From 8552dcc017978544384e8139ac38e48be6a3dcfd Mon Sep 17 00:00:00 2001
From: holub
Date: Tue, 28 Jan 2025 08:22:59 -0500
Subject: [PATCH] formats/cassimg.cpp: prevent regression in cass images (#13292)
---
 src/lib/formats/cassimg.cpp | 13 +++++++++++--
 src/lib/formats/tzx_cas.cpp | 5 ++++-
 2 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/src/lib/formats/cassimg.cpp b/src/lib/formats/cassimg.cpp
index 03a0dd23214..599b2698a81 100644
--- a/src/lib/formats/cassimg.cpp
+++ b/src/lib/formats/cassimg.cpp
@@ -820,7 +820,6 @@ cassette_image::error cassette_image::legacy_construct(const LegacyWaveFiller *l
 goto done;
 }
- LOG_FORMATS("Image size: %x\n", size);
 std::vector bytes(size);
 image_read(&bytes[0], 0, size);
 sample_count = args.chunk_sample_calc(&bytes[0], (int)size);
@@ -865,7 +864,17 @@ cassette_image::error cassette_image::legacy_construct(const LegacyWaveFiller *l
 image_read(&chunk[0], offset, args.chunk_size);
 offset += args.chunk_size;
- length = args.fill_wave(&samples[pos], args.chunk_size, &chunk[0]);
+ /*
+ This approach is problematic because we don't have control on incomming image size when processing the data
+ (at least in tap implementation).
+ The method sending the size of output (calculated in 'chunk_sample_calc' above) which uses same data as a input but
+ without knowing how much data available in the image. Having wrong header with size bigger than image couses illegal
+ access beyond image data.
+ Desired state is:
+ length = args.fill_wave(&samples[pos], args.chunk_size, &chunk[0]);
+ aslo the fix for tap is commented out in 'tap_cas_fill_wave'
+ */
+ length = args.fill_wave(&samples[pos], sample_count - pos, &chunk[0]);
 if (length < 0)
 {
 err = error::INVALID_IMAGE;
diff --git a/src/lib/formats/tzx_cas.cpp b/src/lib/formats/tzx_cas.cpp
index f254624e80a..8c9d34e44d4 100644
--- a/src/lib/formats/tzx_cas.cpp
+++ b/src/lib/formats/tzx_cas.cpp
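Review bot: The new `fill_wave` call in the second hunk bounds only the output side: `sample_count - pos` is the room left in `samples`, while the `args.chunk_size` input length the callback previously received is no longer passed, and the comment added right above it states that a header declaring more data than the image holds then reads beyond the image data. Since `chunk_sample_calc` already sees the whole image (`&bytes[0]`, `(int)size`) in the first hunk, that is the place to enforce the input bound without changing the callback signature: have the TAP size calculation reject a block whose declared size runs past `size` and return a value the caller treats as invalid — presumably a negative `sample_count` already becomes `error::INVALID_IMAGE` further up, but that code is outside the hunk, so confirm. The ten-line block comment inside the loop would read better as a short note, e.g. `// TODO(#13292): 'length' is the remaining output sample budget, not the input size; the input bound must be enforced by chunk_sample_calc (see tap_cas_fill_wave).`, with incomming/couses/aslo spelled incoming/causes/also. legacy_construct begins and ends outside both hunks.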
@@ -833,16 +833,19 @@ static int tap_cas_fill_wave( int16_t *buffer, int length, const uint8_t *bytes
 int16_t *p = buffer;
 int size = 0;
- while (length > 0)
+ //while (length > 0)
+ while (size < length)
 {
 int data_size = get_u16le(&bytes[0]);
 int pilot_length = (bytes[2] == 0x00) ? 8063 : 3223;
 LOG_FORMATS("tap_cas_fill_wave: Handling TAP block containing 0x%X bytes\n", data_size);
+ /*
 length -= data_size;
 if (length < 0)
 {
 data_size += length; // Take as much as we can.
 }
+ */
 bytes += 2;
 size += tzx_cas_handle_block(&p, bytes, 1000, data_size, 2168, pilot_length, 667, 735, 855, 1710, 8);
 bytes += data_size;
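Review bot: With `length -= data_size` and its clamp commented out, the `data_size` read from the block header at `get_u16le(&bytes[0])` is handed to `tzx_cas_handle_block` and added to `bytes` with no comparison against the input actually available, so a TAP image whose block header overstates its size reads past the end of the input buffer, and the three header bytes at the top of the next iteration are read with no check at all. The new `while (size < length)` only guards output samples, and only between blocks: a single block producing more than `length - size` samples can still overrun `buffer` unless `tzx_cas_handle_block` bounds its own writes, which this hunk does not show — please confirm. Because the callback receives a single length, the input bound has to be enforced earlier, in the TAP sample-count calculation the caller runs over the whole image, and a comment here should say so. Leaving `//while (length > 0)` and the `/* ... */`-ed block in the loop is dead code; replace both with `// 'length' is the output sample budget, not the input size; block sizes are validated against the image by the size calculation (#13292)` and drop the old lines. tap_cas_fill_wave's return statement is outside the hunk.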