Bug 2670 - Possible memory overflow in Mix_LoadWAV_RW
Status: RESOLVED FIXED
Product: SDL_mixer
Classification: Unclassified
Component: misc
Version: 2.0.0
Hardware: All All
Importance: P2 normal
Assignee: Sam Lantinga
QA Contact: Sam Lantinga
Reported: 2014-08-04 13:34 UTC by Lee Salzman
Modified: 2017-10-21 19:34 UTC
Description Lee Salzman 2014-08-04 13:34:40 UTC
In mixer.c, Mix_LoadWAV_RW, there is the following code:

        wavecvt.len = chunk->alen & ~(samplesize-1);
        wavecvt.buf = (Uint8 *)SDL_calloc(1, wavecvt.len*wavecvt.len_mult);
...
        SDL_memcpy(wavecvt.buf, chunk->abuf, chunk->alen);

That SDL_memcpy should rather be:
        SDL_memcpy(wavecvt.buf, chunk->abuf, wavecvt.len);

If you imagine that wavecvt.len_mult was 1 and samplesize was greater than 1 with wavecvt.len < chunk->alen, then it may overwrite.
Comment 1 Sam Lantinga 2017-10-21 19:34:47 UTC
Fixed, thanks!
https://hg.libsdl.org/SDL_mixer/rev/ebb26212a00f
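
The length mismatch from the description, modelled as an added C example that is not part of the bug report or SDL_mixer's code. `struct cvt_model`, the helper names and the 1003-byte input with 4-byte frames are constructed for illustration; no SDL headers are used.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the SDL_AudioCVT fields named in the report. */
struct cvt_model { uint8_t *buf; size_t len; size_t len_mult; };

/* Round alen down to whole sample frames, as `alen & ~(samplesize-1)` does.
 * Only valid when samplesize is a power of two. */
static size_t frame_aligned_len(size_t alen, size_t samplesize)
{
    return alen & ~(samplesize - 1);
}

/* Bytes that memcpy(buf, abuf, alen) would write past a buffer of
 * len * len_mult bytes; 0 means the unbounded copy happens to fit. */
static size_t overrun_bytes(size_t alen, size_t samplesize, size_t len_mult)
{
    size_t cap = frame_aligned_len(alen, samplesize) * len_mult;
    return alen > cap ? alen - cap : 0;
}

/* Allocate and fill the conversion buffer, copying only cvt->len bytes
 * (the bound proposed in the report). Returns 0 on success, -1 on failure. */
static int load_bounded(struct cvt_model *cvt, const uint8_t *abuf,
                        size_t alen, size_t samplesize, size_t len_mult)
{
    cvt->len = frame_aligned_len(alen, samplesize);
    cvt->len_mult = len_mult;
    if (len_mult == 0 || cvt->len > SIZE_MAX / len_mult)
        return -1;                       /* size would be zero or wrap */
    size_t cap = cvt->len * len_mult;
    cvt->buf = calloc(1, cap ? cap : 1);
    if (cvt->buf == NULL) return -1;
    memcpy(cvt->buf, abuf, cvt->len);    /* never more than the aligned length */
    return 0;
}

int main(void)
{
    uint8_t abuf[1003];  /* constructed input: 1003 bytes, 4-byte frames */
    struct cvt_model cvt;
    memset(abuf, 0xAB, sizeof abuf);
    printf("unbounded copy overruns by %zu byte(s)\n", overrun_bytes(sizeof abuf, 4, 1));
    if (load_bounded(&cvt, abuf, sizeof abuf, 4, 1) != 0) return 1;
    printf("bounded copy wrote %zu of %zu bytes\n", cvt.len, sizeof abuf);
    free(cvt.buf);
    return 0;
}
```

The overrun is at most `samplesize - 1` bytes and only appears when `len_mult` is 1 and `alen` is not a multiple of `samplesize`; a larger `len_mult` leaves enough slack to hide it.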