cf11e28599
Found via RedHat bug 1174792. It was not clear whether these address a NULL dereference and a division by zero.
28 lines
1.1 KiB
Diff
28 lines
1.1 KiB
Diff
From ebb64cddde59ecc9cedf3741ce2337c72148cc0c Mon Sep 17 00:00:00 2001
|
|
From: Chris Bagwell <chris@cnpbagwell.com>
|
|
Date: Sat, 13 Dec 2014 12:49:55 -0600
|
|
Subject: [PATCH 2/2] More checks for invalid MS ADPCM blocks.
|
|
|
|
If block doesn't exacty match blockAlign then do not allow
|
|
number of samples in invalid size block to ever be more than
|
|
what WAV header defined as samplesPerBlock.
|
|
---
|
|
src/wav.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/src/wav.c b/src/wav.c
|
|
index 61d5908..5202556 100644
|
|
--- a/src/wav.c
|
|
+++ b/src/wav.c
|
|
@@ -168,7 +168,7 @@ static unsigned short AdpcmReadBlock(sox_format_t * ft)
|
|
/* work with partial blocks. Specs say it should be null */
|
|
/* padded but I guess this is better than trailing quiet. */
|
|
samplesThisBlock = lsx_ms_adpcm_samples_in((size_t)0, (size_t)ft->signal.channels, bytesRead, (size_t)0);
|
|
- if (samplesThisBlock == 0)
|
|
+ if (samplesThisBlock == 0 || samplesThisBlock > wav->samplesPerBlock)
|
|
{
|
|
lsx_warn("Premature EOF on .wav input file");
|
|
return 0;
|
|
--
|
|
2.1.0
|
|
|