1# HG changeset patch
2# User Petr Písař <ppisar@redhat.com>
3# Date 1560182783 25200
4# Mon Jun 10 09:06:23 2019 -0700
5# Branch SDL-1.2
6# Node ID fcbecae427951bac1684baaba2ade68221315140
7# Parent a8afedbcaea0e84921dc770195c4699bda3ccdc5
8CVE-2019-7573, CVE-2019-7576: Fix buffer overreads in InitMS_ADPCM
9If MS ADPCM format chunk was too short, InitMS_ADPCM() parsing it
10could read past the end of chunk data. This patch fixes it.
11
12CVE-2019-7573
13https://bugzilla.libsdl.org/show_bug.cgi?id=4491
14CVE-2019-7576
15https://bugzilla.libsdl.org/show_bug.cgi?id=4490
16
17Signed-off-by: Petr Písař <ppisar@redhat.com>
18
19CVE: CVE-2019-7573
20CVE: CVE-2019-7576
21Upstream-Status: Backport
22Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
23
24diff -r a8afedbcaea0 -r fcbecae42795 src/audio/SDL_wave.c
25--- a/src/audio/SDL_wave.c Mon Jun 10 08:57:11 2019 -0700
26+++ b/src/audio/SDL_wave.c Mon Jun 10 09:06:23 2019 -0700
27@@ -44,12 +44,13 @@
28 struct MS_ADPCM_decodestate state[2];
29 } MS_ADPCM_state;
30
31-static int InitMS_ADPCM(WaveFMT *format)
32+static int InitMS_ADPCM(WaveFMT *format, int length)
33 {
34- Uint8 *rogue_feel;
35+ Uint8 *rogue_feel, *rogue_feel_end;
36 int i;
37
38 /* Set the rogue pointer to the MS_ADPCM specific data */
39+ if (length < sizeof(*format)) goto too_short;
40 MS_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding);
41 MS_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels);
42 MS_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency);
43@@ -58,9 +59,11 @@
44 MS_ADPCM_state.wavefmt.bitspersample =
45 SDL_SwapLE16(format->bitspersample);
46 rogue_feel = (Uint8 *)format+sizeof(*format);
47+ rogue_feel_end = (Uint8 *)format + length;
48 if ( sizeof(*format) == 16 ) {
49 rogue_feel += sizeof(Uint16);
50 }
51+ if (rogue_feel + 4 > rogue_feel_end) goto too_short;
52 MS_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1]<<8)|rogue_feel[0]);
53 rogue_feel += sizeof(Uint16);
54 MS_ADPCM_state.wNumCoef = 
((rogue_feel[1]<<8)|rogue_feel[0]);
55@@ -70,12 +73,16 @@
56 return(-1);
57 }
58 for ( i=0; i<MS_ADPCM_state.wNumCoef; ++i ) {
59+ if (rogue_feel + 4 > rogue_feel_end) goto too_short;
60 MS_ADPCM_state.aCoeff[i][0] = ((rogue_feel[1]<<8)|rogue_feel[0]);
61 rogue_feel += sizeof(Uint16);
62 MS_ADPCM_state.aCoeff[i][1] = ((rogue_feel[1]<<8)|rogue_feel[0]);
63 rogue_feel += sizeof(Uint16);
64 }
65 return(0);
66+too_short:
67+ SDL_SetError("Unexpected length of a chunk with a MS ADPCM format");
68+ return(-1);
69 }
70
71 static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state,
72@@ -495,7 +502,7 @@
73 break;
74 case MS_ADPCM_CODE:
75 /* Try to understand this */
76- if ( InitMS_ADPCM(format) < 0 ) {
77+ if ( InitMS_ADPCM(format, lenread) < 0 ) {
78 was_error = 1;
79 goto done;
80 }
81
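Review bot: `rogue_feel_end = (Uint8 *)format + length;` is computed from a signed `int length`, while the guard added in the previous hunk, `if (length < sizeof(*format)) goto too_short;`, compares it against a `size_t`; should a negative value ever reach it, it is converted to a large unsigned value there, passes the guard, the `format->` fields are read, and `rogue_feel_end` is formed before the start of `format`. The `rogue_feel + 4 > rogue_feel_end` test further down would then still reject it, but the first guard should already do so: `if (length < 0 || (size_t)length < sizeof(*format)) goto too_short;`, or the parameter should become `Uint32`/`size_t` with the conversion made explicit at the caller. Also, `rogue_feel + 4 > rogue_feel_end` forms a pointer past the chunk before comparing, and when `sizeof(*format) == 16` and `length == 16` the unconditional `rogue_feel += sizeof(Uint16);` has already moved `rogue_feel` two bytes past `rogue_feel_end`; the comparison yields the right answer on SDL's flat-memory targets but is out-of-range pointer arithmetic, so a remaining-byte counter checked before each advance would be the stricter form. InitMS_ADPCM begins in the previous hunk and ends in the next one.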
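Review bot: The new `too_short:` exit at the end of InitMS_ADPCM carries no comment, and the `length` parameter is not documented either, so a reader has to reconstruct from the `goto too_short` sites what `length` must cover; a one-line comment at the label, `/* chunk data ended before every MS ADPCM format field could be read; length bounds all reads via rogue_feel_end */`, would state the contract in one place. The per-iteration `if (rogue_feel + 4 > rogue_feel_end) goto too_short;` repeats the check from the previous hunk verbatim, and `4` is a magic number; naming it (`2 * sizeof(Uint16)`, one coefficient pair) or moving the test into a small `static` helper would tie the two sites together. The `return(-1)` at the top of this hunk is a pre-existing failure path; whether it sets an SDL error before returning is not visible here, so the two failure exits may report differently.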
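Review bot: `InitMS_ADPCM(format, lenread)` hands `lenread` to a new `int` parameter, but `lenread`'s declaration is outside this hunk; if it is an unsigned 32-bit chunk length, values at or above 2^31 become negative on conversion and meet the signed `length < sizeof(*format)` guard in the callee, so an explicit range check or a commented cast at this call site would be safer. The `switch` that reaches `case MS_ADPCM_CODE:` has presumably already read `format->encoding` before this call; whether `lenread` is checked against `sizeof(*format)` before that dispatch is not visible in this hunk, and if it is not, the length check added inside InitMS_ADPCM comes one read too late. A single `if ( lenread < sizeof(*format) ) { was_error = 1; goto done; }` (with an SDL_SetError) ahead of the switch would cover every encoding rather than only MS ADPCM. The enclosing function starts and ends outside the hunk.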