Fixed bug 2670 - Possible memory overflow in Mix_LoadWAV_RW

Lee Salzman In mixer.c, Mix_LoadWAV_RW, there is the following code: wavecvt.len = chunk->alen & ~(samplesize-1); wavecvt.buf = (Uint8 *)SDL_calloc(1, wavecvt.len*wavecvt.len_mult); ... SDL_memcpy(wavecvt.buf, chunk->abuf, chunk->alen); That SDL_memcpy should rather be: SDL_memcpy(wavectf.buf, chunk->abuf, wavecvt.len); If you imagine that wavecvt.len_mult was 1 and samplesize was greater than 1 with wavecvt.len < chunk->alen, then it may overwrite.
libsdl-org · Oct 21, 2017 · a60d5d8 · a60d5d8
1 parent a9d667e
commit a60d5d8
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/mixer.c b/mixer.c
@@ -745,7 +745,7 @@ Mix_Chunk *Mix_LoadWAV_RW(SDL_RWops *src, int freesrc)
             SDL_free(chunk);
             return(NULL);
         }
-        SDL_memcpy(wavecvt.buf, chunk->abuf, chunk->alen);
+        SDL_memcpy(wavecvt.buf, chunk->abuf, wavecvt.len);
         SDL_free(chunk->abuf);
 
         /* Run the audio converter */