mirrors/SDL
1
0
Fork 0
mirror of https://github.com/libsdl-org/SDL.git synced 2025-09-29 06:28:29 +00:00
Code Issues Packages Projects Releases Wiki Activity

wav: Clamp DATA chunk to size of file if possible.

Browse Source 
Prevents a malicious file from malloc'ing multiple gigabytes.

Fixes #10052.
This commit is contained in:
Ryan C. Gordon
2025-09-22 09:49:23 -04:00
parent aef05d8750
commit 44e4deab7c
1 changed files with 9 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
src/audio/SDL_wave.c
View File

@@ -1775,6 +1775,7 @@ static bool WaveLoad(SDL_IOStream *src, WaveFile *file, SDL_AudioSpec *spec, Uin
int result; int result;
Uint32 chunkcount = 0; Uint32 chunkcount = 0;
Uint32 chunkcountlimit = 10000; Uint32 chunkcountlimit = 10000;
const Sint64 flen = SDL_GetIOSize(src); // this might be -1 if the IOStream can't determine the total size.
const char *hint; const char *hint;
Sint64 RIFFstart, RIFFend, lastchunkpos; Sint64 RIFFstart, RIFFend, lastchunkpos;
bool RIFFlengthknown = false; bool RIFFlengthknown = false;
@@ -1883,6 +1884,14 @@ static bool WaveLoad(SDL_IOStream *src, WaveFile *file, SDL_AudioSpec *spec, Uin
fmtchunk = *chunk; fmtchunk = *chunk;
} }
} else if (chunk->fourcc == DATA) { } else if (chunk->fourcc == DATA) {
/* If the data chunk is bigger than the file, it might be corrupt
or the file is truncated. Try to recover by clamping the file
size. This also means a malicious file can't allocate 4 gigabytes
for the chunks without actually supplying a 4 gigabyte file. */
if ((flen > 0) && ((chunk->position + chunk->length) > flen)) {
chunk->length = flen - chunk->position;
}
/* Only use the first data chunk. Handling the wavl list madness /* Only use the first data chunk. Handling the wavl list madness
* may require a different approach. * may require a different approach.
*/ */