| Brad Bishop | 26bdd44 | 2019-08-16 17:08:17 -0400 | [diff] [blame] | 1 | # HG changeset patch |
| 2 | # User Petr Písař <ppisar@redhat.com> |
| 3 | # Date 1560183905 25200 |
| 4 | # Mon Jun 10 09:25:05 2019 -0700 |
| 5 | # Branch SDL-1.2 |
| 6 | # Node ID a936f9bd3e381d67d8ddee8b9243f85799ea4798 |
| 7 | # Parent fcbecae427951bac1684baaba2ade68221315140 |
| 8 | CVE-2019-7575: Fix a buffer overwrite in MS_ADPCM_decode |
| 9 | If a WAV format defines shorter audio stream and decoded MS ADPCM data chunk |
| 10 | is longer, decoding continued past the output audio buffer. |
| 11 | |
| 12 | This fix is based on a patch from |
| 13 | <https://bugzilla.libsdl.org/show_bug.cgi?id=4492>. |
| 14 | |
| 15 | https://bugzilla.libsdl.org/show_bug.cgi?id=4493 |
| 16 | CVE-2019-7575 |
| 17 | |
| 18 | Signed-off-by: Petr Písař <ppisar@redhat.com> |
| 19 | |
| 20 | CVE: CVE-2019-7575 |
| 21 | Upstream-Status: Backport |
| 22 | Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> |
| 23 | |
| 24 | diff -r fcbecae42795 -r a936f9bd3e38 src/audio/SDL_wave.c |
| 25 | --- a/src/audio/SDL_wave.c Mon Jun 10 09:06:23 2019 -0700 |
| 26 | +++ b/src/audio/SDL_wave.c Mon Jun 10 09:25:05 2019 -0700 |
| 27 | @@ -122,7 +122,7 @@ |
| 28 | static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) |
| 29 | { |
| 30 | struct MS_ADPCM_decodestate *state[2]; |
| 31 | - Uint8 *freeable, *encoded, *encoded_end, *decoded; |
| 32 | + Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end; |
| 33 | Sint32 encoded_len, samplesleft; |
| 34 | Sint8 nybble, stereo; |
| 35 | Sint16 *coeff[2]; |
| 36 | @@ -142,6 +142,7 @@ |
| 37 | return(-1); |
| 38 | } |
| 39 | decoded = *audio_buf; |
| 40 | + decoded_end = decoded + *audio_len; |
| 41 | |
| 42 | /* Get ready... Go! */ |
| 43 | stereo = (MS_ADPCM_state.wavefmt.channels == 2); |
| 44 | @@ -149,7 +150,7 @@ |
| 45 | state[1] = &MS_ADPCM_state.state[stereo]; |
| 46 | while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) { |
| 47 | /* Grab the initial information for this block */ |
| 48 | - if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto too_short; |
| 49 | + if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto invalid_size; |
| 50 | state[0]->hPredictor = *encoded++; |
| 51 | if ( stereo ) { |
| 52 | state[1]->hPredictor = *encoded++; |
| 53 | @@ -179,6 +180,7 @@ |
| 54 | coeff[1] = MS_ADPCM_state.aCoeff[state[1]->hPredictor]; |
| 55 | |
| 56 | /* Store the two initial samples we start with */ |
| 57 | + if (decoded + 4 + (stereo ? 4 : 0) > decoded_end) goto invalid_size; |
| 58 | decoded[0] = state[0]->iSamp2&0xFF; |
| 59 | decoded[1] = state[0]->iSamp2>>8; |
| 60 | decoded += 2; |
| 61 | @@ -200,7 +202,8 @@ |
| 62 | samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)* |
| 63 | MS_ADPCM_state.wavefmt.channels; |
| 64 | while ( samplesleft > 0 ) { |
| 65 | - if (encoded + 1 > encoded_end) goto too_short; |
| 66 | + if (encoded + 1 > encoded_end) goto invalid_size; |
| 67 | + if (decoded + 4 > decoded_end) goto invalid_size; |
| 68 | |
| 69 | nybble = (*encoded)>>4; |
| 70 | new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]); |
| 71 | @@ -223,8 +226,8 @@ |
| 72 | } |
| 73 | SDL_free(freeable); |
| 74 | return(0); |
| 75 | -too_short: |
| 76 | - SDL_SetError("Too short chunk for a MS ADPCM decoder"); |
| 77 | +invalid_size: |
| 78 | + SDL_SetError("Unexpected chunk length for a MS ADPCM decoder"); |
| 79 | SDL_free(freeable); |
| 80 | return(-1); |
| 81 | invalid_predictor: |