1*4882a593Smuzhiyun# HG changeset patch
2*4882a593Smuzhiyun# User Petr Písař <ppisar@redhat.com>
3*4882a593Smuzhiyun# Date 1560182783 25200
4*4882a593Smuzhiyun# Mon Jun 10 09:06:23 2019 -0700
5*4882a593Smuzhiyun# Branch SDL-1.2
6*4882a593Smuzhiyun# Node ID fcbecae427951bac1684baaba2ade68221315140
7*4882a593Smuzhiyun# Parent a8afedbcaea0e84921dc770195c4699bda3ccdc5
8*4882a593SmuzhiyunCVE-2019-7573, CVE-2019-7576: Fix buffer overreads in InitMS_ADPCM
9*4882a593SmuzhiyunIf MS ADPCM format chunk was too short, InitMS_ADPCM() parsing it
10*4882a593Smuzhiyuncould read past the end of chunk data. This patch fixes it.
11*4882a593Smuzhiyun
12*4882a593SmuzhiyunCVE-2019-7573
13*4882a593Smuzhiyunhttps://bugzilla.libsdl.org/show_bug.cgi?id=4491
14*4882a593SmuzhiyunCVE-2019-7576
15*4882a593Smuzhiyunhttps://bugzilla.libsdl.org/show_bug.cgi?id=4490
16*4882a593Smuzhiyun
17*4882a593SmuzhiyunSigned-off-by: Petr Písař <ppisar@redhat.com>
18*4882a593Smuzhiyun
19*4882a593SmuzhiyunCVE: CVE-2019-7573
20*4882a593SmuzhiyunCVE: CVE-2019-7576
21*4882a593SmuzhiyunUpstream-Status: Backport
22*4882a593SmuzhiyunSigned-off-by: Anuj Mittal <anuj.mittal@intel.com>
23*4882a593Smuzhiyun
24*4882a593Smuzhiyundiff -r a8afedbcaea0 -r fcbecae42795 src/audio/SDL_wave.c
25*4882a593Smuzhiyun--- a/src/audio/SDL_wave.c Mon Jun 10 08:57:11 2019 -0700
26*4882a593Smuzhiyun+++ b/src/audio/SDL_wave.c Mon Jun 10 09:06:23 2019 -0700
27*4882a593Smuzhiyun@@ -44,12 +44,13 @@
28*4882a593Smuzhiyun struct MS_ADPCM_decodestate state[2];
29*4882a593Smuzhiyun } MS_ADPCM_state;
30*4882a593Smuzhiyun 
31*4882a593Smuzhiyun-static int InitMS_ADPCM(WaveFMT *format)
32*4882a593Smuzhiyun+static int InitMS_ADPCM(WaveFMT *format, int length)
33*4882a593Smuzhiyun {
34*4882a593Smuzhiyun- Uint8 *rogue_feel;
35*4882a593Smuzhiyun+ Uint8 *rogue_feel, *rogue_feel_end;
36*4882a593Smuzhiyun int i;
37*4882a593Smuzhiyun 
38*4882a593Smuzhiyun /* Set the rogue pointer to the MS_ADPCM specific data */
39*4882a593Smuzhiyun+ if (length < sizeof(*format)) goto too_short;
40*4882a593Smuzhiyun MS_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding);
41*4882a593Smuzhiyun MS_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels);
42*4882a593Smuzhiyun MS_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency);
43*4882a593Smuzhiyun@@ -58,9 +59,11 @@
44*4882a593Smuzhiyun MS_ADPCM_state.wavefmt.bitspersample =
45*4882a593Smuzhiyun SDL_SwapLE16(format->bitspersample);
46*4882a593Smuzhiyun rogue_feel = (Uint8 *)format+sizeof(*format);
47*4882a593Smuzhiyun+ rogue_feel_end = (Uint8 *)format + length;
48*4882a593Smuzhiyun if ( sizeof(*format) == 16 ) {
49*4882a593Smuzhiyun rogue_feel += sizeof(Uint16);
50*4882a593Smuzhiyun }
51*4882a593Smuzhiyun+ if (rogue_feel + 4 > rogue_feel_end) goto too_short;
52*4882a593Smuzhiyun MS_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1]<<8)|rogue_feel[0]);
53*4882a593Smuzhiyun rogue_feel += sizeof(Uint16);
54*4882a593Smuzhiyun MS_ADPCM_state.wNumCoef = ((rogue_feel[1]<<8)|rogue_feel[0]);
55*4882a593Smuzhiyun@@ -70,12 +73,16 @@
56*4882a593Smuzhiyun return(-1);
57*4882a593Smuzhiyun }
58*4882a593Smuzhiyun for ( i=0; i<MS_ADPCM_state.wNumCoef; ++i ) {
59*4882a593Smuzhiyun+ if (rogue_feel + 4 > rogue_feel_end) goto too_short;
60*4882a593Smuzhiyun MS_ADPCM_state.aCoeff[i][0] = ((rogue_feel[1]<<8)|rogue_feel[0]);
61*4882a593Smuzhiyun rogue_feel += sizeof(Uint16);
62*4882a593Smuzhiyun MS_ADPCM_state.aCoeff[i][1] = ((rogue_feel[1]<<8)|rogue_feel[0]);
63*4882a593Smuzhiyun rogue_feel += sizeof(Uint16);
64*4882a593Smuzhiyun }
65*4882a593Smuzhiyun return(0);
66*4882a593Smuzhiyun+too_short:
67*4882a593Smuzhiyun+ SDL_SetError("Unexpected length of a chunk with a MS ADPCM format");
68*4882a593Smuzhiyun+ return(-1);
69*4882a593Smuzhiyun }
70*4882a593Smuzhiyun 
71*4882a593Smuzhiyun static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state,
72*4882a593Smuzhiyun@@ -495,7 +502,7 @@
73*4882a593Smuzhiyun break;
74*4882a593Smuzhiyun case MS_ADPCM_CODE:
75*4882a593Smuzhiyun /* Try to understand this */
76*4882a593Smuzhiyun- if ( InitMS_ADPCM(format) < 0 ) {
77*4882a593Smuzhiyun+ if ( InitMS_ADPCM(format, lenread) < 0 ) {
78*4882a593Smuzhiyun was_error = 1;
79*4882a593Smuzhiyun goto done;
80*4882a593Smuzhiyun }
81
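Review bot: The new bounds checks in the `@@ -58` and `@@ -70` hunks of InitMS_ADPCM are pointer comparisons, `rogue_feel + 4 > rogue_feel_end`, which in the very case they guard against form a pointer more than one past the end of the chunk buffer; that is undefined in C even though no byte is read, so the same test on the remaining length, `if (rogue_feel_end - rogue_feel < 4) goto too_short;` at both sites, is the well-defined form. The `sizeof(*format) == 16` branch just above the first check advances `rogue_feel` by two bytes before any check, so a length check should come before that skip as well as after it. In the `@@ -44` hunk, `length < sizeof(*format)` compares an `int` with a `size_t`, so a negative length converts to a large unsigned value and passes the guard; the caller appears to reject a negative `lenread` before this call (outside the hunk), but `if (length < 0 || (size_t)length < sizeof(*format)) goto too_short;` keeps the guard self-contained and avoids the sign-compare warning. The `wNumCoef != 7` check that bounds the `aCoeff` loop lies between the hunks and is not shown here.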