1*26bdd445SBrad Bishop# HG changeset patch
2*26bdd445SBrad Bishop# User Petr Písař <ppisar@redhat.com>
3*26bdd445SBrad Bishop# Date 1560182783 25200
4*26bdd445SBrad Bishop# Mon Jun 10 09:06:23 2019 -0700
5*26bdd445SBrad Bishop# Branch SDL-1.2
6*26bdd445SBrad Bishop# Node ID fcbecae427951bac1684baaba2ade68221315140
7*26bdd445SBrad Bishop# Parent a8afedbcaea0e84921dc770195c4699bda3ccdc5
8*26bdd445SBrad BishopCVE-2019-7573, CVE-2019-7576: Fix buffer overreads in InitMS_ADPCM
9*26bdd445SBrad BishopIf MS ADPCM format chunk was too short, InitMS_ADPCM() parsing it
10*26bdd445SBrad Bishopcould read past the end of chunk data. This patch fixes it.
11*26bdd445SBrad Bishop
12*26bdd445SBrad BishopCVE-2019-7573
13*26bdd445SBrad Bishophttps://bugzilla.libsdl.org/show_bug.cgi?id=4491
14*26bdd445SBrad BishopCVE-2019-7576
15*26bdd445SBrad Bishophttps://bugzilla.libsdl.org/show_bug.cgi?id=4490
16*26bdd445SBrad Bishop
17*26bdd445SBrad BishopSigned-off-by: Petr Písař <ppisar@redhat.com>
18*26bdd445SBrad Bishop
19*26bdd445SBrad BishopCVE: CVE-2019-7573
20*26bdd445SBrad BishopCVE: CVE-2019-7576
21*26bdd445SBrad BishopUpstream-Status: Backport
22*26bdd445SBrad BishopSigned-off-by: Anuj Mittal <anuj.mittal@intel.com>
23*26bdd445SBrad Bishop
24*26bdd445SBrad Bishopdiff -r a8afedbcaea0 -r fcbecae42795 src/audio/SDL_wave.c
25*26bdd445SBrad Bishop--- a/src/audio/SDL_wave.c Mon Jun 10 08:57:11 2019 -0700
26*26bdd445SBrad Bishop+++ b/src/audio/SDL_wave.c Mon Jun 10 09:06:23 2019 -0700
27*26bdd445SBrad Bishop@@ -44,12 +44,13 @@
28*26bdd445SBrad Bishop struct MS_ADPCM_decodestate state[2];
29*26bdd445SBrad Bishop } MS_ADPCM_state;
30*26bdd445SBrad Bishop
31*26bdd445SBrad Bishop-static int InitMS_ADPCM(WaveFMT *format)
32*26bdd445SBrad Bishop+static int InitMS_ADPCM(WaveFMT *format, int length)
33*26bdd445SBrad Bishop {
34*26bdd445SBrad Bishop- Uint8 *rogue_feel;
35*26bdd445SBrad Bishop+ Uint8 *rogue_feel, *rogue_feel_end;
36*26bdd445SBrad Bishop int i;
37*26bdd445SBrad Bishop
38*26bdd445SBrad
Bishop /* Set the rogue pointer to the MS_ADPCM specific data */
39*26bdd445SBrad Bishop+ if (length < sizeof(*format)) goto too_short;
40*26bdd445SBrad Bishop MS_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding);
41*26bdd445SBrad Bishop MS_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels);
42*26bdd445SBrad Bishop MS_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency);
43*26bdd445SBrad Bishop@@ -58,9 +59,11 @@
44*26bdd445SBrad Bishop MS_ADPCM_state.wavefmt.bitspersample =
45*26bdd445SBrad Bishop SDL_SwapLE16(format->bitspersample);
46*26bdd445SBrad Bishop rogue_feel = (Uint8 *)format+sizeof(*format);
47*26bdd445SBrad Bishop+ rogue_feel_end = (Uint8 *)format + length;
48*26bdd445SBrad Bishop if ( sizeof(*format) == 16 ) {
49*26bdd445SBrad Bishop rogue_feel += sizeof(Uint16);
50*26bdd445SBrad Bishop }
51*26bdd445SBrad Bishop+ if (rogue_feel + 4 > rogue_feel_end) goto too_short;
52*26bdd445SBrad Bishop MS_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1]<<8)|rogue_feel[0]);
53*26bdd445SBrad Bishop rogue_feel += sizeof(Uint16);
54*26bdd445SBrad Bishop MS_ADPCM_state.wNumCoef = ((rogue_feel[1]<<8)|rogue_feel[0]);
55*26bdd445SBrad Bishop@@ -70,12 +73,16 @@
56*26bdd445SBrad Bishop return(-1);
57*26bdd445SBrad Bishop }
58*26bdd445SBrad Bishop for ( i=0; i<MS_ADPCM_state.wNumCoef; ++i ) {
59*26bdd445SBrad Bishop+ if (rogue_feel + 4 > rogue_feel_end) goto too_short;
60*26bdd445SBrad Bishop MS_ADPCM_state.aCoeff[i][0] = ((rogue_feel[1]<<8)|rogue_feel[0]);
61*26bdd445SBrad Bishop rogue_feel += sizeof(Uint16);
62*26bdd445SBrad Bishop MS_ADPCM_state.aCoeff[i][1] = ((rogue_feel[1]<<8)|rogue_feel[0]);
63*26bdd445SBrad Bishop rogue_feel += sizeof(Uint16);
64*26bdd445SBrad Bishop }
65*26bdd445SBrad Bishop return(0);
66*26bdd445SBrad Bishop+too_short:
67*26bdd445SBrad Bishop+ SDL_SetError("Unexpected length of a chunk with a MS ADPCM format");
68*26bdd445SBrad Bishop+ return(-1);
69*26bdd445SBrad Bishop }
70*26bdd445SBrad Bishop
71*26bdd445SBrad
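Review bot: The new guard `if (length < sizeof(*format)) goto too_short;` compares a signed `int` against a `size_t`, so a negative `length` is converted to a large unsigned value and the guard passes instead of rejecting the chunk. Whether a negative chunk length can actually reach InitMS_ADPCM depends on how the caller validates `lenread` before the call, which is outside this patch, so the function cannot be judged safe in isolation; making the guard self-contained costs one condition: `if (length < 0 || (size_t)length < sizeof(*format)) goto too_short;`. The body of InitMS_ADPCM continues past this hunk.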
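Review bot: `if (rogue_feel + 4 > rogue_feel_end) goto too_short;` decides the bound by forming a pointer up to four bytes beyond the chunk, and `rogue_feel` may already sit two bytes past `rogue_feel_end` at that point, because the `sizeof(*format) == 16` branch advances it after only `sizeof(*format)` bytes have been verified; pointer arithmetic beyond one-past-the-end is undefined behaviour in C and compilers are permitted to fold such comparisons. Comparing offsets against the verified `length` instead of adding to the pointer keeps the check in defined territory: `if ((size_t)(rogue_feel - (Uint8 *)format) + 4 > (size_t)length) goto too_short;` (this presumes `length` is non-negative, which the earlier `length < sizeof(*format)` guard only ensures if the caller never passes a negative value). The per-coefficient check added inside the `for` loop in the next hunk (`@@ -70,12 +73,16 @@`) has the same form and would take the same rewrite.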
Bishop static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state,
72*26bdd445SBrad Bishop@@ -495,7 +502,7 @@
73*26bdd445SBrad Bishop break;
74*26bdd445SBrad Bishop case MS_ADPCM_CODE:
75*26bdd445SBrad Bishop /* Try to understand this */
76*26bdd445SBrad Bishop- if ( InitMS_ADPCM(format) < 0 ) {
77*26bdd445SBrad Bishop+ if ( InitMS_ADPCM(format, lenread) < 0 ) {
78*26bdd445SBrad Bishop was_error = 1;
79*26bdd445SBrad Bishop goto done;
80*26bdd445SBrad Bishop }
81