src/audio/SDL_wave.c
author Petr Písař <ppisar@redhat.com>
Sat, 08 Jun 2019 17:57:43 -0700
branchSDL-1.2
changeset 12800 e52413f52586
parent 6227 e11fd9609d10
child 12801 388987dff7bf
permissions -rw-r--r--
CVE-2019-7572: Fix a buffer overread in IMA_ADPCM_nibble
If an IMA ADPCM block contained an initial index out of step table
range (loaded in IMA_ADPCM_decode()), IMA_ADPCM_nibble() blindly used
this bogus value and that lead to a buffer overread.

This patch fixes it by moving clamping the index value at the
beginning of IMA_ADPCM_nibble() function instead of the end after
an update.

CVE-2019-7572
https://bugzilla.libsdl.org/show_bug.cgi?id=4495

Signed-off-by: Petr Písař <ppisar@redhat.com>
     1 /*
     2     SDL - Simple DirectMedia Layer
     3     Copyright (C) 1997-2012 Sam Lantinga
     4 
     5     This library is free software; you can redistribute it and/or
     6     modify it under the terms of the GNU Lesser General Public
     7     License as published by the Free Software Foundation; either
     8     version 2.1 of the License, or (at your option) any later version.
     9 
    10     This library is distributed in the hope that it will be useful,
    11     but WITHOUT ANY WARRANTY; without even the implied warranty of
    12     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
    13     Lesser General Public License for more details.
    14 
    15     You should have received a copy of the GNU Lesser General Public
    16     License along with this library; if not, write to the Free Software
    17     Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
    18 
    19     Sam Lantinga
    20     slouken@libsdl.org
    21 */
    22 #include "SDL_config.h"
    23 
    24 /* Microsoft WAVE file loading routines */
    25 
    26 #include "SDL_audio.h"
    27 #include "SDL_wave.h"
    28 
    29 
    30 static int ReadChunk(SDL_RWops *src, Chunk *chunk);
    31 
    32 struct MS_ADPCM_decodestate {
    33 	Uint8 hPredictor;
    34 	Uint16 iDelta;
    35 	Sint16 iSamp1;
    36 	Sint16 iSamp2;
    37 };
    38 static struct MS_ADPCM_decoder {
    39 	WaveFMT wavefmt;
    40 	Uint16 wSamplesPerBlock;
    41 	Uint16 wNumCoef;
    42 	Sint16 aCoeff[7][2];
    43 	/* * * */
    44 	struct MS_ADPCM_decodestate state[2];
    45 } MS_ADPCM_state;
    46 
    47 static int InitMS_ADPCM(WaveFMT *format)
    48 {
    49 	Uint8 *rogue_feel;
    50 	int i;
    51 
    52 	/* Set the rogue pointer to the MS_ADPCM specific data */
    53 	MS_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding);
    54 	MS_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels);
    55 	MS_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency);
    56 	MS_ADPCM_state.wavefmt.byterate = SDL_SwapLE32(format->byterate);
    57 	MS_ADPCM_state.wavefmt.blockalign = SDL_SwapLE16(format->blockalign);
    58 	MS_ADPCM_state.wavefmt.bitspersample =
    59 					 SDL_SwapLE16(format->bitspersample);
    60 	rogue_feel = (Uint8 *)format+sizeof(*format);
    61 	if ( sizeof(*format) == 16 ) {
    62 		rogue_feel += sizeof(Uint16);
    63 	}
    64 	MS_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1]<<8)|rogue_feel[0]);
    65 	rogue_feel += sizeof(Uint16);
    66 	MS_ADPCM_state.wNumCoef = ((rogue_feel[1]<<8)|rogue_feel[0]);
    67 	rogue_feel += sizeof(Uint16);
    68 	if ( MS_ADPCM_state.wNumCoef != 7 ) {
    69 		SDL_SetError("Unknown set of MS_ADPCM coefficients");
    70 		return(-1);
    71 	}
    72 	for ( i=0; i<MS_ADPCM_state.wNumCoef; ++i ) {
