Skip to content

Commit 6f8bb34

Browse files
committed
issue #33, sanitize size of unknown chunks before malloc()
1 parent 0a72951 commit 6f8bb34

File tree

3 files changed

+24
-3
lines changed

3 files changed

+24
-3
lines changed

Diff for: cli/dsdiff.c

+8-1
Original file line numberDiff line numberDiff line change
@@ -279,7 +279,14 @@ int ParseDsdiffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpa
279279
else { // just copy unknown chunks to output file
280280

281281
int bytes_to_copy = (int)(((dff_chunk_header.ckDataSize) + 1) & ~(int64_t)1);
282-
char *buff = malloc (bytes_to_copy);
282+
char *buff;
283+
284+
if (bytes_to_copy < 0 || bytes_to_copy > 4194304) {
285+
error_line ("%s is not a valid .DFF file!", infilename);
286+
return WAVPACK_SOFT_ERROR;
287+
}
288+
289+
buff = malloc (bytes_to_copy);
283290

284291
if (debug_logging_mode)
285292
error_line ("extra unknown chunk \"%c%c%c%c\" of %d bytes",

Diff for: cli/riff.c

+8-1
Original file line numberDiff line numberDiff line change
@@ -286,7 +286,14 @@ int ParseRiffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpack
286286
else { // just copy unknown chunks to output file
287287

288288
int bytes_to_copy = (chunk_header.ckSize + 1) & ~1L;
289-
char *buff = malloc (bytes_to_copy);
289+
char *buff;
290+
291+
if (bytes_to_copy < 0 || bytes_to_copy > 4194304) {
292+
error_line ("%s is not a valid .WAV file!", infilename);
293+
return WAVPACK_SOFT_ERROR;
294+
}
295+
296+
buff = malloc (bytes_to_copy);
290297

291298
if (debug_logging_mode)
292299
error_line ("extra unknown chunk \"%c%c%c%c\" of %d bytes",

Diff for: cli/wave64.c

+8-1
Original file line numberDiff line numberDiff line change
@@ -241,7 +241,14 @@ int ParseWave64HeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpa
241241
}
242242
else { // just copy unknown chunks to output file
243243
int bytes_to_copy = (chunk_header.ckSize + 7) & ~7L;
244-
char *buff = malloc (bytes_to_copy);
244+
char *buff;
245+
246+
if (bytes_to_copy < 0 || bytes_to_copy > 4194304) {
247+
error_line ("%s is not a valid .W64 file!", infilename);
248+
return WAVPACK_SOFT_ERROR;
249+
}
250+
251+
buff = malloc (bytes_to_copy);
245252

246253
if (debug_logging_mode)
247254
error_line ("extra unknown chunk \"%c%c%c%c\" of %d bytes",

0 commit comments

Comments
 (0)