From 0aa7c4413630644b24c808d2762c7eff9216f21d Mon Sep 17 00:00:00 2001 From: Vadim Zeitlin Date: Sun, 12 Mar 2006 13:29:05 +0000 Subject: [PATCH] don't require at least 8 bytes of sound data (patch 1340767); do check that we have enough data before reading it (and crashing) git-svn-id: https://svn.wxwidgets.org/svn/wx/wxWidgets/trunk@38021 c3d73ce0-8a6f-49c7-b76d-6d57e0e08775 --- src/unix/sound.cpp | 40 ++++++++++++++++++++++++++++++---------- 1 file changed, 30 insertions(+), 10 deletions(-) diff --git a/src/unix/sound.cpp b/src/unix/sound.cpp index 04100babf9..997873bf90 100644 --- a/src/unix/sound.cpp +++ b/src/unix/sound.cpp @@ -626,12 +626,30 @@ typedef struct bool wxSound::LoadWAV(const wxUint8 *data, size_t length, bool copyData) { - WAVEFORMAT waveformat; - wxUint32 ul; - - if (length < 32 + sizeof(WAVEFORMAT)) + // the simplest wave file header consists of 44 bytes: + // + // 0 "RIFF" + // 4 file size - 8 + // 8 "WAVE" + // + // 12 "fmt " + // 16 chunk size | + // 20 format tag | + // 22 number of channels | + // 24 sample rate | WAVEFORMAT + // 28 average bytes per second | + // 32 bytes per frame | + // 34 bits per sample | + // + // 36 "data" + // 40 number of data bytes + // 44 (wave signal) data + // + // so check that we have at least as much + if ( length < 44 ) return false; + WAVEFORMAT waveformat; memcpy(&waveformat, &data[FMT_INDEX + 4], sizeof(WAVEFORMAT)); waveformat.uiSize = wxUINT32_SWAP_ON_BE(waveformat.uiSize); waveformat.uiFormatTag = wxUINT16_SWAP_ON_BE(waveformat.uiFormatTag); @@ -641,6 +659,14 @@ bool wxSound::LoadWAV(const wxUint8 *data, size_t length, bool copyData) waveformat.uiBlockAlign = wxUINT16_SWAP_ON_BE(waveformat.uiBlockAlign); waveformat.uiBitsPerSample = wxUINT16_SWAP_ON_BE(waveformat.uiBitsPerSample); + // get the sound data size + wxUint32 ul; + memcpy(&ul, &data[FMT_INDEX + waveformat.uiSize + 12], 4); + ul = wxUINT32_SWAP_ON_BE(ul); + + if ( length < ul + FMT_INDEX + waveformat.uiSize + 16 ) + return false; + if (memcmp(data, "RIFF", 4) != 0) return false; if (memcmp(&data[WAVE_INDEX], "WAVE", 4) != 0) @@ -649,12 +675,6 @@ bool wxSound::LoadWAV(const wxUint8 *data, size_t length, bool copyData) return false; if (memcmp(&data[FMT_INDEX + waveformat.uiSize + 8], "data", 4) != 0) return false; - memcpy(&ul,&data[FMT_INDEX + waveformat.uiSize + 12], 4); - ul = wxUINT32_SWAP_ON_BE(ul); - - //WAS: if (ul + FMT_INDEX + waveformat.uiSize + 16 != length) - if (ul + FMT_INDEX + waveformat.uiSize + 16 > length) - return false; if (waveformat.uiFormatTag != WAVE_FORMAT_PCM) return false;