We are currently migrating Bugzilla to GitHub issues.
Any changes made to the bug tracker now will be lost, so please do not post new bugs or make changes to them.
When we're done, all bug URLs will redirect to their equivalent location on the new bug tracker.

Bug 2670

Summary:	Possible memory overflow in Mix_LoadWAV_RW
Product:	SDL_mixer	Reporter:	Lee Salzman <lsalzman>
Component:	misc	Assignee:	Sam Lantinga <slouken>
Status:	RESOLVED FIXED	QA Contact:	Sam Lantinga <slouken>
Severity:	normal
Priority:	P2
Version:	2.0.0
Hardware:	All
OS:	All

Description Lee Salzman 2014-08-04 13:34:40 UTC

In mixer.c, Mix_LoadWAV_RW, there is the following code:

        wavecvt.len = chunk->alen & ~(samplesize-1);
        wavecvt.buf = (Uint8 *)SDL_calloc(1, wavecvt.len*wavecvt.len_mult);
...
        SDL_memcpy(wavecvt.buf, chunk->abuf, chunk->alen);

That SDL_memcpy should rather be:
        SDL_memcpy(wavectf.buf, chunk->abuf, wavecvt.len);

If you imagine that wavecvt.len_mult was 1 and samplesize was greater than 1 with wavecvt.len < chunk->alen, then it may overwrite.

Comment 1 Sam Lantinga 2017-10-21 19:34:47 UTC

Fixed, thanks!
https://hg.libsdl.org/SDL_mixer/rev/ebb26212a00f

We are currently migrating Bugzilla to GitHub issues.Any changes made to the bug tracker now will be lost, so please do not post new bugs or make changes to them.When we're done, all bug URLs will redirect to their equivalent location on the new bug tracker.

Bug 2670

We are currently migrating Bugzilla to GitHub issues.
Any changes made to the bug tracker now will be lost, so please do not post new bugs or make changes to them.
When we're done, all bug URLs will redirect to their equivalent location on the new bug tracker.