$OpenBSD: patch-src_load_it_cpp,v 1.1 2011/05/05 21:25:48 jasper Exp $
Fixed various possible integer overflows in CSoundFile::ReadIT().
From upstream git: 89dd2ff3f4463a5c657767cee81fa62dff7f70eb
--- src/load_it.cpp.orig Sun May 10 05:05:27 2009
|
|
+++ src/load_it.cpp Thu May 5 23:19:10 2011
|
|
@@ -216,7 +216,7 @@ BOOL CSoundFile::ReadIT(const BYTE *lpStream, DWORD dw
|
|
}
|
|
if (m_nChannels < 4) m_nChannels = 4;
|
|
// Reading Song Message
|
|
- if ((pifh.special & 0x01) && (pifh.msglength) && (pifh.msgoffset + pifh.msglength < dwMemLength))
|
|
+ if ((pifh.special & 0x01) && (pifh.msglength) && (pifh.msglength <= dwMemLength) && (pifh.msgoffset < dwMemLength - pifh.msglength))
|
|
{
|
|
m_lpszSongComments = new char[pifh.msglength+1];
|
|
if (m_lpszSongComments)
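Review bot: The reordered bounds test on the `+` line carries no comment explaining why the subtraction sits on the right-hand side, so a later cleanup could fold it back into the additive form that wraps. I would add above the `if`: `// msglength <= dwMemLength is tested first so dwMemLength - msglength cannot wrap; do not rewrite as msgoffset + msglength`. The body of the `if` continues outside the hunk.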
|
|
@@ -325,11 +325,11 @@ BOOL CSoundFile::ReadIT(const BYTE *lpStream, DWORD dw
|
|
for (UINT patchk=0; patchk<npatterns; patchk++)
|
|
{
|
|
memset(chnmask, 0, sizeof(chnmask));
|
|
- if ((!patpos[patchk]) || ((DWORD)patpos[patchk] + 4 >= dwMemLength)) continue;
|
|
+ if ((!patpos[patchk]) || ((DWORD)patpos[patchk] >= dwMemLength - 4)) continue;
|
|
UINT len = bswapLE16(*((WORD *)(lpStream+patpos[patchk])));
|
|
UINT rows = bswapLE16(*((WORD *)(lpStream+patpos[patchk]+2)));
|
|
if ((rows < 4) || (rows > 256)) continue;
|
|
- if (patpos[patchk]+8+len > dwMemLength) continue;
|
|
+ if (8+len > dwMemLength || patpos[patchk] > dwMemLength - (8+len)) continue;
|
|
UINT i = 0;
|
|
const BYTE *p = lpStream+patpos[patchk]+8;
|
|
UINT nrow = 0;
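Review bot: `dwMemLength - 4` in the first rewritten check wraps to a very large value when dwMemLength is below 4, and the test then accepts any patpos[patchk]; nothing visible in this hunk guarantees a minimum length. The second rewritten check guards its own subtraction with `8+len > dwMemLength ||`, and the first deserves the same treatment: `if ((!patpos[patchk]) || (dwMemLength < 4) || ((DWORD)patpos[patchk] >= dwMemLength - 4)) continue;`. The same unguarded form appears in the hunk at -450 (`dwMemLength - 4`) and in the hunk at -383 (`dwMemLength - sizeof(ITSAMPLESTRUCT)`). If ReadIT already rejects short buffers before this point, which is outside the hunks, a comment stating that minimum next to each subtraction would be enough.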
|
|
@@ -383,7 +383,7 @@ BOOL CSoundFile::ReadIT(const BYTE *lpStream, DWORD dw
|
|
// Reading Samples
|
|
m_nSamples = pifh.smpnum;
|
|
if (m_nSamples >= MAX_SAMPLES) m_nSamples = MAX_SAMPLES-1;
|
|
- for (UINT nsmp=0; nsmp<pifh.smpnum; nsmp++) if ((smppos[nsmp]) && (smppos[nsmp] + sizeof(ITSAMPLESTRUCT) <= dwMemLength))
|
|
+ for (UINT nsmp=0; nsmp<pifh.smpnum; nsmp++) if ((smppos[nsmp]) && (smppos[nsmp] <= dwMemLength - sizeof(ITSAMPLESTRUCT)))
|
|
{
|
|
ITSAMPLESTRUCT pis = *(ITSAMPLESTRUCT *)(lpStream+smppos[nsmp]);
|
|
pis.id = bswapLE32(pis.id);
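Review bot: The loop on the `+` line still runs to `pifh.smpnum`, a count taken from the file header, although m_nSamples was clamped to MAX_SAMPLES-1 two lines earlier. The declaration of smppos[] and whatever the body indexes with nsmp are outside the hunk; if they are sized by MAX_SAMPLES, a header with a large smpnum presumably indexes past them. Bounding the loop by the clamped count closes that gap: `for (UINT nsmp=0; nsmp<m_nSamples; nsmp++) if (...)`.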
|
|
@@ -450,7 +450,7 @@ BOOL CSoundFile::ReadIT(const BYTE *lpStream, DWORD dw
|
|
// Reading Patterns
|
|
for (UINT npat=0; npat<npatterns; npat++)
|
|
{
|
|
- if ((!patpos[npat]) || ((DWORD)patpos[npat] + 4 >= dwMemLength))
|
|
+ if ((!patpos[npat]) || ((DWORD)patpos[npat] >= dwMemLength - 4))
|
|
{
|
|
PatternSize[npat] = 64;
|
|
Patterns[npat] = AllocatePattern(64, m_nChannels);
|
|
@@ -460,7 +460,7 @@ BOOL CSoundFile::ReadIT(const BYTE *lpStream, DWORD dw
|
|
UINT len = bswapLE16(*((WORD *)(lpStream+patpos[npat])));
|
|
UINT rows = bswapLE16(*((WORD *)(lpStream+patpos[npat]+2)));
|
|
if ((rows < 4) || (rows > 256)) continue;
|
|
- if (patpos[npat]+8+len > dwMemLength) continue;
|
|
+ if (8+len > dwMemLength || patpos[npat] > dwMemLength - (8+len)) continue;
|
|
PatternSize[npat] = rows;
|
|
if ((Patterns[npat] = AllocatePattern(rows, m_nChannels)) == NULL) continue;
|
|
memset(lastvalue, 0, sizeof(lastvalue));
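Review bot: The two context lines that read len and rows dereference `(WORD *)(lpStream+patpos[npat])` at an offset taken from the file, so the access may be misaligned; on strict-alignment targets that faults, and it is undefined behaviour in any case. Copying the header out first avoids it: `WORD hdr[2]; memcpy(hdr, lpStream+patpos[npat], sizeof(hdr));` followed by `UINT len = bswapLE16(hdr[0]);` and `UINT rows = bswapLE16(hdr[1]);`. The hunk at -325 has the same pair of reads.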
|