid syllables are: Ut Re Mi Fa Sol La * Si
A single harmony can contain up to 2048 syllables or notes.
The buffer that stores syllables is 4096 bytes long. Assuming syllables are 2 bytes, that allows 2048 syllables. The syllable 'sol' is 3 bytes long, while the rest are 2 chars long. So, if the user provides a harmony that contains 2048 notes and one or more of those notes corresponds to the syllable 'sol', then writing those notes as syllables will go beyond the syllables buffer (page) and cause a segfault.
More specifically, in operation.c:process_notes, the while loop will cause write_syllable_to_buf to write into the syllables_buf until one of 3 conditions happens. 1) an error is returned, 2) all of the input bytes have been processed, and 3) the total chars written to the syllable buf has reached the MAX_SYLLABLES_BYTES. The comparison (total_bytes_written < MAX_SYLLABLES_BYTES) is a form of an off-by-one error, because each iteration of the loop can write 2 or 3 bytes. So, if total_bytes_written is 1 or 2 less than MAX_SYLLABLES_BYTES, the loop will run one more iteration. If it is 1 less, that iteration will cause a segfault with both a 2-btye and 3-byte syllable. If it is 2 less, that iteration will cause segfault with a 3-byte syllable.
The segfault will occur in operations.c:write_syllable_to_buf at either line 224 or 227.
There are multiple ways to patch this vuln. The provided PATCHED version uses a more optimal patch that covers both failure conditions. It is also possible to put a much more restrictive bound on total_bytes_written (i.e. 100 or 2000), that will prevent the overflow, but will also greatly shorten the possible harmony length.
A more extensive patch, that is unlikely for automated patching is to pass the total_bytes_written value into write_syllable_to_buf, and perform a check that can calculate how many more bytes will fit into the buffer before it writes any bytes. It could then return an error value if there are not enough bytes remaining to complete the write.
Improper Input Validation Improper Validation of Array Index Off-by-one Error
Improper Input Validation CWE-20
Improper Validation of Array Index CWE-129
Off-by-one Error CWE-193
Curated by Lunge Technology, LLC. Questions or comments? Send us email