The branch main has been updated by christos: URL: https://cgit.FreeBSD.org/src/commit/?id=453de99b386d40754a038cc4b804f4c7a3b04624
commit 453de99b386d40754a038cc4b804f4c7a3b04624 Author: Christos Margiolis <[email protected]> AuthorDate: 2026-05-28 13:51:26 +0000 Commit: Christos Margiolis <[email protected]> CommitDate: 2026-05-28 14:46:01 +0000 virtual_oss(8): Fix buffer overflow in voss_compressor() call This particular calls swaps the samples and maxchan arguments, which can cause a buffer overflow in p_ch_chain if maxchan exceeds its bounds (VMAX_CHAN). Reported by: Yuxiang Yang, Yizhou Zhao, Ao Wang, Xuewei Feng, Qi Li, and Ke Xu from Tsinghua University using GLM-5.1 from Z.ai Sponsored by: The FreeBSD Foundation MFC after: 3 days Reviewed by: emaste --- usr.sbin/virtual_oss/virtual_oss/virtual_oss.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr.sbin/virtual_oss/virtual_oss/virtual_oss.c b/usr.sbin/virtual_oss/virtual_oss/virtual_oss.c index 1d95c87d57b1..42a748a5e3bd 100644 --- a/usr.sbin/virtual_oss/virtual_oss/virtual_oss.c +++ b/usr.sbin/virtual_oss/virtual_oss/virtual_oss.c @@ -783,8 +783,8 @@ virtual_oss_process(void *arg __unused) /* check if compressor should be applied */ voss_compressor(buffer_temp, pvp->rx_compressor_gain, - &pvp->rx_compressor_param, samples, - samples * src_chans, (1ULL << (pvp->bits - 1)) - 1ULL); + &pvp->rx_compressor_param, samples * src_chans, + src_chans, (1ULL << (pvp->bits - 1)) - 1ULL); TAILQ_FOREACH(pvc, &pvp->head, entry) {
