rpms / SDL

Clone
Source Code
GIT

Blame SOURCES/0004-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch

c4 c5 c5-plus c6 c6-plus c7 c7-aarch64 c7-beta c7-ppc64le c8 c8-beta c8-containeronly-stream-flatpak c8s c9-beta
  1.   54e6141cb0d98cc3cffec2b7bbd16582c08474a1
  2.   SOURCES
  3.   0004-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch
Blob History Raw
6ed69d 
From d5ec943db7d51fccd7230c9df0c7a2e46d611f50 Mon Sep 17 00:00:00 2001
6ed69d 
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
6ed69d 
Date: Mon, 10 Jun 2019 08:54:11 -0700
6ed69d 
Subject: [PATCH 04/11] CVE-2019-7577: Fix a buffer overread in MS_ADPCM_decode
6ed69d 
 If RIFF/WAV data chunk length is shorter then expected for an audio format
6ed69d 
 defined in preceeding RIFF/WAV format headers, a buffer overread can happen.
6ed69d 
MIME-Version: 1.0
6ed69d 
Content-Type: text/plain; charset=UTF-8
6ed69d 
Content-Transfer-Encoding: 8bit
6ed69d
6ed69d 
This patch fixes it by checking a MS ADPCM data to be decoded are not
6ed69d 
past the initialized buffer.
6ed69d
6ed69d 
CVE-2019-7577
6ed69d 
Reproducer: https://bugzilla.libsdl.org/show_bug.cgi?id=4492
6ed69d
6ed69d 
Signed-off-by: Petr Písař <ppisar@redhat.com>
6ed69d
6ed69d 
--HG--
6ed69d 
branch : SDL-1.2
6ed69d 
---
6ed69d 
 src/audio/SDL_wave.c | 10 +++++++++-
6ed69d 
 1 file changed, 9 insertions(+), 1 deletion(-)
6ed69d
6ed69d 
diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
6ed69d 
index 66f804421..6c6eb14eb 100644
6ed69d 
--- a/src/audio/SDL_wave.c
6ed69d 
+++ b/src/audio/SDL_wave.c
6ed69d 
@@ -115,7 +115,7 @@ static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state,
6ed69d 
 static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
6ed69d 
 {
6ed69d 
 	struct MS_ADPCM_decodestate *state[2];
6ed69d 
-	Uint8 *freeable, *encoded, *decoded;
6ed69d 
+	Uint8 *freeable, *encoded, *encoded_end, *decoded;
6ed69d 
 	Sint32 encoded_len, samplesleft;
6ed69d 
 	Sint8 nybble, stereo;
6ed69d 
 	Sint16 *coeff[2];
6ed69d 
@@ -124,6 +124,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
6ed69d 
 	/* Allocate the proper sized output buffer */
6ed69d 
 	encoded_len = *audio_len;
6ed69d 
 	encoded = *audio_buf;
6ed69d 
+	encoded_end = encoded + encoded_len;
6ed69d 
 	freeable = *audio_buf;
6ed69d 
 	*audio_len = (encoded_len/MS_ADPCM_state.wavefmt.blockalign) *
6ed69d 
 				MS_ADPCM_state.wSamplesPerBlock*
6ed69d 
@@ -141,6 +142,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
6ed69d 
 	state[1] = &MS_ADPCM_state.state[stereo];
6ed69d 
 	while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) {
6ed69d 
 		/* Grab the initial information for this block */
6ed69d 
+		if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto too_short;
6ed69d 
 		state[0]->hPredictor = *encoded++;
6ed69d 
 		if ( stereo ) {
6ed69d 
 			state[1]->hPredictor = *encoded++;
6ed69d 
@@ -188,6 +190,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
6ed69d 
 		samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)*
6ed69d 
 					MS_ADPCM_state.wavefmt.channels;
6ed69d 
 		while ( samplesleft > 0 ) {
6ed69d 
+			if (encoded + 1 > encoded_end) goto too_short;
6ed69d 
+
6ed69d 
 			nybble = (*encoded)>>4;
6ed69d 
 			new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]);
6ed69d 
 			decoded[0] = new_sample&0xFF;
6ed69d 
@@ -209,6 +213,10 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
6ed69d 
 	}
6ed69d 
 	SDL_free(freeable);
6ed69d 
 	return(0);
6ed69d 
+too_short:
6ed69d 
+	SDL_SetError("Too short chunk for a MS ADPCM decoder");
6ed69d 
+	SDL_free(freeable);
6ed69d 
+	return(-1);
6ed69d 
 }
6ed69d
6ed69d 
 struct IMA_ADPCM_decodestate {
6ed69d 
--
6ed69d 
2.21.0
6ed69d

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation