summaryrefslogtreecommitdiffstats
path: root/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7572.patch
blob: c41c2de0f3b0ace0cd59ed33fab13c75f5782cf6 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
# HG changeset patch
# User Petr Písař <ppisar@redhat.com>
# Date 1560182231 25200
#      Mon Jun 10 08:57:11 2019 -0700
# Branch SDL-1.2
# Node ID a8afedbcaea0e84921dc770195c4699bda3ccdc5
# Parent  faf9abbcfb5fe0d0ca23c4bf0394aa226ceccf02
CVE-2019-7572: Fix a buffer overwrite in IMA_ADPCM_decode
If data chunk was longer than expected based on a WAV format
definition, IMA_ADPCM_decode() tried to write past the output
buffer. This patch fixes it.

Based on patch from
<https://bugzilla.libsdl.org/show_bug.cgi?id=4496>.

CVE-2019-7572
https://bugzilla.libsdl.org/show_bug.cgi?id=4495

Signed-off-by: Petr Písař <ppisar@redhat.com>

# HG changeset patch
# User Petr Písař <ppisar@redhat.com>
# Date 1560041863 25200
#      Sat Jun 08 17:57:43 2019 -0700
# Branch SDL-1.2
# Node ID e52413f5258600878f9a10d2f92605a729aa8976
# Parent  4e73be7b47877ae11d2279bd916910d469d18f8e
CVE-2019-7572: Fix a buffer overread in IMA_ADPCM_nibble
If an IMA ADPCM block contained an initial index out of step table
range (loaded in IMA_ADPCM_decode()), IMA_ADPCM_nibble() blindly used
this bogus value and that lead to a buffer overread.

This patch fixes it by moving clamping the index value at the
beginning of IMA_ADPCM_nibble() function instead of the end after
an update.

CVE-2019-7572
https://bugzilla.libsdl.org/show_bug.cgi?id=4495

Signed-off-by: Petr Písař <ppisar@redhat.com>

CVE: CVE-2019-7572
Upstream-Status: Backport
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>

diff -r faf9abbcfb5f -r a8afedbcaea0 src/audio/SDL_wave.c
--- a/src/audio/SDL_wave.c	Mon Jun 10 08:54:29 2019 -0700
+++ b/src/audio/SDL_wave.c	Mon Jun 10 08:57:11 2019 -0700
@@ -346,7 +346,7 @@
 static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
 {
 	struct IMA_ADPCM_decodestate *state;
-	Uint8 *freeable, *encoded, *encoded_end, *decoded;
+	Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end;
 	Sint32 encoded_len, samplesleft;
 	unsigned int c, channels;
 
@@ -373,6 +373,7 @@
 		return(-1);
 	}
 	decoded = *audio_buf;
+	decoded_end = decoded + *audio_len;
 
 	/* Get ready... Go! */
 	while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) {
@@ -392,6 +393,7 @@
 			}
 
 			/* Store the initial sample we start with */
+			if (decoded + 2 > decoded_end) goto invalid_size;
 			decoded[0] = (Uint8)(state[c].sample&0xFF);
 			decoded[1] = (Uint8)(state[c].sample>>8);
 			decoded += 2;
@@ -402,6 +404,8 @@
 		while ( samplesleft > 0 ) {
 			for ( c=0; c<channels; ++c ) {
 				if (encoded + 4 > encoded_end) goto invalid_size;
+				if (decoded + 4 * 4 * channels > decoded_end)
+					goto invalid_size;
 				Fill_IMA_ADPCM_block(decoded, encoded,
 						c, channels, &state[c]);
 				encoded += 4;

diff -r 4e73be7b4787 -r e52413f52586 src/audio/SDL_wave.c
--- a/src/audio/SDL_wave.c	Sat Jun 01 18:27:46 2019 +0100
+++ b/src/audio/SDL_wave.c	Sat Jun 08 17:57:43 2019 -0700
@@ -264,6 +264,14 @@
 	};
 	Sint32 delta, step;
 
+	/* Clamp index value. The inital value can be invalid. */
+	if ( state->index > 88 ) {
+		state->index = 88;
+	} else
+	if ( state->index < 0 ) {
+		state->index = 0;
+	}
+
 	/* Compute difference and new sample value */
 	step = step_table[state->index];
 	delta = step >> 3;
@@ -275,12 +283,6 @@
 
 	/* Update index value */
 	state->index += index_table[nybble];
-	if ( state->index > 88 ) {
-		state->index = 88;
-	} else
-	if ( state->index < 0 ) {
-		state->index = 0;
-	}
 
 	/* Clamp output sample */
 	if ( state->sample > max_audioval ) {