[AD] Memory overrun in load

[AD] Memory overrun in load_wav

[ Thread Index | Date Index | More lists.liballeg.org/allegro-developers Archives ]

To: <alleg-developers@xxxxxxxxxx>
Subject: [AD] Memory overrun in load_wav
From: "Chris Jones" <allegdev@xxxxxxxxxx>
Date: Thu, 24 Nov 2005 10:41:05 -0000

Hey,

I've just been investigating a random crash I've been having in my program,
and have tracked it down to a bug in load_wav_pf.

Basically, there is this bit of code:

      else if (memcmp(buffer, "data", 4) == 0) {
  len = length / channels;

  if (bits == 16)
     len /= 2;

  spl = create_sample(bits, ((channels == 2) ? TRUE : FALSE), freq, len);

in the loader. However, in my case the WAV files that I have are set as
stereo (channels = 2), but have an odd "length" (eg. 15317). Because "len"
is set to "length / 2", then create_sample multiplies it back up again,
create_sample ends up only allocating 15316 bytes of memory. Then, the
pack_fread call attempts to read in all "length" bytes which overruns the
buffer and crashes the program.

My temporary patch has been to add this after the "len = length / channels"
line:

if ((channels == 2) && (bits == 8) && (length % 2 == 1))
  len++;

but that's rather hacky and probably not a final solution.

Cheers,
Chris

Follow-Ups:
- Re: [AD] Memory overrun in load_wav
  - From: Chris

Messages sorted by: [ date | thread ]
Prev by Date: [AD] Proposing patch in windows detection
Next by Date: RE: [AD] Mouse events getting through to other consoles
Previous by thread: Re: [AD] Proposing patch in windows detection
Next by thread: Re: [AD] Memory overrun in load_wav

Mail converted by MHonArc 2.6.19+

http://listengine.tuxfamily.org/