From 158bfc563b018ba4e0068ff4202f6d2ad1001aa1 Mon Sep 17 00:00:00 2001
From: Andrew Productengine <adyukov@productengine.com>
Date: Mon, 25 Oct 2010 18:56:04 +0300
Subject: STORM-95 FIXED Fixed hanging of client when incorrect WAV file was
 passed.

As Aimee has found: "The data chunk of nexfire.wav has an incorrect length specified in its header which we blindly trust when reading
the file in check_for_invalid_wav_formats() in llvorbisencode.cpp. It causes an overflow of the file position pointer when reading the file which makes
it start over from the beginning, hanging it in an infinite loop."

- To avoid this situation in future, check for chunk size was added, and if it is declared bigger then it may be, function is interrupted and returns error.
---
 indra/llaudio/llvorbisencode.cpp | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'indra/llaudio/llvorbisencode.cpp')

diff --git a/indra/llaudio/llvorbisencode.cpp b/indra/llaudio/llvorbisencode.cpp
index 9f479189d7..0e0c80a456 100644
--- a/indra/llaudio/llvorbisencode.cpp
+++ b/indra/llaudio/llvorbisencode.cpp
@@ -120,6 +120,13 @@ S32 check_for_invalid_wav_formats(const std::string& in_fname, std::string& erro
 			+ ((U32) wav_header[5] << 8) 
 			+ wav_header[4];
 
+		if (chunk_length > physical_file_size - file_pos - 4)
+		{
+			infile.close();
+			error_msg = "SoundFileInvalidChunkSize";
+			return(LLVORBISENC_CHUNK_SIZE_ERR);
+		}
+
 //		llinfos << "chunk found: '" << wav_header[0] << wav_header[1] << wav_header[2] << wav_header[3] << "'" << llendl;
 
 		if (!(strncmp((char *)&(wav_header[0]),"fmt ",4)))
-- 
cgit v1.2.3