1 files changed, 123 insertions, 0 deletions
diff --git a/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7577.patch b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7577.patch
new file mode 100644
index 0000000000..92e40aec5e
--- /dev/null
+++ b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7577.patch
@@ -0,0 +1,123 @@
+# HG changeset patch
+# User Petr Písař <ppisar@redhat.com>
+# Date 1560182051 25200
+#      Mon Jun 10 08:54:11 2019 -0700
+# Branch SDL-1.2
+# Node ID 416136310b88cbeeff8773e573e90ac1e22b3526
+# Parent  a6e3d2f5183e1cc300ad993e10e9ce077e13bd9c
+CVE-2019-7577: Fix a buffer overread in MS_ADPCM_decode
+If RIFF/WAV data chunk length is shorter then expected for an audio
+format defined in preceeding RIFF/WAV format headers, a buffer
+overread can happen.
+This patch fixes it by checking a MS ADPCM data to be decoded are not
+past the initialized buffer.
+CVE-2019-7577
+Reproducer: https://bugzilla.libsdl.org/show_bug.cgi?id=4492
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+# HG changeset patch
+# User Petr Písař <ppisar@redhat.com>
+# Date 1560182069 25200
+#      Mon Jun 10 08:54:29 2019 -0700
+# Branch SDL-1.2
+# Node ID faf9abbcfb5fe0d0ca23c4bf0394aa226ceccf02
+# Parent  416136310b88cbeeff8773e573e90ac1e22b3526
+CVE-2019-7577: Fix a buffer overread in MS_ADPCM_nibble and MS_ADPCM_decode
+If a chunk of RIFF/WAV file with MS ADPCM encoding contains an invalid
+predictor (a valid predictor's value is between 0 and 6 inclusive),
+a buffer overread can happen when the predictor is used as an index
+into an array of MS ADPCM coefficients.
+The overead happens when indexing MS_ADPCM_state.aCoeff[] array in
+MS_ADPCM_decode() and later when dereferencing a coef pointer in
+MS_ADPCM_nibble().
+This patch fixes it by checking the MS ADPCM predictor values fit
+into the valid range.
+CVE-2019-7577
+Reproducer: https://bugzilla.libsdl.org/show_bug.cgi?id=4492
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+CVE: CVE-2019-7577
+Upstream-Status: Backport
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+diff -r a6e3d2f5183e -r 416136310b88 src/audio/SDL_wave.c
+--- a/src/audio/SDL_wave.c      Mon Jun 10 08:50:59 2019 -0700
+++ b/src/audio/SDL_wave.c      Mon Jun 10 08:54:11 2019 -0700
+@@ -115,7 +115,7 @@
+ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ {
+        struct MS_ADPCM_decodestate *state[2];
+-       Uint8 *freeable, *encoded, *decoded;
+       Uint8 *freeable, *encoded, *encoded_end, *decoded;
+        Sint32 encoded_len, samplesleft;
+        Sint8 nybble, stereo;
+        Sint16 *coeff[2];
+@@ -124,6 +124,7 @@
+        /* Allocate the proper sized output buffer */
+        encoded_len = *audio_len;
+        encoded = *audio_buf;
+       encoded_end = encoded + encoded_len;
+        freeable = *audio_buf;
+        *audio_len = (encoded_len/MS_ADPCM_state.wavefmt.blockalign) * 
+                                MS_ADPCM_state.wSamplesPerBlock*
+@@ -141,6 +142,7 @@
+        state[1] = &MS_ADPCM_state.state[stereo];
+        while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) {
+                /* Grab the initial information for this block */
+               if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto too_short;
+                state[0]->hPredictor = *encoded++;
+                if ( stereo ) {
+                        state[1]->hPredictor = *encoded++;
+@@ -188,6 +190,8 @@
+                samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)*
