diff options
Diffstat (limited to 'meta-oe/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7577.patch')
-rw-r--r-- | meta-oe/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7577.patch | 118 |
1 files changed, 118 insertions, 0 deletions
diff --git a/meta-oe/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7577.patch b/meta-oe/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7577.patch new file mode 100644 index 0000000000..63680b8b7f --- /dev/null +++ b/meta-oe/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7577.patch @@ -0,0 +1,118 @@ +# HG changeset patch +# User Petr Písař <ppisar@redhat.com> +# Date 1560182051 25200 +# Mon Jun 10 08:54:11 2019 -0700 +# Branch SDL-1.2 +# Node ID 416136310b88cbeeff8773e573e90ac1e22b3526 +# Parent a6e3d2f5183e1cc300ad993e10e9ce077e13bd9c +CVE-2019-7577: Fix a buffer overread in MS_ADPCM_decode +If RIFF/WAV data chunk length is shorter then expected for an audio +format defined in preceeding RIFF/WAV format headers, a buffer +overread can happen. + +This patch fixes it by checking a MS ADPCM data to be decoded are not +past the initialized buffer. + +CVE-2019-7577 +Reproducer: https://bugzilla.libsdl.org/show_bug.cgi?id=4492 + +Signed-off-by: Petr Písař <ppisar@redhat.com> + +# HG changeset patch +# User Petr Písař <ppisar@redhat.com> +# Date 1560182069 25200 +# Mon Jun 10 08:54:29 2019 -0700 +# Branch SDL-1.2 +# Node ID faf9abbcfb5fe0d0ca23c4bf0394aa226ceccf02 +# Parent 416136310b88cbeeff8773e573e90ac1e22b3526 +CVE-2019-7577: Fix a buffer overread in MS_ADPCM_nibble and MS_ADPCM_decode +If a chunk of RIFF/WAV file with MS ADPCM encoding contains an invalid +predictor (a valid predictor's value is between 0 and 6 inclusive), +a buffer overread can happen when the predictor is used as an index +into an array of MS ADPCM coefficients. + +The overead happens when indexing MS_ADPCM_state.aCoeff[] array in +MS_ADPCM_decode() and later when dereferencing a coef pointer in +MS_ADPCM_nibble(). + +This patch fixes it by checking the MS ADPCM predictor values fit +into the valid range. + +CVE-2019-7577 +Reproducer: https://bugzilla.libsdl.org/show_bug.cgi?id=4492 + +Signed-off-by: Petr Písař <ppisar@redhat.com> + +CVE: CVE-2019-7577 +Upstream-Status: Backport +Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> + +Refresh CVE-2019-7577.patch as it can't be applyed when using PATCHTOOL = "patch". +Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com> +--- + src/audio/SDL_wave.c | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c +index b4ad6c7..0bcf7e2 100644 +--- a/src/audio/SDL_wave.c ++++ b/src/audio/SDL_wave.c +@@ -115,7 +115,7 @@ static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state, + static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + { + struct MS_ADPCM_decodestate *state[2]; +- Uint8 *freeable, *encoded, *decoded; ++ Uint8 *freeable, *encoded, *encoded_end, *decoded; + Sint32 encoded_len, samplesleft; + Sint8 nybble, stereo; + Sint16 *coeff[2]; +@@ -124,6 +124,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + /* Allocate the proper sized output buffer */ + encoded_len = *audio_len; + encoded = *audio_buf; ++ encoded_end = encoded + encoded_len; + freeable = *audio_buf; + *audio_len = (encoded_len/MS_ADPCM_state.wavefmt.blockalign) * + MS_ADPCM_state.wSamplesPerBlock* +@@ -141,10 +142,14 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + state[1] = &MS_ADPCM_state.state[stereo]; + while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) { + /* Grab the initial information for this block */ ++ if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto too_short; + state[0]->hPredictor = *encoded++; + if ( stereo ) { + state[1]->hPredictor = *encoded++; + } ++ if (state[0]->hPredictor >= 7 || state[1]->hPredictor >= 7) { ++ goto invalid_predictor; ++ } + state[0]->iDelta = ((encoded[1]<<8)|encoded[0]); + encoded += sizeof(Sint16); + if ( stereo ) { +@@ -188,6 +193,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)* + MS_ADPCM_state.wavefmt.channels; + while ( samplesleft > 0 ) { ++ if (encoded + 1 > encoded_end) goto too_short; ++ + nybble = (*encoded)>>4; + new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]); + decoded[0] = new_sample&0xFF; +@@ -209,6 +216,14 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + } + SDL_free(freeable); + return(0); ++too_short: ++ SDL_SetError("Too short chunk for a MS ADPCM decoder"); ++ SDL_free(freeable); ++ return(-1); ++invalid_predictor: ++ SDL_SetError("Invalid predictor value for a MS ADPCM decoder"); ++ SDL_free(freeable); ++ return(-1); + } + + struct IMA_ADPCM_decodestate { +-- +2.7.4 + |