1*4882a593SmuzhiyunFrom deb669ee8be55a94565f6f8a6b60890c2e7c6f32 Mon Sep 17 00:00:00 2001
2*4882a593SmuzhiyunFrom: bobsayshilol <bobsayshilol@live.co.uk>
3*4882a593SmuzhiyunDate: Thu, 18 Feb 2021 21:52:09 +0000
4*4882a593SmuzhiyunSubject: [PATCH] ms_adpcm: Fix and extend size checks
5*4882a593Smuzhiyun
6*4882a593Smuzhiyun'blockalign' is the size of a block, and each block contains 7 samples
7*4882a593Smuzhiyunper channel as part of the preamble, so check against 'samplesperblock'
8*4882a593Smuzhiyunrather than 'blockalign'. Also add an additional check that the block
9*4882a593Smuzhiyunis big enough to hold the samples it claims to hold.
10*4882a593Smuzhiyun
11*4882a593Smuzhiyunhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26803
12*4882a593SmuzhiyunSigned-off-by: Peter Korsgaard <peter@korsgaard.com>
13*4882a593Smuzhiyun---
14*4882a593Smuzhiyun src/ms_adpcm.c | 10 ++++++++--
15*4882a593Smuzhiyun 1 file changed, 8 insertions(+), 2 deletions(-)
16*4882a593Smuzhiyun
17*4882a593Smuzhiyundiff --git a/src/ms_adpcm.c b/src/ms_adpcm.c
18*4882a593Smuzhiyunindex 5e8f1a31..a21cb994 100644
19*4882a593Smuzhiyun--- a/src/ms_adpcm.c
20*4882a593Smuzhiyun+++ b/src/ms_adpcm.c
21*4882a593Smuzhiyun@@ -128,8 +128,14 @@ wavlike_msadpcm_init (SF_PRIVATE *psf, int blockalign, int samplesperblock)
22*4882a593Smuzhiyun if (psf->file.mode == SFM_WRITE)
23*4882a593Smuzhiyun samplesperblock = 2 + 2 * (blockalign - 7 * psf->sf.channels) / psf->sf.channels ;
24*4882a593Smuzhiyun
25*4882a593Smuzhiyun- if (blockalign < 7 * psf->sf.channels)
26*4882a593Smuzhiyun- { psf_log_printf (psf, "*** Error blockalign (%d) should be > %d.\n", blockalign, 7 * psf->sf.channels) ;
27*4882a593Smuzhiyun+ /* There's 7 samples per channel in the preamble of each block */
28*4882a593Smuzhiyun+ if (samplesperblock < 7 * psf->sf.channels)
29*4882a593Smuzhiyun+ { psf_log_printf (psf, "*** Error samplesperblock (%d) should be >= %d.\n", samplesperblock, 7 * psf->sf.channels) ;
30*4882a593Smuzhiyun+ return SFE_INTERNAL ;
31*4882a593Smuzhiyun+ } ;
32*4882a593Smuzhiyun+
33*4882a593Smuzhiyun+ if (2 * blockalign < samplesperblock * psf->sf.channels)
34*4882a593Smuzhiyun+ { psf_log_printf (psf, "*** Error blockalign (%d) should be >= %d.\n", blockalign, samplesperblock * psf->sf.channels / 2) ;
35*4882a593Smuzhiyun return SFE_INTERNAL ;
36*4882a593Smuzhiyun } ;
37*4882a593Smuzhiyun
38*4882a593Smuzhiyun--
39*4882a593Smuzhiyun2.20.1
40*4882a593Smuzhiyun
41
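Review bot: The two added guards multiply `int` values (`7 * psf->sf.channels`, `2 * blockalign`, `samplesperblock * psf->sf.channels`) before comparing, so if these fields can be large (they presumably come from the file header, given the fuzzer report) a signed overflow is undefined behaviour and can let an undersized block pass the very check meant to reject it. Doing the comparison in a wider type avoids that, e.g. `if (2 * (int64_t) blockalign < (int64_t) samplesperblock * psf->sf.channels)` (or the project's own 64-bit type), or the three values can be range-checked first. Separately, for a single channel the new pair of checks accepts `blockalign` values of 4 to 6 that the removed `blockalign < 7 * psf->sf.channels` test rejected; if the preamble also occupies 7 bytes per channel in the block, that lower bound is worth keeping alongside the new ones. The body of wavlike_msadpcm_init starts and ends outside this hunk, so any earlier validation of these values is not visible here.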