src/audio/SDL_wave.c
author Petr Písař <ppisar@redhat.com>
Mon, 10 Jun 2019 08:54:11 -0700
branchSDL-1.2
changeset 12816 416136310b88
parent 12815 a6e3d2f5183e
child 12817 faf9abbcfb5f
permissions -rw-r--r--
CVE-2019-7577: Fix a buffer overread in MS_ADPCM_decode
If RIFF/WAV data chunk length is shorter then expected for an audio
format defined in preceeding RIFF/WAV format headers, a buffer
overread can happen.

This patch fixes it by checking a MS ADPCM data to be decoded are not
past the initialized buffer.

CVE-2019-7577
Reproducer: https://bugzilla.libsdl.org/show_bug.cgi?id=4492

Signed-off-by: Petr Písař <ppisar@redhat.com>
     1 /*
     2     SDL - Simple DirectMedia Layer
     3     Copyright (C) 1997-2012 Sam Lantinga
     4 
     5     This library is free software; you can redistribute it and/or
     6     modify it under the terms of the GNU Lesser General Public
     7     License as published by the Free Software Foundation; either
     8     version 2.1 of the License, or (at your option) any later version.
     9 
    10     This library is distributed in the hope that it will be useful,
    11     but WITHOUT ANY WARRANTY; without even the implied warranty of
    12     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
    13     Lesser General Public License for more details.
    14 
    15     You should have received a copy of the GNU Lesser General Public
    16     License along with this library; if not, write to the Free Software
    17     Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
    18 
    19     Sam Lantinga
    20     slouken@libsdl.org
    21 */
    22 #include "SDL_config.h"
    23 
    24 /* Microsoft WAVE file loading routines */
    25 
    26 #include "SDL_audio.h"
    27 #include "SDL_wave.h"
    28 
    29 
    30 static int ReadChunk(SDL_RWops *src, Chunk *chunk);
    31 
    32 struct MS_ADPCM_decodestate {
    33 	Uint8 hPredictor;
    34 	Uint16 iDelta;
    35 	Sint16 iSamp1;
    36 	Sint16 iSamp2;
    37 };
    38 static struct MS_ADPCM_decoder {
    39 	WaveFMT wavefmt;
    40 	Uint16 wSamplesPerBlock;
    41 	Uint16 wNumCoef;
    42 	Sint16 aCoeff[7][2];
    43 	/* * * */
    44 	struct MS_ADPCM_decodestate state[2];
    45 } MS_ADPCM_state;
    46 
    47 static int InitMS_ADPCM(WaveFMT *format)
    48 {
    49 	Uint8 *rogue_feel;
    50 	int i;
    51 
    52 	/* Set the rogue pointer to the MS_ADPCM specific data */
    53 	MS_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding);
    54 	MS_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels);
    55 	MS_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency);
    56 	MS_ADPCM_state.wavefmt.byterate = SDL_SwapLE32(format->byterate);
    57 	MS_ADPCM_state.wavefmt.blockalign = SDL_SwapLE16(format->blockalign);
    58 	MS_ADPCM_state.wavefmt.bitspersample =
    59 					 SDL_SwapLE16(format->bitspersample);
    60 	rogue_feel = (Uint8 *)format+sizeof(*format);
    61 	if ( sizeof(*format) == 16 ) {
    62 		rogue_feel += sizeof(Uint16);
    63 	}
    64 	MS_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1]<<8)|rogue_feel[0]);
    65 	rogue_feel += sizeof(Uint16);
