don't require at least 8 bytes of sound data (patch 1340767); do check that we have enough data before reading it (and crashing)

git-svn-id: https://svn.wxwidgets.org/svn/wx/wxWidgets/trunk@38021 c3d73ce0-8a6f-49c7-b76d-6d57e0e08775
Vadim Zeitlin 2006-03-12 13:29:05 +00:00
parent cceed0407f
commit 0aa7c44136


@ -626,12 +626,30 @@ typedef struct
bool wxSound::LoadWAV(const wxUint8 *data, size_t length, bool copyData)
{
WAVEFORMAT waveformat;
wxUint32 ul;
if (length < 32 + sizeof(WAVEFORMAT))
// the simplest wave file header consists of 44 bytes:
//
// 0 "RIFF"
// 4 file size - 8
// 8 "WAVE"
//
// 12 "fmt "
// 16 chunk size |
// 20 format tag |
// 22 number of channels |
// 24 sample rate | WAVEFORMAT
// 28 average bytes per second |
// 32 bytes per frame |
// 34 bits per sample |
//
// 36 "data"
// 40 number of data bytes
// 44 (wave signal) data
//
// so check that we have at least as much
if ( length < 44 )
return false;
WAVEFORMAT waveformat;
memcpy(&waveformat, &data[FMT_INDEX + 4], sizeof(WAVEFORMAT));
waveformat.uiSize = wxUINT32_SWAP_ON_BE(waveformat.uiSize);
waveformat.uiFormatTag = wxUINT16_SWAP_ON_BE(waveformat.uiFormatTag);
@ -641,6 +659,14 @@ bool wxSound::LoadWAV(const wxUint8 *data, size_t length, bool copyData)
waveformat.uiBlockAlign = wxUINT16_SWAP_ON_BE(waveformat.uiBlockAlign);
waveformat.uiBitsPerSample = wxUINT16_SWAP_ON_BE(waveformat.uiBitsPerSample);
// get the sound data size
wxUint32 ul;
memcpy(&ul, &data[FMT_INDEX + waveformat.uiSize + 12], 4);
ul = wxUINT32_SWAP_ON_BE(ul);
if ( length < ul + FMT_INDEX + waveformat.uiSize + 16 )
return false;
if (memcmp(data, "RIFF", 4) != 0)
return false;
if (memcmp(&data[WAVE_INDEX], "WAVE", 4) != 0)
@ -649,12 +675,6 @@ bool wxSound::LoadWAV(const wxUint8 *data, size_t length, bool copyData)
return false;
if (memcmp(&data[FMT_INDEX + waveformat.uiSize + 8], "data", 4) != 0)
return false;
memcpy(&ul,&data[FMT_INDEX + waveformat.uiSize + 12], 4);
ul = wxUINT32_SWAP_ON_BE(ul);
//WAS: if (ul + FMT_INDEX + waveformat.uiSize + 16 != length)
if (ul + FMT_INDEX + waveformat.uiSize + 16 > length)
return false;
if (waveformat.uiFormatTag != WAVE_FORMAT_PCM)
return false;
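Review bot: The read of the data-chunk size in the second hunk, `memcpy(&ul, &data[FMT_INDEX + waveformat.uiSize + 12], 4)`, is still guarded only by `length < 44`, although `waveformat.uiSize` is taken from the file, so a large fmt chunk size indexes past the end of `data`; the "data" `memcmp` in the third hunk uses the same unchecked offset. The check that follows, `length < ul + FMT_INDEX + waveformat.uiSize + 16`, adds file-controlled 32-bit values and can presumably wrap around, which would let an oversized `ul` through. I would bound the offset before the `memcpy` with `if ( waveformat.uiSize > length - FMT_INDEX - 16 ) return false;` and then compare by subtraction, `if ( ul > length - FMT_INDEX - 16 - waveformat.uiSize ) return false;`. Neither subtraction can underflow after the `length < 44` test, assuming FMT_INDEX is 12 as the header comment lays out. The rest of LoadWAV, including whatever consumes `ul`, is outside these hunks.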