
src/wav_w64.c : Fix heap write overflow.

A heap write overflow could occur if the number of channels is less than the
length of the file's channel map.

Found using the afl (http://lcamtuf.coredump.cx/afl/) fuzzer.
erikd committed Nov 28, 2014
1 parent e67d42d commit a8ab5b375bf7faa040ae0dd4743f8c99a027574a
Showing with 6 additions and 4 deletions.
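--- a/src/wav_w64.c
+++ b/src/wav_w64.c
@@ -1,5 +1,5 @@
 /*
-** Copyright (C) 1999-2012 Erik de Castro Lopo <erikd@mega-nerd.com>
+** Copyright (C) 1999-2014 Erik de Castro Lopo <erikd@mega-nerd.com>
 ** Copyright (C) 2004-2005 David Viens <davidv@plogue.com>
 **
 ** This program is free software; you can redistribute it and/or modify
@@ -324,7 +324,7 @@ wav_w64_read_fmt_chunk (SF_PRIVATE *psf, int fmtsize)
 /* Terminate the buffer we're going to append_snprintf into. */
 buffer [0] = 0 ;
- for (bit = k = 0 ; bit < ARRAY_LEN (channel_mask_bits) ; bit++)
+ for (bit = k = 0 ; bit < ARRAY_LEN (channel_mask_bits) && k < psf->sf.channels ; bit++)
 {
 if (wav_fmt->ext.channelmask & (1 << bit))
 { if (k > psf->sf.channels)
@@ -339,8 +339,10 @@ wav_w64_read_fmt_chunk (SF_PRIVATE *psf, int fmtsize)
 /* Remove trailing ", ". */
 bit = strlen (buffer) ;
- buffer [--bit] = 0 ;
- buffer [--bit] = 0 ;
+ if (bit >= 2)
+ { buffer [--bit] = 0 ;
+ buffer [--bit] = 0 ;
+ } ;
 if (k != psf->sf.channels)
 { psf_log_printf (psf, " Channel Mask : 0x%X\n", wav_fmt->ext.channelmask) ;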
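Review bot: The `if (k > psf->sf.channels)` check on the context line just after the new loop condition is now unreachable, because the body is only entered while `k < psf->sf.channels`; it is also the check that let `k == psf->sf.channels` through and index one past the map, which is the overflow this commit closes from the outside. Either delete it or turn it into the assertion it was meant to be, `if (k >= psf->sf.channels)`, so a later change to the loop bound cannot reopen the out-of-bounds write. A side effect of stopping the loop early is that a file whose mask sets more bits than `sf.channels` presumably exits with k equal to the channel count, so the `k != psf->sf.channels` log in the last hunk would no longer report that mismatch; a separate log line for the truncated-mask case would keep the diagnostic. wav_w64_read_fmt_chunk begins and ends outside these hunks.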