    66 	MS_ADPCM_state.wNumCoef = ((rogue_feel[1]<<8)|rogue_feel[0]);
    67 	rogue_feel += sizeof(Uint16);
    68 	if ( MS_ADPCM_state.wNumCoef != 7 ) {
    69 		SDL_SetError("Unknown set of MS_ADPCM coefficients");
    70 		return(-1);
    71 	}
    72 	for ( i=0; i<MS_ADPCM_state.wNumCoef; ++i ) {
    73 		MS_ADPCM_state.aCoeff[i][0] = ((rogue_feel[1]<<8)|rogue_feel[0]);
    74 		rogue_feel += sizeof(Uint16);
    75 		MS_ADPCM_state.aCoeff[i][1] = ((rogue_feel[1]<<8)|rogue_feel[0]);
    76 		rogue_feel += sizeof(Uint16);
    77 	}
    78 	return(0);
    79 }
    80 
    81 static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state,
    82 					Uint8 nybble, Sint16 *coeff)
    83 {
    84 	const Sint32 max_audioval = ((1<<(16-1))-1);
    85 	const Sint32 min_audioval = -(1<<(16-1));
    86 	const Sint32 adaptive[] = {
    87 		230, 230, 230, 230, 307, 409, 512, 614,
    88 		768, 614, 512, 409, 307, 230, 230, 230
    89 	};
    90 	Sint32 new_sample, delta;
    91 
    92 	new_sample = ((state->iSamp1 * coeff[0]) +
    93 		      (state->iSamp2 * coeff[1]))/256;
    94 	if ( nybble & 0x08 ) {
    95 		new_sample += state->iDelta * (nybble-0x10);
    96 	} else {
    97 		new_sample += state->iDelta * nybble;
    98 	}
    99 	if ( new_sample < min_audioval ) {
   100 		new_sample = min_audioval;
   101 	} else
   102 	if ( new_sample > max_audioval ) {
   103 		new_sample = max_audioval;
   104 	}
   105 	delta = ((Sint32)state->iDelta * adaptive[nybble])/256;
   106 	if ( delta < 16 ) {
   107 		delta = 16;
   108 	}
   109 	state->iDelta = (Uint16)delta;
   110 	state->iSamp2 = state->iSamp1;
   111 	state->iSamp1 = (Sint16)new_sample;
   112 	return(new_sample);
   113 }
   114 
   115 static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
   116 {
   117 	struct MS_ADPCM_decodestate *state[2];
   118 	Uint8 *freeable, *encoded, *encoded_end, *decoded;
   119 	Sint32 encoded_len, samplesleft;
   120 	Sint8 nybble, stereo;
   121 	Sint16 *coeff[2];
   122 	Sint32 new_sample;
   123 
   124 	/* Allocate the proper sized output buffer */
   125 	encoded_len = *audio_len;
   126 	encoded = *audio_buf;
   127 	encoded_end = encoded + encoded_len;
   128 	freeable = *audio_buf;
   129 	*audio_len = (encoded_len/MS_ADPCM_state.wavefmt.blockalign) * 
   130 				MS_ADPCM_state.wSamplesPerBlock*
   131 				MS_ADPCM_state.wavefmt.channels*sizeof(Sint16);
   132 	*audio_buf = (Uint8 *)SDL_malloc(*audio_len);
   133 	if ( *audio_buf == NULL ) {
   134 		SDL_Error(SDL_ENOMEM);
   135 		return(-1);
   136 	}
   137 	decoded = *audio_buf;
   138 
   139 	/* Get ready... Go! */
   140 	stereo = (MS_ADPCM_state.wavefmt.channels == 2);
   141 	state[0] = &MS_ADPCM_state.state[0];
   142 	state[1] = &MS_ADPCM_state.state[stereo];
   143 	while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) {
   144 		/* Grab the initial information for this block */
   145 		if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto too_short;
   146 		state[0]->hPredictor = *encoded++;
   147 		if ( stereo ) {
   148 			state[1]->hPredictor = *encoded++;
   149 		}
   150 		state[0]->iDelta = ((encoded[1]<<8)|encoded[0]);
