mirror/86Box
1
0
Fork 0
mirror of https://github.com/86Box/86Box.git synced 2026-02-23 09:58:19 -07:00
Code Issues Packages Projects Releases Activity

CodeQL fix for load_wav-function. Check the filename to be proper filename

Browse Source
This commit is contained in:
Toni Riikonen
2025-09-20 17:48:34 +03:00
parent e15d1031dd
commit 542e188a5d
1 changed files with 15 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
src/floppy/fdd_audio.c
View File

@@ -17,6 +17,7 @@
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <ctype.h>
#define HAVE_STDARG_H
#include <86box/86box.h>
@@ -165,6 +166,20 @@ load_wav(const char *filename, int *sample_count)
FILE *f = NULL;
char full_path[2048];
if (!filename || strlen(filename) == 0) {
return NULL;
}
if (strstr(filename, "..") != NULL || strchr(filename, '/') != NULL || strchr(filename, '\\') != NULL) {
return NULL;
}
for (const char *p = filename; *p; p++) {
if (!isalnum(*p) && *p != '.' && *p != '_' && *p != '-') {
return NULL;
}
}
path_append_filename(full_path, exe_path, "samples");
path_append_filename(full_path, full_path, filename);