author | Anuj Mittal <anuj.mittal@intel.com> | 2019-07-29 07:20:54 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-07-29 10:25:21 +0100 |
commit | 2cfcb3b0fce7e1156eb52260df4330c95d87dc17 (patch) | |
tree | b062c2155c6e7d8637dbfd1f94eb82b47307f93c /meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7575.patch | |
parent | 13ba66338d16cc07cb0129de932f090d0edb7760 (diff) | |
download | openembedded-core-2cfcb3b0fce7e1156eb52260df4330c95d87dc17.tar.gz |
libsdl: CVE fixes
Fixes CVE-2019-7572, CVE-2019-7574, CVE-2019-7575, CVE-2019-7576,
CVE-2019-7577, CVE-2019-7578, CVE-2019-7635, CVE-2019-7637,
CVE-2019-7638.
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7575.patch')
-rw-r--r-- | meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7575.patch | 81 |
1 files changed, 81 insertions, 0 deletions
diff --git a/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7575.patch b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7575.patch
new file mode 100644
index 0000000000..a3e8416d0e
--- /dev/null
+++ b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7575.patch
@@ -0,0 +1,81 @@
+# HG changeset patch
+# User Petr Písař <ppisar@redhat.com>
+# Date 1560183905 25200
+# Mon Jun 10 09:25:05 2019 -0700
+# Branch SDL-1.2
+# Node ID a936f9bd3e381d67d8ddee8b9243f85799ea4798
+# Parent fcbecae427951bac1684baaba2ade68221315140
+CVE-2019-7575: Fix a buffer overwrite in MS_ADPCM_decode
+If a WAV format defines shorter audio stream and decoded MS ADPCM data chunk
+is longer, decoding continued past the output audio buffer.
+
+This fix is based on a patch from
+<https://bugzilla.libsdl.org/show_bug.cgi?id=4492>.
+
+https://bugzilla.libsdl.org/show_bug.cgi?id=4493
+CVE-2019-7575
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+
+CVE: CVE-2019-7575
+Upstream-Status: Backport
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+
+diff -r fcbecae42795 -r a936f9bd3e38 src/audio/SDL_wave.c
+--- a/src/audio/SDL_wave.c Mon Jun 10 09:06:23 2019 -0700
++++ b/src/audio/SDL_wave.c Mon Jun 10 09:25:05 2019 -0700
+@@ -122,7 +122,7 @@
+ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ {
+ struct MS_ADPCM_decodestate *state[2];
+- Uint8 *freeable, *encoded, *encoded_end, *decoded;
++ Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end;
+ Sint32 encoded_len, samplesleft;
+ Sint8 nybble, stereo;
+ Sint16 *coeff[2];
+@@ -142,6 +142,7 @@
+ return(-1);
+ }
+ decoded = *audio_buf;
++ decoded_end = decoded + *audio_len;
+
+ /* Get ready... Go! */
+ stereo = (MS_ADPCM_state.wavefmt.channels == 2);
+@@ -149,7 +150,7 @@
+ state[1] = &MS_ADPCM_state.state[stereo];
+ while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) {
+ /* Grab the initial information for this block */
+- if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto too_short;
++ if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto invalid_size;
+ state[0]->hPredictor = *encoded++;
+ if ( stereo ) {
+ state[1]->hPredictor = *encoded++;
+@@ -179,6 +180,7 @@
+ coeff[1] = MS_ADPCM_state.aCoeff[state[1]->hPredictor];
+
+ /* Store the two initial samples we start with */
++ if (decoded + 4 + (stereo ? 4 : 0) > decoded_end) goto invalid_size;
+ decoded[0] = state[0]->iSamp2&0xFF;
+ decoded[1] = state[0]->iSamp2>>8;
+ decoded += 2;
+@@ -200,7 +202,8 @@
+ samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)*
+ MS_ADPCM_state.wavefmt.channels;
+ while ( samplesleft > 0 ) {
+- if (encoded + 1 > encoded_end) goto too_short;
++ if (encoded + 1 > encoded_end) goto invalid_size;
++ if (decoded + 4 > decoded_end) goto invalid_size;
+
+ nybble = (*encoded)>>4;
+ new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]);
+@@ -223,8 +226,8 @@
+ }
+ SDL_free(freeable);
+ return(0);
+-too_short:
+- SDL_SetError("Too short chunk for a MS ADPCM decoder");
++invalid_size:
++ SDL_SetError("Unexpected chunk length for a MS ADPCM decoder");
+ SDL_free(freeable);
+ return(-1);
+ invalid_predictor: |
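Review bot: The new output-side guards in MS_ADPCM_decode (`decoded + 4 + (stereo ? 4 : 0) > decoded_end` before the initial samples, and `decoded + 4 > decoded_end` in the nibble loop) test the bound by first forming a pointer that can lie more than one element past the buffer, which C leaves undefined and which an optimizer may treat as always in range. Comparing the remaining length keeps the check well-defined: `if ((size_t)(decoded_end - decoded) < (stereo ? 8u : 4u)) goto invalid_size;` and `if (decoded_end - decoded < 4) goto invalid_size;`; the existing `encoded + N > encoded_end` checks have the same shape. `decoded_end` is only as trustworthy as `*audio_len`, whose computation and the matching allocation sit above the visible context, so an overflow there would need to be ruled out separately. The function body begins and continues outside the hunks shown.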