|
 |
0ba851 |
From d5ec943db7d51fccd7230c9df0c7a2e46d611f50 Mon Sep 17 00:00:00 2001
|
|
|
0ba851 |
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
|
|
|
0ba851 |
Date: Mon, 10 Jun 2019 08:54:11 -0700
|
|
|
0ba851 |
Subject: [PATCH 04/11] CVE-2019-7577: Fix a buffer overread in MS_ADPCM_decode
|
|
|
0ba851 |
If RIFF/WAV data chunk length is shorter then expected for an audio format
|
|
|
0ba851 |
defined in preceeding RIFF/WAV format headers, a buffer overread can happen.
|
|
|
0ba851 |
MIME-Version: 1.0
|
|
|
0ba851 |
Content-Type: text/plain; charset=UTF-8
|
|
|
0ba851 |
Content-Transfer-Encoding: 8bit
|
|
|
0ba851 |
|
|
|
0ba851 |
This patch fixes it by checking a MS ADPCM data to be decoded are not
|
|
|
0ba851 |
past the initialized buffer.
|
|
|
0ba851 |
|
|
|
0ba851 |
CVE-2019-7577
|
|
|
0ba851 |
Reproducer: https://bugzilla.libsdl.org/show_bug.cgi?id=4492
|
|
|
0ba851 |
|
|
|
0ba851 |
Signed-off-by: Petr Písař <ppisar@redhat.com>
|
|
|
0ba851 |
|
|
|
0ba851 |
--HG--
|
|
|
0ba851 |
branch : SDL-1.2
|
|
|
0ba851 |
---
|
|
|
0ba851 |
src/audio/SDL_wave.c | 10 +++++++++-
|
|
|
0ba851 |
1 file changed, 9 insertions(+), 1 deletion(-)
|
|
|
0ba851 |
|
|
|
0ba851 |
diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
|
|
|
0ba851 |
index 66f804421..6c6eb14eb 100644
|
|
|
0ba851 |
--- a/src/audio/SDL_wave.c
|
|
|
0ba851 |
+++ b/src/audio/SDL_wave.c
|
|
|
0ba851 |
@@ -115,7 +115,7 @@ static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state,
|
|
|
0ba851 |
static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
|
|
|
0ba851 |
{
|
|
|
0ba851 |
struct MS_ADPCM_decodestate *state[2];
|
|
|
0ba851 |
- Uint8 *freeable, *encoded, *decoded;
|
|
|
0ba851 |
+ Uint8 *freeable, *encoded, *encoded_end, *decoded;
|
|
|
0ba851 |
Sint32 encoded_len, samplesleft;
|
|
|
0ba851 |
Sint8 nybble, stereo;
|
|
|
0ba851 |
Sint16 *coeff[2];
|
|
|
0ba851 |
@@ -124,6 +124,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
|
|
|
0ba851 |
/* Allocate the proper sized output buffer */
|
|
|
0ba851 |
encoded_len = *audio_len;
|
|
|
0ba851 |
encoded = *audio_buf;
|
|
|
0ba851 |
+ encoded_end = encoded + encoded_len;
|
|
|
0ba851 |
freeable = *audio_buf;
|
|
|
0ba851 |
*audio_len = (encoded_len/MS_ADPCM_state.wavefmt.blockalign) *
|
|
|
0ba851 |
MS_ADPCM_state.wSamplesPerBlock*
|
|
|
0ba851 |
@@ -141,6 +142,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
|
|
|
0ba851 |
state[1] = &MS_ADPCM_state.state[stereo];
|
|
|
0ba851 |
while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) {
|
|
|
0ba851 |
/* Grab the initial information for this block */
|
|
|
0ba851 |
+ if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto too_short;
|
|
|
0ba851 |
state[0]->hPredictor = *encoded++;
|
|
|
0ba851 |
if ( stereo ) {
|
|
|
0ba851 |
state[1]->hPredictor = *encoded++;
|
|
|
0ba851 |
@@ -188,6 +190,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
|
|
|
0ba851 |
samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)*
|
|
|
0ba851 |
MS_ADPCM_state.wavefmt.channels;
|
|
|
0ba851 |
while ( samplesleft > 0 ) {
|
|
|
0ba851 |
+ if (encoded + 1 > encoded_end) goto too_short;
|
|
|
0ba851 |
+
|
|
|
0ba851 |
nybble = (*encoded)>>4;
|
|
|
0ba851 |
new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]);
|
|
|
0ba851 |
decoded[0] = new_sample&0xFF;
|
|
|
0ba851 |
@@ -209,6 +213,10 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
|
|
|
0ba851 |
}
|
|
|
0ba851 |
SDL_free(freeable);
|
|
|
0ba851 |
return(0);
|
|
|
0ba851 |
+too_short:
|
|
|
0ba851 |
+ SDL_SetError("Too short chunk for a MS ADPCM decoder");
|
|
|
0ba851 |
+ SDL_free(freeable);
|
|
|
0ba851 |
+ return(-1);
|
|
|
0ba851 |
}
|
|
|
0ba851 |
|
|
|
0ba851 |
struct IMA_ADPCM_decodestate {
|
|
|
0ba851 |
--
|
|
|
0ba851 |
2.21.0
|
|
|
0ba851 |
|