[Sec] STP: Possible out-of-bounds memory read with malformed STP file…
…s (caught with afl-fuzz).

Patch-by: sagamusix
(originally committed as part of r9568)


git-svn-id: https://source.openmpt.org/svn/openmpt/branches/OpenMPT-1.27@9576 56274372-70c3-4bfc-bfc3-4c3a0b034d27
manxorist committed Feb 3, 2018
1 parent 73e5145 commit b60b322
Showing 1 changed file with 9 additions and 4 deletions.
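--- a/soundlib/Load_stp.cpp
+++ b/soundlib/Load_stp.cpp
@@ -108,7 +108,12 @@ static TEMPO ConvertTempo(uint16 ciaSpeed)
 
 static void ConvertLoopSlice(ModSample &src, ModSample &dest, SmpLength start, SmpLength len, bool loop)
 {
-if(!src.HasSampleData()) return;
+if(!src.HasSampleData()
+|| start >= src.nLength
+|| src.nLength - start < len)
+{
+return;
+}
 
 dest.FreeSample();
 dest = src;
@@ -156,9 +161,9 @@ static void ConvertLoopSequence(ModSample &smp, STPLoopList &loopList)
 
 // If adding this loop would cause the sample length to exceed maximum,
 // then limit and bail out
-if((newSmp.nLength + info.loopLength > MAX_SAMPLE_LENGTH) ||
-(info.loopLength > MAX_SAMPLE_LENGTH) ||
-(info.loopStart + info.loopLength > smp.nLength))
+if(info.loopStart >= smp.nLength
+|| smp.nLength - info.loopStart < info.loopLength
+|| newSmp.nLength > MAX_SAMPLE_LENGTH - info.loopLength)
 {
 numLoops = i;
 break;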
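Review bot: In the second hunk, the last clause `newSmp.nLength > MAX_SAMPLE_LENGTH - info.loopLength` no longer has the explicit `info.loopLength > MAX_SAMPLE_LENGTH` guard that the removed code carried. It is therefore only safe because the two clauses before it bound `info.loopLength` by `smp.nLength`, and because `smp.nLength` is presumably never larger than `MAX_SAMPLE_LENGTH`; that invariant is not visible in this hunk. If SmpLength is unsigned (as the subtraction-style checks suggest) and the invariant ever fails, the subtraction wraps and the limit check passes. Keeping `|| info.loopLength > MAX_SAMPLE_LENGTH` ahead of that clause would make the condition self-contained; failing that, a comment such as `// loopLength <= smp.nLength <= MAX_SAMPLE_LENGTH here, so the subtraction cannot wrap` would record the dependency on clause order. The enclosing loop in ConvertLoopSequence starts and ends outside the hunk.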