   151 		encoded += sizeof(Sint16);
   152 		if ( stereo ) {
   153 			state[1]->iDelta = ((encoded[1]<<8)|encoded[0]);
   154 			encoded += sizeof(Sint16);
   155 		}
   156 		state[0]->iSamp1 = ((encoded[1]<<8)|encoded[0]);
   157 		encoded += sizeof(Sint16);
   158 		if ( stereo ) {
   159 			state[1]->iSamp1 = ((encoded[1]<<8)|encoded[0]);
   160 			encoded += sizeof(Sint16);
   161 		}
   162 		state[0]->iSamp2 = ((encoded[1]<<8)|encoded[0]);
   163 		encoded += sizeof(Sint16);
   164 		if ( stereo ) {
   165 			state[1]->iSamp2 = ((encoded[1]<<8)|encoded[0]);
   166 			encoded += sizeof(Sint16);
   167 		}
   168 		coeff[0] = MS_ADPCM_state.aCoeff[state[0]->hPredictor];
   169 		coeff[1] = MS_ADPCM_state.aCoeff[state[1]->hPredictor];
   170 
   171 		/* Store the two initial samples we start with */
   172 		decoded[0] = state[0]->iSamp2&0xFF;
   173 		decoded[1] = state[0]->iSamp2>>8;
   174 		decoded += 2;
   175 		if ( stereo ) {
   176 			decoded[0] = state[1]->iSamp2&0xFF;
   177 			decoded[1] = state[1]->iSamp2>>8;
   178 			decoded += 2;
   179 		}
   180 		decoded[0] = state[0]->iSamp1&0xFF;
   181 		decoded[1] = state[0]->iSamp1>>8;
   182 		decoded += 2;
   183 		if ( stereo ) {
   184 			decoded[0] = state[1]->iSamp1&0xFF;
   185 			decoded[1] = state[1]->iSamp1>>8;
   186 			decoded += 2;
   187 		}
   188 
   189 		/* Decode and store the other samples in this block */
   190 		samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)*
   191 					MS_ADPCM_state.wavefmt.channels;
   192 		while ( samplesleft > 0 ) {
   193 			if (encoded + 1 > encoded_end) goto too_short;
   194 
   195 			nybble = (*encoded)>>4;
   196 			new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]);
   197 			decoded[0] = new_sample&0xFF;
   198 			new_sample >>= 8;
   199 			decoded[1] = new_sample&0xFF;
   200 			decoded += 2;
   201 
   202 			nybble = (*encoded)&0x0F;
   203 			new_sample = MS_ADPCM_nibble(state[1],nybble,coeff[1]);
   204 			decoded[0] = new_sample&0xFF;
   205 			new_sample >>= 8;
   206 			decoded[1] = new_sample&0xFF;
   207 			decoded += 2;
   208 
   209 			++encoded;
   210 			samplesleft -= 2;
   211 		}
   212 		encoded_len -= MS_ADPCM_state.wavefmt.blockalign;
   213 	}
   214 	SDL_free(freeable);
   215 	return(0);
   216 too_short:
   217 	SDL_SetError("Too short chunk for a MS ADPCM decoder");
   218 	SDL_free(freeable);
   219 	return(-1);
   220 }
   221 
   222 struct IMA_ADPCM_decodestate {
   223 	Sint32 sample;
   224 	Sint8 index;
   225 };
   226 static struct IMA_ADPCM_decoder {
   227 	WaveFMT wavefmt;
   228 	Uint16 wSamplesPerBlock;
   229 	/* * * */
   230 	struct IMA_ADPCM_decodestate state[2];
   231 } IMA_ADPCM_state;
   232 
   233 static int InitIMA_ADPCM(WaveFMT *format, int length)
   234 {
   235 	Uint8 *rogue_feel, *rogue_feel_end;
   236 
   237 	/* Set the rogue pointer to the IMA_ADPCM specific data */
   238 	if (length < sizeof(*format)) goto too_short;
   239 	IMA_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding);
   240 	IMA_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels);
   241 	IMA_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency);
