From: <sv...@op...> - 2024-04-17 17:00:28
Author: sagamusix Date: Wed Apr 17 19:00:21 2024 New Revision: 20613 URL: https://source.openmpt.org/browse/openmpt/?op=revision&rev=20613 Log: [Mod] MO3: Reject chunks that are bigger than the file. Optimize loader code to not keep two copies of string length. Modified: trunk/OpenMPT/soundlib/Load_mo3.cpp Modified: trunk/OpenMPT/soundlib/Load_mo3.cpp ==============================================================================
--- trunk/OpenMPT/soundlib/Load_mo3.cpp Wed Apr 17 18:59:33 2024 (r20612)
+++ trunk/OpenMPT/soundlib/Load_mo3.cpp Wed Apr 17 19:00:21 2024 (r20613)
@@ -180,7 +180,7 @@
 uint8le midiPatch;
 uint8le midiBend;
 uint8le globalVol; // 0...128
- uint16le panning; // 0...256 if enabled, 0xFFFF otherwise
+ uint16le panning; // 0...256 if enabled, 0xFFFF otherwise
 uint8le nna;
 uint8le pps;
 uint8le ppc;
@@ -488,8 +488,7 @@
 strLen -= 3;
 if(strLen < 0)
 {
- // means LZ ptr with same previous relative LZ ptr (saved one)
- m_strOffset = m_previousPtr; // restore previous Ptr
+ // reuse same previous relative LZ ptr (m_strOffset is not re-computed)
 strLen++;
 } else
 {
@@ -505,8 +504,9 @@
 lengthAdjust++; // length is always at least 1
 if(m_strOffset < -32000)
 lengthAdjust++;
- m_previousPtr = m_strOffset; // save current Ptr
 }
+ if(m_strOffset >= 0 || -static_cast<ptrdiff_t>(streamCache.size()) > m_strOffset)
+ break;
 // read the next 2 bits as part of strLen
 READ_CTRL_BIT;
@@ -523,8 +523,6 @@
 if(strLen <= 0 || m_totalRemain < static_cast<uint32>(strLen))
 break;
- if(m_strOffset >= 0 || -static_cast<ptrdiff_t>(streamCache.size()) > m_strOffset)
- break;
 // Copy previous string
 // Need to do this in two steps (allocate, then copy) as source and destination may overlap (e.g. strOffset = -1, strLen = 2 repeats last character twice)
@@ -561,7 +559,6 @@
 mutable uint16 m_data = 0;
 mutable int32 m_strLen = 0; // Length of repeated string
 mutable int32 m_strOffset = 0; // Offset of repeated string
- mutable uint32 m_previousPtr = 0;
 mutable uint32 m_totalRemain = 0;
 };
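Review bot: The bounds check added after the closing brace in the @@ -505 hunk now guards two cases, the freshly decoded offset and the value reused by the `strLen < 0` branch in the @@ -488 hunk, but no comment at the check says so. With `m_previousPtr` removed, the reuse path depends on `m_strOffset` surviving from an earlier iteration, and on its initial value of 0 being rejected by `m_strOffset >= 0` when a stream asks to repeat a pointer before one has been decoded. I would state that invariant above the check, for example `// Validate here so that a reused m_strOffset (initially 0) is rejected before any length bits are consumed`. The surrounding loop starts and ends outside these hunks, so how the `break` is reported to the caller cannot be judged from the diff.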
@@ -794,7 +791,7 @@
 struct MO3ContainerHeader
 {
- char magic[3]; // MO3
+ char magic[3]; // MO3
 uint8le version;
 uint32le musicSize;
 };
@@ -1389,7 +1386,10 @@
 PLUGINDEX plug = musicChunk.ReadUint8();
 if(!plug)
 break;
- FileReader pluginChunk = musicChunk.ReadChunk(musicChunk.ReadUint32LE());
+ uint32 len = musicChunk.ReadUint32LE();
+ if(len >= containerHeader.musicSize || containerHeader.musicSize - len < musicChunk.GetPosition())
+ return false;
+ FileReader pluginChunk = musicChunk.ReadChunk(len);
 #ifndef NO_PLUGINS
 if(plug <= MAX_MIXPLUGINS)
 {
@@ -1406,6 +1406,8 @@
 {
 uint32 id = musicChunk.ReadUint32LE();
 uint32 len = musicChunk.ReadUint32LE();
+ if(len >= containerHeader.musicSize || containerHeader.musicSize - len < musicChunk.GetPosition())
+ return false;
 FileReader chunk = musicChunk.ReadChunk(len);
 switch(id)
 {
|
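Review bot: The length check added in the @@ -1389 hunk, and repeated verbatim in the @@ -1406 hunk, bounds `len` by `containerHeader.musicSize`, a value declared in the file's own header, rather than by what `musicChunk` actually contains. If the reader can be shorter than the declared size (not visible in these hunks), an oversized `len` would still pass. Testing the reader directly, e.g. `if(!musicChunk.CanRead(len)) return false;`, would make the rejection independent of the header field. Since the same condition now appears at two sites, a small local helper would keep them from drifting apart. Both enclosing loops begin and end outside the hunks, so whether `return false` leaves partially loaded state behind cannot be confirmed here.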