Potential Integer Overflow vulnerability in src/Stk.cpp

[KSB21ST]

It seems that there exists a potential integer overflow. Please find the following description:

1. Call to function FileRead :: open(...)
   

   stk/src/FileLoop.cpp

   Line 50 in 1fec6e0

   file_.open( fileName, raw );

2. In FileRead :: open(...), Call to function getWavInfo(...)
   

   stk/src/FileRead.cpp

   Line 100 in 1fec6e0

   result = getWavInfo( fileName.c_str() );

3. In getWavInfo(...), variable temp is read from external source
   

   stk/src/FileRead.cpp

   Line 223 in 1fec6e0

   if ( fread(&temp, 2, 1, fd_) != 1 ) goto error;

4. channels_ can be an arbitrary integer
   

   stk/src/FileRead.cpp

   Line 227 in 1fec6e0

   channels_ = (unsigned int ) temp;

5. Back to function in FileWrite: fix warnings #1, call to fileSize(...)
   

   stk/src/FileLoop.cpp

   Line 53 in 1fec6e0

   if ( file_.fileSize() > chunkThreshold_ ) {

   
   

   stk/include/FileRead.h

   Line 77 in 1fec6e0

   unsigned long fileSize( void ) const { return fileSize_; };

6. In the same function with make casts in Fir.h explicit #6, Call to function StkFrames :: resize(...) with channels_ as second argument
   

   stk/include/FileRead.h

   Line 80 in 1fec6e0

   unsigned int channels( void ) const { return channels_; };

   
   

   stk/src/FileLoop.cpp

   Line 56 in 1fec6e0

   data_.resize( chunkSize_ + 1, file_.channels() );

7. In function StkFrames :: resize(...), if channels_ is large enough, the multiplication can cause integer overflow
   

   stk/src/Stk.cpp

   Line 296 in 1fec6e0

   nFrames_ = nFrames;

   
   

   stk/src/Stk.cpp

   Line 299 in 1fec6e0

   size_ = nFrames_ * nChannels_;

8. In the same function with iOS-friendly static library #8, if channels_ is large enough (from iOS-friendly static library #8), allocation of memory with multiplication may cause integer overflow
   

   stk/src/Stk.cpp

   Line 302 in 1fec6e0

   data_ = (StkFloat *) malloc( size_ * sizeof( StkFloat ) );