summaryrefslogtreecommitdiffstats
path: root/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7574.patch
diff options
context:
space:
mode:
authorAnuj Mittal <anuj.mittal@intel.com>2019-07-25 12:03:05 +0800
committerArmin Kuster <akuster808@gmail.com>2019-08-09 20:19:19 -0700
commit145ac96bffc421a970f34e669cda3c1493c485ff (patch)
treeaa6dc2d59aab0d84a3ec95662a0a2c08510d1a3a /meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7574.patch
parentd451c37e5f5765440efd77e4c7b0951875f03b33 (diff)
downloadopenembedded-core-contrib-145ac96bffc421a970f34e669cda3c1493c485ff.tar.gz
libsdl: CVE fixes
Fixes CVE-2019-7572, CVE-2019-7574, CVE-2019-7575, CVE-2019-7576, CVE-2019-7577, CVE-2019-7578, CVE-2019-7635, CVE-2019-7637, CVE-2019-7638. Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
Diffstat (limited to 'meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7574.patch')
-rw-r--r--meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7574.patch68
1 files changed, 68 insertions, 0 deletions
diff --git a/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7574.patch b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7574.patch
new file mode 100644
index 0000000000..9fd53da29b
--- /dev/null
+++ b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7574.patch
@@ -0,0 +1,68 @@
+# HG changeset patch
+# User Petr Písař <ppisar@redhat.com>
+# Date 1560181859 25200
+# Mon Jun 10 08:50:59 2019 -0700
+# Branch SDL-1.2
+# Node ID a6e3d2f5183e1cc300ad993e10e9ce077e13bd9c
+# Parent 388987dff7bf8f1e214e69c2e4f1aa31e06396b5
+CVE-2019-7574: Fix a buffer overread in IMA_ADPCM_decode
+If data chunk was shorter than expected based on a WAV format
+definition, IMA_ADPCM_decode() tried to read past the data chunk
+buffer. This patch fixes it.
+
+CVE-2019-7574
+https://bugzilla.libsdl.org/show_bug.cgi?id=4496
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+
+CVE: CVE-2019-7574
+Upstream-Status: Backport
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+
+diff -r 388987dff7bf -r a6e3d2f5183e src/audio/SDL_wave.c
+--- a/src/audio/SDL_wave.c Sat Jun 08 18:02:09 2019 -0700
++++ b/src/audio/SDL_wave.c Mon Jun 10 08:50:59 2019 -0700
+@@ -331,7 +331,7 @@
+ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ {
+ struct IMA_ADPCM_decodestate *state;
+- Uint8 *freeable, *encoded, *decoded;
++ Uint8 *freeable, *encoded, *encoded_end, *decoded;
+ Sint32 encoded_len, samplesleft;
+ unsigned int c, channels;
+
+@@ -347,6 +347,7 @@
+ /* Allocate the proper sized output buffer */
+ encoded_len = *audio_len;
+ encoded = *audio_buf;
++ encoded_end = encoded + encoded_len;
+ freeable = *audio_buf;
+ *audio_len = (encoded_len/IMA_ADPCM_state.wavefmt.blockalign) *
+ IMA_ADPCM_state.wSamplesPerBlock*
+@@ -362,6 +363,7 @@
+ while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) {
+ /* Grab the initial information for this block */
+ for ( c=0; c<channels; ++c ) {
++ if (encoded + 4 > encoded_end) goto invalid_size;
+ /* Fill the state information for this block */
+ state[c].sample = ((encoded[1]<<8)|encoded[0]);
+ encoded += 2;
+@@ -384,6 +386,7 @@
+ samplesleft = (IMA_ADPCM_state.wSamplesPerBlock-1)*channels;
+ while ( samplesleft > 0 ) {
+ for ( c=0; c<channels; ++c ) {
++ if (encoded + 4 > encoded_end) goto invalid_size;
+ Fill_IMA_ADPCM_block(decoded, encoded,
+ c, channels, &state[c]);
+ encoded += 4;
+@@ -395,6 +398,10 @@
+ }
+ SDL_free(freeable);
+ return(0);
++invalid_size:
++ SDL_SetError("Unexpected chunk length for an IMA ADPCM decoder");
++ SDL_free(freeable);
++ return(-1);
+ }
+
+ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc,