@@ -229,25 +229,30 @@ static struct IMA_ADPCM_decoder
229229} IMA_ADPCM_state ;
230230
231231static int
232- InitIMA_ADPCM (WaveFMT * format )
232+ InitIMA_ADPCM (WaveFMT * format , int length )
233233{
234- Uint8 * rogue_feel ;
234+ Uint8 * rogue_feel , * rogue_feel_end ;
235235
236236 /* Set the rogue pointer to the IMA_ADPCM specific data */
237+ if (length < sizeof (* format )) goto too_short ;
237238 IMA_ADPCM_state .wavefmt .encoding = SDL_SwapLE16 (format -> encoding );
238239 IMA_ADPCM_state .wavefmt .channels = SDL_SwapLE16 (format -> channels );
239240 IMA_ADPCM_state .wavefmt .frequency = SDL_SwapLE32 (format -> frequency );
240241 IMA_ADPCM_state .wavefmt .byterate = SDL_SwapLE32 (format -> byterate );
241242 IMA_ADPCM_state .wavefmt .blockalign = SDL_SwapLE16 (format -> blockalign );
242- IMA_ADPCM_state .wavefmt .bitspersample =
243- SDL_SwapLE16 (format -> bitspersample );
243+ IMA_ADPCM_state .wavefmt .bitspersample = SDL_SwapLE16 (format -> bitspersample );
244244 rogue_feel = (Uint8 * ) format + sizeof (* format );
245+ rogue_feel_end = (Uint8 * ) format + length ;
245246 if (sizeof (* format ) == 16 ) {
246247 /* const Uint16 extra_info = ((rogue_feel[1] << 8) | rogue_feel[0]); */
247248 rogue_feel += sizeof (Uint16 );
248249 }
250+ if (rogue_feel + 2 > rogue_feel_end ) goto too_short ;
249251 IMA_ADPCM_state .wSamplesPerBlock = ((rogue_feel [1 ] << 8 ) | rogue_feel [0 ]);
250252 return (0 );
253+ too_short :
254+ SDL_SetError ("Unexpected length of a chunk with an IMA ADPCM format" );
255+ return (-1 );
251256}
252257
253258static Sint32
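Review bot: The new guard `if (length < sizeof(*format)) goto too_short;` compares a signed `int` with `size_t`, so a negative `length` is promoted to a huge unsigned value and passes, leaving `rogue_feel_end` pointing before `format` and the later `rogue_feel + 2 > rogue_feel_end` comparison relying on out-of-object pointer arithmetic to catch it. Reject negatives explicitly, `if (length < 0 || (size_t)length < sizeof(*format)) goto too_short;`, and express the second check as a difference rather than forming a pointer past the end, `if (rogue_feel_end - rogue_feel < 2) goto too_short;`. The caller in the second hunk passes `lenread`, whose declared type is not visible here; if it is an unsigned read count, the narrowing to `int` can itself produce a negative value, which is one more reason for the callee to check the sign. `SDL_LoadWAV_RW` starts and ends outside the shown hunk.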
@@ -530,7 +535,7 @@ SDL_LoadWAV_RW(SDL_RWops * src, int freesrc,
530535 break ;
531536 case IMA_ADPCM_CODE :
532537 /* Try to understand this */
533- if (InitIMA_ADPCM (format ) < 0 ) {
538+ if (InitIMA_ADPCM (format , lenread ) < 0 ) {
534539 was_error = 1 ;
535540 goto done ;
536541 }