+                                        MS_ADPCM_state.wavefmt.channels;
+                while ( samplesleft > 0 ) {
+                       if (encoded + 1 > encoded_end) goto too_short;
+
+                        nybble = (*encoded)>>4;
+                        new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]);
+                        decoded[0] = new_sample&0xFF;
+@@ -209,6 +213,10 @@
+        }
+        SDL_free(freeable);
+        return(0);
+too_short:
+       SDL_SetError("Too short chunk for a MS ADPCM decoder");
+       SDL_free(freeable);
+       return(-1);
+ }
+ 
+ struct IMA_ADPCM_decodestate {
+diff -r 416136310b88 -r faf9abbcfb5f src/audio/SDL_wave.c
+--- a/src/audio/SDL_wave.c      Mon Jun 10 08:54:11 2019 -0700
+++ b/src/audio/SDL_wave.c      Mon Jun 10 08:54:29 2019 -0700
+@@ -147,6 +147,9 @@
+                if ( stereo ) {
+                        state[1]->hPredictor = *encoded++;
+                }
+               if (state[0]->hPredictor >= 7 || state[1]->hPredictor >= 7) {
+                       goto invalid_predictor;
+               }
+                state[0]->iDelta = ((encoded[1]<<8)|encoded[0]);
+                encoded += sizeof(Sint16);
+                if ( stereo ) {
+@@ -217,6 +220,10 @@
+        SDL_SetError("Too short chunk for a MS ADPCM decoder");
+        SDL_free(freeable);
+        return(-1);
+invalid_predictor:
+       SDL_SetError("Invalid predictor value for a MS ADPCM decoder");
+       SDL_free(freeable);
+       return(-1);
+ }
+ 
+ struct IMA_ADPCM_decodestate {

diff --git a/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7577.patch b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7577.patch new file mode 100644 index 0000000000..92e40aec5e --- /dev/null +++ b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7577.patch
@@ -0,0 +1,123 @@
	1	# HG changeset patch
	2	# User Petr Písař <ppisar@redhat.com>
	3	# Date 1560182051 25200
	4	# Mon Jun 10 08:54:11 2019 -0700
	5	# Branch SDL-1.2
	6	# Node ID 416136310b88cbeeff8773e573e90ac1e22b3526
	7	# Parent a6e3d2f5183e1cc300ad993e10e9ce077e13bd9c
	8	CVE-2019-7577: Fix a buffer overread in MS_ADPCM_decode
	9	If RIFF/WAV data chunk length is shorter then expected for an audio
	10	format defined in preceeding RIFF/WAV format headers, a buffer
	11	overread can happen.
	12
	13	This patch fixes it by checking a MS ADPCM data to be decoded are not
	14	past the initialized buffer.
	15
	16	CVE-2019-7577
	17	Reproducer: https://bugzilla.libsdl.org/show_bug.cgi?id=4492
	18
	19	Signed-off-by: Petr Písař <ppisar@redhat.com>
	20
	21	# HG changeset patch
	22	# User Petr Písař <ppisar@redhat.com>
	23	# Date 1560182069 25200
	24	# Mon Jun 10 08:54:29 2019 -0700
	25	# Branch SDL-1.2
	26	# Node ID faf9abbcfb5fe0d0ca23c4bf0394aa226ceccf02
	27	# Parent 416136310b88cbeeff8773e573e90ac1e22b3526
	28	CVE-2019-7577: Fix a buffer overread in MS_ADPCM_nibble and MS_ADPCM_decode
	29	If a chunk of RIFF/WAV file with MS ADPCM encoding contains an invalid
	30	predictor (a valid predictor's value is between 0 and 6 inclusive),
	31	a buffer overread can happen when the predictor is used as an index
	32	into an array of MS ADPCM coefficients.
	33
	34	The overead happens when indexing MS_ADPCM_state.aCoeff[] array in
	35	MS_ADPCM_decode() and later when dereferencing a coef pointer in
	36	MS_ADPCM_nibble().
	37
	38	This patch fixes it by checking the MS ADPCM predictor values fit
	39	into the valid range.