   242 	IMA_ADPCM_state.wavefmt.byterate = SDL_SwapLE32(format->byterate);
   243 	IMA_ADPCM_state.wavefmt.blockalign = SDL_SwapLE16(format->blockalign);
   244 	IMA_ADPCM_state.wavefmt.bitspersample =
   245 					 SDL_SwapLE16(format->bitspersample);
   246 	rogue_feel = (Uint8 *)format+sizeof(*format);
   247 	rogue_feel_end = (Uint8 *)format + length;
   248 	if ( sizeof(*format) == 16 ) {
   249 		rogue_feel += sizeof(Uint16);
   250 	}
   251 	if (rogue_feel + 2 > rogue_feel_end) goto too_short;
   252 	IMA_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1]<<8)|rogue_feel[0]);
   253 	return(0);
   254 too_short:
   255 	SDL_SetError("Unexpected length of a chunk with an IMA ADPCM format");
   256 	return(-1);
   257 }
   258 
   259 static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble)
   260 {
   261 	const Sint32 max_audioval = ((1<<(16-1))-1);
   262 	const Sint32 min_audioval = -(1<<(16-1));
   263 	const int index_table[16] = {
   264 		-1, -1, -1, -1,
   265 		 2,  4,  6,  8,
   266 		-1, -1, -1, -1,
   267 		 2,  4,  6,  8
   268 	};
   269 	const Sint32 step_table[89] = {
   270 		7, 8, 9, 10, 11, 12, 13, 14, 16, 17, 19, 21, 23, 25, 28, 31,
   271 		34, 37, 41, 45, 50, 55, 60, 66, 73, 80, 88, 97, 107, 118, 130,
   272 		143, 157, 173, 190, 209, 230, 253, 279, 307, 337, 371, 408,
   273 		449, 494, 544, 598, 658, 724, 796, 876, 963, 1060, 1166, 1282,
   274 		1411, 1552, 1707, 1878, 2066, 2272, 2499, 2749, 3024, 3327,
   275 		3660, 4026, 4428, 4871, 5358, 5894, 6484, 7132, 7845, 8630,
   276 		9493, 10442, 11487, 12635, 13899, 15289, 16818, 18500, 20350,
   277 		22385, 24623, 27086, 29794, 32767
   278 	};
   279 	Sint32 delta, step;
   280 
   281 	/* Clamp index value. The inital value can be invalid. */
   282 	if ( state->index > 88 ) {
   283 		state->index = 88;
   284 	} else
   285 	if ( state->index < 0 ) {
   286 		state->index = 0;
   287 	}
   288 
   289 	/* Compute difference and new sample value */
   290 	step = step_table[state->index];
   291 	delta = step >> 3;
   292 	if ( nybble & 0x04 ) delta += step;
   293 	if ( nybble & 0x02 ) delta += (step >> 1);
   294 	if ( nybble & 0x01 ) delta += (step >> 2);
   295 	if ( nybble & 0x08 ) delta = -delta;
   296 	state->sample += delta;
   297 
   298 	/* Update index value */
   299 	state->index += index_table[nybble];
   300 
   301 	/* Clamp output sample */
   302 	if ( state->sample > max_audioval ) {
   303 		state->sample = max_audioval;
   304 	} else
   305 	if ( state->sample < min_audioval ) {
   306 		state->sample = min_audioval;
   307 	}
   308 	return(state->sample);
   309 }
   310 
   311 /* Fill the decode buffer with a channel block of data (8 samples) */
   312 static void Fill_IMA_ADPCM_block(Uint8 *decoded, Uint8 *encoded,
   313 	int channel, int numchannels, struct IMA_ADPCM_decodestate *state)
   314 {
   315 	int i;
   316 	Sint8 nybble;
   317 	Sint32 new_sample;
   318 
   319 	decoded += (channel * 2);
   320 	for ( i=0; i<4; ++i ) {
   321 		nybble = (*encoded)&0x0F;
   322 		new_sample = IMA_ADPCM_nibble(state, nybble);
   323 		decoded[0] = new_sample&0xFF;
