From 993ab767b6941bd4d1447545a9bceac9594ef97a Mon Sep 17 00:00:00 2001
From: tildearrow
Date: Mon, 24 Jan 2022 12:47:18 -0500
Subject: [PATCH] ADPCM memory safety
---
 src/engine/engine.cpp | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/src/engine/engine.cpp b/src/engine/engine.cpp
index 96319afcd..94098ee04 100644
--- a/src/engine/engine.cpp
+++ b/src/engine/engine.cpp
@@ -2872,6 +2872,7 @@ void DivEngine::renderSamples() {
 }
 s->rendData=new short[s->rendLength];
 size_t adpcmLen=((s->rendLength>>1)+255)&0xffffff00;
+ if (adpcmLen>1048576) adpcmLen=1048576;
 s->adpcmRendLength=adpcmLen;
 s->adpcmRendData=new unsigned char[adpcmLen];
 memset(s->adpcmRendData,0,adpcmLen);
@@ -2968,7 +2969,16 @@ void DivEngine::renderSamples() {
 if ((memPos&0xf00000)!=((memPos+s->adpcmRendLength)&0xf00000)) {
 memPos=(memPos+0xfffff)&0xf00000;
 }
- memcpy(adpcmMem+memPos,s->adpcmRendData,s->adpcmRendLength);
+ if (memPos>=16777216) {
+ logW("out of ADPCM memory for sample %d!\n",i);
+ break;
+ }
+ if (memPos+s->adpcmRendLength>=16777216) {
+ memcpy(adpcmMem+memPos,s->adpcmRendData,16777216-memPos);
+ logW("out of ADPCM memory for sample %d!\n",i);
+ } else {
+ memcpy(adpcmMem+memPos,s->adpcmRendData,s->adpcmRendLength);
+ }
 s->rendOff=memPos;
 memPos+=s->adpcmRendLength;
 }
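Review bot: Clamping `adpcmLen` to 1048576 shrinks the `adpcmRendData` allocation, but `s->rendLength` and `rendData` keep their full size, so the code that encodes `rendData` into `adpcmRendData` must now stop at `adpcmRendLength` bytes. That encoder is outside this hunk (the body of `renderSamples` continues past it). If it is still driven by `rendLength`, it would write past the smaller buffer for long samples, so its loop bound should be derived from `s->adpcmRendLength`. The truncation is also silent and uses a bare literal; a named constant for the 1 MiB bank size and a `logW` when the clamp fires would make this visible, with a comment such as `// ADPCM samples cannot exceed one 1 MiB bank; longer samples are truncated`.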
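Review bot: The new bounds checks can be sidestepped by the bank-alignment line just above them: `memPos=(memPos+0xfffff)&0xf00000;` discards bit 24, so a sample that starts inside the last 1 MiB bank and would cross 16777216 gets `memPos` rounded to 0 instead of to 16777216. Neither `memPos>=16777216` test then fires, and the `memcpy` stays in bounds but silently overwrites whatever was already placed at offset 0, with no warning logged. Rounding without truncation, e.g. `memPos=(memPos+0xfffff)&~(size_t)0xfffff;`, lets the first guard catch this case (`memPos` is declared outside the hunk, so match the cast to its type). Separately, the `>=` in `memPos+s->adpcmRendLength>=16777216` logs a false out-of-memory warning for a sample that ends exactly at the end of the buffer; `>` would be exact.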