# HG changeset patch # User Petr Písař # Date 1560042129 25200 # Sat Jun 08 18:02:09 2019 -0700 # Branch SDL-1.2 # Node ID 388987dff7bf8f1e214e69c2e4f1aa31e06396b5 # Parent e52413f5258600878f9a10d2f92605a729aa8976 CVE-2019-7578: Fix a buffer overread in InitIMA_ADPCM If IMA ADPCM format chunk was too short, InitIMA_ADPCM() parsing it could read past the end of chunk data. This patch fixes it. CVE-2019-7578 https://bugzilla.libsdl.org/show_bug.cgi?id=4494 Signed-off-by: Petr Písař CVE: CVE-2019-7578 Upstream-Status: Backport Signed-off-by: Anuj Mittal diff -r e52413f52586 -r 388987dff7bf src/audio/SDL_wave.c --- a/src/audio/SDL_wave.c Sat Jun 08 17:57:43 2019 -0700 +++ b/src/audio/SDL_wave.c Sat Jun 08 18:02:09 2019 -0700 @@ -222,11 +222,12 @@ struct IMA_ADPCM_decodestate state[2]; } IMA_ADPCM_state; -static int InitIMA_ADPCM(WaveFMT *format) +static int InitIMA_ADPCM(WaveFMT *format, int length) { - Uint8 *rogue_feel; + Uint8 *rogue_feel, *rogue_feel_end; /* Set the rogue pointer to the IMA_ADPCM specific data */ + if (length < sizeof(*format)) goto too_short; IMA_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding); IMA_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels); IMA_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency); @@ -235,11 +236,16 @@ IMA_ADPCM_state.wavefmt.bitspersample = SDL_SwapLE16(format->bitspersample); rogue_feel = (Uint8 *)format+sizeof(*format); + rogue_feel_end = (Uint8 *)format + length; if ( sizeof(*format) == 16 ) { rogue_feel += sizeof(Uint16); } + if (rogue_feel + 2 > rogue_feel_end) goto too_short; IMA_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1]<<8)|rogue_feel[0]); return(0); +too_short: + SDL_SetError("Unexpected length of a chunk with an IMA ADPCM format"); + return(-1); } static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble) @@ -471,7 +477,7 @@ break; case IMA_ADPCM_CODE: /* Try to understand this */ - if ( InitIMA_ADPCM(format) < 0 ) { + if ( InitIMA_ADPCM(format, lenread) < 0 ) { was_error = 1; goto done; }