   324 		new_sample >>= 8;
   325 		decoded[1] = new_sample&0xFF;
   326 		decoded += 2 * numchannels;
   327 
   328 		nybble = (*encoded)>>4;
   329 		new_sample = IMA_ADPCM_nibble(state, nybble);
   330 		decoded[0] = new_sample&0xFF;
   331 		new_sample >>= 8;
   332 		decoded[1] = new_sample&0xFF;
   333 		decoded += 2 * numchannels;
   334 
   335 		++encoded;
   336 	}
   337 }
   338 
   339 static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
   340 {
   341 	struct IMA_ADPCM_decodestate *state;
   342 	Uint8 *freeable, *encoded, *encoded_end, *decoded;
   343 	Sint32 encoded_len, samplesleft;
   344 	unsigned int c, channels;
   345 
   346 	/* Check to make sure we have enough variables in the state array */
   347 	channels = IMA_ADPCM_state.wavefmt.channels;
   348 	if ( channels > SDL_arraysize(IMA_ADPCM_state.state) ) {
   349 		SDL_SetError("IMA ADPCM decoder can only handle %d channels",
   350 					SDL_arraysize(IMA_ADPCM_state.state));
   351 		return(-1);
   352 	}
   353 	state = IMA_ADPCM_state.state;
   354 
   355 	/* Allocate the proper sized output buffer */
   356 	encoded_len = *audio_len;
   357 	encoded = *audio_buf;
   358 	encoded_end = encoded + encoded_len;
   359 	freeable = *audio_buf;
   360 	*audio_len = (encoded_len/IMA_ADPCM_state.wavefmt.blockalign) * 
   361 				IMA_ADPCM_state.wSamplesPerBlock*
   362 				IMA_ADPCM_state.wavefmt.channels*sizeof(Sint16);
   363 	*audio_buf = (Uint8 *)SDL_malloc(*audio_len);
   364 	if ( *audio_buf == NULL ) {
   365 		SDL_Error(SDL_ENOMEM);
   366 		return(-1);
   367 	}
   368 	decoded = *audio_buf;
   369 
   370 	/* Get ready... Go! */
   371 	while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) {
   372 		/* Grab the initial information for this block */
   373 		for ( c=0; c<channels; ++c ) {
   374 			if (encoded + 4 > encoded_end) goto invalid_size;
   375 			/* Fill the state information for this block */
   376 			state[c].sample = ((encoded[1]<<8)|encoded[0]);
   377 			encoded += 2;
   378 			if ( state[c].sample & 0x8000 ) {
   379 				state[c].sample -= 0x10000;
   380 			}
   381 			state[c].index = *encoded++;
   382 			/* Reserved byte in buffer header, should be 0 */
   383 			if ( *encoded++ != 0 ) {
   384 				/* Uh oh, corrupt data?  Buggy code? */;
   385 			}
   386 
   387 			/* Store the initial sample we start with */
   388 			decoded[0] = (Uint8)(state[c].sample&0xFF);
   389 			decoded[1] = (Uint8)(state[c].sample>>8);
   390 			decoded += 2;
   391 		}
   392 
   393 		/* Decode and store the other samples in this block */
   394 		samplesleft = (IMA_ADPCM_state.wSamplesPerBlock-1)*channels;
   395 		while ( samplesleft > 0 ) {
   396 			for ( c=0; c<channels; ++c ) {
   397 				if (encoded + 4 > encoded_end) goto invalid_size;
   398 				Fill_IMA_ADPCM_block(decoded, encoded,
   399 						c, channels, &state[c]);
   400 				encoded += 4;
   401 				samplesleft -= 8;
   402 			}
   403 			decoded += (channels * 8 * 2);
   404 		}
   405 		encoded_len -= IMA_ADPCM_state.wavefmt.blockalign;
   406 	}
   407 	SDL_free(freeable);
   408 	return(0);
   409 invalid_size:
