DMX USB: validate Enttec input payload offsets

cmuellner · cmuellner · commit 11dd00f00ffa · 2026-05-14T11:35:00.000+02:00
Origin: derived while validating PR #1955. The payload-length guard was found while reviewing the same Enttec input parsing path. Feed the Enttec DMX USB Pro input path a receive-DMX packet with a payload length of 0 or 1, or a MIDI input packet ending with an incomplete command. The DMX branch read the status and start-code bytes without proving they existed, and the MIDI branch read data bytes at i + 1 and i + 2 for a truncated final command. The DMX branch also derived its slot-data slice from packet.size(). That is equivalent for well-formed packets, but using the validated payload offset makes the relationship to the decoded header explicit and keeps the malformed-payload checks localized. Reject malformed DMX payloads before decoding fixed fields, copy DMX data from the validated payload offset, and ignore a trailing incomplete MIDI command. No automated regression test exists for this device input path. Signed-off-by: Christoph Müllner <christophm30@gmail.com>
diff --git a/plugins/dmxusb/src/enttecdmxusbpro.cpp b/plugins/dmxusb/src/enttecdmxusbpro.cpp
@@ -526,6 +526,13 @@ int EnttecDMXUSBPro::readData(QByteArray &payload, bool &isMIDI, int RDM)
                 isMIDI = false;
                 int offset = 4;
 
+                if (dataLen < 1 || (RDM == None && dataLen < 2))
+                {
+                    qWarning() << Q_FUNC_INFO << "Malformed DMX packet payload length:" << dataLen;
+                    startIdx = buffer.indexOf(ENTTEC_PRO_START_OF_MSG);
+                    continue;
+                }
+
                 uchar status = static_cast<uchar>(packet[offset++]);
                 if (status & 0x01)
                     qWarning() << Q_FUNC_INFO << "Widget receive queue overflowed";
@@ -544,7 +551,7 @@ int EnttecDMXUSBPro::readData(QByteArray &payload, bool &isMIDI, int RDM)
                     dataLen -= 1;
                 }
 
-                payload = packet.mid(packet.size() - 1 - dataLen, dataLen);
+                payload = packet.mid(offset, dataLen);
                 return payload.size();
             }
 
@@ -990,15 +997,51 @@ void EnttecDMXUSBPro::run()
 
                     for (int i = 0; i < length;)
                     {
-                        if (!MIDI_IS_CMD(data[i]))
+                        uchar midiCmd = data[i];
+                        if (!MIDI_IS_CMD(midiCmd))
                         {
                             i++;
                             continue;
                         }
 
-                        uchar midiCmd = data[i];
-                        uchar midiData1 = data[i + 1];
-                        uchar midiData2 = data[i + 2];
+                        if (midiCmd == MIDI_SYSEX)
+                            break;
+
+                        bool isBeatCommand = midiCmd >= MIDI_BEAT_CLOCK && midiCmd <= MIDI_BEAT_STOP;
+                        int msgLength = 3;
+                        if (isBeatCommand)
+                            msgLength = 1;
+                        else if (MIDI_CMD(midiCmd) == MIDI_PROGRAM_CHANGE ||
+                                 MIDI_CMD(midiCmd) == MIDI_CHANNEL_AFTERTOUCH)
+                            msgLength = 2;
+
+                        if (i + msgLength > length)
+                            break;
+
+                        uchar midiData1 = 0;
+                        uchar midiData2 = 0;
+                        if (msgLength > 1)
+                        {
+                            if (MIDI_IS_CMD(data[i + 1]))
+                            {
+                                i++;
+                                continue;
+                            }
+                            midiData1 = data[i + 1];
+                        }
+                        if (msgLength > 2)
+                        {
+                            if (MIDI_IS_CMD(data[i + 2]))
+                            {
+                                i++;
+                                continue;
+                            }
+                            midiData2 = data[i + 2];
+                        }
+                        else if (MIDI_CMD(midiCmd) == MIDI_PROGRAM_CHANGE)
+                        {
+                            midiData2 = 127;
+                        }
 
                         //qDebug() << "CMD" << midiCmd << "DATA1" << midiData1 << "DATA2" << midiData2;
 
@@ -1009,11 +1052,11 @@ void EnttecDMXUSBPro::run()
                         {
                             emit valueChanged(UINT_MAX, emitLine, channel, value);
 
-                            if (midiCmd >= MIDI_BEAT_CLOCK && midiCmd <= MIDI_BEAT_STOP)
+                            if (isBeatCommand)
                                 emit valueChanged(UINT_MAX, emitLine, channel, 0);
                         }
 
-                        i += 3;
+                        i += msgLength;
                     }
                 }
             }
