Git log: commit b644a7714712d6177ab96ec28d4ca6ea16c521b7
Author: yangfl <yangfl@users.noreply.github.com>
Date: Thu Dec 4 09:40:49 2025 +0800
debian: update to 2.4
commit 2dac192d11a2d6424c3dae70f174f7d2f13cecde
Merge: 3b75e43 d67f2b6
Author: yangfl <yangfl@users.noreply.github.com>
Date: Thu Dec 4 09:39:23 2025 +0800
Merge tag 'upstream/2.4+dfsg'
commit 3b75e433bff481eed898311ada1f85a24dbe305e
Author: yangfl <yangfl@users.noreply.github.com>
Date: Thu Dec 4 09:38:27 2025 +0800
debian: update to 2.3.3-2.1
commit 408303be6e05f8e17f4cdd0c6e25dd2c3ed45cf8
Author: yangfl <yangfl@users.noreply.github.com>
Date: Wed Jul 15 15:40:00 2020 +0800
debian: update to 2.3.3-2
commit 520b193b7c00bdd8ebffccc3593834c29a299f97
Author: yangfl <yangfl@users.noreply.github.com>
Date: Sat Jun 13 11:43:15 2020 +0800
debian: update to 2.3.3
commit 8837bf45dc214ffe91da2fd288b0ea084522631c
Merge: 7d78036 308af42
Author: yangfl <yangfl@users.noreply.github.com>
Date: Sat Jun 13 12:23:38 2020 +0800
Merge tag 'upstream/2.3.3+dfsg'
commit 308af4208098782e212d8c57aea3e48fa25d44fc
Author: yangfl <yangfl@users.noreply.github.com>
Date: Sat Jun 13 11:37:50 2020 +0800
New upstream version 2.3.3+dfsg
commit 37f287dc9d81cd6aaab61f48da5cacc0ab39130e
Author: Adam Nielsen <malvineous@shikadi.net>
Date: Wed Jun 10 11:07:49 2020 +1000
Release version 2.3.3
commit 7d780366b95eef1e7c27817157e9740cda3c45a2
Author: yangfl <yangfl@users.noreply.github.com>
Date: Fri May 29 23:32:14 2020 +0800
debian: update to 2.3.2
commit 3687f2779da04be1d81bdac8e4a52aaec38a21d3
Merge: b2b1a3f c32fdf3
Author: yangfl <yangfl@users.noreply.github.com>
Date: Fri May 29 23:30:40 2020 +0800
Merge tag 'upstream/2.3.2+dfsg'
commit c32fdf331236ad8a0b8b61e4a73f842bd64edbc1
Author: yangfl <yangfl@users.noreply.github.com>
Date: Fri May 29 23:30:07 2020 +0800
New upstream version 2.3.2+dfsg
commit 6a39cdb66bf3409371cb56fba63f2e820fca4708
Merge: f26e837 ff89e67
Author: yangfl <yangfl@users.noreply.github.com>
Date: Fri May 29 23:28:26 2020 +0800
Merge tag 'adplug-2.3.2'
commit f545cb706955be16901d7850adde3763f57ba39d
Author: Alexander Miller <alex.miller@gmx.de>
Date: Tue May 19 16:25:30 2020 +0200
bmf.cpp: Avoid putting braces on their own line
commit 6fe4df27e2a54c6cf707164ec417afdcb243b7ef
Author: Alexander Miller <alex.miller@gmx.de>
Date: Tue May 19 15:58:29 2020 +0200
bmf.cpp: Improvements suggested in PR #111
* Restore "&p[i]" pattern.
* Replace some literal numbers with "sizeof(...)".
* Remove redundant parentheses from "*(stream++)".
* Also use memcmp to compare the header id.
commit d78f776d3b35c092ac7c51798af6c316a8e5a206
Author: Alexander Miller <alex.miller@gmx.de>
Date: Sun Mar 22 00:29:22 2020 +0100
bmf.cpp: Simplify control flow in xadplayer_update()
commit c15dcab58d8732bdf55dbf31e44b3d27811f8974
Author: Alexander Miller <alex.miller@gmx.de>
Date: Sat Mar 21 23:07:19 2020 +0100
bmf.cpp: Simplify control flow of event decoding in __bmf_convert_stream()
commit d27def01b9004609cf955f2c8893af18b763d6d1
Author: Alexander Miller <alex.miller@gmx.de>
Date: Sat Mar 21 22:23:30 2020 +0100
bmf.cpp: Move command handling for normal events into big switch statement
commit 2cfdfe1bad343bf4fd2fa0f0f78f731a1502446b
Author: Alexander Miller <alex.miller@gmx.de>
Date: Sat Mar 21 22:08:59 2020 +0100
bmf.cpp: Convert cascaded "if"s to a switch statement in __bmf_convert_stream
A switch statement is more compact and easier to read.
The outer for loop now terminates when "pos" is set
past the end of the array instead of jumping out when
an End of Stream marker is found.
commit 73470e1bcbba5c622d0bc0338719fdedabb87572
Author: Alexander Miller <alex.miller@gmx.de>
Date: Sat Mar 21 21:44:49 2020 +0100
bmf.cpp: Use a reference to the processed event in __bmf_convert_stream
commit 75fc6de7c0e09ee6883031fe9516f493ccc2e060
Author: Alexander Miller <alex.miller@gmx.de>
Date: Sat Mar 21 20:12:26 2020 +0100
bmf.cpp: Convert "while (true)" into for loop in __bmf_convert_stream()
commit 6f6e52398dedcf55a3e37beacdde589638d18fcf
Author: Alexander Miller <alex.miller@gmx.de>
Date: Sat Mar 21 19:55:27 2020 +0100
bmf.cpp: Remove pointless shifts when reading speed for v0.9b files
commit 7541886da9254e3d3f17743853dd3d4681a2e821
Author: Alexander Miller <alex.miller@gmx.de>
Date: Sat Mar 21 19:42:20 2020 +0100
bmf.cpp: Small readability improvements
commit 40f03e38ba440bad3ab83ea0eca84269975ab9e9
Author: Alexander Miller <alex.miller@gmx.de>
Date: Sat Mar 21 19:11:27 2020 +0100
bmf.c: Replace open-coded copies with memset, memcpy, or simple assignment
commit a510c52c9820ecdb026a08587b7820f2c9ceff09
Author: Alexander Miller <alex.miller@gmx.de>
Date: Fri Mar 20 19:29:16 2020 +0100
Whitespace fixes in src/bmf.cpp
* Don't mix spaces and tabs for indentation.
* Remove trailing whitespace (except for boilerplate comment).
* Add spaces around operators in some places and after "for"
to improve consistency and readability.
* Change a few line breaks.
No functional changes except for a removed trailing space
in debug output.
commit c215f2746fbab46c53ff2460e2c6e11f4e1b1890
Author: Adam Nielsen <malvineous@shikadi.net>
Date: Tue May 12 11:33:02 2020 +1000
Update NEWS
commit 8021e67794db3032649d4cfa8cc85fd21c8b6524
Author: devinacker <d@revenant1.net>
Date: Tue Aug 27 18:45:02 2019 -0400
rad2: use sprintf instead of snprintf for older versions of msvc
commit 09b4a007a33de41b8eb5ce1eb491687f43c263be
Author: devinacker <d@revenant1.net>
Date: Mon Aug 26 20:29:32 2019 -0400
add tests for RAD2 songs, both OPL and MIDI
commit 37d8fa6e76de7d5d5bd4d4372120a296e720d34e
Author: devinacker <d@revenant1.net>
Date: Mon Aug 26 20:23:04 2019 -0400
misc. bugfixes in RAD2 replayer (see https://github.com/AliceLR/megazeux/pull/188)
commit 5232ea24c16cb24a1103dcc906c85abc4c6e43ab
Author: devinacker <d@revenant1.net>
Date: Wed Feb 27 00:04:07 2019 -0500
handle truncated final note in some tunes (fixes rip3.rad, rip4.rad, rip5.rad, rip8.rad)
commit 81dfd3ad19cc7260dd9b94ccb8c4ed892a75d8d1
Author: devinacker <d@revenant1.net>
Date: Tue Feb 26 23:22:07 2019 -0500
rad2: be more lenient about invalid notes in old tunes (fixes blue_ad.rad)
commit c7df6a91e0b7021e932a752e32c17692755525fe
Author: devinacker <d@revenant1.net>
Date: Sat Feb 16 22:17:18 2019 -0500
include string.h
commit 9df0296c6b5ebd78b7dc8b5aabb4aa6e21358bdd
Author: devinacker <d@revenant1.net>
Date: Sat Feb 16 22:08:14 2019 -0500
rad2: use stdint.h instead of cstdint
commit e426f1edd451476f4fc71f8fd36261e8ffa21145
Author: devinacker <d@revenant1.net>
Date: Sat Feb 16 22:04:02 2019 -0500
fix Dxx at pattern end (mindflux.rad)
commit 393e64ecc869d421842402329995b8492d014038
Author: devinacker <d@revenant1.net>
Date: Sat Feb 16 19:47:04 2019 -0500
include cstdint in rad2.cpp (thanks msvc)
commit 8826ceacd28b31fef2b87475969184567c7b7860
Author: devinacker <d@revenant1.net>
Date: Sat Feb 16 19:07:08 2019 -0500
update RAD test file
commit 32952c93b189faf3597e5a6c0c4e6c1125d8d726
Author: devinacker <d@revenant1.net>
Date: Sat Feb 16 18:11:36 2019 -0500
replace original RAD loader with new RAD2 player
commit 480ed3c9fae57d732b7c12e0afcfd02e3cf4ee88
Author: Adam Nielsen <malvineous@shikadi.net>
Date: Mon May 11 21:51:13 2020 +1000
Add new stresstest test program binary to .gitignore
commit 1a282a486a8e33fef3e15998bf6408d3515dc07e
Author: Adam Nielsen <malvineous@shikadi.net>
Date: Mon May 11 21:48:45 2020 +1000
Update NEWS with a list of CVEs now fixed
commit a8903d884e2c900e77af5c70ef440e72626646ad
Author: Alexander Miller <alex.miller@gmx.de>
Date: Fri Apr 3 04:41:57 2020 +0200
Fix description and instrument names handling in CdfmLoader
In src/dfm.cpp, add checks for the length bytes of songinfo and
instrument names to load().
In src/dfm.h, use the right constructor for char arrays in
getdesc() and getinstrument(), and check for a valid instrument
number in the latter.
That prevents OOB reads or throwing std::out_of_range errors
when requesting these strings.
commit 466328f3ad479aea4d31ac150f3f072cd6670cfd
Author: Alexander Miller <alex.miller@gmx.de>
Date: Fri Apr 3 03:43:17 2020 +0200
Fix memory corruption at user-controlled address in CdfmLoader::load()
As Lionel mentioned in issue #102, unchecked data from the
input file is used to compute an index into the track array
which may be out of bounds. Now, as it is an array of pointers,
song data may be misinterpreted as a pointer if the rows are
allocated immediately after the track array. (If that's the
case depends on the implementation of the memory allocator.)
The attempt to set data for a pattern with an invalid number
may thus write from the file to an address determined by row
data read earlier from the file.
Stop the wild writes by checking the pattern number.
Fixes: https://github.com/adplug/adplug/issues/102
Reported-by: Lionel Debroux <lionel_debroux@yahoo.fr>
commit 860041870b118004b6c8fc2336fc446d8a604baa
Author: Alexander Miller <alex.miller@gmx.de>
Date: Thu Apr 2 23:28:22 2020 +0200
Avoid OOB accesses when playing .d00 files
In src/d00.cpp, offsets read from file data are used in many
places without checking to access the filedata array (often
via other pointers). This commit adds the missing checks.
In order to be accessible from other methods than load(),
filesize is promoted to a class member. A macro INDEX_OK()
is defined to hide the error-prone details like necessary
casts and pointer arithmetic from the methods and keep the
checks readable.
Checks are added in update(), rewind(), setvolume(), setfreq(),
and setinst(). Also improve handling of invalid subsong numbers
in rewind() while at it.
Note: The class uses a lot of misaligned pointers. This is not
portable even though they are cast back to unsigned char*
before dereferencing. The code should be rewritten without type
punning, but that is outside the scope of this commit.
commit 546b0f482ada85d58c6fdbc71cf6d777e35815ba
Author: Alexander Miller <alex.miller@gmx.de>
Date: Tue Mar 31 16:09:58 2020 +0200
Avoid OOB accesses of filedata array in Cd00Player::load()
Add checks that offsets in the file header are valid before
using them to index the filedata array.
Also ensure all text fields are properly terminated.
commit fb50dd29c564f5075cb7c707e8abe53d00742f1d
Author: Alexander Miller <alex.miller@gmx.de>
Date: Tue Mar 31 15:49:45 2020 +0200
Fix null pointer dereferences (DoS) in Cd00Player::load() (issue #101)
When a .d00 file has a version 2 header, but its version field
indicates version 0 or 1, the code in src/d00.cpp attempts to
access the version 0/1 header, but header1 is not set.
Dereferencing this uninitialized pointer may try to access an
arbitrary address if the object reuses a previously allocated
memory block, and if the block is zeroed it results in a null
pointer dereference.
Fix it by checking that the version number is between 2 and 4.
Bug: https://github.com/adplug/adplug/issues/101
Reported-by: Lionel Debroux <lionel_debroux@yahoo.fr>
commit a7da2db7093c3bd57b16a4ce355a99f68fff617f
Author: Alexander Miller <alex.miller@gmx.de>
Date: Tue Mar 31 02:26:45 2020 +0200
Don't read past buffer end in CcmfPlayer::update()
In src/cmf.cpp, array member data is accessed in several places
without checking whether the index is valid. Add the missing
checks in update() and readMIDINumber().
commit 11733534cec0ae6ead5f389cbcf9a6ec1679d9b4
Author: Alexander Miller <alex.miller@gmx.de>
Date: Sun Mar 29 04:08:33 2020 +0200
Add missing length checks in CrawPlayer::update()
commit 9416dc643d25fdd28bf0bb41c2215ca0c379a48d
Author: Alexander Miller <alex.miller@gmx.de>
Date: Sun Mar 29 03:47:17 2020 +0200
Fix off-by-one error in piConvTable index check in Cdro2Player::update()
commit 3f05bb4c7aa298e968ada8967e7f5ed521e9f165
Author: Alexander Miller <alex.miller@gmx.de>
Date: Sun Mar 29 01:33:24 2020 +0100
Fix excessive memory allocations in multiple loaders (issue #100)
Several loaders use sizes read from file data unchecked,
sometimes even as signed values, or compute them in ways that
can wrap around or get negative, and then use these values
to try to allocate memory. This may fail because the maximum
allocation size is exceeded or use large amounts of memory.
* In src/cmf.cpp, the song length is computed without checking
the validity of the music data's offset. It can become
negative if the offset is greater than the file size.
Add the missing check.
* In src/dro.cpp, the last commit already guarded against
negative size values. Limit that further to not exceed the
remaining length of the file.
* In src/dro2.cpp, check that the computation of iLength doesn't
overflow and that the result is no more than the available
data.
* In src/imf.cpp, also check the size computation. There are
different cases to consider here, so it might not be
immediately obvious: The check ensures that in both cases
there is no wraparound (computing size or footerlen), there
is at least one data record (as required by update()), and
if there is a footer, the stated data size is a multiple of
the record size and doesn't exceed the available data.
* In src/raw.cpp, a wraparound occurs if the file is shorter
than the header size, so fail if that happens.
* Likewise in src/xad.cpp.
Fixes: https://github.com/adplug/adplug/issues/100
Reported-by: Lionel Debroux <lionel_debroux@yahoo.fr>
commit fced8db2e6208fcd9f70268eb432cd989cc9df65
Author: Alexander Miller <alex.miller@gmx.de>
Date: Sat Mar 28 20:56:40 2020 +0100
Fix OOB write in CdroPlayer::load() and OOB reads in update()
In src/dro.cpp, the code allocates a buffer with a length
read from the .dro file, and stores the first three bytes in
the buffer without checking. This results in an OOB write if
the recorded length is shorter (issue #99). Fail load() early
when such a small size is requested. (Very large sizes get
mapped to negative values and are rejected, too.)
Also, in the update() method, the code can read up to two
bytes past the end of the same buffer. Add length checks to
avoid that.
Fixes: https://github.com/adplug/adplug/issues/99
commit 16a7fb609b036845ff22b0769b491af583010c78
Author: Alexander Miller <alex.miller@gmx.de>
Date: Sat Mar 28 02:30:36 2020 +0100
Fix division by zero and unterminated strings in CfmcLoader::load()
This commit adds a few missing checks in src/fmc.cpp:
* Ensure title and instrument names are properly terminated.
* Check number of channels early in load() to avoid undefined
shifts and a division by zero later in the method. This
fixes issue #98.
* Fix up the type of a constant used to compute the active
channels mask.
* In getinstrument(), check the argument before using it as
an index into the instruments array.
Fixes: https://github.com/adplug/adplug/issues/98
commit cd5edc7b1612ad21c012e8912b8a770ccec81f79
Author: Alexander Miller <alex.miller@gmx.de>
Date: Sat Mar 28 00:56:16 2020 +0100
Fix std::length_error exception and add missing checks for CrolPlayer
Loading a .rol file can result in an abort due to an unhandled
std::length_error exception. Fix that along with a few other
issues in src/rol.cpp:
* As noted by Lionel Debroux in issue #96, in several methods
16 bits read from the file are cast to int16_t and then passed
to std::vector::reserve(). As the signed value is promoted to
size_t, a negative value will result in trying an allocation
close to SIZE_MAX and fail.
Fix it by using uint16_t to store the allocation sizes in
load_tempo_events(), load_instrument_events(),
load_volume_events(), and load_pitch_events().
* Check for file errors to avoid a possible endless loop in
load_note_events() when data is exhausted.
* Ensure instrument names are properly terminated.
* In src/rol.h, method getinstrument(), check for valid instrument
number before accessing the usedInstruments vector.
Fixes: https://github.com/adplug/adplug/issues/96
commit fa08b20047afaccad836f181a2cf45d21d098f89
Author: Alexander Miller <alex.miller@gmx.de>
Date: Fri Mar 27 02:42:43 2020 +0100
Fix undefined behavior, division by zero, and OOB accesses in src/mid.cpp
This patch fixes a few issues with CmidPlayer:
* In the update() method, getnext() is called twice in the
same additive expression several times. That's undefined
behavior. Add sequence points between the calls.
* Mask instrument and channel numbers to legal values before
using as array indices in a few places.
* There is an integer division by a value read from the input
file in rewind(). If there is a zero (or the file is too
short), the code crashes with a division by zero exception
(issue #95). Add a check to avoid the crash.
* For .cmf files, check that offsets for title, author, and
remarks refer to valid data before assigning the corresponding
pointers.
* If the name of a sierra file has less than 3 chars (not
conforming to the requirements), load_sierra_ins() tries to
append the "patch.003" for the patch file name after the
string termination character. Shorten the prefix in this
case.
Fixes: https://github.com/adplug/adplug/issues/95
commit eea6e66446e07a81b7a0d0b9a9ab9f5b55cbde83
Author: Alexander Miller <alex.miller@gmx.de>
Date: Thu Mar 26 21:55:23 2020 +0100
Fix multiple out-of-bounds memory accesses in src/rix.cpp
The Softstar RIX OPL Format Player is an unreadable mess
and lacks many checks to avoid invalid memory accesses.
This commit fixes the following:
* In CrixPlayer::load(), replace broken open coded read loop
with a single call to binistream::readString(). That gets
rid of the extra byte at the end of the buffer, so adjust
comparisons in other methods accordingly. While at it, also
use CFileProvider::extension() instead of re-implementing
it.
* Re-implement subsong handling for .mkf files in rewind()
and getsubsongs(), since it was completely broken and
inconsistent. Not sure if the solution is correct, but at
least it's now plausible and doesn't crash. This removes
the RIX_SWAP32() macro with its endianness #ifdef hell and
introduces a portable RIX_GET32() as replacement. Store
the file length in the previously unused class member "pos"
since "length" is updated for the current subsong.
* Check the song data length before trying to access the data
in data_initial(). This fixes an OOB read (issue #94).
* Move length check before data access in rix_proc(), and add
missing length check in rix_get_ins().
* Add range checks for song data used to index various array
class members to avoid OOB reads or writes in multiple
locations.
Fixes: https://github.com/adplug/adplug/issues/94
commit 8dd6f70c158b96e7e6855870b758adc68d3fb21f
Author: Alexander Miller <alex.miller@gmx.de>
Date: Wed Mar 25 03:59:26 2020 +0100
Fix OOB accesses while playing songs with malicious data in Cu6mPlayer
In src/u6m.cpp, several methods called by update() lack
necessary checks. Broken or malicious Ultima 6 Music files
can provoke out-of-bounds read accesses of song_data and
out-of-bounds writes for multiple class members.
This commit includes the following changes:
* Introduce a new class member that records the allocated
size of "song_data", conveniently named "song_size".
* In read_song_byte(), use song_size to avoid OOB accesses
of song_data. Change the return type to int and return -1
if the end has been reached.
* Make read_signed_song_byte() a wrapper around read_song_byte().
* Add a check that instrument data lies completely within
allocated song_data to command_83().
* Exit command_loop() when read_song_byte() returns -1 for
the next command, indicating an invalid position.
* Add checks for valid channel and instrument numbers to
various command_*() methods before trying to use them as
array indices.
* For consistency with get_next_codeword(), make the destination
of output_root() a data_block&. Move the capacity check from
the SAVE_OUTPUT_ROOT() macro into the member function and
return a bool indicating success.
* The class uses a mix of int, long, and unsigned long for
offsets into song_data. Clean up the mess and change the
types to size_t everywhere. Use unsigned long for the bit
counter in lzw decoding.
* Remove unused "played_ticks" member.
commit 3a50051c3556b54696cd78d6e5ba2013dca2c723
Author: Alexander Miller <alex.miller@gmx.de>
Date: Tue Mar 24 23:41:40 2020 +0100
Fix OOB reads in Cu6mPlayer::get_next_codeword() (issue #92)
During LZW decompression in src/u6m.cpp, the size of the input
buffer is not checked when reading input codewords. So an
out-of-bounds read access can be triggered simply by reading
a truncated Ultima 6 Music file.
Change the 2nd parameter of get_next_codeword() from "const
char *" to "data_block&" to make the buffer size available
to the method and add a proper size check. Also return failure
from lzw_decompress() when an input error is detected.
Fixes: https://github.com/adplug/adplug/issues/92
commit e8814f46ec2285a32eed47cbaea691030da67637
Author: Alexander Miller <alex.miller@gmx.de>
Date: Tue Mar 24 15:43:22 2020 +0100
Fix double free in Cu6mPlayer::~Cu6mPlayer() (issue #91)
Leave deallocation of song_data to destructor when
decompression fails, just like on success.
This fixes CVE-2019-15151.
Even though load() is apparently not supposed to be called
twice (and bad things happen in many players if you do),
let's also avoid leaking song_data's memory in that case.
Fixes: https://github.com/adplug/adplug/issues/91
commit 8342139c09178823dba3f3bbd8b53d0ea0c72de9
Author: Alexander Miller <alex.miller@gmx.de>
Date: Mon Mar 23 23:36:34 2020 +0100
Fix multiple heap-based buffer overflows in CmtkLoader::load()
Changes in src/mtk.cpp for loading files:
* Fail early if the (decompressed) size is too small to hold
mtkdata minus patterns. That avoids attempts to copy data
from beyond allocated memory.
* In the data decompression section, there are multiple cases
where the code actually has checks for available space before
copying data, but the size of the copy is increased after
the check, so a buffer overflow is still possible (issue #90).
Fix that by moving the check after the size computation,
and also check for a valid source offset where applicable.
* Also add several checks whether source data is exhausted
during decompression, so
* When copying the patterns, don't copy more data than the
"pattern" array can hold.
In src/mtk.h, method getinstrument(), check for valid instrument
number to avoid accessing the array with an invalid index.
This commit fixes CVE-2019-14734.
Fixes: https://github.com/adplug/adplug/issues/90
commit cb715174f95187bf544c11ca2a2ecd091b7fbb8a
Author: Alexander Miller <alex.miller@gmx.de>
Date: Mon Mar 23 18:48:32 2020 +0100
Fix multiple buffer overflows in CradLoader::load()
This patches several memory issues while loading .rad files
in src/rad.cpp:
* Simplify the code reading the description and ensure not
to write past the end of "desc".
* Add several checks for errors reading the file and fail
loading in that case.
* Check instrument number before using it as index to the
"inst" array to avoid an out-of-bounds write.
* Check order length before writing data to the array. Fixes
a heap-based buffer overflow (issue #89).
* Check channel and row numbers before using them as indices
for writing track data. Fixes another buffer overflow
(issue #89).
This fixes CVE-2019-14733.
Fixes: https://github.com/adplug/adplug/issues/89
commit 30ddcfe9bd1cce3e02f8135961bceb411419dbdb
Author: Alexander Miller <alex.miller@gmx.de>
Date: Mon Mar 23 03:56:52 2020 +0100
Fix invalid memory accesses while loading .a2m files
Missing checks and wrong calculations in src/a2m.cpp cause
multiple heap-based buffer overflows and out-of-bounds reads
in heap, stack, and static data.
Bugs addressed in this commit:
* Check the number of patterns. Too big values can cause reads
past the end of the len array.
* Reading a not packed data block with odd length will allocate
a buffer which is one byte too small and write past the end
of it (issue #88). Change the allocation/deallocation code
to fix that in both places.
* Check that data blocks (after unpacking if applicable) are big
enough for the expected data before accessing the memory.
* Ensure that the length byte for author, song name, and instrument
names doesn't exceed the maximum size available.
* Also change the accessor functions for these strings to call
the proper std::string constructors for char arrays.
* Avoid reads past the end of convfx/newconvfx arrays while
converting track data.
This commit fixes CVE-2019-14732.
Fixes: https://github.com/adplug/adplug/issues/88
commit b5fb32c5d2af4444525cad2adef0bd63a9b5b414
Author: Alexander Miller <alex.miller@gmx.de>
Date: Sun Mar 22 20:38:26 2020 +0100
Add missing checks when loading and playing .mkj files
Fix the following issues in src/mkj.cpp:
* Check number of channels before loading instruments data.
This fixes a heap-based buffer overflow in CmkjPlayer::load()
(issue #87).
* Check number of notes before calculating size of song data
to avoid integer overflows as well as out-of-bounds reads
later in update(). (Size of song data vs. used data is really
hilarious, but that's the way it is.)
* Fail loading if there was an error while reading file data.
* Also in update(), end the song if invalid data is encountered.
That avoids integer overflows or out-of-range OPL writes.
This commit fixes CVE-2019-14692.
Fixes: https://github.com/adplug/adplug/issues/87
commit b48ac59168a478e673ebf6b1aad09b8b80027e2e
Author: Alexander Miller <alex.miller@gmx.de>
Date: Sun Mar 22 04:01:57 2020 +0100
Fix invalid memory accesses and add missing checks in src/dtm.cpp
There are several issues when loading .dtm files which can lead
to invalid memory accesses. This patch fixes the following:
* In CdtmLoader::load(), ensure that title and author strings
are properly terminated to avoid out-of-bounds reads.
* Check that the number of instruments is valid. This avoids a
heap-based buffer overflow (see issue #86).
* Reading the description string could overflow a stack buffer
by 1 byte and write past the end of the array into an adjacent
class member (which is only initialized later). Get rid of the
stack buffer and truncate the description if necessary.
* Fail loading when an error is detected while trying to read
data from the file or while decoding RLE data.
* Check the argument of CdtmLoader::getinstrument() to avoid
out-of-bound accesses.
This fixes CVE-2019-14691.
Fixes: https://github.com/adplug/adplug/issues/86
commit d7f3a047e42395662ddbec04300ce78bfb40b95c
Author: Alexander Miller <alex.miller@gmx.de>
Date: Fri Mar 20 04:19:38 2020 +0100
Add missing checks while loading .bmf files (CxadbmfPlayer, src/bmf.cpp)
There are no checks validating the integrity of .bmf files
in the methods CxadbmfPlayer::xadplayer_load() and
CxadbmfPlayer::__bmf_convert_stream() used to load them.
A broken or malicious .bmf file can easily cause invalid
memory accesses.
This commit addresses the following issues:
* Add checks whether the input buffer has enough data available
before accessing it in many places. Abort loading otherwise.
* Replace unlimited strcpy for instrument names with code that
doesn't overflow the destination buffer.
* Check index when loading instrument data in BMF0_9B files.
* Fail loading if number of streams encoded in version BMF0_9B
files exceeds the maximum.
* Don't overflow buffer if stream is too long.
This fixes CVE-2019-14690.
Fixes: https://github.com/adplug/adplug/issues/85
Fixes: https://github.com/adplug/adplug/issues/93
commit ff89e67636dd4cbb1afbb95eb516171bef10b361
Author: Adam Nielsen <malvineous@shikadi.net>
Date: Mon May 11 20:31:58 2020 +1000
Prepare release 2.3.2
commit b2b1a3f4e86b974fa8d65aa34eacf623e3862e71
Author: yangfl <yangfl@users.noreply.github.com>
Date: Mon Oct 14 17:54:28 2019 +0800
debian: upload to unstable
commit 7ee10c3f00ee93e8819e0985520c1bed5ad3dc9e
Author: yangfl <yangfl@users.noreply.github.com>
Date: Fri Oct 4 16:53:32 2019 +0800
debian: new maintainer
commit f26e83793dc777dbf8948f2a13958403e26db2f9
Author: yangfl <yangfl@users.noreply.github.com>
Date: Thu Oct 10 09:47:03 2019 +0800
New upstream version 2.3.1+dfsg
commit b9c8791651c35c6e4f2c228b1915054a47f7d03b
Author: David Seifert <soap@gentoo.org>
Date: Thu Sep 5 15:46:24 2019 +0200
Avoid unaligned access in `mid.cpp`
commit 4900d0ac781858057837b2e14c5bec6b4b0e1809
Author: David Seifert <soap@gentoo.org>
Date: Thu Sep 5 15:46:21 2019 +0200
Avoid unaligned access in `herad.cpp`
commit a23133c219e67e4b00b672260de0d43a1a394938
Author: David Seifert <soap@gentoo.org>
Date: Thu Sep 5 15:46:18 2019 +0200
Avoid unaligned access in `d00.cpp`
commit 928426f26a33b1d3ab2592b8f3e61fe44251f521
Author: David Seifert <soap@gentoo.org>
Date: Thu Sep 5 15:46:15 2019 +0200
Unaligned load helpers
commit c3d6856a5c3743fbbd0aa66645218574fa8bfb01
Author: Adam Nielsen <malvineous@shikadi.net>
Date: Sun May 5 21:29:07 2019 +1000
Fix deletion of uninitialised value reported in #71
commit 2a1424ca4e2bcf72f1868cdbe78d9b8460dcc5bd
Author: Adam Biser <adambiser@gmail.com>
Date: Sun Feb 24 18:30:17 2019 -0500
Verify the program pointer
KYRA3A.ADL subsong 2 points to program 2, but program 2's pointer is
0xffff causing an access violation.
commit 3753629e918f84222c0dc816a41b25ef7f14e20c
Author: Adam Biser <adambiser@gmail.com>
Date: Sun Feb 24 10:55:14 2019 -0500
ADL: Fix playback issues (#6)
Calling rewind() before update() causes access violation.
The driver channels are now cleared in rewind (callback 8). Before this
change, values for previous subsongs could be held over into the new
subsong when the previous subsong had a channel active that the new
subsong did not, leaving a dataptr value on an inactive channel which
will then be processed in executePrograms.
Both rewind and update perform a check to be sure no subsong < 2 can be
selected.
Removed the update call from the end of rewind. This would cause update
to occur twice in the first update call. This affects the test results
because there is now an extra r72.00 near the beginning since there are
now 2 updates where there was originally 1.
Also added loadcursubsong to act as a flag that indicates that rewind has
been called and cursubsong needs loaded the next time update is called.
Calling rewind(-1) is a special case that initializes the opl and sets
itself up to load subsong 2.
Note: EOBSOUND.ADL has a subsong 1.
update() checks the loadcursubsong flag and, when set, calls
playSoundEffect for cursubsong (this used to be in rewind, but it caused
subsong 2 to load up while initializing). Now doing something like
rewind();
songlength(4);
will report the correct song length and not be messed up due to subsong
2 being prepared when it's not wanted.
This still allows multiple subsongs to play simultaneously (by channel
priority) as well as each subsong to be cycled consecutively for Winamp
(though I imagine songlength and seek would be/has been whacked in
Winamp).
Constructor doesn't need init call, it's done in rewind(-1) now.
commit e373ca88ed035e00575c6bc44f5054e7c4afe5af
Author: Adam Biser <adambiser@gmail.com>
Date: Thu Feb 21 11:38:58 2019 -0500
Emulator init() should reset the opl.
commit 43b9ae0c7edd1bde9482ce917d581ea8cb251b10
Author: Adam Biser <adambiser@gmail.com>
Date: Thu Feb 21 11:10:26 2019 -0500
Report song rate in getspeed.
commit cce50af438ecaefefae064f255093b30cc3f56e0
Author: Adam Biser <adambiser@gmail.com>
Date: Thu Feb 21 09:44:01 2019 -0500
Re-added opl->write(1, 32). Updated test data.
commit af8ea955539fec9947c00fd0ded8994f68d7451a
Author: Adam Biser <adambiser@gmail.com>
Date: Thu Feb 21 02:23:05 2019 -0500
Added opl->init() back
But leaving opl->write(1, 32); commented out.
The code didn't have either call before.
commit 1f2ec025bfb8ca7a72cf59ef17625e94831b4ca8
Author: Adam Biser <adambiser@gmail.com>
Date: Thu Feb 21 02:06:15 2019 -0500
Try removing opl->init and write(1,32).
The code did not have these calls before and the self-tests fail, so try
without these commands.
commit 8996d59b66bd456f3a6b9b40b917599976d28c52
Author: Adam Biser <adambiser@gmail.com>
Date: Thu Feb 21 01:50:22 2019 -0500
Changed value to unsigned char.
commit 9bf2815364b8aab5f262ae29ef0892a67eec7906
Author: Adam Biser <adambiser@gmail.com>
Date: Thu Feb 21 01:37:17 2019 -0500
Moved XSM's OPL initialization code into rewind.
commit 779f1f0398f43c495eecdc6d6bbfc9ae20782c07
Author: Adam Biser <adambiser@gmail.com>
Date: Thu Feb 21 11:07:12 2019 -0500
Converted tabs to spaces
To be consistent with the rest of the code.
commit 2515cd1a787aeddb47c05d2a5497add8d44f1e0e
Author: Adam Biser <adambiser@gmail.com>
Date: Thu Feb 21 00:55:32 2019 -0500
Moved OPL initialization code into rewind.
Setting up the OPL in load means that if the OPL emulator is reset after
loading the file but before playing the song, the song will be silent
(at least in the beginning) instead of producing sound.
commit 847526b379e1fdd2b2ebcbda4e23e9fdffd726d7
Author: Adam Biser <adambiser@gmail.com>
Date: Sat Feb 16 01:35:36 2019 -0500
CNemuopl::init should call OPL3_Reset.
Otherwise the emulator doesn't reset when the song rewinds, etc.
commit 8877361058478b2e6c250366f7a091a322a2d594
Author: PalMusicFan <25916579+PalMusicFan@users.noreply.github.com>
Date: Tue Jan 8 11:11:11 2019 +0800
Added user configurable frequency offset for surroundopl. Thanks to @palxex
commit 881056dba106b16f6d2e7aca1a15cf4039e781d3
Author: Adam Nielsen <malvineous@shikadi.net>
Date: Wed Oct 17 11:35:32 2018 +1000
Update surround effect to work with NukedOPL
commit 301faa8fcca10b83c6f122180c8b31d1f11e31a5
Author: Mike Welsh <mwelsh@gmail.com>
Date: Wed Oct 10 10:16:40 2018 -0700
Bump libbinio NuGet dependency to 1.4.20
Allows building with v141 toolset on VS2017.
commit 9a73bcf8e88e0c5134ce142d481a8f61bb5314e8
Author: Mike Welsh <mwelsh@gmail.com>
Date: Mon Oct 8 14:52:13 2018 -0700
Add v141 toolset for VS2017 support
commit a18ca3227a21fa4cea303b6cdc68d22466a0dd0d
Author: Stas'M <x86corez@gmail.com>
Date: Thu Oct 4 00:57:55 2018 +0300
Bump version number to 2.3.2-beta
commit 19ebb61bf92262dc1868de10ba5a211db249ce76
Author: Stas'M <x86corez@gmail.com>
Date: Thu Oct 4 00:18:32 2018 +0300
FMOPL: Avoid double-free by checking OPL pointer (fix #67)
Fixes CVE-2018-17825.
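The fix above guards against a double free by checking the OPL pointer before releasing it. The block below is an added example of that ownership pattern written for this page; it is not libadplug's fmopl code, and FakeOpl, OplOwner and the static counters are hypothetical names introduced only to make the single free observable. The key points are the null check in shutdown(), nulling the pointer immediately after delete (without which the check is useless), and making the owner non-copyable so two objects can never hold the same pointer.

```cpp
// Added example (not libadplug's own code): the defensive pattern behind a
// "check the pointer before freeing" fix. All names here are hypothetical.
#include <cstddef>

// Stand-in for the emulator object; counts live objects and deletes so the
// effect of a second shutdown() call can be observed without undefined behaviour.
struct FakeOpl {
    static int live;    // objects currently allocated
    static int frees;   // total deletes performed
    FakeOpl()  { ++live; }
    ~FakeOpl() { --live; ++frees; }
};
int FakeOpl::live  = 0;
int FakeOpl::frees = 0;

// Hypothetical wrapper that owns exactly one FakeOpl. It can be shut down
// explicitly and is also cleaned up by its destructor, which is the situation
// in which an unguarded delete would run twice.
class OplOwner {
public:
    OplOwner() : opl(nullptr) {}
    ~OplOwner() { shutdown(); }

    // Non-copyable: a copy would hold the same raw pointer and free it again.
    OplOwner(const OplOwner&) = delete;
    OplOwner& operator=(const OplOwner&) = delete;

    void init() {
        shutdown();             // release any previous instance instead of leaking it
        opl = new FakeOpl();
    }

    // Safe to call any number of times: the null check prevents a double
    // delete, and resetting the pointer afterwards is what makes the check work.
    void shutdown() {
        if (opl != nullptr) {
            delete opl;
            opl = nullptr;
        }
    }

    bool isOpen() const { return opl != nullptr; }

private:
    FakeOpl* opl;
};

// Exercises the explicit-shutdown-then-destructor path and returns how many
// deletes actually happened; a correct owner frees exactly once.
int countFreesAfterDoubleShutdown() {
    FakeOpl::live = 0;
    FakeOpl::frees = 0;
    {
        OplOwner owner;
        owner.init();
        owner.shutdown();   // explicit close
        owner.shutdown();   // second close: must be a no-op
    }                       // destructor: also a no-op now
    return FakeOpl::frees;  // 1
}

// Re-initialising must free the old instance first, leaving one live object.
int liveAfterReinit() {
    FakeOpl::live = 0;
    FakeOpl::frees = 0;
    OplOwner owner;
    owner.init();
    owner.init();
    return FakeOpl::live;   // 1
}
```

In a real code base the same guarantees come for free from std::unique_ptr, whose reset() performs exactly this check-delete-null sequence; the raw-pointer version is shown because that is the shape of the code the fix describes.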
commit 8789f347f5dc545436ffa50c7e2d9f66afcb9f87
Author: Donovan Watteau <tsoomi@gmail.com>
Date: Wed May 30 13:11:26 2018 +0200
Remove UTF-8 BOM, for compatibility with older compilers
Some operating systems still use older compilers such as GCC 4.2.1,
which choke on UTF-8 BOMs.
commit efe452df461d51dc741fbe063b8bf357dc7d0f10
Author: David Seifert <soap@gentoo.org>
Date: Sun Apr 22 11:09:23 2018 +0200
Prepare 2.3.1 release
commit 1827e3ef4a11c783b0cd9da49b4efd5c51d27c3d
Author: David Seifert <soap@gentoo.org>
Date: Sat Apr 21 12:55:32 2018 +0200
`$<` is not guaranteed to work in ordinary make rules
https://www.gnu.org/software/autoconf/manual/autoconf.html#g_t_0024_003c-in-Ordinary-Make-Rules
commit 14557a40b120e4361cc57575e82cc0be85d9191d
Author: David Seifert <soap@gentoo.org>
Date: Tue Jan 23 10:29:55 2018 +0100
Fix building on more esoteric arches
* glibc provides `sys/io.h` only on
amd64, arm, armel and i386, such that compilation
on hppa, m68k, mips, mipsel, powerpc, s390 and sparc
fails. See also:
https://bugs.gentoo.org/645296
commit ea46846e834620cf79949dbc2bcc9b1104cbf456
Author: David Seifert <soap@gentoo.org>
Date: Tue Jan 23 10:29:55 2018 +0100
Fix for out-of-source building
commit 53547b5d9464aacfd4900ea8141541244878a47f
Author: Stas'M <x86corez@gmail.com>
Date: Sun Nov 26 18:54:08 2017 +0300
MUS/MDI: Check for driver class presence
commit 73213e507f4e9fec4ead2f34503e665a1d682915
Author: Stas'M <x86corez@gmail.com>
Date: Sun Nov 26 18:47:41 2017 +0300
SOP: Add support for version 2 (fix #60)
commit dabd423ce43db72c2aa185a83d25e8550acb0b27
Author: David Seifert <soap@gentoo.org>
Date: Wed Nov 22 10:41:29 2017 +0100
Make build system completely non-recursive
Fixes #58
commit 4ed24a4bed424c0b8dae72474faa43f4ca20d9fe
Author: Adam Nielsen <malvineous@shikadi.net>
Date: Sun Nov 19 10:01:07 2017 +1000
Add GitHub issue tracker URL to BUGS
commit 11d699e7c902a4336354b59bf59e6a640c184157
Author: Adam Nielsen <malvineous@shikadi.net>
Date: Sun Nov 19 09:56:57 2017 +1000
Update AUTHORS
commit 8c9796c593b94d93ce7df10732d8323087019510
Author: Adam Nielsen <malvineous@shikadi.net>
Date: Sun Nov 19 09:52:25 2017 +1000
Update copyright year in docs
commit 4543d8612b2571e2b3da2230fe47ff6c934db00b
Author: Stas'M <x86corez@gmail.com>
Date: Sat Nov 18 17:37:37 2017 +0300
Update NEWS and libadplug.texi