    73 		MS_ADPCM_state.aCoeff[i][0] = ((rogue_feel[1]<<8)|rogue_feel[0]);
    74 		rogue_feel += sizeof(Uint16);
    75 		MS_ADPCM_state.aCoeff[i][1] = ((rogue_feel[1]<<8)|rogue_feel[0]);
    76 		rogue_feel += sizeof(Uint16);
    77 	}
    78 	return(0);
    79 }
    80 
    81 static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state,
    82 					Uint8 nybble, Sint16 *coeff)
    83 {
    84 	const Sint32 max_audioval = ((1<<(16-1))-1);
    85 	const Sint32 min_audioval = -(1<<(16-1));
    86 	const Sint32 adaptive[] = {
    87 		230, 230, 230, 230, 307, 409, 512, 614,
    88 		768, 614, 512, 409, 307, 230, 230, 230
    89 	};
    90 	Sint32 new_sample, delta;
    91 
    92 	new_sample = ((state->iSamp1 * coeff[0]) +
    93 		      (state->iSamp2 * coeff[1]))/256;
    94 	if ( nybble & 0x08 ) {
    95 		new_sample += state->iDelta * (nybble-0x10);
    96 	} else {
    97 		new_sample += state->iDelta * nybble;
    98 	}
    99 	if ( new_sample < min_audioval ) {
   100 		new_sample = min_audioval;
   101 	} else
   102 	if ( new_sample > max_audioval ) {
   103 		new_sample = max_audioval;
   104 	}
   105 	delta = ((Sint32)state->iDelta * adaptive[nybble])/256;
   106 	if ( delta < 16 ) {
   107 		delta = 16;
   108 	}
   109 	state->iDelta = (Uint16)delta;
   110 	state->iSamp2 = state->iSamp1;
   111 	state->iSamp1 = (Sint16)new_sample;
   112 	return(new_sample);
   113 }
   114 
   115 static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
   116 {
   117 	struct MS_ADPCM_decodestate *state[2];
   118 	Uint8 *freeable, *encoded, *decoded;
   119 	Sint32 encoded_len, samplesleft;
   120 	Sint8 nybble, stereo;
   121 	Sint16 *coeff[2];
   122 	Sint32 new_sample;
   123 
   124 	/* Allocate the proper sized output buffer */
   125 	encoded_len = *audio_len;
   126 	encoded = *audio_buf;
   127 	freeable = *audio_buf;
   128 	*audio_len = (encoded_len/MS_ADPCM_state.wavefmt.blockalign) * 
   129 				MS_ADPCM_state.wSamplesPerBlock*
   130 				MS_ADPCM_state.wavefmt.channels*sizeof(Sint16);
   131 	*audio_buf = (Uint8 *)SDL_malloc(*audio_len);
   132 	if ( *audio_buf == NULL ) {
   133 		SDL_Error(SDL_ENOMEM);
   134 		return(-1);
   135 	}
   136 	decoded = *audio_buf;
   137 
   138 	/* Get ready... Go! */
   139 	stereo = (MS_ADPCM_state.wavefmt.channels == 2);
   140 	state[0] = &MS_ADPCM_state.state[0];
   141 	state[1] = &MS_ADPCM_state.state[stereo];
   142 	while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) {
   143 		/* Grab the initial information for this block */
   144 		state[0]->hPredictor = *encoded++;
   145 		if ( stereo ) {
   146 			state[1]->hPredictor = *encoded++;
   147 		}
   148 		state[0]->iDelta = ((encoded[1]<<8)|encoded[0]);
   149 		encoded += sizeof(Sint16);
   150 		if ( stereo ) {
   151 			state[1]->iDelta = ((encoded[1]<<8)|encoded[0]);
   152 			encoded += sizeof(Sint16);
   153 		}
   154 		state[0]->iSamp1 = ((encoded[1]<<8)|encoded[0]);
   155 		encoded += sizeof(Sint16);
   156 		if ( stereo ) {
   157 			state[1]->iSamp1 = ((encoded[1]<<8)|encoded[0]);
   158 			encoded += sizeof(Sint16);
   159 		}
   160 		state[0]->iSamp2 = ((encoded[1]<<8)|encoded[0]);
   161 		encoded += sizeof(Sint16);
   162 		if ( stereo ) {
   163 			state[1]->iSamp2 = ((encoded[1]<<8)|encoded[0]);
   164 			encoded += sizeof(Sint16);
   165 		}
   166 		coeff[0] = MS_ADPCM_state.aCoeff[state[0]->hPredictor];
   167 		coeff[1] = MS_ADPCM_state.aCoeff[state[1]->hPredictor];
   168 
   169 		/* Store the two initial samples we start with */
