meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7576.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80

# HG changeset patch
# User Petr Písař <ppisar@redhat.com>
# Date 1560182783 25200
#      Mon Jun 10 09:06:23 2019 -0700
# Branch SDL-1.2
# Node ID fcbecae427951bac1684baaba2ade68221315140
# Parent  a8afedbcaea0e84921dc770195c4699bda3ccdc5
CVE-2019-7573, CVE-2019-7576: Fix buffer overreads in InitMS_ADPCM
If MS ADPCM format chunk was too short, InitMS_ADPCM() parsing it
could read past the end of chunk data. This patch fixes it.

CVE-2019-7573
https://bugzilla.libsdl.org/show_bug.cgi?id=4491
CVE-2019-7576
https://bugzilla.libsdl.org/show_bug.cgi?id=4490

Signed-off-by: Petr Písař <ppisar@redhat.com>

CVE: CVE-2019-7573
CVE: CVE-2019-7576
Upstream-Status: Backport
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>

diff -r a8afedbcaea0 -r fcbecae42795 src/audio/SDL_wave.c
--- a/src/audio/SDL_wave.c	Mon Jun 10 08:57:11 2019 -0700
+++ b/src/audio/SDL_wave.c	Mon Jun 10 09:06:23 2019 -0700
@@ -44,12 +44,13 @@
 	struct MS_ADPCM_decodestate state[2];
 } MS_ADPCM_state;
 
-static int InitMS_ADPCM(WaveFMT *format)
+static int InitMS_ADPCM(WaveFMT *format, int length)
 {
-	Uint8 *rogue_feel;
+	Uint8 *rogue_feel, *rogue_feel_end;
 	int i;
 
 	/* Set the rogue pointer to the MS_ADPCM specific data */
+	if (length < sizeof(*format)) goto too_short;
 	MS_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding);
 	MS_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels);
 	MS_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency);
@@ -58,9 +59,11 @@
 	MS_ADPCM_state.wavefmt.bitspersample =
 					 SDL_SwapLE16(format->bitspersample);
 	rogue_feel = (Uint8 *)format+sizeof(*format);
+	rogue_feel_end = (Uint8 *)format + length;
 	if ( sizeof(*format) == 16 ) {
 		rogue_feel += sizeof(Uint16);
 	}
+	if (rogue_feel + 4 > rogue_feel_end) goto too_short;
 	MS_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1]<<8)|rogue_feel[0]);
 	rogue_feel += sizeof(Uint16);
 	MS_ADPCM_state.wNumCoef = ((rogue_feel[1]<<8)|rogue_feel[0]);
@@ -70,12 +73,16 @@
 		return(-1);
 	}
 	for ( i=0; i<MS_ADPCM_state.wNumCoef; ++i ) {
+		if (rogue_feel + 4 > rogue_feel_end) goto too_short;
 		MS_ADPCM_state.aCoeff[i][0] = ((rogue_feel[1]<<8)|rogue_feel[0]);
 		rogue_feel += sizeof(Uint16);
 		MS_ADPCM_state.aCoeff[i][1] = ((rogue_feel[1]<<8)|rogue_feel[0]);
 		rogue_feel += sizeof(Uint16);
 	}
 	return(0);
+too_short:
+	SDL_SetError("Unexpected length of a chunk with a MS ADPCM format");
+	return(-1);
 }
 
 static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state,
@@ -495,7 +502,7 @@
 			break;
 		case MS_ADPCM_CODE:
 			/* Try to understand this */
-			if ( InitMS_ADPCM(format) < 0 ) {
+			if ( InitMS_ADPCM(format, lenread) < 0 ) {
 				was_error = 1;
 				goto done;
 			}