1 files changed, 81 insertions, 0 deletions

diff --git a/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7575.patch b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7575.patch
new file mode 100644
index 0000000000..a3e8416d0e
--- /dev/null
+++ b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7575.patch
@@ -0,0 +1,81 @@
+# HG changeset patch
+# User Petr Písař <ppisar@redhat.com>
+# Date 1560183905 25200
+#      Mon Jun 10 09:25:05 2019 -0700
+# Branch SDL-1.2
+# Node ID a936f9bd3e381d67d8ddee8b9243f85799ea4798
+# Parent  fcbecae427951bac1684baaba2ade68221315140
+CVE-2019-7575: Fix a buffer overwrite in MS_ADPCM_decode
+If a WAV format defines shorter audio stream and decoded MS ADPCM data chunk
+is longer, decoding continued past the output audio buffer.
+
+This fix is based on a patch from
+<https://bugzilla.libsdl.org/show_bug.cgi?id=4492>.
+
+https://bugzilla.libsdl.org/show_bug.cgi?id=4493
+CVE-2019-7575
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+
+CVE: CVE-2019-7575
+Upstream-Status: Backport
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+
+diff -r fcbecae42795 -r a936f9bd3e38 src/audio/SDL_wave.c
+--- a/src/audio/SDL_wave.c      Mon Jun 10 09:06:23 2019 -0700
++++ b/src/audio/SDL_wave.c      Mon Jun 10 09:25:05 2019 -0700
+@@ -122,7 +122,7 @@
+ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ {
+        struct MS_ADPCM_decodestate *state[2];
+-       Uint8 *freeable, *encoded, *encoded_end, *decoded;
++       Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end;
+        Sint32 encoded_len, samplesleft;
+        Sint8 nybble, stereo;
+        Sint16 *coeff[2];
+@@ -142,6 +142,7 @@
+                return(-1);
+        }
+        decoded = *audio_buf;
++       decoded_end = decoded + *audio_len;
+ 
+        /* Get ready... Go! */
+        stereo = (MS_ADPCM_state.wavefmt.channels == 2);
+@@ -149,7 +150,7 @@
+        state[1] = &MS_ADPCM_state.state[stereo];
+        while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) {
+                /* Grab the initial information for this block */
+-               if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto too_short;
++               if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto invalid_size;
+                state[0]->hPredictor = *encoded++;
+                if ( stereo ) {
+                        state[1]->hPredictor = *encoded++;
+@@ -179,6 +180,7 @@
+                coeff[1] = MS_ADPCM_state.aCoeff[state[1]->hPredictor];
+ 
+                /* Store the two initial samples we start with */
++               if (decoded + 4 + (stereo ? 4 : 0) > decoded_end) goto invalid_size;
+                decoded[0] = state[0]->iSamp2&0xFF;
+                decoded[1] = state[0]->iSamp2>>8;
+                decoded += 2;
+@@ -200,7 +202,8 @@
+                samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)*
+                                        MS_ADPCM_state.wavefmt.channels;
+                while ( samplesleft > 0 ) {
+-                       if (encoded + 1 > encoded_end) goto too_short;
++                       if (encoded + 1 > encoded_end) goto invalid_size;
++                       if (decoded + 4 > decoded_end) goto invalid_size;
+ 
+                        nybble = (*encoded)>>4;
+                        new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]);
+@@ -223,8 +226,8 @@
+        }
+        SDL_free(freeable);
+        return(0);
+-too_short:
+-       SDL_SetError("Too short chunk for a MS ADPCM decoder");
++invalid_size:
++       SDL_SetError("Unexpected chunk length for a MS ADPCM decoder");
+        SDL_free(freeable);
+        return(-1);
+ invalid_predictor: