meta-openembedded/meta-oe/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7576.patch - mdmillerii/openbmc - Gitiles

 # HG changeset patch
 # User Petr Písař <ppisar@redhat.com>
 # Date 1560182783 25200
 #      Mon Jun 10 09:06:23 2019 -0700
 # Branch SDL-1.2
 # Node ID fcbecae427951bac1684baaba2ade68221315140
 # Parent  a8afedbcaea0e84921dc770195c4699bda3ccdc5
 CVE-2019-7573, CVE-2019-7576: Fix buffer overreads in InitMS_ADPCM
 If MS ADPCM format chunk was too short, InitMS_ADPCM() parsing it
 could read past the end of chunk data. This patch fixes it.

 CVE-2019-7573
 https://bugzilla.libsdl.org/show_bug.cgi?id=4491
 CVE-2019-7576
 https://bugzilla.libsdl.org/show_bug.cgi?id=4490

 Signed-off-by: Petr Písař <ppisar@redhat.com>

 CVE: CVE-2019-7573
 CVE: CVE-2019-7576
 Upstream-Status: Backport
 Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>

 diff -r a8afedbcaea0 -r fcbecae42795 src/audio/SDL_wave.c
 --- a/src/audio/SDL_wave.c	Mon Jun 10 08:57:11 2019 -0700
 +++ b/src/audio/SDL_wave.c	Mon Jun 10 09:06:23 2019 -0700
 @@ -44,12 +44,13 @@
  	struct MS_ADPCM_decodestate state[2];
  } MS_ADPCM_state;

 -static int InitMS_ADPCM(WaveFMT *format)
 +static int InitMS_ADPCM(WaveFMT *format, int length)
  {
 -	Uint8 *rogue_feel;
 +	Uint8 *rogue_feel, *rogue_feel_end;
  	int i;

  	/* Set the rogue pointer to the MS_ADPCM specific data */
 +	if (length < sizeof(*format)) goto too_short;
  	MS_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding);
  	MS_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels);
  	MS_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency);
 @@ -58,9 +59,11 @@
  	MS_ADPCM_state.wavefmt.bitspersample =
  					 SDL_SwapLE16(format->bitspersample);
  	rogue_feel = (Uint8 *)format+sizeof(*format);
 +	rogue_feel_end = (Uint8 *)format + length;
  	if ( sizeof(*format) == 16 ) {
  		rogue_feel += sizeof(Uint16);
  	}
 +	if (rogue_feel + 4 > rogue_feel_end) goto too_short;
  	MS_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1]<<8)|rogue_feel[0]);
  	rogue_feel += sizeof(Uint16);
  	MS_ADPCM_state.wNumCoef = ((rogue_feel[1]<<8)|rogue_feel[0]);
 @@ -70,12 +73,16 @@
  		return(-1);
  	}
  	for ( i=0; i<MS_ADPCM_state.wNumCoef; ++i ) {
 +		if (rogue_feel + 4 > rogue_feel_end) goto too_short;
  		MS_ADPCM_state.aCoeff[i][0] = ((rogue_feel[1]<<8)|rogue_feel[0]);
  		rogue_feel += sizeof(Uint16);
  		MS_ADPCM_state.aCoeff[i][1] = ((rogue_feel[1]<<8)|rogue_feel[0]);
  		rogue_feel += sizeof(Uint16);
  	}
  	return(0);
 +too_short:
 +	SDL_SetError("Unexpected length of a chunk with a MS ADPCM format");
 +	return(-1);
  }

  static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state,
 @@ -495,7 +502,7 @@
  			break;
  		case MS_ADPCM_CODE:
  			/* Try to understand this */
 -			if ( InitMS_ADPCM(format) < 0 ) {
 +			if ( InitMS_ADPCM(format, lenread) < 0 ) {
  				was_error = 1;
  				goto done;
  			}
	# HG changeset patch
	# User Petr Písař <ppisar@redhat.com>
	# Date 1560182783 25200
	# Mon Jun 10 09:06:23 2019 -0700
	# Branch SDL-1.2
	# Node ID fcbecae427951bac1684baaba2ade68221315140
	# Parent a8afedbcaea0e84921dc770195c4699bda3ccdc5
	CVE-2019-7573, CVE-2019-7576: Fix buffer overreads in InitMS_ADPCM
	If MS ADPCM format chunk was too short, InitMS_ADPCM() parsing it
	could read past the end of chunk data. This patch fixes it.

	CVE-2019-7573
	https://bugzilla.libsdl.org/show_bug.cgi?id=4491
	CVE-2019-7576
	https://bugzilla.libsdl.org/show_bug.cgi?id=4490

	Signed-off-by: Petr Písař <ppisar@redhat.com>

	CVE: CVE-2019-7573
	CVE: CVE-2019-7576
	Upstream-Status: Backport
	Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>

	diff -r a8afedbcaea0 -r fcbecae42795 src/audio/SDL_wave.c
	--- a/src/audio/SDL_wave.c Mon Jun 10 08:57:11 2019 -0700
	+++ b/src/audio/SDL_wave.c Mon Jun 10 09:06:23 2019 -0700
	@@ -44,12 +44,13 @@
	struct MS_ADPCM_decodestate state[2];
	} MS_ADPCM_state;

	-static int InitMS_ADPCM(WaveFMT *format)
	+static int InitMS_ADPCM(WaveFMT *format, int length)
	{
	- Uint8 *rogue_feel;
	+ Uint8 rogue_feel, rogue_feel_end;
	int i;

	/* Set the rogue pointer to the MS_ADPCM specific data */
	+ if (length < sizeof(*format)) goto too_short;
	MS_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding);
	MS_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels);
	MS_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency);
	@@ -58,9 +59,11 @@
	MS_ADPCM_state.wavefmt.bitspersample =
	SDL_SwapLE16(format->bitspersample);
	rogue_feel = (Uint8 )format+sizeof(format);
	+ rogue_feel_end = (Uint8 *)format + length;
	if ( sizeof(*format) == 16 ) {
	rogue_feel += sizeof(Uint16);
	}
	+ if (rogue_feel + 4 > rogue_feel_end) goto too_short;
	MS_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1]<<8)\|rogue_feel[0]);
	rogue_feel += sizeof(Uint16);
	MS_ADPCM_state.wNumCoef = ((rogue_feel[1]<<8)\|rogue_feel[0]);
	@@ -70,12 +73,16 @@
	return(-1);
	}
	for ( i=0; i<MS_ADPCM_state.wNumCoef; ++i ) {
	+ if (rogue_feel + 4 > rogue_feel_end) goto too_short;
	MS_ADPCM_state.aCoeff[i][0] = ((rogue_feel[1]<<8)\|rogue_feel[0]);
	rogue_feel += sizeof(Uint16);
	MS_ADPCM_state.aCoeff[i][1] = ((rogue_feel[1]<<8)\|rogue_feel[0]);
	rogue_feel += sizeof(Uint16);
	}
	return(0);
	+too_short:
	+ SDL_SetError("Unexpected length of a chunk with a MS ADPCM format");
	+ return(-1);
	}

	static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state,
	@@ -495,7 +502,7 @@
	break;
	case MS_ADPCM_CODE:
	/* Try to understand this */
	- if ( InitMS_ADPCM(format) < 0 ) {
	+ if ( InitMS_ADPCM(format, lenread) < 0 ) {
	was_error = 1;
	goto done;
	}