   410 	SDL_SetError("Unexpected chunk length for an IMA ADPCM decoder");
   411 	SDL_free(freeable);
   412 	return(-1);
   413 }
   414 
   415 SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc,
   416 		SDL_AudioSpec *spec, Uint8 **audio_buf, Uint32 *audio_len)
   417 {
   418 	int was_error;
   419 	Chunk chunk;
   420 	int lenread;
   421 	int MS_ADPCM_encoded, IMA_ADPCM_encoded;
   422 	int samplesize;
   423 
   424 	/* WAV magic header */
   425 	Uint32 RIFFchunk;
   426 	Uint32 wavelen = 0;
   427 	Uint32 WAVEmagic;
   428 	Uint32 headerDiff = 0;
   429 
   430 	/* FMT chunk */
   431 	WaveFMT *format = NULL;
   432 
   433 	/* Make sure we are passed a valid data source */
   434 	was_error = 0;
   435 	if ( src == NULL ) {
   436 		was_error = 1;
   437 		goto done;
   438 	}
   439 		
   440 	/* Check the magic header */
   441 	RIFFchunk	= SDL_ReadLE32(src);
   442 	wavelen		= SDL_ReadLE32(src);
   443 	if ( wavelen == WAVE ) { /* The RIFFchunk has already been read */
   444 		WAVEmagic = wavelen;
   445 		wavelen   = RIFFchunk;
   446 		RIFFchunk = RIFF;
   447 	} else {
   448 		WAVEmagic = SDL_ReadLE32(src);
   449 	}
   450 	if ( (RIFFchunk != RIFF) || (WAVEmagic != WAVE) ) {
   451 		SDL_SetError("Unrecognized file type (not WAVE)");
   452 		was_error = 1;
   453 		goto done;
   454 	}
   455 	headerDiff += sizeof(Uint32); /* for WAVE */
   456 
   457 	/* Read the audio data format chunk */
   458 	chunk.data = NULL;
   459 	do {
   460 		if ( chunk.data != NULL ) {
   461 			SDL_free(chunk.data);
   462 			chunk.data = NULL;
   463 		}
   464 		lenread = ReadChunk(src, &chunk);
   465 		if ( lenread < 0 ) {
   466 			was_error = 1;
   467 			goto done;
   468 		}
   469 		/* 2 Uint32's for chunk header+len, plus the lenread */
   470 		headerDiff += lenread + 2 * sizeof(Uint32);
   471 	} while ( (chunk.magic == FACT) || (chunk.magic == LIST) );
   472 
   473 	/* Decode the audio data format */
   474 	format = (WaveFMT *)chunk.data;
   475 	if ( chunk.magic != FMT ) {
   476 		SDL_SetError("Complex WAVE files not supported");
   477 		was_error = 1;
   478 		goto done;
   479 	}
   480 	MS_ADPCM_encoded = IMA_ADPCM_encoded = 0;
   481 	switch (SDL_SwapLE16(format->encoding)) {
   482 		case PCM_CODE:
   483 			/* We can understand this */
   484 			break;
   485 		case MS_ADPCM_CODE:
   486 			/* Try to understand this */
   487 			if ( InitMS_ADPCM(format) < 0 ) {
   488 				was_error = 1;
   489 				goto done;
   490 			}
   491 			MS_ADPCM_encoded = 1;
   492 			break;
   493 		case IMA_ADPCM_CODE:
   494 			/* Try to understand this */
   495 			if ( InitIMA_ADPCM(format, lenread) < 0 ) {
   496 				was_error = 1;
   497 				goto done;
   498 			}
   499 			IMA_ADPCM_encoded = 1;
   500 			break;
   501 		case MP3_CODE:
   502 			SDL_SetError("MPEG Layer 3 data not supported",
   503 					SDL_SwapLE16(format->encoding));
   504 			was_error = 1;
   505 			goto done;
   506 		default:
   507 			SDL_SetError("Unknown WAVE data format: 0x%.4x",
   508 					SDL_SwapLE16(format->encoding));
   509 			was_error = 1;
   510 			goto done;
   511 	}
   512 	SDL_memset(spec, 0, (sizeof *spec));
