vilyaem/Xrasher
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

engine: soundlib: fix buffer overflow with truncated WAV files containing CoolEdit cue mark

Browse source
This commit is contained in:
Alibek Omarov 2024-08-05 21:53:36 +03:00
parent 4c569e1d5f
commit 2a6862ceb9
1 changed files with 2 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
engine/common/soundlib/snd_wav.c
View file

@ -241,14 +241,14 @@ qboolean Sound_LoadWAV( const char *name, const byte *buffer, fs_offset_t filesi
// get cue chunk // get cue chunk
FindChunk( name, "cue " ); FindChunk( name, "cue " );
if( iff_dataPtr ) if( iff_dataPtr && iff_end - iff_dataPtr >= 36 )
{ {
iff_dataPtr += 32; iff_dataPtr += 32;
sound.loopstart = GetLittleLong(); sound.loopstart = GetLittleLong();
SetBits( sound.flags, SOUND_LOOPED ); SetBits( sound.flags, SOUND_LOOPED );
FindNextChunk( name, "LIST" ); // if the next chunk is a LIST chunk, look for a cue length marker FindNextChunk( name, "LIST" ); // if the next chunk is a LIST chunk, look for a cue length marker
if( iff_dataPtr ) if( iff_dataPtr && iff_end - iff_dataPtr >= 32 )
{ {
if( IsFourCC( iff_dataPtr + 28, "mark" )) if( IsFourCC( iff_dataPtr + 28, "mark" ))
{ {