summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--meta-oe/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7577.patch55
1 files changed, 25 insertions, 30 deletions
diff --git a/meta-oe/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7577.patch b/meta-oe/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7577.patch
index 92e40aec5e..63680b8b7f 100644
--- a/meta-oe/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7577.patch
+++ b/meta-oe/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7577.patch
@@ -47,10 +47,17 @@ CVE: CVE-2019-7577
47Upstream-Status: Backport 47Upstream-Status: Backport
48Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> 48Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
49 49
50diff -r a6e3d2f5183e -r 416136310b88 src/audio/SDL_wave.c 50Refresh CVE-2019-7577.patch as it can't be applyed when using PATCHTOOL = "patch".
51--- a/src/audio/SDL_wave.c Mon Jun 10 08:50:59 2019 -0700 51Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
52+++ b/src/audio/SDL_wave.c Mon Jun 10 08:54:11 2019 -0700 52---
53@@ -115,7 +115,7 @@ 53 src/audio/SDL_wave.c | 17 ++++++++++++++++-
54 1 file changed, 16 insertions(+), 1 deletion(-)
55
56diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
57index b4ad6c7..0bcf7e2 100644
58--- a/src/audio/SDL_wave.c
59+++ b/src/audio/SDL_wave.c
60@@ -115,7 +115,7 @@ static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state,
54 static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) 61 static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
55 { 62 {
56 struct MS_ADPCM_decodestate *state[2]; 63 struct MS_ADPCM_decodestate *state[2];
@@ -59,7 +66,7 @@ diff -r a6e3d2f5183e -r 416136310b88 src/audio/SDL_wave.c
59 Sint32 encoded_len, samplesleft; 66 Sint32 encoded_len, samplesleft;
60 Sint8 nybble, stereo; 67 Sint8 nybble, stereo;
61 Sint16 *coeff[2]; 68 Sint16 *coeff[2];
62@@ -124,6 +124,7 @@ 69@@ -124,6 +124,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
63 /* Allocate the proper sized output buffer */ 70 /* Allocate the proper sized output buffer */
64 encoded_len = *audio_len; 71 encoded_len = *audio_len;
65 encoded = *audio_buf; 72 encoded = *audio_buf;
@@ -67,7 +74,7 @@ diff -r a6e3d2f5183e -r 416136310b88 src/audio/SDL_wave.c
67 freeable = *audio_buf; 74 freeable = *audio_buf;
68 *audio_len = (encoded_len/MS_ADPCM_state.wavefmt.blockalign) * 75 *audio_len = (encoded_len/MS_ADPCM_state.wavefmt.blockalign) *
69 MS_ADPCM_state.wSamplesPerBlock* 76 MS_ADPCM_state.wSamplesPerBlock*
70@@ -141,6 +142,7 @@ 77@@ -141,10 +142,14 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
71 state[1] = &MS_ADPCM_state.state[stereo]; 78 state[1] = &MS_ADPCM_state.state[stereo];
72 while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) { 79 while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) {
73 /* Grab the initial information for this block */ 80 /* Grab the initial information for this block */
@@ -75,7 +82,14 @@ diff -r a6e3d2f5183e -r 416136310b88 src/audio/SDL_wave.c
75 state[0]->hPredictor = *encoded++; 82 state[0]->hPredictor = *encoded++;
76 if ( stereo ) { 83 if ( stereo ) {
77 state[1]->hPredictor = *encoded++; 84 state[1]->hPredictor = *encoded++;
78@@ -188,6 +190,8 @@ 85 }
86+ if (state[0]->hPredictor >= 7 || state[1]->hPredictor >= 7) {
87+ goto invalid_predictor;
88+ }
89 state[0]->iDelta = ((encoded[1]<<8)|encoded[0]);
90 encoded += sizeof(Sint16);
91 if ( stereo ) {
92@@ -188,6 +193,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
79 samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)* 93 samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)*
80 MS_ADPCM_state.wavefmt.channels; 94 MS_ADPCM_state.wavefmt.channels;
81 while ( samplesleft > 0 ) { 95 while ( samplesleft > 0 ) {
@@ -84,7 +98,7 @@ diff -r a6e3d2f5183e -r 416136310b88 src/audio/SDL_wave.c
84 nybble = (*encoded)>>4; 98 nybble = (*encoded)>>4;
85 new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]); 99 new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]);
86 decoded[0] = new_sample&0xFF; 100 decoded[0] = new_sample&0xFF;
87@@ -209,6 +213,10 @@ 101@@ -209,6 +216,14 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
88 } 102 }
89 SDL_free(freeable); 103 SDL_free(freeable);
90 return(0); 104 return(0);
@@ -92,28 +106,6 @@ diff -r a6e3d2f5183e -r 416136310b88 src/audio/SDL_wave.c
92+ SDL_SetError("Too short chunk for a MS ADPCM decoder"); 106+ SDL_SetError("Too short chunk for a MS ADPCM decoder");
93+ SDL_free(freeable); 107+ SDL_free(freeable);
94+ return(-1); 108+ return(-1);
95 }
96
97 struct IMA_ADPCM_decodestate {
98
99
100diff -r 416136310b88 -r faf9abbcfb5f src/audio/SDL_wave.c
101--- a/src/audio/SDL_wave.c Mon Jun 10 08:54:11 2019 -0700
102+++ b/src/audio/SDL_wave.c Mon Jun 10 08:54:29 2019 -0700
103@@ -147,6 +147,9 @@
104 if ( stereo ) {
105 state[1]->hPredictor = *encoded++;
106 }
107+ if (state[0]->hPredictor >= 7 || state[1]->hPredictor >= 7) {
108+ goto invalid_predictor;
109+ }
110 state[0]->iDelta = ((encoded[1]<<8)|encoded[0]);
111 encoded += sizeof(Sint16);
112 if ( stereo ) {
113@@ -217,6 +220,10 @@
114 SDL_SetError("Too short chunk for a MS ADPCM decoder");
115 SDL_free(freeable);
116 return(-1);
117+invalid_predictor: 109+invalid_predictor:
118+ SDL_SetError("Invalid predictor value for a MS ADPCM decoder"); 110+ SDL_SetError("Invalid predictor value for a MS ADPCM decoder");
119+ SDL_free(freeable); 111+ SDL_free(freeable);
@@ -121,3 +113,6 @@ diff -r 416136310b88 -r faf9abbcfb5f src/audio/SDL_wave.c
121 } 113 }
122 114
123 struct IMA_ADPCM_decodestate { 115 struct IMA_ADPCM_decodestate {
116--
1172.7.4
118
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2026-04-22 00:33:47 +0000