1*4882a593Smuzhiyun# HG changeset patch
2*4882a593Smuzhiyun# User Petr Písař <ppisar@redhat.com>
3*4882a593Smuzhiyun# Date 1560181859 25200
4*4882a593Smuzhiyun# Mon Jun 10 08:50:59 2019 -0700
5*4882a593Smuzhiyun# Branch SDL-1.2
6*4882a593Smuzhiyun# Node ID a6e3d2f5183e1cc300ad993e10e9ce077e13bd9c
7*4882a593Smuzhiyun# Parent 388987dff7bf8f1e214e69c2e4f1aa31e06396b5
8*4882a593SmuzhiyunCVE-2019-7574: Fix a buffer overread in IMA_ADPCM_decode
9*4882a593SmuzhiyunIf data chunk was shorter than expected based on a WAV format
10*4882a593Smuzhiyundefinition, IMA_ADPCM_decode() tried to read past the data chunk
11*4882a593Smuzhiyunbuffer. This patch fixes it.
12*4882a593Smuzhiyun
13*4882a593SmuzhiyunCVE-2019-7574
14*4882a593Smuzhiyunhttps://bugzilla.libsdl.org/show_bug.cgi?id=4496
15*4882a593Smuzhiyun
16*4882a593SmuzhiyunSigned-off-by: Petr Písař <ppisar@redhat.com>
17*4882a593Smuzhiyun
18*4882a593SmuzhiyunCVE: CVE-2019-7574
19*4882a593SmuzhiyunUpstream-Status: Backport
20*4882a593SmuzhiyunSigned-off-by: Anuj Mittal <anuj.mittal@intel.com>
21*4882a593Smuzhiyun
22*4882a593Smuzhiyundiff -r 388987dff7bf -r a6e3d2f5183e src/audio/SDL_wave.c
23*4882a593Smuzhiyun--- a/src/audio/SDL_wave.c Sat Jun 08 18:02:09 2019 -0700
24*4882a593Smuzhiyun+++ b/src/audio/SDL_wave.c Mon Jun 10 08:50:59 2019 -0700
25*4882a593Smuzhiyun@@ -331,7 +331,7 @@
26*4882a593Smuzhiyun static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
27*4882a593Smuzhiyun {
28*4882a593Smuzhiyun struct IMA_ADPCM_decodestate *state;
29*4882a593Smuzhiyun- Uint8 *freeable, *encoded, *decoded;
30*4882a593Smuzhiyun+ Uint8 *freeable, *encoded, *encoded_end, *decoded;
31*4882a593Smuzhiyun Sint32 encoded_len, samplesleft;
32*4882a593Smuzhiyun unsigned int c, channels;
33*4882a593Smuzhiyun
34*4882a593Smuzhiyun@@ -347,6 +347,7 @@
35*4882a593Smuzhiyun /* Allocate the proper sized output buffer */
36*4882a593Smuzhiyun encoded_len = *audio_len;
37*4882a593Smuzhiyun encoded = *audio_buf;
38*4882a593Smuzhiyun+ encoded_end = encoded + encoded_len;
39*4882a593Smuzhiyun freeable = *audio_buf;
40*4882a593Smuzhiyun *audio_len = (encoded_len/IMA_ADPCM_state.wavefmt.blockalign) *
41*4882a593Smuzhiyun IMA_ADPCM_state.wSamplesPerBlock*
42*4882a593Smuzhiyun@@ -362,6 +363,7 @@
43*4882a593Smuzhiyun while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) {
44*4882a593Smuzhiyun /* Grab the initial information for this block */
45*4882a593Smuzhiyun for ( c=0; c<channels; ++c ) {
46*4882a593Smuzhiyun+ if (encoded + 4 > encoded_end) goto invalid_size;
47*4882a593Smuzhiyun /* Fill the state information for this block */
48*4882a593Smuzhiyun state[c].sample = ((encoded[1]<<8)|encoded[0]);
49*4882a593Smuzhiyun encoded += 2;
50*4882a593Smuzhiyun@@ -384,6 +386,7 @@
51*4882a593Smuzhiyun samplesleft = (IMA_ADPCM_state.wSamplesPerBlock-1)*channels;
52*4882a593Smuzhiyun while ( samplesleft > 0 ) {
53*4882a593Smuzhiyun for ( c=0; c<channels; ++c ) {
54*4882a593Smuzhiyun+ if (encoded + 4 > encoded_end) goto invalid_size;
55*4882a593Smuzhiyun Fill_IMA_ADPCM_block(decoded, encoded,
56*4882a593Smuzhiyun c, channels, &state[c]);
57*4882a593Smuzhiyun encoded += 4;
58*4882a593Smuzhiyun@@ -395,6 +398,10 @@
59*4882a593Smuzhiyun }
60*4882a593Smuzhiyun SDL_free(freeable);
61*4882a593Smuzhiyun return(0);
62*4882a593Smuzhiyun+invalid_size:
63*4882a593Smuzhiyun+ SDL_SetError("Unexpected chunk length for an IMA ADPCM decoder");
64*4882a593Smuzhiyun+ SDL_free(freeable);
65*4882a593Smuzhiyun+ return(-1);
66*4882a593Smuzhiyun }
67*4882a593Smuzhiyun
68*4882a593Smuzhiyun SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc,
69
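Review bot: The new bound `encoded_end = encoded + encoded_len;` is derived from `encoded_len`, a `Sint32` that the line above assigns from the `Uint32` `*audio_len`; a chunk length above `0x7FFFFFFF` becomes negative there, and the pointer arithmetic then yields an end pointer that is not a usable bound instead of a rejected input. A range check on `*audio_len` before the conversion, e.g. `if (*audio_len > 0x7FFFFFFF) { SDL_SetError("Unexpected chunk length for an IMA ADPCM decoder"); return(-1); }`, would close that gap; note it has to run before `encoded_end` is computed, and `freeable` is only assigned on the following line, so such an early exit cannot reuse the `invalid_size` path as written. Whether a data chunk that large can reach this function depends on the chunk parsing in `SDL_LoadWAV_RW`, which is outside this hunk. The decoded-length product on the two context lines that follow (`encoded_len/blockalign * wSamplesPerBlock * ...`) is likewise unchecked for overflow; that predates the commit but is worth a follow-up. The body of `IMA_ADPCM_decode` starts and ends outside this hunk.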
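Review bot: `if (encoded + 4 > encoded_end) goto invalid_size;` forms the pointer `encoded + 4` before checking it, and when fewer than 4 bytes remain that pointer lies beyond one-past-the-end of the chunk, which is undefined behaviour in C even when it is only compared; the portable spelling is `if (encoded_end - encoded < 4) goto invalid_size;`. The identical check added in the `@@ -384,6 +386,7 @@` hunk has the same shape and should change with it. The outer `while ( encoded_len >= ...blockalign )` already gates each block on `encoded_len`, so this check should only fire when `encoded_len` and the real buffer extent disagree; how `encoded_len` is decremented is outside the hunk, so it is worth confirming the two counters cannot drift apart. The enclosing loop and function continue outside this hunk.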
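Review bot: The `invalid_size` path frees `freeable`, the original input buffer, but not the output buffer that the function allocates earlier ("Allocate the proper sized output buffer" in the `@@ -347` hunk, allocation itself outside the hunk) and presumably stores in `*audio_buf`; if the caller does not release `*audio_buf` on a `-1` return, every rejected input leaks that allocation, and `*audio_len` is left holding the expected decoded length rather than a size that matches what the caller now owns. Unless the caller's contract says otherwise, the error path should release and reset the outputs: `SDL_free(*audio_buf); *audio_buf = NULL; *audio_len = 0;` before `return(-1);`. A one-line comment on the label, `/* chunk shorter than the format promised; free both buffers and report */`, would also document the ownership decision. The function begins outside this hunk.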