diff options
| author | Omar Vega Ramos <ovruni@gnu.org.pe> | 2020-04-03 14:03:34 -0500 |
|---|---|---|
| committer | Omar Vega Ramos <ovruni@gnu.org.pe> | 2020-04-03 14:04:49 -0500 |
| commit | 9fc410f3ecdc790c30599ea74cc9d74a8792115d (patch) | |
| tree | 6053229bd240fa0d0612c62c84a06d59805a73ac /libre/sdl/SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch | |
| parent | 6d40c7a496a53725f05ab36599b185ac9b3780bc (diff) | |
| download | abslibre-9fc410f3ecdc790c30599ea74cc9d74a8792115d.tar.gz abslibre-9fc410f3ecdc790c30599ea74cc9d74a8792115d.tar.bz2 abslibre-9fc410f3ecdc790c30599ea74cc9d74a8792115d.zip | |
sdl-1.2.15-13.parabola1: rebuild
Diffstat (limited to 'libre/sdl/SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch')
| -rw-r--r-- | libre/sdl/SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch | 64 |
1 files changed, 64 insertions, 0 deletions
diff --git a/libre/sdl/SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch b/libre/sdl/SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch new file mode 100644 index 000000000..2c17831df --- /dev/null +++ b/libre/sdl/SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch @@ -0,0 +1,64 @@ +From 6086741bda4d43cc227500bc7645a829380e6326 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com> +Date: Fri, 15 Feb 2019 09:21:45 +0100 +Subject: [PATCH] CVE-2019-7572: Fix a buffer overwrite in IMA_ADPCM_decode +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If data chunk was longer than expected based on a WAV format +definition, IMA_ADPCM_decode() tried to write past the output +buffer. This patch fixes it. + +Based on patch from +<https://bugzilla.libsdl.org/show_bug.cgi?id=4496>. + +CVE-2019-7572 +https://bugzilla.libsdl.org/show_bug.cgi?id=4495 + +Signed-off-by: Petr Písař <ppisar@redhat.com> +--- + src/audio/SDL_wave.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c +index 69d62dc..91e89e8 100644 +--- a/src/audio/SDL_wave.c ++++ b/src/audio/SDL_wave.c +@@ -336,7 +336,7 @@ static void Fill_IMA_ADPCM_block(Uint8 *decoded, Uint8 *encoded, + static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + { + struct IMA_ADPCM_decodestate *state; +- Uint8 *freeable, *encoded, *encoded_end, *decoded; ++ Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end; + Sint32 encoded_len, samplesleft; + unsigned int c, channels; + +@@ -363,6 +363,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + return(-1); + } + decoded = *audio_buf; ++ decoded_end = decoded + *audio_len; + + /* Get ready... Go! */ + while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) { +@@ -382,6 +383,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + } + + /* Store the initial sample we start with */ ++ if (decoded + 2 > decoded_end) goto invalid_size; + decoded[0] = (Uint8)(state[c].sample&0xFF); + decoded[1] = (Uint8)(state[c].sample>>8); + decoded += 2; +@@ -392,6 +394,8 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + while ( samplesleft > 0 ) { + for ( c=0; c<channels; ++c ) { + if (encoded + 4 > encoded_end) goto invalid_size; ++ if (decoded + 4 * 4 * channels > decoded_end) ++ goto invalid_size; + Fill_IMA_ADPCM_block(decoded, encoded, + c, channels, &state[c]); + encoded += 4; +-- +2.20.1 + |