   170 		decoded[0] = state[0]->iSamp2&0xFF;
   171 		decoded[1] = state[0]->iSamp2>>8;
   172 		decoded += 2;
   173 		if ( stereo ) {
   174 			decoded[0] = state[1]->iSamp2&0xFF;
   175 			decoded[1] = state[1]->iSamp2>>8;
   176 			decoded += 2;
   177 		}
   178 		decoded[0] = state[0]->iSamp1&0xFF;
   179 		decoded[1] = state[0]->iSamp1>>8;
   180 		decoded += 2;
   181 		if ( stereo ) {
   182 			decoded[0] = state[1]->iSamp1&0xFF;
   183 			decoded[1] = state[1]->iSamp1>>8;
   184 			decoded += 2;
   185 		}
   186 
   187 		/* Decode and store the other samples in this block */
   188 		samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)*
   189 					MS_ADPCM_state.wavefmt.channels;
   190 		while ( samplesleft > 0 ) {
   191 			nybble = (*encoded)>>4;
   192 			new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]);
   193 			decoded[0] = new_sample&0xFF;
   194 			new_sample >>= 8;
   195 			decoded[1] = new_sample&0xFF;
   196 			decoded += 2;
   197 
   198 			nybble = (*encoded)&0x0F;
   199 			new_sample = MS_ADPCM_nibble(state[1],nybble,coeff[1]);
   200 			decoded[0] = new_sample&0xFF;
   201 			new_sample >>= 8;
   202 			decoded[1] = new_sample&0xFF;
   203 			decoded += 2;
   204 
   205 			++encoded;
   206 			samplesleft -= 2;
   207 		}
   208 		encoded_len -= MS_ADPCM_state.wavefmt.blockalign;
   209 	}
   210 	SDL_free(freeable);
   211 	return(0);
   212 }
   213 
   214 struct IMA_ADPCM_decodestate {
   215 	Sint32 sample;
   216 	Sint8 index;
   217 };
   218 static struct IMA_ADPCM_decoder {
   219 	WaveFMT wavefmt;
   220 	Uint16 wSamplesPerBlock;
   221 	/* * * */
   222 	struct IMA_ADPCM_decodestate state[2];
   223 } IMA_ADPCM_state;
   224 
   225 static int InitIMA_ADPCM(WaveFMT *format)
   226 {
   227 	Uint8 *rogue_feel;
   228 
   229 	/* Set the rogue pointer to the IMA_ADPCM specific data */
   230 	IMA_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding);
   231 	IMA_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels);
   232 	IMA_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency);
   233 	IMA_ADPCM_state.wavefmt.byterate = SDL_SwapLE32(format->byterate);
   234 	IMA_ADPCM_state.wavefmt.blockalign = SDL_SwapLE16(format->blockalign);
   235 	IMA_ADPCM_state.wavefmt.bitspersample =
   236 					 SDL_SwapLE16(format->bitspersample);
   237 	rogue_feel = (Uint8 *)format+sizeof(*format);
   238 	if ( sizeof(*format) == 16 ) {
   239 		rogue_feel += sizeof(Uint16);
   240 	}
   241 	IMA_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1]<<8)|rogue_feel[0]);
   242 	return(0);
   243 }
   244 
   245 static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble)
   246 {
   247 	const Sint32 max_audioval = ((1<<(16-1))-1);
   248 	const Sint32 min_audioval = -(1<<(16-1));
   249 	const int index_table[16] = {
   250 		-1, -1, -1, -1,
   251 		 2,  4,  6,  8,
   252 		-1, -1, -1, -1,
   253 		 2,  4,  6,  8
   254 	};
   255 	const Sint32 step_table[89] = {
   256 		7, 8, 9, 10, 11, 12, 13, 14, 16, 17, 19, 21, 23, 25, 28, 31,
   257 		34, 37, 41, 45, 50, 55, 60, 66, 73, 80, 88, 97, 107, 118, 130,
   258 		143, 157, 173, 190, 209, 230, 253, 279, 307, 337, 371, 408,
   259 		449, 494, 544, 598, 658, 724, 796, 876, 963, 1060, 1166, 1282,
   260 		1411, 1552, 1707, 1878, 2066, 2272, 2499, 2749, 3024, 3327,
   261 		3660, 4026, 4428, 4871, 5358, 5894, 6484, 7132, 7845, 8630,
   262 		9493, 10442, 11487, 12635, 13899, 15289, 16818, 18500, 20350,
   263 		22385, 24623, 27086, 29794, 32767
   264 	};
   265 	Sint32 delta, step;
