Hans Petter Selasky <h...@selasky.org> writes:

> On 11/08/17 00:38, Eric Wong wrote:
>> @@ -113,7 +113,13 @@ const char *lsx_ms_adpcm_block_expand_i(
>>     const unsigned char *ip;
>>     unsigned ch;
>>     const char *errmsg = NULL;
>> -  MsState_t state[4];  /* One decompressor state for each channel */
>> +
>> +  /* One decompressor state for each channel */
>> +  MsState_t *state;
>> +  size_t size = sizeof(*state) * chans;
>> +  const size_t alloca_max = 1024;
>> +
>
> Hi,
>
> Just make a fixed buffer on the stack instead of using alloca().
>
>> +  state = size > alloca_max ? lsx_malloc(size) : alloca(size);
>>       /* Read the four-byte header for each channel */
>>     ip = ibuff;
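Review bot: "size_t size = sizeof(*state) * chans;" takes chans as given, and nothing in this hunk checks a lower or upper bound on it. A chans of 0 reaches alloca(0), and any larger count is only steered between stack and heap by the 1024-byte threshold. Suggest rejecting an out-of-range chans with an errmsg before size is computed. Once a maximum is enforced, a fixed array sized to that maximum would also remove the alloca()/lsx_malloc() split.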
>> @@ -158,6 +164,10 @@ const char *lsx_ms_adpcm_block_expand_i(
>>         if (++ch2 == chans) ch2 = 0;
>>       }
>>     }
>> +
>> +  if (size > alloca_max)
>> +    free(state);
>> +
>>     return errmsg;
>>   }
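Review bot: the "if (size > alloca_max) free(state);" at the end repeats the test used at the allocation, so the two conditions have to be kept in sync by hand, and the heap buffer is released only on this final path to "return errmsg". Suggest keeping a separate heap pointer that stays NULL when alloca() is used and passing it to free() unconditionally, so that allocation and release cannot drift apart. Also confirm that plain free() is the intended counterpart for memory obtained from lsx_malloc().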
>
> Is the "chans" argument range-checked anywhere? You should put a limit
> how many channels are supported!

The WAV container is limited to 64k channels.  We could of course
enforce a lower limit.

-- 
Måns Rullgård
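
As an added example (not part of this thread and not SoX's code), this is one way to enforce a lower channel limit when the WAV "fmt " chunk is parsed, so that the per-channel state can live in a fixed-size array. MAX_CHANS, chan_state_t, decoder_t and decoder_init are hypothetical names, and the cap of 16 is an assumed policy value.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_CHANS 16u  /* assumed policy cap, not a SoX constant */

/* Hypothetical per-channel state, standing in for the decoder's own type. */
typedef struct { int32_t step; int16_t coef[2]; } chan_state_t;

typedef struct {
    unsigned chans;
    chan_state_t state[MAX_CHANS];  /* fixed size: no alloca()/malloc() split */
} decoder_t;

/* Initialise a decoder from a WAV "fmt " chunk body, where nChannels is the
 * 16-bit little-endian field at offset 2 (hence the container's 64k ceiling).
 * Returns NULL on success or a static error message. */
const char *decoder_init(decoder_t *d, const unsigned char *fmt, size_t len)
{
    unsigned chans;

    if (len < 4)
        return "fmt chunk too short";
    chans = (unsigned)fmt[2] | ((unsigned)fmt[3] << 8);
    if (chans == 0)
        return "zero channels";
    if (chans > MAX_CHANS)
        return "too many channels";

    memset(d, 0, sizeof(*d));
    d->chans = chans;
    return NULL;
}

/* Constructed sample "fmt " bodies: format tag 2 (MS ADPCM), then nChannels. */
static const unsigned char fmt_stereo[] = { 0x02, 0x00, 0x02, 0x00 };
static const unsigned char fmt_64k[]    = { 0x02, 0x00, 0xff, 0xff };
static const unsigned char fmt_zero[]   = { 0x02, 0x00, 0x00, 0x00 };

int main(void)
{
    decoder_t d;
    int ok = decoder_init(&d, fmt_stereo, sizeof fmt_stereo) == NULL
          && decoder_init(&d, fmt_64k, sizeof fmt_64k) != NULL
          && decoder_init(&d, fmt_zero, sizeof fmt_zero) != NULL;
    return ok ? 0 : 1;
}
```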

_______________________________________________
SoX-devel mailing list
SoX-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sox-devel
