From 44e4deab7c5ca515a1d3580f082c2c3855fd1c98 Mon Sep 17 00:00:00 2001
From: "Ryan C. Gordon"
Date: Mon, 22 Sep 2025 09:49:23 -0400
Subject: [PATCH] wav: Clamp DATA chunk to size of file if possible.

Prevents a malicious file from malloc'ing multiple gigabytes. Fixes #10052.
---
 src/audio/SDL_wave.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
index 3ecb5e959d..53b950b5e6 100644
--- a/src/audio/SDL_wave.c
+++ b/src/audio/SDL_wave.c
@@ -1775,6 +1775,7 @@ static bool WaveLoad(SDL_IOStream *src, WaveFile *file, SDL_AudioSpec *spec, Uin
 int result;
 Uint32 chunkcount = 0;
 Uint32 chunkcountlimit = 10000;
+ const Sint64 flen = SDL_GetIOSize(src); // this might be -1 if the IOStream can't determine the total size.
 const char *hint;
 Sint64 RIFFstart, RIFFend, lastchunkpos;
 bool RIFFlengthknown = false;
@@ -1883,6 +1884,14 @@ static bool WaveLoad(SDL_IOStream *src, WaveFile *file, SDL_AudioSpec *spec, Uin
 fmtchunk = *chunk;
 }
 } else if (chunk->fourcc == DATA) {
+ /* If the data chunk is bigger than the file, it might be corrupt
+ or the file is truncated. Try to recover by clamping the file
+ size. This also means a malicious file can't allocate 4 gigabytes
+ for the chunks without actually supplying a 4 gigabyte file. */
+ if ((flen > 0) && ((chunk->position + chunk->length) > flen)) {
+ chunk->length = flen - chunk->position;
+ }
+
 /* Only use the first data chunk. Handling the wavl list madness
 * may require a different approach. */
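Review bot: The comment on the new `flen` declaration in the first hunk documents only the -1 case, while the code that consumes it (the DATA-chunk clamp in the second hunk) skips the clamp for any `flen <= 0` and, when it does run, trusts `flen` as an upper bound on `chunk->position`; the comment should state that contract, e.g. `// total stream size, or -1 when the IOStream can't report it (0 is treated as unknown too); used only as a best-effort upper bound for chunk lengths.` Because the value appears to come from the stream backend's own size callback rather than from bytes actually read, a reported size smaller than the chunk's start position would make `flen - chunk->position` negative, and if `chunk->length` is narrower than Sint64 (the commit text's "4 gigabytes" suggests a 32-bit field) the narrowing would produce a large length instead of a clamp; checking `chunk->position > flen` there and treating the chunk as empty or invalid would close that path. WaveLoad starts before and continues well past both hunks, and the second hunk is cut off at the end of this view.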