shithub: sox


ref: f300dc7f73d28f5b772e3a311e0e792f66bab2c9
parent: cca5c5acce39dac0bb25cd0b2585bc3a59d01f8c
author: cbagwell <cbagwell>
date: Mon Dec 30 22:19:22 EST 2002

Buffer overrun fix in wav file comment handling

--- a/Changelog
+++ b/Changelog
@@ -43,6 +43,8 @@
     of oggenc based on suggestion from Christian Weisgerber.
   o Prints error message now when a channel value of -1 is given.
     Reported by Pierre Fortin.
+  o Fixed bug were memory could be trashed if a input WAV file contained
+    a comment.  Found by Rhys Chard.
 
 sox-12.17.3
 -----------
--- a/src/wav.c
+++ b/src/wav.c
@@ -908,6 +908,8 @@
         st_seek(ft, len, SEEK_CUR);
         if( findChunk(ft, "LIST") != ST_EOF){
 	    ft->comment = (char*)malloc(256);
+	    /* Initialize comment to a NULL string */
+	    ft->comment[0] = 0;
 	    while(!feof(ft->fp)){
 		st_reads(ft,magic,4);
 		if(strncmp(magic,"INFO",4) == 0){
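Review bot: The added `ft->comment[0] = 0;` stores through the pointer returned by `malloc(256)` on the line above without checking it, so an allocation failure turns into a NULL dereference at this new line. A guard such as `if (ft->comment == NULL)` followed by the function's usual error return should come before the store. The comment would also read more accurately as `/* Initialize comment to an empty string */`, since the pointer itself is not NULL. The enclosing function starts and ends outside this hunk.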
@@ -916,14 +918,20 @@
 			st_readdw(ft,&len); 
 			len = (len + 1) & ~1;
 			st_reads(ft,text,len);
-			strcat(ft->comment,text);
-			strcat(ft->comment,"\n");
+			if (strlen(ft->comment) + strlen(text) < 254)
+			{
+			    strcat(ft->comment,text);
+    			    strcat(ft->comment,"\n");
+			}
 		} else if(strncmp(magic,"ISFT",4) == 0){
 			st_readdw(ft,&len); 
 			len = (len + 1) & ~1;
 			st_reads(ft,text,len);
-			strcat(ft->comment,text);
-			strcat(ft->comment,"\n");
+			if (strlen(ft->comment) + strlen(text) < 254)
+			{
+			    strcat(ft->comment,text);
+    			    strcat(ft->comment,"\n");
+			}
 		} else if(strncmp(magic,"cue ",4) == 0){
 			st_readdw(ft,&len);
 			len = (len + 1) & ~1;
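Review bot: The new `strlen(ft->comment) + strlen(text) < 254` test guards only the `strcat` into `ft->comment`; the `st_reads(ft,text,len)` directly above it, in both the INFO and ISFT branches, still reads a file-supplied `len` into `text` with no bound visible in this hunk. The declaration of `text` is outside the hunk, but if it is a fixed-size array, `len` should be capped before the read, for example `if (len >= sizeof(text)) len = sizeof(text) - 1;`, with the remaining bytes skipped so chunk parsing stays aligned. The `strlen(text)` in the new check also assumes `st_reads` always NUL-terminates, which should be confirmed. Separately, the literal 254 is coupled to the `malloc(256)` in the previous hunk and the same five lines are duplicated in both branches; a named size constant and a small helper would keep them in step.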