   266 
   267 	/* Clamp index value. The inital value can be invalid. */
   268 	if ( state->index > 88 ) {
   269 		state->index = 88;
   270 	} else
   271 	if ( state->index < 0 ) {
   272 		state->index = 0;
   273 	}
   274 
   275 	/* Compute difference and new sample value */
   276 	step = step_table[state->index];
   277 	delta = step >> 3;
   278 	if ( nybble & 0x04 ) delta += step;
   279 	if ( nybble & 0x02 ) delta += (step >> 1);
   280 	if ( nybble & 0x01 ) delta += (step >> 2);
   281 	if ( nybble & 0x08 ) delta = -delta;
   282 	state->sample += delta;
   283 
   284 	/* Update index value */
   285 	state->index += index_table[nybble];
   286 
   287 	/* Clamp output sample */
   288 	if ( state->sample > max_audioval ) {
   289 		state->sample = max_audioval;
   290 	} else
   291 	if ( state->sample < min_audioval ) {
   292 		state->sample = min_audioval;
   293 	}
   294 	return(state->sample);
   295 }
   296 
   297 /* Fill the decode buffer with a channel block of data (8 samples) */
   298 static void Fill_IMA_ADPCM_block(Uint8 *decoded, Uint8 *encoded,
   299 	int channel, int numchannels, struct IMA_ADPCM_decodestate *state)
   300 {
   301 	int i;
   302 	Sint8 nybble;
   303 	Sint32 new_sample;
   304 
   305 	decoded += (channel * 2);
   306 	for ( i=0; i<4; ++i ) {
   307 		nybble = (*encoded)&0x0F;
   308 		new_sample = IMA_ADPCM_nibble(state, nybble);
   309 		decoded[0] = new_sample&0xFF;
   310 		new_sample >>= 8;
   311 		decoded[1] = new_sample&0xFF;
   312 		decoded += 2 * numchannels;
   313 
   314 		nybble = (*encoded)>>4;
   315 		new_sample = IMA_ADPCM_nibble(state, nybble);
   316 		decoded[0] = new_sample&0xFF;
   317 		new_sample >>= 8;
   318 		decoded[1] = new_sample&0xFF;
   319 		decoded += 2 * numchannels;
   320 
   321 		++encoded;
   322 	}
   323 }
   324 
   325 static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
   326 {
   327 	struct IMA_ADPCM_decodestate *state;
   328 	Uint8 *freeable, *encoded, *decoded;
   329 	Sint32 encoded_len, samplesleft;
   330 	unsigned int c, channels;
   331 
   332 	/* Check to make sure we have enough variables in the state array */
   333 	channels = IMA_ADPCM_state.wavefmt.channels;
   334 	if ( channels > SDL_arraysize(IMA_ADPCM_state.state) ) {
   335 		SDL_SetError("IMA ADPCM decoder can only handle %d channels",
   336 					SDL_arraysize(IMA_ADPCM_state.state));
   337 		return(-1);
   338 	}
   339 	state = IMA_ADPCM_state.state;
   340 
   341 	/* Allocate the proper sized output buffer */
   342 	encoded_len = *audio_len;
   343 	encoded = *audio_buf;
   344 	freeable = *audio_buf;
   345 	*audio_len = (encoded_len/IMA_ADPCM_state.wavefmt.blockalign) * 
   346 				IMA_ADPCM_state.wSamplesPerBlock*
   347 				IMA_ADPCM_state.wavefmt.channels*sizeof(Sint16);
   348 	*audio_buf = (Uint8 *)SDL_malloc(*audio_len);
   349 	if ( *audio_buf == NULL ) {
   350 		SDL_Error(SDL_ENOMEM);
   351 		return(-1);
   352 	}
   353 	decoded = *audio_buf;
   354 
   355 	/* Get ready... Go! */
   356 	while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) {
   357 		/* Grab the initial information for this block */
   358 		for ( c=0; c<channels; ++c ) {
   359 			/* Fill the state information for this block */
   360 			state[c].sample = ((encoded[1]<<8)|encoded[0]);
   361 			encoded += 2;
   362 			if ( state[c].sample & 0x8000 ) {
   363 				state[c].sample -= 0x10000;
   364 			}
   365 			state[c].index = *encoded++;
   366 			/* Reserved byte in buffer header, should be 0 */
