summaryrefslogtreecommitdiffstats
path: root/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7577.patch
blob: 92e40aec5e300bdd615da6fddf413a81f58f75f0 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
# HG changeset patch
# User Petr Písař <ppisar@redhat.com>
# Date 1560182051 25200
#      Mon Jun 10 08:54:11 2019 -0700
# Branch SDL-1.2
# Node ID 416136310b88cbeeff8773e573e90ac1e22b3526
# Parent  a6e3d2f5183e1cc300ad993e10e9ce077e13bd9c
CVE-2019-7577: Fix a buffer overread in MS_ADPCM_decode
If RIFF/WAV data chunk length is shorter then expected for an audio
format defined in preceeding RIFF/WAV format headers, a buffer
overread can happen.

This patch fixes it by checking a MS ADPCM data to be decoded are not
past the initialized buffer.

CVE-2019-7577
Reproducer: https://bugzilla.libsdl.org/show_bug.cgi?id=4492

Signed-off-by: Petr Písař <ppisar@redhat.com>

# HG changeset patch
# User Petr Písař <ppisar@redhat.com>
# Date 1560182069 25200
#      Mon Jun 10 08:54:29 2019 -0700
# Branch SDL-1.2
# Node ID faf9abbcfb5fe0d0ca23c4bf0394aa226ceccf02
# Parent  416136310b88cbeeff8773e573e90ac1e22b3526
CVE-2019-7577: Fix a buffer overread in MS_ADPCM_nibble and MS_ADPCM_decode
If a chunk of RIFF/WAV file with MS ADPCM encoding contains an invalid
predictor (a valid predictor's value is between 0 and 6 inclusive),
a buffer overread can happen when the predictor is used as an index
into an array of MS ADPCM coefficients.

The overead happens when indexing MS_ADPCM_state.aCoeff[] array in
MS_ADPCM_decode() and later when dereferencing a coef pointer in
MS_ADPCM_nibble().

This patch fixes it by checking the MS ADPCM predictor values fit
into the valid range.

CVE-2019-7577
Reproducer: https://bugzilla.libsdl.org/show_bug.cgi?id=4492

Signed-off-by: Petr Písař <ppisar@redhat.com>

CVE: CVE-2019-7577
Upstream-Status: Backport
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>

diff -r a6e3d2f5183e -r 416136310b88 src/audio/SDL_wave.c
--- a/src/audio/SDL_wave.c	Mon Jun 10 08:50:59 2019 -0700
+++ b/src/audio/SDL_wave.c	Mon Jun 10 08:54:11 2019 -0700
@@ -115,7 +115,7 @@
 static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
 {
 	struct MS_ADPCM_decodestate *state[2];
-	Uint8 *freeable, *encoded, *decoded;
+	Uint8 *freeable, *encoded, *encoded_end, *decoded;
 	Sint32 encoded_len, samplesleft;
 	Sint8 nybble, stereo;
 	Sint16 *coeff[2];
@@ -124,6 +124,7 @@
 	/* Allocate the proper sized output buffer */
 	encoded_len = *audio_len;
 	encoded = *audio_buf;
+	encoded_end = encoded + encoded_len;
 	freeable = *audio_buf;
 	*audio_len = (encoded_len/MS_ADPCM_state.wavefmt.blockalign) * 
 				MS_ADPCM_state.wSamplesPerBlock*
@@ -141,6 +142,7 @@
 	state[1] = &MS_ADPCM_state.state[stereo];
 	while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) {
 		/* Grab the initial information for this block */
+		if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto too_short;
 		state[0]->hPredictor = *encoded++;
 		if ( stereo ) {
 			state[1]->hPredictor = *encoded++;
@@ -188,6 +190,8 @@
 		samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)*
 					MS_ADPCM_state.wavefmt.channels;
 		while ( samplesleft > 0 ) {
+			if (encoded + 1 > encoded_end) goto too_short;
+
 			nybble = (*encoded)>>4;
 			new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]);
 			decoded[0] = new_sample&0xFF;
@@ -209,6 +213,10 @@
 	}
 	SDL_free(freeable);
 	return(0);
+too_short:
+	SDL_SetError("Too short chunk for a MS ADPCM decoder");
+	SDL_free(freeable);
+	return(-1);
 }
 
 struct IMA_ADPCM_decodestate {


diff -r 416136310b88 -r faf9abbcfb5f src/audio/SDL_wave.c
--- a/src/audio/SDL_wave.c	Mon Jun 10 08:54:11 2019 -0700
+++ b/src/audio/SDL_wave.c	Mon Jun 10 08:54:29 2019 -0700
@@ -147,6 +147,9 @@
 		if ( stereo ) {
 			state[1]->hPredictor = *encoded++;
 		}
+		if (state[0]->hPredictor >= 7 || state[1]->hPredictor >= 7) {
+			goto invalid_predictor;
+		}
 		state[0]->iDelta = ((encoded[1]<<8)|encoded[0]);
 		encoded += sizeof(Sint16);
 		if ( stereo ) {
@@ -217,6 +220,10 @@
 	SDL_SetError("Too short chunk for a MS ADPCM decoder");
 	SDL_free(freeable);
 	return(-1);
+invalid_predictor:
+	SDL_SetError("Invalid predictor value for a MS ADPCM decoder");
+	SDL_free(freeable);
+	return(-1);
 }
 
 struct IMA_ADPCM_decodestate {