From eff0034488fe6c6bed0232b68399b52839445304 Mon Sep 17 00:00:00 2001
From: aizu-m
Date: Fri, 5 Jun 2026 19:02:40 +0530
Subject: [PATCH 1/2] Bounds-check the bits field in legacy get_word3
---
 src/unpack3.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/unpack3.c b/src/unpack3.c
index 47cb7d21..9107a6e8 100644
--- a/src/unpack3.c
+++ b/src/unpack3.c
@@ -1467,6 +1467,9 @@ static int32_t FASTCALL get_word3 (WavpackStream3 *wps, int chan)
 return 0L;
 if (wps->wphdr.bits && dbits > wps->wphdr.bits) {
+ if (wps->wphdr.bits & ~31)
+ return WORD_EOF;
+
 getbits (&value, wps->wphdr.bits, &wps->wvbits);
 if (value & bitset [wps->wphdr.bits - 1])
From e12039fc2590cd109548b6123407ce1f558e648a Mon Sep 17 00:00:00 2001
From: aizu-m
Date: Sat, 6 Jun 2026 13:13:34 +0530
Subject: [PATCH 2/2] validate bits field when opening legacy version-3 files
---
 src/unpack3.c | 3 ---
 src/unpack3_open.c | 4 ++--
 2 files changed, 2 insertions(+), 5 deletions(-)
diff --git a/src/unpack3.c b/src/unpack3.c
index 9107a6e8..47cb7d21 100644
--- a/src/unpack3.c
+++ b/src/unpack3.c
@@ -1467,9 +1467,6 @@ static int32_t FASTCALL get_word3 (WavpackStream3 *wps, int chan)
 return 0L;
 if (wps->wphdr.bits && dbits > wps->wphdr.bits) {
- if (wps->wphdr.bits & ~31)
- return WORD_EOF;
-
 getbits (&value, wps->wphdr.bits, &wps->wvbits);
 if (value & bitset [wps->wphdr.bits - 1])
diff --git a/src/unpack3_open.c b/src/unpack3_open.c
index 1971de88..ab9afc21 100644
--- a/src/unpack3_open.c
+++ b/src/unpack3_open.c
@@ -170,9 +170,9 @@ WavpackContext *open_file3 (WavpackContext *wpc, char *error)
 WavpackLittleEndianToNative (&wphdr, WavpackHeader3Format);
- // make sure this is a version we know about
+ // make sure this is a version we know about (and valid)
- if (strncmp (wphdr.ckID, "wvpk", 4) || wphdr.version < 1 || wphdr.version > 3) {
+ if (strncmp (wphdr.ckID, "wvpk", 4) || wphdr.version < 1 || wphdr.version > 3 || wphdr.bits < 0) {
 if (error) strcpy (error, "not a valid WavPack file!");
 return WavpackCloseFile (wpc);
 }
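Review bot: The open-time check added to `open_file3` rejects only a negative `wphdr.bits`, whereas the guard this series removes from `get_word3` (`wps->wphdr.bits & ~31`) also rejected values above 31, so nothing visible in these hunks enforces the upper bound any more. In `get_word3` the field is still passed to `getbits` and used as `bitset [wps->wphdr.bits - 1]`; the only remaining limit there is `dbits > wps->wphdr.bits`, and the range of `dbits` is outside the hunk, so it should be confirmed that this keeps the index and the bit count within what `bitset` and `getbits` accept. If it does not, an upper bound belongs either here or at the point of use, provided no valid version-3 file stores a larger value in `bits`. The comment could also state what "valid" means, e.g. `// make sure this is a version we know about and that bits is not negative`.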