   367 			if ( *encoded++ != 0 ) {
   368 				/* Uh oh, corrupt data?  Buggy code? */;
   369 			}
   370 
   371 			/* Store the initial sample we start with */
   372 			decoded[0] = (Uint8)(state[c].sample&0xFF);
   373 			decoded[1] = (Uint8)(state[c].sample>>8);
   374 			decoded += 2;
   375 		}
   376 
   377 		/* Decode and store the other samples in this block */
   378 		samplesleft = (IMA_ADPCM_state.wSamplesPerBlock-1)*channels;
   379 		while ( samplesleft > 0 ) {
   380 			for ( c=0; c<channels; ++c ) {
   381 				Fill_IMA_ADPCM_block(decoded, encoded,
   382 						c, channels, &state[c]);
   383 				encoded += 4;
   384 				samplesleft -= 8;
   385 			}
   386 			decoded += (channels * 8 * 2);
   387 		}
   388 		encoded_len -= IMA_ADPCM_state.wavefmt.blockalign;
   389 	}
   390 	SDL_free(freeable);
   391 	return(0);
   392 }
   393 
   394 SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc,
   395 		SDL_AudioSpec *spec, Uint8 **audio_buf, Uint32 *audio_len)
   396 {
   397 	int was_error;
   398 	Chunk chunk;
   399 	int lenread;
   400 	int MS_ADPCM_encoded, IMA_ADPCM_encoded;
   401 	int samplesize;
   402 
   403 	/* WAV magic header */
   404 	Uint32 RIFFchunk;
   405 	Uint32 wavelen = 0;
   406 	Uint32 WAVEmagic;
   407 	Uint32 headerDiff = 0;
   408 
   409 	/* FMT chunk */
   410 	WaveFMT *format = NULL;
   411 
   412 	/* Make sure we are passed a valid data source */
   413 	was_error = 0;
   414 	if ( src == NULL ) {
   415 		was_error = 1;
   416 		goto done;
   417 	}
   418 		
   419 	/* Check the magic header */
   420 	RIFFchunk	= SDL_ReadLE32(src);
   421 	wavelen		= SDL_ReadLE32(src);
   422 	if ( wavelen == WAVE ) { /* The RIFFchunk has already been read */
   423 		WAVEmagic = wavelen;
   424 		wavelen   = RIFFchunk;
   425 		RIFFchunk = RIFF;
   426 	} else {
   427 		WAVEmagic = SDL_ReadLE32(src);
   428 	}
   429 	if ( (RIFFchunk != RIFF) || (WAVEmagic != WAVE) ) {
   430 		SDL_SetError("Unrecognized file type (not WAVE)");
   431 		was_error = 1;
   432 		goto done;
   433 	}
   434 	headerDiff += sizeof(Uint32); /* for WAVE */
   435 
   436 	/* Read the audio data format chunk */
   437 	chunk.data = NULL;
   438 	do {
   439 		if ( chunk.data != NULL ) {
   440 			SDL_free(chunk.data);
   441 			chunk.data = NULL;
   442 		}
   443 		lenread = ReadChunk(src, &chunk);
   444 		if ( lenread < 0 ) {
   445 			was_error = 1;
   446 			goto done;
   447 		}
   448 		/* 2 Uint32's for chunk header+len, plus the lenread */
   449 		headerDiff += lenread + 2 * sizeof(Uint32);
   450 	} while ( (chunk.magic == FACT) || (chunk.magic == LIST) );
   451 
   452 	/* Decode the audio data format */
   453 	format = (WaveFMT *)chunk.data;
   454 	if ( chunk.magic != FMT ) {
   455 		SDL_SetError("Complex WAVE files not supported");
   456 		was_error = 1;
   457 		goto done;
   458 	}
   459 	MS_ADPCM_encoded = IMA_ADPCM_encoded = 0;
   460 	switch (SDL_SwapLE16(format->encoding)) {
   461 		case PCM_CODE:
   462 			/* We can understand this */
   463 			break;
   464 		case MS_ADPCM_CODE:
   465 			/* Try to understand this */
   466 			if ( InitMS_ADPCM(format) < 0 ) {
   467 				was_error = 1;
   468 				goto done;
   469 			}
   470 			MS_ADPCM_encoded = 1;
   471 			break;
   472 		case IMA_ADPCM_CODE:
   473 			/* Try to understand this */
   474 			if ( InitIMA_ADPCM(format) < 0 ) {
   475 				was_error = 1;
   476 				goto done;
   477 			}
   478 			IMA_ADPCM_encoded = 1;
   479 			break;
   480 		case MP3_CODE:
