2 files changed, 31 insertions, 7 deletions

diff --git a/src/cvt_xmi2mid.hpp b/src/cvt_xmi2mid.hpp
index 4dcba70..4bc4775 100644
--- a/src/cvt_xmi2mid.hpp
+++ b/src/cvt_xmi2mid.hpp
@@ -90,7 +90,7 @@ typedef struct {
 } midi_descriptor;
 
 struct xmi2mid_xmi_ctx {
-    uint8_t *src, *src_ptr;
+    uint8_t *src, *src_ptr, *src_end;
     uint32_t srcsize;
     uint32_t datastart;
     uint8_t *dst, *dst_ptr;
@@ -129,6 +129,7 @@ static uint32_t xmi2mid_ExtractTracksFromXmi(struct xmi2mid_xmi_ctx *ctx);
 static uint32_t xmi2mid_read1(struct xmi2mid_xmi_ctx *ctx)
 {
     uint8_t b0;
+    assert(ctx->src_ptr + 1 < ctx->src_end);
     b0 = *ctx->src_ptr++;
     return (b0);
 }
@@ -136,6 +137,7 @@ static uint32_t xmi2mid_read1(struct xmi2mid_xmi_ctx *ctx)
 static uint32_t xmi2mid_read2(struct xmi2mid_xmi_ctx *ctx)
 {
     uint8_t b0, b1;
+    assert(ctx->src_ptr + 2 < ctx->src_end);
     b0 = *ctx->src_ptr++;
     b1 = *ctx->src_ptr++;
     return (b0 + ((uint32_t)b1 << 8));
@@ -144,6 +146,7 @@ static uint32_t xmi2mid_read2(struct xmi2mid_xmi_ctx *ctx)
 static uint32_t xmi2mid_read4(struct xmi2mid_xmi_ctx *ctx)
 {
     uint8_t b0, b1, b2, b3;
+    assert(ctx->src_ptr + 4 < ctx->src_end);
     b3 = *ctx->src_ptr++;
     b2 = *ctx->src_ptr++;
     b1 = *ctx->src_ptr++;
@@ -154,6 +157,7 @@ static uint32_t xmi2mid_read4(struct xmi2mid_xmi_ctx *ctx)
 static uint32_t xmi2mid_read4le(struct xmi2mid_xmi_ctx *ctx)
 {
     uint8_t b0, b1, b2, b3;
+    assert(ctx->src_ptr + 4 < ctx->src_end);
     b3 = *ctx->src_ptr++;
     b2 = *ctx->src_ptr++;
     b1 = *ctx->src_ptr++;
@@ -163,6 +167,7 @@ static uint32_t xmi2mid_read4le(struct xmi2mid_xmi_ctx *ctx)
 
 static void xmi2mid_copy(struct xmi2mid_xmi_ctx *ctx, char *b, uint32_t len)
 {
+    assert(ctx->src_ptr + len < ctx->src_end);
     memcpy(b, ctx->src_ptr, len);
     ctx->src_ptr += len;
 }
@@ -525,6 +530,7 @@ static int Convert_xmi2midi(uint8_t *in, uint32_t insize,
     memset(&ctx, 0, sizeof(struct xmi2mid_xmi_ctx));
     ctx.src = ctx.src_ptr = in;
     ctx.srcsize = insize;
+    ctx.src_end = ctx.src + insize;
     ctx.convert_type = convert_type;
 
     if (xmi2mid_ParseXMI(&ctx) < 0) {
@@ -632,6 +638,8 @@ static int xmi2mid_GetVLQ(struct xmi2mid_xmi_ctx *ctx, uint32_t *quant) {
 
     *quant = 0;
     for (i = 0; i < 4; i++) {
+        if(ctx->src_ptr + 1 >= ctx->src + ctx->srcsize)
+            break;
         data = xmi2mid_read1(ctx);
         *quant <<= 7;
         *quant |= data & 0x7F;
diff --git a/src/midi_sequencer_impl.hpp b/src/midi_sequencer_impl.hpp
index ee2a77d..9136cb6 100644
--- a/src/midi_sequencer_impl.hpp
+++ b/src/midi_sequencer_impl.hpp
@@ -1825,7 +1825,7 @@ void BW_MidiSequencer::handleEvent(size_t track, const BW_MidiSequencer::MidiEve
         // Special event FF
         uint_fast16_t  evtype = evt.subtype;
         uint64_t length = static_cast<uint64_t>(evt.data.size());
-        const char *data(length ? reinterpret_cast<const char *>(evt.data.data()) : "");
+        const char *data(length ? reinterpret_cast<const char *>(evt.data.data()) : "\0\0\0\0\0\0\0\0");
 
         if(m_interface->rt_metaEvent) // Meta event hook
             m_interface->rt_metaEvent(m_interface->rtUserData, evtype, reinterpret_cast<const uint8_t*>(data), size_t(length));
@@ -1879,9 +1879,22 @@ void BW_MidiSequencer::handleEvent(size_t track, const BW_MidiSequencer::MidiEve
                     m_loop.skipStackStart = false;
                     return;
                 }
-                LoopStackEntry &s = m_loop.stack[static_cast<size_t>(m_loop.stackLevel + 1)];
-                s.loops = static_cast<int>(data[0]);
-                s.infinity = (data[0] == 0);
+
+                char x = data[0];
+                size_t s_addr = static_cast<size_t>(m_loop.stackLevel + 1);
+                while(s_addr >= m_loop.stack.size())
+                {
+                    LoopStackEntry e;
+                    e.loops = x;
+                    e.infinity = (x == 0);
+                    e.start = 0;
+                    e.end = 0;
+                    m_loop.stack.push_back(e);
+                }
+
+                LoopStackEntry &s = m_loop.stack[s_addr];
+                s.loops = static_cast<int>(x);
+                s.infinity = (x == 0);
                 m_loop.caughtStackStart = true;
                 return;
             }
@@ -2899,12 +2912,15 @@ bool BW_MidiSequencer::parseXMI(FileAndMemReader &fr)
     size_t mus_len = fr.fileSize();
     fr.seek(0, FileAndMemReader::SET);
 
-    uint8_t *mus = (uint8_t*)malloc(mus_len);
+    uint8_t *mus = (uint8_t*)std::malloc(mus_len + 20);
     if(!mus)
     {
         m_errorString = "Out of memory!";
         return false;
     }
+
+    std::memset(mus, 0, mus_len + 20);
+
     fsize = fr.read(mus, 1, mus_len);
     if(fsize < mus_len)
     {
@@ -2917,7 +2933,7 @@ bool BW_MidiSequencer::parseXMI(FileAndMemReader &fr)
 
     uint8_t *mid = NULL;
     uint32_t mid_len = 0;
-    int m2mret = Convert_xmi2midi(mus, static_cast<uint32_t>(mus_len),
+    int m2mret = Convert_xmi2midi(mus, static_cast<uint32_t>(mus_len + 20),
                                   &mid, &mid_len, XMIDI_CONVERT_NOCONVERSION);
     if(mus)
         free(mus);