Commit Graph

19 Commits (7a51ad6a501f8b6a4af59fcc73d65aade045cb4a)

Author SHA1 Message Date
Sam Lantinga 990e166a3b Fixed bug 3894 - Fuzzing crashes for SDL_LoadWAV
Simon Hug

I had a look at this and made some additions to SDL_wave.c.

The attached patch adds many checks and error messages. For some reason I also added A-law and µ-law decoders. Forgot exactly why... but hey, they're small.

The WAVE format is seriously underspecified (at least by the documents that are publicly available on the internet) and it's a shame Microsoft never put something better out there. The language used in them is so loose at times, it's not surprising the encoders and decoders behave very differently. The Windows Media Player doesn't even support MS ADPCM correctly.

The patch also adds some hints to make the decoder more strict at the cost of compatibility with weird WAVE files.

I still think it needs a bit of cleaning up (Not happy with the MultiplySize function. Don't like the name and other SDL code may want to use something like this too.) and some duplicated code may be folded together. It does work in this state and I have thrown all kinds of WAVE files at it. The AFL files also pass with it and some even play (obviously just noise). Crafty little fuzzer.

Any critique would be welcome. I have a fork of SDL with an audio-loadwav branch over here if someone wants to use the commenting feature of Bitbucket:

https://bitbucket.org/ChliHug/SDL

I also cobbled some Lua scripts together to create WAVE test files:

https://bitbucket.org/ChliHug/gendat
2019-06-08 19:02:42 -07:00
Sam Lantinga 5e13087b0f Updated copyright for 2019 2019-01-04 22:01:14 -08:00
Sam Lantinga b251876126 commit c6b28f46b8116552ec2b38d1d3c8535df28ba7a1
Author: Anthony Pesch <inolen@gmail.com>
Date:   Fri May 4 20:21:21 2018 -0400

    Added SDL_AUDIO_ALLOW_SAMPLES_CHANGE flag enabling users of SDL_OpenAudioDevice to get
    the sample size of the actual hardware buffer vs having a stream created to handle the
    delta
2018-10-01 09:47:10 -07:00
Sam Lantinga e3cc5b2c6b Updated copyright for 2018 2018-01-03 10:03:25 -08:00
Ryan C. Gordon dbce1341d5 audio: fixed typo in Doxygen comment. 2017-12-09 03:24:01 -05:00
Sam Lantinga fe2b5fec61 Document the SDL audio channel mapping 2017-10-20 14:48:10 -07:00
Sam Lantinga 7a6cf53aea Added SDL_AudioStreamFlush() to the list of new audio stream functions 2017-10-20 10:45:38 -07:00
Ryan C. Gordon 729329068b audio: Added SDL_AudioStreamFlush(). 2017-10-19 18:05:42 -04:00
Sam Lantinga 80f8464d97 Added audio stream conversion functions:
    SDL_NewAudioStream
    SDL_AudioStreamPut
    SDL_AudioStreamGet
    SDL_AudioStreamAvailable
    SDL_AudioStreamClear
    SDL_FreeAudioStream
2017-10-18 15:54:05 -07:00
Sam Lantinga 629f8abab4 Updated documentation, you don't need to initialize the audio subsystem to do in-place format conversion. (Thanks Simon Hug!) 2017-08-29 09:02:04 -07:00
Ryan C. Gordon e3e6b4fd35 audio: better docs on conversion APIs, error if not init'd (thanks, Simon!).
Fixes Bugzilla #3662.
2017-08-18 16:52:19 -04:00
Sam Lantinga 553b328664 Fixed bug 3668 - Overflow of SDL_AudioCVT.filters with some downmixes
Simon Hug

There's a chance that an audio conversion from many channels to a few can use more than 9 audio filters. SDL_AudioCVT has 10 SDL_AudioFilter pointers of which one has to be the terminating NULL pointer. The SDL code has no checks for this limit. If it overflows there can be stack or heap corruption or a call to 0xa.

Attached patch adds a function that checks for this limit and throws an error if it is reached. Also adds some documentation.

Test parameters that trigger this issue:
AUDIO_U16MSB with 224 channels at 46359 Hz
                 V
AUDIO_S16MSB with 6 channels at 27463 Hz

The fuzzer program I uploaded in bug 3667 has more of them.
2017-06-12 16:39:15 -07:00
Ryan C. Gordon 1066bcc83a audio: clarified what SDL_AudioSpec::samples is, removed note about power of 2.
These don't have to be power-of-2 sizes anymore because of SDL_AudioStream,
and the new resampler, but also, many platforms don't give you power-of-2 DMA
buffer in the first place!
2017-02-27 10:11:40 -05:00
Ryan C. Gordon 073ff7dea3 Added a note about aligning SDL_AudioCVT data. 2017-01-24 00:55:41 -05:00
Sam Lantinga 45b774e3f7 Updated copyright for 2017 2017-01-01 18:33:28 -08:00
Sam Lantinga 3615633571 Renaming of guard header names to quiet -Wreserved-id-macro
Patch contributed by Sylvain
2016-11-20 21:34:54 -08:00
Ryan C. Gordon 7315390171 audio: Implemented buffer queueing for capture devices (SDL_DequeueAudio()). 2016-08-06 02:47:27 -04:00
Sam Lantinga 42065e785d Updated copyright to 2016 2016-01-02 10:10:34 -08:00
Philipp Wiesemann 0e45984fa0 Fixed crash if initialization of EGL failed but was tried again later.
The internal function SDL_EGL_LoadLibrary() did not delete and remove a mostly
uninitialized data structure if loading the library first failed. A later try to
use EGL then skipped initialization and assumed it was previously successful
because the data structure now already existed. This led to at least one crash
in the internal function SDL_EGL_ChooseConfig() because a NULL pointer was
dereferenced to make a call to eglBindAPI().
2015-06-21 17:33:46 +02:00