Skip to content
Permalink
Browse files

issue #33, sanitize size of unknown chunks before malloc()

  • Loading branch information...
dbry committed Apr 25, 2018
1 parent 0a72951 commit 6f8bb34c2993a48ab9afbe353e6d0cff7c8d821d
Showing with 24 additions and 3 deletions.
  1. +8 −1 cli/dsdiff.c
  2. +8 −1 cli/riff.c
  3. +8 −1 cli/wave64.c
@@ -279,7 +279,14 @@ int ParseDsdiffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpa
else { // just copy unknown chunks to output file

int bytes_to_copy = (int)(((dff_chunk_header.ckDataSize) + 1) & ~(int64_t)1);
char *buff = malloc (bytes_to_copy);
char *buff;

if (bytes_to_copy < 0 || bytes_to_copy > 4194304) {
error_line ("%s is not a valid .DFF file!", infilename);
return WAVPACK_SOFT_ERROR;
}

buff = malloc (bytes_to_copy);

if (debug_logging_mode)
error_line ("extra unknown chunk \"%c%c%c%c\" of %d bytes",
@@ -286,7 +286,14 @@ int ParseRiffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpack
else { // just copy unknown chunks to output file

int bytes_to_copy = (chunk_header.ckSize + 1) & ~1L;
char *buff = malloc (bytes_to_copy);
char *buff;

if (bytes_to_copy < 0 || bytes_to_copy > 4194304) {
error_line ("%s is not a valid .WAV file!", infilename);
return WAVPACK_SOFT_ERROR;
}

buff = malloc (bytes_to_copy);

if (debug_logging_mode)
error_line ("extra unknown chunk \"%c%c%c%c\" of %d bytes",
@@ -241,7 +241,14 @@ int ParseWave64HeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpa
}
else { // just copy unknown chunks to output file
int bytes_to_copy = (chunk_header.ckSize + 7) & ~7L;
char *buff = malloc (bytes_to_copy);
char *buff;

if (bytes_to_copy < 0 || bytes_to_copy > 4194304) {
error_line ("%s is not a valid .W64 file!", infilename);
return WAVPACK_SOFT_ERROR;
}

buff = malloc (bytes_to_copy);

if (debug_logging_mode)
error_line ("extra unknown chunk \"%c%c%c%c\" of %d bytes",

0 comments on commit 6f8bb34

Please sign in to comment.
You can’t perform that action at this time.