From 69cd6039eb3b1e5559121e9d2e7fe2299a814fb7 Mon Sep 17 00:00:00 2001
From: nowhere
Date: Sat, 30 Dec 2017 18:52:36 +0100
Subject: [PATCH] Make parsing WAV data more robust

Check that we have enough data in the input instead of happily reading out of bounds memory. This fixes the most common problem of crashing on bad data which doesn't look like WAV at all, but doesn't fix problems with parsing input which does look like WAV, but is incorrect -- this will be done in subsequent commits.
---
 src/unix/sound.cpp | 26 ++++++++++++++++++--------
 1 file changed, 18 insertions(+), 8 deletions(-)

diff --git a/src/unix/sound.cpp b/src/unix/sound.cpp
index ae38289009..2227b117d1 100644
--- a/src/unix/sound.cpp
+++ b/src/unix/sound.cpp
@@ -651,14 +651,6 @@ bool wxSound::LoadWAV(const void* data_, size_t length, bool copyData)
 waveformat.uiBlockAlign = wxUINT16_SWAP_ON_BE(waveformat.uiBlockAlign);
 waveformat.uiBitsPerSample = wxUINT16_SWAP_ON_BE(waveformat.uiBitsPerSample);
 
- // get the sound data size
- wxUint32 ul;
- memcpy(&ul, &data[FMT_INDEX + waveformat.uiSize + 12], 4);
- ul = wxUINT32_SWAP_ON_BE(ul);
-
- if ( length < ul + FMT_INDEX + waveformat.uiSize + 16 )
- return false;
-
 if (memcmp(data, "RIFF", 4) != 0)
 return false;
 if (memcmp(&data[WAVE_INDEX], "WAVE", 4) != 0)
@@ -675,6 +667,24 @@ bool wxSound::LoadWAV(const void* data_, size_t length, bool copyData)
 waveformat.ulAvgBytesPerSec / waveformat.uiBlockAlign)
 return false;
 
+ // get file size from header
+ wxUint32 chunkSize;
+ memcpy(&chunkSize, &data[4], 4);
+ chunkSize = wxUINT32_SWAP_ON_BE(chunkSize);
+
+ // ensure file length is at least length in header
+ if (chunkSize > length - 8)
+ return false;
+
+ // get the sound data size
+ wxUint32 ul;
+ memcpy(&ul, &data[FMT_INDEX + waveformat.uiSize + 12], 4);
+ ul = wxUINT32_SWAP_ON_BE(ul);
+
+ // ensure we actually have at least that much data in the input
+ if (ul > length - FMT_INDEX - waveformat.uiSize - 16)
+ return false;
+
 m_data = new wxSoundData;
 m_data->m_channels = waveformat.uiChannels;
 m_data->m_samplingRate = waveformat.ulSamplesPerSec;
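Review bot: The added `memcpy(&ul, &data[FMT_INDEX + waveformat.uiSize + 12], 4)` still runs before anything in this hunk bounds `waveformat.uiSize`, so a header carrying a large `uiSize` puts that 4-byte read past `length`. The check that follows, `ul > length - FMT_INDEX - waveformat.uiSize - 16`, is unsigned arithmetic on a `size_t` and wraps to a huge value in exactly that case, so it accepts the input rather than rejecting it. Validate the offset ahead of the memcpy, for example `if (length < FMT_INDEX + 16 || waveformat.uiSize > length - FMT_INDEX - 16) return false;`. The same wrap applies to `length - 8` in the `chunkSize` test unless a minimum-length check exists above the hunk, which is not visible here. The commit message defers malformed WAV-like input to later commits, and LoadWAV's body starts and ends outside the hunk.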