	40
	41	CVE-2019-7577
	42	Reproducer: https://bugzilla.libsdl.org/show_bug.cgi?id=4492
	43
	44	Signed-off-by: Petr Písař <ppisar@redhat.com>
	45
	46	CVE: CVE-2019-7577
	47	Upstream-Status: Backport
	48	Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
	49
	50	diff -r a6e3d2f5183e -r 416136310b88 src/audio/SDL_wave.c
	51	--- a/src/audio/SDL_wave.c Mon Jun 10 08:50:59 2019 -0700
	52	+++ b/src/audio/SDL_wave.c Mon Jun 10 08:54:11 2019 -0700
	53	@@ -115,7 +115,7 @@
	54	static int MS_ADPCM_decode(Uint8 *audio_buf, Uint32 audio_len)
	55	{
	56	struct MS_ADPCM_decodestate *state[2];
	57	- Uint8 freeable, encoded, *decoded;
	58	+ Uint8 freeable, encoded, encoded_end, decoded;
	59	Sint32 encoded_len, samplesleft;
	60	Sint8 nybble, stereo;
	61	Sint16 *coeff[2];
	62	@@ -124,6 +124,7 @@
	63	/* Allocate the proper sized output buffer */
	64	encoded_len = *audio_len;
	65	encoded = *audio_buf;
	66	+ encoded_end = encoded + encoded_len;
	67	freeable = *audio_buf;
	68	audio_len = (encoded_len/MS_ADPCM_state.wavefmt.blockalign)
	69	MS_ADPCM_state.wSamplesPerBlock*
	70	@@ -141,6 +142,7 @@
	71	state[1] = &MS_ADPCM_state.state[stereo];
	72	while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) {
	73	/* Grab the initial information for this block */
	74	+ if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto too_short;
	75	state[0]->hPredictor = *encoded++;
	76	if ( stereo ) {
	77	state[1]->hPredictor = *encoded++;
	78	@@ -188,6 +190,8 @@
	79	samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)*
	80	MS_ADPCM_state.wavefmt.channels;
	81	while ( samplesleft > 0 ) {
	82	+ if (encoded + 1 > encoded_end) goto too_short;
	83	+
	84	nybble = (*encoded)>>4;
	85	new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]);
	86	decoded[0] = new_sample&0xFF;
	87	@@ -209,6 +213,10 @@
	88	}
	89	SDL_free(freeable);
	90	return(0);
	91	+too_short:
	92	+ SDL_SetError("Too short chunk for a MS ADPCM decoder");
	93	+ SDL_free(freeable);
	94	+ return(-1);
	95	}
	96
	97	struct IMA_ADPCM_decodestate {
	98
	99
	100	diff -r 416136310b88 -r faf9abbcfb5f src/audio/SDL_wave.c
	101	--- a/src/audio/SDL_wave.c Mon Jun 10 08:54:11 2019 -0700
	102	+++ b/src/audio/SDL_wave.c Mon Jun 10 08:54:29 2019 -0700
	103	@@ -147,6 +147,9 @@
	104	if ( stereo ) {
	105	state[1]->hPredictor = *encoded++;
	106	}
	107	+ if (state[0]->hPredictor >= 7 \|\| state[1]->hPredictor >= 7) {
	108	+ goto invalid_predictor;
	109	+ }
	110	state[0]->iDelta = ((encoded[1]<<8)\|encoded[0]);
	111	encoded += sizeof(Sint16);
	112	if ( stereo ) {
	113	@@ -217,6 +220,10 @@
	114	SDL_SetError("Too short chunk for a MS ADPCM decoder");
	115	SDL_free(freeable);
	116	return(-1);
	117	+invalid_predictor:
	118	+ SDL_SetError("Invalid predictor value for a MS ADPCM decoder");
	119	+ SDL_free(freeable);
	120	+ return(-1);
	121	}
	122
	123	struct IMA_ADPCM_decodestate {