From 78e239d883505e1ad64232812bce6ea8b726632f Mon Sep 17 00:00:00 2001
From: Alibek Omarov
Date: Tue, 2 May 2023 08:54:37 +0300
Subject: [PATCH] engine: soundlib: wav: attempt to make FindNextChunk more safe
---
 engine/common/soundlib/snd_wav.c | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/engine/common/soundlib/snd_wav.c b/engine/common/soundlib/snd_wav.c
index 97c268e3..b5466439 100644
--- a/engine/common/soundlib/snd_wav.c
+++ b/engine/common/soundlib/snd_wav.c
@@ -62,11 +62,14 @@ FindNextChunk
 */
 static void FindNextChunk( const char *name )
 {
+ int remaining;
+
 while( 1 )
 {
 iff_dataPtr = iff_lastChunk;
+ remaining = iff_end - iff_dataPtr;
- if( iff_dataPtr >= iff_end )
+ if( remaining < 8 )
 {
 // didn't find the chunk
 iff_dataPtr = NULL;
@@ -76,14 +79,24 @@ static void FindNextChunk( const char *name )
 iff_dataPtr += 4;
 iff_chunkLen = GetLittleLong();
+ remaining -= 8;
+
 if( iff_chunkLen < 0 )
 {
 iff_dataPtr = NULL;
 return;
 }
+ if( iff_chunkLen > remaining )
+ {
+ iff_chunkLen = remaining;
+ }
+
+ remaining -= iff_chunkLen;
 iff_dataPtr -= 8;
- iff_lastChunk = iff_dataPtr + 8 + ((iff_chunkLen + 1) & ~1);
+ iff_lastChunk = iff_dataPtr + 8 + iff_chunkLen;
+ if( iff_chunkLen & 1 && remaining )
+ iff_chunkLen++;
 if( !Q_strncmp( (const char *)iff_dataPtr, name, 4 ))
 return;
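Review bot: In the first hunk (`@@ -62,11 +62,14 @@`), `remaining` is declared `int` but receives the pointer difference `iff_end - iff_dataPtr`, which has type `ptrdiff_t`. Every later bounds decision is based on this value, so on 64-bit targets it is only exact while the loaded file stays below `INT_MAX` bytes. The declarations of `iff_end` and `iff_dataPtr` are outside the hunk, so either declare it as `ptrdiff_t remaining;` or state the size assumption in a comment. The literal `8` in `if( remaining < 8 )` would also benefit from a comment such as `// chunk header: 4-byte id + 4-byte little-endian length`, since it recurs in the second hunk (`remaining -= 8`, `iff_dataPtr -= 8`).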
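Review bot: In the second hunk (`@@ -76,14 +79,24 @@`), the pad byte of an odd-sized chunk is now added to `iff_chunkLen` instead of to `iff_lastChunk`. The removed line advanced the cursor by `(iff_chunkLen + 1) & ~1`, whereas the new code assigns `iff_lastChunk = iff_dataPtr + 8 + iff_chunkLen` before the odd-length check. The next loop iteration therefore appears to start on the pad byte and read the following chunk's id and length one byte early. Any caller that treats `iff_chunkLen` as the payload size would also see it grow by a byte of padding. The adjustment probably belongs on the cursor, written with explicit parentheses: `if(( iff_chunkLen & 1 ) && remaining ) iff_lastChunk++;`. The loop and function close outside this hunk, so check how callers use `iff_chunkLen` before changing it.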