shithub: sox

Info  •  Files  •  Log  •  Branches

wav: ima_adpcm: fix buffer overflow on corrupt input (CVE-2017-15370)

Add the same check bad block size as was done for MS adpcm in commit
f39c574b ("More checks for invalid MS ADPCM blocks").

--- a/src/wav.c

+++ b/src/wav.c

@@ -127,7 +127,7 @@

         /* work with partial blocks.  Specs say it should be null */

         /* padded but I guess this is better than trailing quiet. */

         samplesThisBlock = lsx_ima_samples_in((size_t)0, (size_t)ft->signal.channels, bytesRead, (size_t) 0);

-        if (samplesThisBlock == 0)

+        if (samplesThisBlock == 0 || samplesThisBlock > wav->samplesPerBlock)

         {

             lsx_warn("Premature EOF on .wav input file");

             return 0;