From 6e8d58cbcc2c283a889418386ac413e7ed5e5a07 Mon Sep 17 00:00:00 2001
From: oparviai <oparviai@f3a24b6a-cf45-0410-b55a-8c22e2698227>
Date: Sun, 27 Aug 2017 15:23:28 +0000
Subject: [PATCH] Added sanity checks against illegal input audio stream
 parameters e.g. wildly excessive samplerate

---
 source/SoundStretch/WavFile.cpp  | 25 +++++++++++++++++--------
 source/SoundStretch/WavFile.h    | 22 +++++++++++-----------
 source/SoundTouch/SoundTouch.cpp |  2 +-
 source/SoundTouch/TDStretch.cpp  |  9 +++++++--
 4 files changed, 36 insertions(+), 22 deletions(-)

diff --git a/source/SoundStretch/WavFile.cpp b/source/SoundStretch/WavFile.cpp
index e0c7fce..761dd16 100644
--- a/source/SoundStretch/WavFile.cpp
+++ b/source/SoundStretch/WavFile.cpp
@@ -222,8 +222,17 @@ void WavInFile::init()
     if (hdrsOk != 0) 
     {
         // Something didn't match in the wav file headers 
-        string msg = "Input file is corrupt or not a WAV file";
-        ST_THROW_RT_ERROR(msg.c_str());
+        ST_THROW_RT_ERROR("Input file is corrupt or not a WAV file");
+    }
+
+    // sanity check for format parameters
+    if ((header.format.channel_number < 1)  || (header.format.channel_number > 9) ||
+        (header.format.sample_rate < 4000)  || (header.format.sample_rate > 192000) ||
+        (header.format.byte_per_sample < 1) || (header.format.byte_per_sample > 320) ||
+        (header.format.bits_per_sample < 8) || (header.format.bits_per_sample > 32))
+    {
+        // Something didn't match in the wav file headers 
+        ST_THROW_RT_ERROR("Error: Illegal wav file header format parameters.");
     }
 
     /* Ignore 'fixed' field value as 32bit signed linear data can have other value than 1.
@@ -544,12 +553,12 @@ int WavInFile::readHeaderBlock()
         if (fread(&(header.format.fixed), nLen, 1, fptr) != 1) return -1;
 
         // swap byte order if necessary
-        _swap16(header.format.fixed);            // short int fixed;
-        _swap16(header.format.channel_number);   // short int channel_number;
-        _swap32((int &)header.format.sample_rate);      // int sample_rate;
-        _swap32((int &)header.format.byte_rate);        // int byte_rate;
-        _swap16(header.format.byte_per_sample);  // short int byte_per_sample;
-        _swap16(header.format.bits_per_sample);  // short int bits_per_sample;
+        _swap16((short &)header.format.fixed);            // short int fixed;
+        _swap16((short &)header.format.channel_number);   // short int channel_number;
+        _swap32((int &)header.format.sample_rate);        // int sample_rate;
+        _swap32((int &)header.format.byte_rate);          // int byte_rate;
+        _swap16((short &)header.format.byte_per_sample);  // short int byte_per_sample;
+        _swap16((short &)header.format.bits_per_sample);  // short int bits_per_sample;
 
         // if format_len is larger than expected, skip the extra data
         if (nDump > 0)
diff --git a/source/SoundStretch/WavFile.h b/source/SoundStretch/WavFile.h
index aff6a96..79af827 100644
--- a/source/SoundStretch/WavFile.h
+++ b/source/SoundStretch/WavFile.h
@@ -58,7 +58,7 @@ typedef unsigned int uint;
 typedef struct 
 {
     char riff_char[4];
-    int  package_len;
+    uint package_len;
     char wave[4];
 } WavRiff;
 
@@ -66,21 +66,21 @@ typedef struct
 typedef struct 
 {
     char  fmt[4];
-    int   format_len;
-    short fixed;
-    short channel_number;
-    int   sample_rate;
-    int   byte_rate;
-    short byte_per_sample;
-    short bits_per_sample;
+    unsigned int   format_len;
+    unsigned short fixed;
+    unsigned short channel_number;
+    unsigned int   sample_rate;
+    unsigned int   byte_rate;
+    unsigned short byte_per_sample;
+    unsigned short bits_per_sample;
 } WavFormat;
 
 /// WAV audio file 'fact' section header
 typedef struct 
 {
-    char  fact_field[4];
-    int   fact_len;
-    uint  fact_sample_len;
+    char fact_field[4];
+    uint fact_len;
+    uint fact_sample_len;
 } WavFact;
 
 /// WAV audio file 'data' section header
diff --git a/source/SoundTouch/SoundTouch.cpp b/source/SoundTouch/SoundTouch.cpp
index 7617f97..f163733 100644
--- a/source/SoundTouch/SoundTouch.cpp
+++ b/source/SoundTouch/SoundTouch.cpp
@@ -286,9 +286,9 @@ void SoundTouch::calcEffectiveRateAndTempo()
 // Sets sample rate.
 void SoundTouch::setSampleRate(uint srate)
 {
-    bSrateSet = true;
     // set sample rate, leave other tempo changer parameters as they are.
     pTDStretch->setParameters((int)srate);
+    bSrateSet = true;
 }
 
 
diff --git a/source/SoundTouch/TDStretch.cpp b/source/SoundTouch/TDStretch.cpp
index 3403969..228889b 100644
--- a/source/SoundTouch/TDStretch.cpp
+++ b/source/SoundTouch/TDStretch.cpp
@@ -134,8 +134,13 @@ void TDStretch::setParameters(int aSampleRate, int aSequenceMS,
                               int aSeekWindowMS, int aOverlapMS)
 {
     // accept only positive parameter values - if zero or negative, use old values instead
-    if (aSampleRate > 0)   this->sampleRate = aSampleRate;
-    if (aOverlapMS > 0)    this->overlapMs = aOverlapMS;
+    if (aSampleRate > 0)
+    {
+        if (aSampleRate > 192000) ST_THROW_RT_ERROR("Error: Excessive samplerate");
+        this->sampleRate = aSampleRate;
+    }
+
+    if (aOverlapMS > 0) this->overlapMs = aOverlapMS;
 
     if (aSequenceMS > 0)
     {