   513 	spec->freq = SDL_SwapLE32(format->frequency);
   514 	switch (SDL_SwapLE16(format->bitspersample)) {
   515 		case 4:
   516 			if ( MS_ADPCM_encoded || IMA_ADPCM_encoded ) {
   517 				spec->format = AUDIO_S16;
   518 			} else {
   519 				was_error = 1;
   520 			}
   521 			break;
   522 		case 8:
   523 			spec->format = AUDIO_U8;
   524 			break;
   525 		case 16:
   526 			spec->format = AUDIO_S16;
   527 			break;
   528 		default:
   529 			was_error = 1;
   530 			break;
   531 	}
   532 	if ( was_error ) {
   533 		SDL_SetError("Unknown %d-bit PCM data format",
   534 			SDL_SwapLE16(format->bitspersample));
   535 		goto done;
   536 	}
   537 	spec->channels = (Uint8)SDL_SwapLE16(format->channels);
   538 	spec->samples = 4096;		/* Good default buffer size */
   539 
   540 	/* Read the audio data chunk */
   541 	*audio_buf = NULL;
   542 	do {
   543 		if ( *audio_buf != NULL ) {
   544 			SDL_free(*audio_buf);
   545 			*audio_buf = NULL;
   546 		}
   547 		lenread = ReadChunk(src, &chunk);
   548 		if ( lenread < 0 ) {
   549 			was_error = 1;
   550 			goto done;
   551 		}
   552 		*audio_len = lenread;
   553 		*audio_buf = chunk.data;
   554 		if(chunk.magic != DATA) headerDiff += lenread + 2 * sizeof(Uint32);
   555 	} while ( chunk.magic != DATA );
   556 	headerDiff += 2 * sizeof(Uint32); /* for the data chunk and len */
   557 
   558 	if ( MS_ADPCM_encoded ) {
   559 		if ( MS_ADPCM_decode(audio_buf, audio_len) < 0 ) {
   560 			was_error = 1;
   561 			goto done;
   562 		}
   563 	}
   564 	if ( IMA_ADPCM_encoded ) {
   565 		if ( IMA_ADPCM_decode(audio_buf, audio_len) < 0 ) {
   566 			was_error = 1;
   567 			goto done;
   568 		}
   569 	}
   570 
   571 	/* Don't return a buffer that isn't a multiple of samplesize */
   572 	samplesize = ((spec->format & 0xFF)/8)*spec->channels;
   573 	*audio_len &= ~(samplesize-1);
   574 
   575 done:
   576 	if ( format != NULL ) {
   577 		SDL_free(format);
   578 	}
   579 	if ( src ) {
   580 		if ( freesrc ) {
   581 			SDL_RWclose(src);
   582 		} else {
   583 			/* seek to the end of the file (given by the RIFF chunk) */
   584 			SDL_RWseek(src, wavelen - chunk.length - headerDiff, RW_SEEK_CUR);
   585 		}
   586 	}
   587 	if ( was_error ) {
   588 		spec = NULL;
   589 	}
   590 	return(spec);
   591 }
   592 
   593 /* Since the WAV memory is allocated in the shared library, it must also
   594    be freed here.  (Necessary under Win32, VC++)
   595  */
   596 void SDL_FreeWAV(Uint8 *audio_buf)
   597 {
   598 	if ( audio_buf != NULL ) {
   599 		SDL_free(audio_buf);
   600 	}
   601 }
   602 
   603 static int ReadChunk(SDL_RWops *src, Chunk *chunk)
   604 {
   605 	chunk->magic	= SDL_ReadLE32(src);
   606 	chunk->length	= SDL_ReadLE32(src);
   607 	chunk->data = (Uint8 *)SDL_malloc(chunk->length);
   608 	if ( chunk->data == NULL ) {
   609 		SDL_Error(SDL_ENOMEM);
   610 		return(-1);
   611 	}
   612 	if ( SDL_RWread(src, chunk->data, chunk->length, 1) != 1 ) {
   613 		SDL_Error(SDL_EFREAD);
   614 		SDL_free(chunk->data);
   615 		chunk->data = NULL;
   616 		return(-1);
   617 	}
   618 	return(chunk->length);
   619 }