From 45e8d13e1304f39fdf763ec06a9443d3a4df06f3 Mon Sep 17 00:00:00 2001
From: Vadim Zeitlin
Date: Sat, 30 Dec 2017 17:28:27 +0100
Subject: [PATCH] Add format sub-chunk size check to WAV parsing

This fixes a crash due to reading beyond the buffer bounds when checking for "data" if WAVEFORMAT::uiSize was too big.
---
 src/unix/sound.cpp | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/unix/sound.cpp b/src/unix/sound.cpp
index 2227b117d1..53e3f31240 100644
--- a/src/unix/sound.cpp
+++ b/src/unix/sound.cpp
@@ -657,6 +657,12 @@ bool wxSound::LoadWAV(const void* data_, size_t length, bool copyData)
 return false;
 if (memcmp(&data[FMT_INDEX], "fmt ", 4) != 0)
 return false;
+
+ // Check that the format chunk size is correct: it must be 16 for PCM,
+ // which is the only format we handle.
+ if (waveformat.uiSize != 16)
+ return false;
+
 if (memcmp(&data[FMT_INDEX + waveformat.uiSize + 8], "data", 4) != 0)
 return false;
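Review bot: The added `waveformat.uiSize != 16` guard fixes the offset used by the following `memcmp(..., "data", 4)`, but nothing visible in this hunk ties that offset to `length`, so the read is only in bounds if an earlier check (outside the hunk) already guarantees the buffer holds at least `FMT_INDEX + 16 + 8 + 4` bytes. Making the dependency explicit keeps the read safe even if that earlier check changes: `if (waveformat.uiSize != 16 || length < FMT_INDEX + 16 + 8 + 4) return false;`. The comment could also say that the value is attacker-controlled file data and that PCM files some encoders write with an 18-byte `fmt ` chunk are now rejected rather than parsed, so the stricter behaviour is documented as intentional. LoadWAV's body starts before and continues after the hunk.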