src/(aiff|rf64|w64|wav).c : Exit parser if chunk size > file length.

author: Erik de Castro Lopo <erikd@mega-nerd.com> 2015-02-14 12:45:37 +1100
committer: Erik de Castro Lopo <erikd@mega-nerd.com> 2015-02-14 12:53:54 +1100
commit: e10620bc954f9c3dac79676bf1855f83127f9519 (patch)
tree: 30a32a31b89f13667a1c488e9be575cba6c75498
parent: 3f532789b0eec5acdaff98d03f4f5b1260775f22 (diff)
4 files changed, 22 insertions, 5 deletions
diff --git a/src/aiff.c b/src/aiff.c
index 285748b..a4c9b66 100644
--- a/src/aiff.c
+++ b/src/aiff.c
@@ -869,8 +869,10 @@ aiff_read_header (SF_PRIVATE *psf, COMM_CHUNK *comm_fmt)
 					break ;
 			} ;	/* switch (marker) */
 
-		if (marker != SSND_MARKER && chunk_size >= 0xffffff00)
+		if (chunk_size >= psf->filelength)
+		{	psf_log_printf (psf, "*** Chunk size %u > file length %D. Exiting parser.\n", chunk_size, psf->filelength) ;
 			break ;
+			} ;
 
 		if ((! psf->sf.seekable) && (found_chunk & HAVE_SSND))
 			break ;
diff --git a/src/rf64.c b/src/rf64.c
index 203f87c..12af879 100644
--- a/src/rf64.c
+++ b/src/rf64.c
@@ -296,8 +296,8 @@ rf64_read_header (SF_PRIVATE *psf, int *blockalign, int *framesperblock)
 
 			default :
 					if (chunk_size >= 0xffff0000)
-					{	done = SF_TRUE ;
-						psf_log_printf (psf, "*** Unknown chunk marker (%X) at position %D with length %u. Exiting parser.\n", marker, psf_ftell (psf) - 8, chunk_size) ;
+					{	psf_log_printf (psf, "*** Unknown chunk marker (%X) at position %D with length %u. Exiting parser.\n", marker, psf_ftell (psf) - 8, chunk_size) ;
+						done = SF_TRUE ;
 						break ;
 						} ;
 
@@ -316,9 +316,17 @@ rf64_read_header (SF_PRIVATE *psf, int *blockalign, int *framesperblock)
 						} ;
 					psf_log_printf (psf, "*** Unknown chunk marker (0x%X) at position 0x%X. Exiting parser.\n", marker, psf_ftell (psf) - 4) ;
 					done = SF_TRUE ;
-				break ;
+					break ;
 			} ;	/* switch (marker) */
 
+		/* The 'data' chunk, a chunk size of 0xffffffff means that the 'data' chunk size
+		** is actually given by the ds64_datalength field.
+		*/
+		if (marker != data_MARKER && chunk_size >= psf->filelength)
+		{	psf_log_printf (psf, "*** Chunk size %u > file length %D. Exiting parser.\n", chunk_size, psf->filelength) ;
+			break ;
+			} ;
+
 		if (psf_ftell (psf) >= psf->filelength - SIGNED_SIZEOF (marker))
 		{	psf_log_printf (psf, "End\n") ;
 			break ;
diff --git a/src/w64.c b/src/w64.c
index c05225d..fc03825 100644
--- a/src/w64.c
+++ b/src/w64.c
@@ -360,6 +360,11 @@ w64_read_header	(SF_PRIVATE *psf, int *blockalign, int *framesperblock)
 					break ;
 			} ;	/* switch (dword) */
 
+		if (chunk_size >= psf->filelength)
+		{	psf_log_printf (psf, "*** Chunk size %u > file length %D. Exiting parser.\n", chunk_size, psf->filelength) ;
+			break ;
+			} ;
+
 		if (psf->sf.seekable == 0 && (parsestage & HAVE_data))
 			break ;
 
diff --git a/src/wav.c b/src/wav.c
index 8458253..5427d16 100644
--- a/src/wav.c
+++ b/src/wav.c
@@ -670,8 +670,10 @@ wav_read_header	(SF_PRIVATE *psf, int *blockalign, int *framesperblock)
 					break ;
 			} ;	/* switch (marker) */
 
-		if (marker != data_MARKER && chunk_size >= 0xffffff00)
+		if (chunk_size >= psf->filelength)
+		{	psf_log_printf (psf, "*** Chunk size %u > file length %D. Exiting parser.\n", chunk_size, psf->filelength) ;
 			break ;
+			} ;
 
 		if (! psf->sf.seekable && (parsestage & HAVE_data))
 			break ;
author	Erik de Castro Lopo <erikd@mega-nerd.com>	2015-02-14 12:45:37 +1100
committer	Erik de Castro Lopo <erikd@mega-nerd.com>	2015-02-14 12:53:54 +1100
commit	e10620bc954f9c3dac79676bf1855f83127f9519 (patch)
tree	30a32a31b89f13667a1c488e9be575cba6c75498
parent	3f532789b0eec5acdaff98d03f4f5b1260775f22 (diff)