src/(sd2|wav).c : Fix potential read beyond end of buffer.

2024-11-23 18:09:59 +00:00 · 2009-03-01 20:43:30 +11:00 · 2009-03-01 20:43:30 +11:00 · 9ebb270fb1
commit 9ebb270fb1
parent cc3b9cfaca
2 changed files with 4 additions and 4 deletions
--- a/src/sd2.c
+++ b/src/sd2.c
@ -480,8 +480,8 @@ sd2_parse_rsrc_fork (SF_PRIVATE *psf)
 		goto parse_rsrc_fork_cleanup ;
 		} ;

-	if (rsrc.map_offset + 26 >= rsrc.rsrc_len)
-	{	psf_log_printf (psf, "Bad map offset (%d + 26 > %d).\n", rsrc.map_offset, rsrc.rsrc_len) ;
+	if (rsrc.map_offset + 28 >= rsrc.rsrc_len)
+	{	psf_log_printf (psf, "Bad map offset (%d + 28 > %d).\n", rsrc.map_offset, rsrc.rsrc_len) ;
 		error = SFE_SD2_BAD_RSRC ;
 		goto parse_rsrc_fork_cleanup ;
 		} ;
--- a/src/wav.c
+++ b/src/wav.c
@ -1330,7 +1330,7 @@ wav_subchunk_parse (SF_PRIVATE *psf, int chunk)
 			case ISRC_MARKER :
 					bytesread += psf_binheader_readf (psf, "4", &dword) ;
 					dword += (dword & 1) ;
-					if (dword > SIGNED_SIZEOF (psf->u.cbuf))
+					if (dword >= SIGNED_SIZEOF (psf->u.cbuf))
 					{	psf_log_printf (psf, "  *** %M : %d (too big)\n", chunk, dword) ;
 						psf_binheader_readf (psf, "j", dword) ;
 						break ;
@ -1769,7 +1769,7 @@ exif_subchunk_parse (SF_PRIVATE *psf, unsigned int length)
 				bytesread += sizeof (dword) ;
 				dword += (dword & 1) ;

-				if (dword > sizeof (buf))
+				if (dword >= sizeof (buf))
 				{	psf_log_printf (psf, "*** Marker '%M' is too big %u\n\n", marker, dword) ;
 					return bytesread ;
 					} ;