   481 			SDL_SetError("MPEG Layer 3 data not supported",
   482 					SDL_SwapLE16(format->encoding));
   483 			was_error = 1;
   484 			goto done;
   485 		default:
   486 			SDL_SetError("Unknown WAVE data format: 0x%.4x",
   487 					SDL_SwapLE16(format->encoding));
   488 			was_error = 1;
   489 			goto done;
   490 	}
   491 	SDL_memset(spec, 0, (sizeof *spec));
   492 	spec->freq = SDL_SwapLE32(format->frequency);
   493 	switch (SDL_SwapLE16(format->bitspersample)) {
   494 		case 4:
   495 			if ( MS_ADPCM_encoded || IMA_ADPCM_encoded ) {
   496 				spec->format = AUDIO_S16;
   497 			} else {
   498 				was_error = 1;
   499 			}
   500 			break;
   501 		case 8:
   502 			spec->format = AUDIO_U8;
   503 			break;
   504 		case 16:
   505 			spec->format = AUDIO_S16;
   506 			break;
   507 		default:
   508 			was_error = 1;
   509 			break;
   510 	}
   511 	if ( was_error ) {
   512 		SDL_SetError("Unknown %d-bit PCM data format",
   513 			SDL_SwapLE16(format->bitspersample));
   514 		goto done;
   515 	}
   516 	spec->channels = (Uint8)SDL_SwapLE16(format->channels);
   517 	spec->samples = 4096;		/* Good default buffer size */
   518 
   519 	/* Read the audio data chunk */
   520 	*audio_buf = NULL;
   521 	do {
   522 		if ( *audio_buf != NULL ) {
   523 			SDL_free(*audio_buf);
   524 			*audio_buf = NULL;
   525 		}
   526 		lenread = ReadChunk(src, &chunk);
   527 		if ( lenread < 0 ) {
   528 			was_error = 1;
   529 			goto done;
   530 		}
   531 		*audio_len = lenread;
   532 		*audio_buf = chunk.data;
   533 		if(chunk.magic != DATA) headerDiff += lenread + 2 * sizeof(Uint32);
   534 	} while ( chunk.magic != DATA );
   535 	headerDiff += 2 * sizeof(Uint32); /* for the data chunk and len */
   536 
   537 	if ( MS_ADPCM_encoded ) {
   538 		if ( MS_ADPCM_decode(audio_buf, audio_len) < 0 ) {
   539 			was_error = 1;
   540 			goto done;
   541 		}
   542 	}
   543 	if ( IMA_ADPCM_encoded ) {
   544 		if ( IMA_ADPCM_decode(audio_buf, audio_len) < 0 ) {
   545 			was_error = 1;
   546 			goto done;
   547 		}
   548 	}
   549 
   550 	/* Don't return a buffer that isn't a multiple of samplesize */
   551 	samplesize = ((spec->format & 0xFF)/8)*spec->channels;
   552 	*audio_len &= ~(samplesize-1);
   553 
   554 done:
   555 	if ( format != NULL ) {
   556 		SDL_free(format);
   557 	}
   558 	if ( src ) {
   559 		if ( freesrc ) {
   560 			SDL_RWclose(src);
   561 		} else {
   562 			/* seek to the end of the file (given by the RIFF chunk) */
   563 			SDL_RWseek(src, wavelen - chunk.length - headerDiff, RW_SEEK_CUR);
   564 		}
   565 	}
   566 	if ( was_error ) {
   567 		spec = NULL;
   568 	}
   569 	return(spec);
   570 }
   571 
   572 /* Since the WAV memory is allocated in the shared library, it must also
   573    be freed here.  (Necessary under Win32, VC++)
   574  */
   575 void SDL_FreeWAV(Uint8 *audio_buf)
   576 {
   577 	if ( audio_buf != NULL ) {
   578 		SDL_free(audio_buf);
   579 	}
   580 }
   581 
   582 static int ReadChunk(SDL_RWops *src, Chunk *chunk)
   583 {
   584 	chunk->magic	= SDL_ReadLE32(src);
   585 	chunk->length	= SDL_ReadLE32(src);
   586 	chunk->data = (Uint8 *)SDL_malloc(chunk->length);
   587 	if ( chunk->data == NULL ) {
   588 		SDL_Error(SDL_ENOMEM);
   589 		return(-1);
   590 	}
   591 	if ( SDL_RWread(src, chunk->data, chunk->length, 1) != 1 ) {
   592 		SDL_Error(SDL_EFREAD);
   593 		SDL_free(chunk->data);
   594 		chunk->data = NULL;
   595 		return(-1);
   596 	}
   597 	return(chunk->length);
   598 }