From c57c32e6cfeda40b3f006a5ba63a3ff161e8d497 Mon Sep 17 00:00:00 2001
From: matt335672 <30179339+matt335672@users.noreply.github.com>
Date: Tue, 6 Dec 2022 11:31:31 +0000
Subject: [PATCH] CVE-2022-23477

Prevent buffer overflow for oversized audio format from client
---
 sesman/chansrv/audin.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/sesman/chansrv/audin.c b/sesman/chansrv/audin.c
index cd802fa5..36a8027a 100644
--- a/sesman/chansrv/audin.c
+++ b/sesman/chansrv/audin.c
@@ -181,15 +181,16 @@ audin_send_open(int chan_id)
     int error;
     int bytes;
     struct stream *s;
-    struct xr_wave_format_ex *wf;
+    struct xr_wave_format_ex *wf = g_client_formats[g_current_format];
 
     LOG_DEVEL(LOG_LEVEL_INFO, "audin_send_open:");
     make_stream(s);
-    init_stream(s, 8192);
+    /* wf->cbSize was checked when the format was received */
+    init_stream(s, wf->cbSize + 64);
+
     out_uint8(s, MSG_SNDIN_OPEN);
     out_uint32_le(s, 2048); /* FramesPerPacket */
     out_uint32_le(s, g_current_format); /* initialFormat */
-    wf = g_client_formats[g_current_format];
     out_uint16_le(s, wf->wFormatTag);
     out_uint16_le(s, wf->nChannels);
     out_uint32_le(s, wf->nSamplesPerSec);
-- 
2.39.0