@@ -89,8 +89,8 @@ typedef struct
8989
9090#define CAFChannelDescriptionFormat "LLLLL"
9191
92- static const char TMH_full [] = { 1 ,2 ,3 ,13 ,9 ,10 ,5 ,6 ,12 ,14 ,15 ,16 ,17 ,9 ,4 ,18 ,7 ,8 ,19 ,20 ,21 };
93- static const char TMH_std [] = { 1 ,2 ,3 ,11 ,8 ,9 ,5 ,6 ,10 ,12 ,13 ,14 ,15 ,7 ,4 ,16 };
92+ static const char TMH_full [] = { 1 ,2 ,3 ,13 ,9 ,10 ,5 ,6 ,12 ,14 ,15 ,16 ,17 ,9 ,4 ,18 ,7 ,8 ,19 ,20 ,21 , 0 };
93+ static const char TMH_std [] = { 1 ,2 ,3 ,11 ,8 ,9 ,5 ,6 ,10 ,12 ,13 ,14 ,15 ,7 ,4 ,16 , 0 };
9494
9595static struct {
9696 uint32_t mChannelLayoutTag ; // Core Audio layout, 100 - 146 in high word, num channels in low word
@@ -274,10 +274,19 @@ int ParseCaffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpack
274274 }
275275 }
276276 else if (!strncmp (caf_chunk_header .mChunkType , "chan" , 4 )) {
277- CAFChannelLayout * caf_channel_layout = malloc (( size_t ) caf_chunk_header . mChunkSize ) ;
277+ CAFChannelLayout * caf_channel_layout ;
278278
279- if (caf_chunk_header .mChunkSize < sizeof (CAFChannelLayout ) ||
280- !DoReadFile (infile , caf_channel_layout , (uint32_t ) caf_chunk_header .mChunkSize , & bcount ) ||
279+ if (caf_chunk_header .mChunkSize < sizeof (CAFChannelLayout ) || caf_chunk_header .mChunkSize > 1024 ) {
280+ error_line ("this .CAF file has an invalid 'chan' chunk!" );
281+ return WAVPACK_SOFT_ERROR ;
282+ }
283+
284+ if (debug_logging_mode )
285+ error_line ("'chan' chunk is %d bytes" , (int ) caf_chunk_header .mChunkSize );
286+
287+ caf_channel_layout = malloc ((size_t ) caf_chunk_header .mChunkSize );
288+
289+ if (!DoReadFile (infile , caf_channel_layout , (uint32_t ) caf_chunk_header .mChunkSize , & bcount ) ||
281290 bcount != caf_chunk_header .mChunkSize ) {
282291 error_line ("%s is not a valid .CAF file!" , infilename );
283292 free (caf_channel_layout );
@@ -495,8 +504,15 @@ int ParseCaffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpack
495504 }
496505 else { // just copy unknown chunks to output file
497506
498- int bytes_to_copy = (uint32_t ) caf_chunk_header .mChunkSize ;
499- char * buff = malloc (bytes_to_copy );
507+ uint32_t bytes_to_copy = (uint32_t ) caf_chunk_header .mChunkSize ;
508+ char * buff ;
509+
510+ if (caf_chunk_header .mChunkSize < 0 || caf_chunk_header .mChunkSize > 1048576 ) {
511+ error_line ("%s is not a valid .CAF file!" , infilename );
512+ return WAVPACK_SOFT_ERROR ;
513+ }
514+
515+ buff = malloc (bytes_to_copy );
500516
501517 if (debug_logging_mode )
502518 error_line ("extra unknown chunk \"%c%c%c%c\" of %d bytes" ,
0 commit comments