From c010efc172907253570126d5a13c70230b2abbda Mon Sep 17 00:00:00 2001 From: Vadim Zeitlin Date: Sat, 30 Dec 2017 18:47:43 +0100 Subject: [PATCH] Avoid integer overflow when computing the sample size While it seems to be harmless in this particular case, it still prevents testing this code with UBSAN by triggering it here, so check that multiplication doesn't overflow. --- src/unix/sound.cpp | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/src/unix/sound.cpp b/src/unix/sound.cpp index 9697c36af4..355fc8673d 100644 --- a/src/unix/sound.cpp +++ b/src/unix/sound.cpp @@ -673,10 +673,16 @@ bool wxSound::LoadWAV(const void* data_, size_t length, bool copyData) waveformat.ulSamplesPerSec * waveformat.uiBlockAlign) return false; - // We divide by this number below to obtain the number of samples, so it - // definitely can't be 0. - wxUint32 const sampleSize = - waveformat.uiChannels * waveformat.uiBitsPerSample / 8; + // We divide by the sample size below to obtain the number of samples, so + // it definitely can't be 0. Also take care to avoid integer overflow when + // computing it. + unsigned tmp = waveformat.uiChannels; + if (tmp >= 0x10000) + return false; + + tmp *= waveformat.uiBitsPerSample; + + wxUint32 const sampleSize = tmp / 8; if (!sampleSize) return false;