meta-openembedded/meta-oe/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7578.patch - mdmillerii/openbmc - Gitiles

 # HG changeset patch
 # User Petr Písař <ppisar@redhat.com>
 # Date 1560042129 25200
 #      Sat Jun 08 18:02:09 2019 -0700
 # Branch SDL-1.2
 # Node ID 388987dff7bf8f1e214e69c2e4f1aa31e06396b5
 # Parent  e52413f5258600878f9a10d2f92605a729aa8976
 CVE-2019-7578: Fix a buffer overread in InitIMA_ADPCM
 If IMA ADPCM format chunk was too short, InitIMA_ADPCM() parsing it
 could read past the end of chunk data. This patch fixes it.

 CVE-2019-7578
 https://bugzilla.libsdl.org/show_bug.cgi?id=4494

 Signed-off-by: Petr Písař <ppisar@redhat.com>

 CVE: CVE-2019-7578
 Upstream-Status: Backport
 Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>

 diff -r e52413f52586 -r 388987dff7bf src/audio/SDL_wave.c
 --- a/src/audio/SDL_wave.c	Sat Jun 08 17:57:43 2019 -0700
 +++ b/src/audio/SDL_wave.c	Sat Jun 08 18:02:09 2019 -0700
 @@ -222,11 +222,12 @@
  	struct IMA_ADPCM_decodestate state[2];
  } IMA_ADPCM_state;

 -static int InitIMA_ADPCM(WaveFMT *format)
 +static int InitIMA_ADPCM(WaveFMT *format, int length)
  {
 -	Uint8 *rogue_feel;
 +	Uint8 *rogue_feel, *rogue_feel_end;

  	/* Set the rogue pointer to the IMA_ADPCM specific data */
 +	if (length < sizeof(*format)) goto too_short;
  	IMA_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding);
  	IMA_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels);
  	IMA_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency);
 @@ -235,11 +236,16 @@
  	IMA_ADPCM_state.wavefmt.bitspersample =
  					 SDL_SwapLE16(format->bitspersample);
  	rogue_feel = (Uint8 *)format+sizeof(*format);
 +	rogue_feel_end = (Uint8 *)format + length;
  	if ( sizeof(*format) == 16 ) {
  		rogue_feel += sizeof(Uint16);
  	}
 +	if (rogue_feel + 2 > rogue_feel_end) goto too_short;
  	IMA_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1]<<8)|rogue_feel[0]);
  	return(0);
 +too_short:
 +	SDL_SetError("Unexpected length of a chunk with an IMA ADPCM format");
 +	return(-1);
  }

  static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble)
 @@ -471,7 +477,7 @@
  			break;
  		case IMA_ADPCM_CODE:
  			/* Try to understand this */
 -			if ( InitIMA_ADPCM(format) < 0 ) {
 +			if ( InitIMA_ADPCM(format, lenread) < 0 ) {
  				was_error = 1;
  				goto done;
  			}
	# HG changeset patch
	# User Petr Písař <ppisar@redhat.com>
	# Date 1560042129 25200
	# Sat Jun 08 18:02:09 2019 -0700
	# Branch SDL-1.2
	# Node ID 388987dff7bf8f1e214e69c2e4f1aa31e06396b5
	# Parent e52413f5258600878f9a10d2f92605a729aa8976
	CVE-2019-7578: Fix a buffer overread in InitIMA_ADPCM
	If IMA ADPCM format chunk was too short, InitIMA_ADPCM() parsing it
	could read past the end of chunk data. This patch fixes it.

	CVE-2019-7578
	https://bugzilla.libsdl.org/show_bug.cgi?id=4494

	Signed-off-by: Petr Písař <ppisar@redhat.com>

	CVE: CVE-2019-7578
	Upstream-Status: Backport
	Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>

	diff -r e52413f52586 -r 388987dff7bf src/audio/SDL_wave.c
	--- a/src/audio/SDL_wave.c Sat Jun 08 17:57:43 2019 -0700
	+++ b/src/audio/SDL_wave.c Sat Jun 08 18:02:09 2019 -0700
	@@ -222,11 +222,12 @@
	struct IMA_ADPCM_decodestate state[2];
	} IMA_ADPCM_state;

	-static int InitIMA_ADPCM(WaveFMT *format)
	+static int InitIMA_ADPCM(WaveFMT *format, int length)
	{
	- Uint8 *rogue_feel;
	+ Uint8 rogue_feel, rogue_feel_end;

	/* Set the rogue pointer to the IMA_ADPCM specific data */
	+ if (length < sizeof(*format)) goto too_short;
	IMA_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding);
	IMA_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels);
	IMA_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency);
	@@ -235,11 +236,16 @@
	IMA_ADPCM_state.wavefmt.bitspersample =
	SDL_SwapLE16(format->bitspersample);
	rogue_feel = (Uint8 )format+sizeof(format);
	+ rogue_feel_end = (Uint8 *)format + length;
	if ( sizeof(*format) == 16 ) {
	rogue_feel += sizeof(Uint16);
	}
	+ if (rogue_feel + 2 > rogue_feel_end) goto too_short;
	IMA_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1]<<8)\|rogue_feel[0]);
	return(0);
	+too_short:
	+ SDL_SetError("Unexpected length of a chunk with an IMA ADPCM format");
	+ return(-1);
	}

	static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble)
	@@ -471,7 +477,7 @@
	break;
	case IMA_ADPCM_CODE:
	/* Try to understand this */
	- if ( InitIMA_ADPCM(format) < 0 ) {
	+ if ( InitIMA_ADPCM(format, lenread) < 0 ) {
	was_error = 1;
	goto done;
	}