src/wav.c: Fix heap read overflow

This is CVE-2018-19758.

Change-Id: Ic3a6e706448cabbe8bdfd85cc471655607713aa2
Closes: https://github.com/erikd/libsndfile/issues/435

diff --git a/src/wav.c b/src/wav.c
index 0f8d8e8..ca2e75b 100644 (file)
--- a/src/wav.c
+++ b/src/wav.c
@@ -1,5 +1,5 @@
 /*
-** Copyright (C) 1999-2017 Erik de Castro Lopo <erikd@mega-nerd.com>
+** Copyright (C) 1999-2019 Erik de Castro Lopo <erikd@mega-nerd.com>
 ** Copyright (C) 2004-2005 David Viens <davidv@plogue.com>
 **
 ** This program is free software; you can redistribute it and/or modify
@@ -1087,6 +1087,8 @@ wav_write_header (SF_PRIVATE *psf, int calc_length)
                psf_binheader_writef (psf, "44", BHW4 (0), BHW4 (0)) ; /* SMTPE format */
                psf_binheader_writef (psf, "44", BHW4 (psf->instrument->loop_count), BHW4 (0)) ;
 
+               /* Loop count is signed 16 bit number so we limit it range to something sensible. */
+               psf->instrument->loop_count &= 0x7fff ;
                for (tmp = 0 ; tmp < psf->instrument->loop_count ; tmp++)
                {       int type ;
 
@@ -1353,7 +1355,7 @@ wav_read_smpl_chunk (SF_PRIVATE *psf, uint32_t chunklen)
                } ;
 
        psf->instrument->basenote = note ;
-       psf->instrument->detune = (int8_t)(pitch / (0x40000000 / 25.0) + 0.5) ;
+       psf->instrument->detune = (int8_t) (pitch / (0x40000000 / 25.0) + 0.5) ;
        psf->instrument->gain = 1 ;
        psf->instrument->velocity_lo = psf->instrument->key_lo = 0 ;
        psf->instrument->velocity_hi = psf->instrument->key_hi = 127 ;