1 files changed, 68 insertions, 0 deletions
diff --git a/meta-oe/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7574.patch b/meta-oe/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7574.patch
new file mode 100644
index 000000000..9fd53da29
--- /dev/null
+++ b/meta-oe/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7574.patch
@@ -0,0 +1,68 @@
+# HG changeset patch
+# User Petr Písař <ppisar@redhat.com>
+# Date 1560181859 25200
+#      Mon Jun 10 08:50:59 2019 -0700
+# Branch SDL-1.2
+# Node ID a6e3d2f5183e1cc300ad993e10e9ce077e13bd9c
+# Parent  388987dff7bf8f1e214e69c2e4f1aa31e06396b5
+CVE-2019-7574: Fix a buffer overread in IMA_ADPCM_decode
+If data chunk was shorter than expected based on a WAV format
+definition, IMA_ADPCM_decode() tried to read past the data chunk
+buffer. This patch fixes it.
+CVE-2019-7574
+https://bugzilla.libsdl.org/show_bug.cgi?id=4496
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+CVE: CVE-2019-7574
+Upstream-Status: Backport
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+diff -r 388987dff7bf -r a6e3d2f5183e src/audio/SDL_wave.c
+--- a/src/audio/SDL_wave.c      Sat Jun 08 18:02:09 2019 -0700
+++ b/src/audio/SDL_wave.c      Mon Jun 10 08:50:59 2019 -0700
+@@ -331,7 +331,7 @@
+ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ {
+        struct IMA_ADPCM_decodestate *state;
+-       Uint8 *freeable, *encoded, *decoded;
+       Uint8 *freeable, *encoded, *encoded_end, *decoded;
+        Sint32 encoded_len, samplesleft;
+        unsigned int c, channels;
+ 
+@@ -347,6 +347,7 @@
+        /* Allocate the proper sized output buffer */
+        encoded_len = *audio_len;
+        encoded = *audio_buf;
+       encoded_end = encoded + encoded_len;
+        freeable = *audio_buf;
+        *audio_len = (encoded_len/IMA_ADPCM_state.wavefmt.blockalign) * 
+                                IMA_ADPCM_state.wSamplesPerBlock*
+@@ -362,6 +363,7 @@
+        while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) {
+                /* Grab the initial information for this block */
+                for ( c=0; c<channels; ++c ) {
+                       if (encoded + 4 > encoded_end) goto invalid_size;
+                        /* Fill the state information for this block */
+                        state[c].sample = ((encoded[1]<<8)|encoded[0]);
+                        encoded += 2;
+@@ -384,6 +386,7 @@
+                samplesleft = (IMA_ADPCM_state.wSamplesPerBlock-1)*channels;
+                while ( samplesleft > 0 ) {
+                        for ( c=0; c<channels; ++c ) {
+                               if (encoded + 4 > encoded_end) goto invalid_size;
+                                Fill_IMA_ADPCM_block(decoded, encoded,
+                                                c, channels, &state[c]);
+                                encoded += 4;
+@@ -395,6 +398,10 @@
+        }
+        SDL_free(freeable);
+        return(0);
+invalid_size:
+       SDL_SetError("Unexpected chunk length for an IMA ADPCM decoder");
+       SDL_free(freeable);
+       return(-1);
+ }
+ 
+ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc,

diff --git a/meta-oe/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7574.patch b/meta-oe/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7574.patch new file mode 100644 index 000000000..9fd53da29 --- /dev/null +++ b/meta-oe/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7574.patch
@@ -0,0 +1,68 @@
	1	# HG changeset patch
	2	# User Petr Písař <ppisar@redhat.com>
	3	# Date 1560181859 25200
	4	# Mon Jun 10 08:50:59 2019 -0700
	5	# Branch SDL-1.2
	6	# Node ID a6e3d2f5183e1cc300ad993e10e9ce077e13bd9c
	7	# Parent 388987dff7bf8f1e214e69c2e4f1aa31e06396b5
	8	CVE-2019-7574: Fix a buffer overread in IMA_ADPCM_decode
	9	If data chunk was shorter than expected based on a WAV format
	10	definition, IMA_ADPCM_decode() tried to read past the data chunk
	11	buffer. This patch fixes it.
	12
	13	CVE-2019-7574
	14	https://bugzilla.libsdl.org/show_bug.cgi?id=4496
	15
	16	Signed-off-by: Petr Písař <ppisar@redhat.com>
	17
	18	CVE: CVE-2019-7574
	19	Upstream-Status: Backport
	20	Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
	21
	22	diff -r 388987dff7bf -r a6e3d2f5183e src/audio/SDL_wave.c
	23	--- a/src/audio/SDL_wave.c Sat Jun 08 18:02:09 2019 -0700
	24	+++ b/src/audio/SDL_wave.c Mon Jun 10 08:50:59 2019 -0700
	25	@@ -331,7 +331,7 @@
	26	static int IMA_ADPCM_decode(Uint8 *audio_buf, Uint32 audio_len)
	27	{
	28	struct IMA_ADPCM_decodestate *state;
	29	- Uint8 freeable, encoded, *decoded;
	30	+ Uint8 freeable, encoded, encoded_end, decoded;
	31	Sint32 encoded_len, samplesleft;
	32	unsigned int c, channels;
	33
	34	@@ -347,6 +347,7 @@
	35	/* Allocate the proper sized output buffer */
	36	encoded_len = *audio_len;
	37	encoded = *audio_buf;
	38	+ encoded_end = encoded + encoded_len;
	39	freeable = *audio_buf;
	40	audio_len = (encoded_len/IMA_ADPCM_state.wavefmt.blockalign)
	41	IMA_ADPCM_state.wSamplesPerBlock*
	42	@@ -362,6 +363,7 @@
	43	while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) {
	44	/* Grab the initial information for this block */
	45	for ( c=0; c<channels; ++c ) {
	46	+ if (encoded + 4 > encoded_end) goto invalid_size;
	47	/* Fill the state information for this block */
	48	state[c].sample = ((encoded[1]<<8)\|encoded[0]);
	49	encoded += 2;
	50	@@ -384,6 +386,7 @@
	51	samplesleft = (IMA_ADPCM_state.wSamplesPerBlock-1)*channels;
	52	while ( samplesleft > 0 ) {
	53	for ( c=0; c<channels; ++c ) {
	54	+ if (encoded + 4 > encoded_end) goto invalid_size;
	55	Fill_IMA_ADPCM_block(decoded, encoded,
	56	c, channels, &state[c]);
	57	encoded += 4;
	58	@@ -395,6 +398,10 @@
	59	}
	60	SDL_free(freeable);
	61	return(0);
	62	+invalid_size:
	63	+ SDL_SetError("Unexpected chunk length for an IMA ADPCM decoder");
	64	+ SDL_free(freeable);
	65	+ return(-1);
	66	}
	67
	68	SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc,