Author: sagamusix
Date: Wed Apr 17 19:00:21 2024
New Revision: 20613
URL: https://source.openmpt.org/browse/openmpt/?op=revision&rev=20613
Log:
[Mod] MO3: Reject chunks that are bigger than the file. Optimize loader code to not keep two copies of string length.
Modified:
trunk/OpenMPT/soundlib/Load_mo3.cpp
Modified: trunk/OpenMPT/soundlib/Load_mo3.cpp
==============================================================================
--- trunk/OpenMPT/soundlib/Load_mo3.cpp Wed Apr 17 18:59:33 2024 (r20612)
+++ trunk/OpenMPT/soundlib/Load_mo3.cpp Wed Apr 17 19:00:21 2024 (r20613)
@@ -180,7 +180,7 @@
uint8le midiPatch;
uint8le midiBend;
uint8le globalVol; // 0...128
- uint16le panning; // 0...256 if enabled, 0xFFFF otherwise
+ uint16le panning; // 0...256 if enabled, 0xFFFF otherwise
uint8le nna;
uint8le pps;
uint8le ppc;
@@ -488,8 +488,7 @@
strLen -= 3;
if(strLen < 0)
{
- // means LZ ptr with same previous relative LZ ptr (saved one)
- m_strOffset = m_previousPtr; // restore previous Ptr
+ // reuse same previous relative LZ ptr (m_strOffset is not re-computed)
strLen++;
} else
{
@@ -505,8 +504,9 @@
lengthAdjust++; // length is always at least 1
if(m_strOffset < -32000)
lengthAdjust++;
- m_previousPtr = m_strOffset; // save current Ptr
}
+ if(m_strOffset >= 0 || -static_cast<ptrdiff_t>(streamCache.size()) > m_strOffset)
+ break;
// read the next 2 bits as part of strLen
READ_CTRL_BIT;
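Review bot: The offset check moved to this position is now the only guard for the string copy further down, and nothing in the code says that it also has to cover the reuse branch, where `m_strOffset` is left over from an earlier match or is still 0 from its initializer. I would add a comment above the check, e.g. `// Validates both a freshly decoded and a reused m_strOffset; the copy below relies on it being negative and within streamCache`. The enclosing decode loop starts and ends outside this hunk, so it cannot be confirmed from here that every path to the copy passes this check. A resumed copy that uses the stored `m_strLen`/`m_strOffset` would be one such path and is worth a quick look.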
@@ -523,8 +523,6 @@
if(strLen <= 0 || m_totalRemain < static_cast<uint32>(strLen))
break;
- if(m_strOffset >= 0 || -static_cast<ptrdiff_t>(streamCache.size()) > m_strOffset)
- break;
// Copy previous string
// Need to do this in two steps (allocate, then copy) as source and destination may overlap (e.g. strOffset = -1, strLen = 2 repeats last character twice)
@@ -561,7 +559,6 @@
mutable uint16 m_data = 0;
mutable int32 m_strLen = 0; // Length of repeated string
mutable int32 m_strOffset = 0; // Offset of repeated string
- mutable uint32 m_previousPtr = 0;
mutable uint32 m_totalRemain = 0;
};
@@ -794,7 +791,7 @@
struct MO3ContainerHeader
{
- char magic[3]; // MO3
+ char magic[3]; // MO3
uint8le version;
uint32le musicSize;
};
@@ -1389,7 +1386,10 @@
PLUGINDEX plug = musicChunk.ReadUint8();
if(!plug)
break;
- FileReader pluginChunk = musicChunk.ReadChunk(musicChunk.ReadUint32LE());
+ uint32 len = musicChunk.ReadUint32LE();
+ if(len >= containerHeader.musicSize || containerHeader.musicSize - len < musicChunk.GetPosition())
+ return false;
+ FileReader pluginChunk = musicChunk.ReadChunk(len);
#ifndef NO_PLUGINS
if(plug <= MAX_MIXPLUGINS)
{
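Review bot: The new bound on `len` is taken from `containerHeader.musicSize`, which is itself a field read from the file, rather than from what `musicChunk` actually holds. The guard only does its job if those two are guaranteed equal, and that is not visible in this hunk. Checking against the reader directly states the intent and avoids the subtraction, e.g. `if(!musicChunk.CanRead(len)) return false;`, assuming `musicChunk` is the usual FileReader. The same expression is repeated in the chunk loop in the next hunk (around line 1406) and should change with it. `len` can also be declared `const` here.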
@@ -1406,6 +1406,8 @@
{
uint32 id = musicChunk.ReadUint32LE();
uint32 len = musicChunk.ReadUint32LE();
+ if(len >= containerHeader.musicSize || containerHeader.musicSize - len < musicChunk.GetPosition())
+ return false;
FileReader chunk = musicChunk.ReadChunk(len);
switch(id)
{