CVE-2019-7578.patch (revision 26bdd445) - OpenGrok cross reference for /openbmc/openbmc/meta-openembedded/meta-oe/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7578.patch

# HG changeset patch
# User Petr Písař <ppisar@redhat.com>
# Date 1560042129 25200
#      Sat Jun 08 18:02:09 2019 -0700
# Branch SDL-1.2
# Node ID 388987dff7bf8f1e214e69c2e4f1aa31e06396b5
# Parent  e52413f5258600878f9a10d2f92605a729aa8976
CVE-2019-7578: Fix a buffer overread in InitIMA_ADPCM
If IMA ADPCM format chunk was too short, InitIMA_ADPCM() parsing it
could read past the end of chunk data. This patch fixes it.

CVE-2019-7578
https://bugzilla.libsdl.org/show_bug.cgi?id=4494

Signed-off-by: Petr Písař <ppisar@redhat.com>

CVE: CVE-2019-7578
Upstream-Status: Backport
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>

diff -r e52413f52586 -r 388987dff7bf src/audio/SDL_wave.c
--- a/src/audio/SDL_wave.c	Sat Jun 08 17:57:43 2019 -0700
+++ b/src/audio/SDL_wave.c	Sat Jun 08 18:02:09 2019 -0700
@@ -222,11 +222,12 @@
 	struct IMA_ADPCM_decodestate state[2];
 } IMA_ADPCM_state;

-static int InitIMA_ADPCM(WaveFMT *format)
+static int InitIMA_ADPCM(WaveFMT *format, int length)
 {
-	Uint8 *rogue_feel;
+	Uint8 *rogue_feel, *rogue_feel_end;

 	/* Set the rogue pointer to the IMA_ADPCM specific data */
+	if (length < sizeof(*format)) goto too_short;
 	IMA_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding);
 	IMA_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels);
 	IMA_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency);
@@ -235,11 +236,16 @@
 	IMA_ADPCM_state.wavefmt.bitspersample =
 					 SDL_SwapLE16(format->bitspersample);
 	rogue_feel = (Uint8 *)format+sizeof(*format);
+	rogue_feel_end = (Uint8 *)format + length;
 	if ( sizeof(*format) == 16 ) {
 		rogue_feel += sizeof(Uint16);
 	}
+	if (rogue_feel + 2 > rogue_feel_end) goto too_short;
 	IMA_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1]<<8)|rogue_feel[0]);
 	return(0);
+too_short:
+	SDL_SetError("Unexpected length of a chunk with an IMA ADPCM format");
+	return(-1);
 }

 static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble)
@@ -471,7 +477,7 @@
 			break;
 		case IMA_ADPCM_CODE:
 			/* Try to understand this */
-			if ( InitIMA_ADPCM(format) < 0 ) {
+			if ( InitIMA_ADPCM(format, lenread) < 0 ) {
 				was_error = 1;
 				goto done;
 			}