
Fix out-of-bounds read in FillInParameterName

Open reuk opened this issue 2 years ago • 1 comment

  • [x] I understand that response time may be limited because the project doesn't accept pull requests.
  • [x] I agree to the terms outlined in CONTRIBUTING.md

This change fixes a potential out-of-bounds read by CFStringGetCString. offsetof(..., clumpID) is not the correct buffer size for name, because the definition of AudioUnitParameterInfo includes an extra field, unitName, between name and clumpID. Additionally, the compiler may choose to insert padding after name in order to ensure the correct alignment of the following struct member.

```c
struct AudioUnitParameterInfo {
	char name[52];
	CFStringRef __nullable unitName;
	UInt32 clumpID;
	/* ... */
```

reuk avatar Dec 07 '23 14:12 reuk
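To make the size mismatch concrete, here is an added example that is not part of the pull request or of AudioUnitSDK. It uses a constructed struct (`ParamInfoLayout`) that mirrors only the first three members of AudioUnitParameterInfo, with an opaque pointer standing in for CFStringRef so it builds without CoreFoundation, and a small `bounded_copy` stand-in for CFStringGetCString's buffer handling (copy if the string plus its NUL fits, otherwise store an empty string and return false). It measures how many bytes past the end of `name` a copy bounded by `offsetof(..., clumpID)` can reach, then shows the same oversized input clobbering `unitName` through the wrong bound and being refused by a bound taken from `sizeof(info->name)`. Function names are the example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the leading members of AudioUnitParameterInfo.
 * CoreFoundation is not assumed; an opaque pointer plays the role of CFStringRef. */
typedef const void *FakeCFStringRef;

struct ParamInfoLayout {
    char name[52];
    FakeCFStringRef unitName; /* sits between name and clumpID */
    uint32_t clumpID;
};

/* The bound the original call used: the offset of clumpID. */
size_t wrong_name_size(void) { return offsetof(struct ParamInfoLayout, clumpID); }

/* The size the name array actually has. */
size_t right_name_size(void) { return sizeof(((struct ParamInfoLayout *)0)->name); }

/* Bytes beyond the end of name that a copy bounded by wrong_name_size() may touch:
 * sizeof(unitName) plus whatever alignment padding the compiler put after name. */
size_t overrun_bytes(void) { return wrong_name_size() - right_name_size(); }

/* Stand-in for CFStringGetCString's buffer handling: copy src plus its NUL into buf
 * when it fits in buf_size; otherwise leave an empty string and report failure. */
bool bounded_copy(const char *src, char *buf, size_t buf_size) {
    size_t len = strlen(src);
    if (buf_size == 0) return false;
    if (len + 1 > buf_size) { buf[0] = '\0'; return false; }
    memcpy(buf, src, len + 1);
    return true;
}

/* Before: the buffer size is derived from the offset of an unrelated member. */
bool fill_name_unsafe(struct ParamInfoLayout *info, const char *src) {
    return bounded_copy(src, info->name, offsetof(struct ParamInfoLayout, clumpID));
}

/* After: the buffer size is the array's own size. */
bool fill_name_safe(struct ParamInfoLayout *info, const char *src) {
    return bounded_copy(src, info->name, sizeof(info->name));
}

static const char sentinel_string[] = "sentinel"; /* plays the role of a CFStringRef */

/* Constructed input: one byte shorter than the wrong bound, so the copy "fits". */
static void make_long_name(char *out, size_t out_size) {
    size_t n = wrong_name_size() - 1;
    if (n >= out_size) n = out_size - 1;
    memset(out, 'A', n);
    out[n] = '\0';
}

/* The oversized name passes the wrong bound and runs through unitName. */
bool unsafe_copy_clobbers_unitName(void) {
    struct ParamInfoLayout info;
    char longname[128];
    memset(&info, 0, sizeof info);
    info.unitName = sentinel_string;
    FakeCFStringRef before = info.unitName;
    make_long_name(longname, sizeof longname);
    bool ok = fill_name_unsafe(&info, longname);
    return ok && memcmp(&info.unitName, &before, sizeof before) != 0;
}

/* The same input is refused by the correct bound; unitName is untouched. */
bool safe_copy_preserves_unitName(void) {
    struct ParamInfoLayout info;
    char longname[128];
    memset(&info, 0, sizeof info);
    info.unitName = sentinel_string;
    FakeCFStringRef before = info.unitName;
    make_long_name(longname, sizeof longname);
    bool ok = fill_name_safe(&info, longname);
    return !ok && memcmp(&info.unitName, &before, sizeof before) == 0 && info.name[0] == '\0';
}

int main(void) {
    printf("sizeof(name)=%zu  offsetof(clumpID)=%zu  overrun=%zu bytes\n",
           right_name_size(), wrong_name_size(), overrun_bytes());
    printf("wrong bound clobbers unitName: %s\n", unsafe_copy_clobbers_unitName() ? "yes" : "no");
    printf("sizeof bound preserves unitName: %s\n", safe_copy_preserves_unitName() ? "yes" : "no");
    return 0;
}
```

The overrun is sizeof(unitName) plus any padding, so it differs between 32-bit and 64-bit builds but is never zero; the only bound that is correct on every ABI is the one taken from the array itself. Note that the stand-in copier zeroes `name[0]` on failure; real CFStringGetCString leaves the buffer contents unspecified when it returns false, so production code should check the return value rather than rely on the buffer.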

Thank you for catching this! And your solution looks good. Per our documentation, we do not merge PRs here, but have opened a PR internally to incorporate the fix.

sophiapoirier avatar Dec 11 '23 23:12 sophiapoirier