diff options
author | David P <megver83@parabola.nu> | 2022-05-22 16:50:38 -0400 |
---|---|---|
committer | David P <megver83@parabola.nu> | 2022-05-22 16:50:38 -0400 |
commit | a3b5e5acd774ce8d48d647e5a35f2ce2c7e505c7 (patch) | |
tree | 353b8200faef8a8705159d9166e32b88498b0b23 /libre/sdl/SDL-1.2.15-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch | |
parent | be96d1ccac7ec443b1a43f82448fd05408e26d97 (diff) | |
download | abslibre-a3b5e5acd774ce8d48d647e5a35f2ce2c7e505c7.tar.gz abslibre-a3b5e5acd774ce8d48d647e5a35f2ce2c7e505c7.tar.bz2 abslibre-a3b5e5acd774ce8d48d647e5a35f2ce2c7e505c7.zip |
deprecate sdl
Signed-off-by: David P <megver83@parabola.nu>
Diffstat (limited to 'libre/sdl/SDL-1.2.15-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch')
-rw-r--r-- | libre/sdl/SDL-1.2.15-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch | 67 |
1 files changed, 0 insertions, 67 deletions
diff --git a/libre/sdl/SDL-1.2.15-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch b/libre/sdl/SDL-1.2.15-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch deleted file mode 100644 index b0a89de20..000000000 --- a/libre/sdl/SDL-1.2.15-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch +++ /dev/null @@ -1,67 +0,0 @@ -From 0eb76f6cabcffa2104e34c26e0f41e6de95356ff Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com> -Date: Fri, 15 Feb 2019 10:56:59 +0100 -Subject: [PATCH] CVE-2019-7578: Fix a buffer overread in InitIMA_ADPCM -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -If IMA ADPCM format chunk was too short, InitIMA_ADPCM() parsing it -could read past the end of chunk data. This patch fixes it. - -CVE-2019-7578 -https://bugzilla.libsdl.org/show_bug.cgi?id=4494 - -Signed-off-by: Petr Písař <ppisar@redhat.com> ---- - src/audio/SDL_wave.c | 12 +++++++++--- - 1 file changed, 9 insertions(+), 3 deletions(-) - -diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c -index 1d446ed..08f65cb 100644 ---- a/src/audio/SDL_wave.c -+++ b/src/audio/SDL_wave.c -@@ -240,11 +240,12 @@ static struct IMA_ADPCM_decoder { - struct IMA_ADPCM_decodestate state[2]; - } IMA_ADPCM_state; - --static int InitIMA_ADPCM(WaveFMT *format) -+static int InitIMA_ADPCM(WaveFMT *format, int length) - { -- Uint8 *rogue_feel; -+ Uint8 *rogue_feel, *rogue_feel_end; - - /* Set the rogue pointer to the IMA_ADPCM specific data */ -+ if (length < sizeof(*format)) goto too_short; - IMA_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding); - IMA_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels); - IMA_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency); -@@ -253,11 +254,16 @@ static int InitIMA_ADPCM(WaveFMT *format) - IMA_ADPCM_state.wavefmt.bitspersample = - SDL_SwapLE16(format->bitspersample); - rogue_feel = (Uint8 *)format+sizeof(*format); -+ rogue_feel_end = (Uint8 *)format + length; - if ( sizeof(*format) == 16 ) { - rogue_feel += sizeof(Uint16); - } -+ if (rogue_feel + 2 > rogue_feel_end) goto too_short; - IMA_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1]<<8)|rogue_feel[0]); - return(0); -+too_short: -+ SDL_SetError("Unexpected length of a chunk with an IMA ADPCM format"); -+ return(-1); - } - - static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble) -@@ -500,7 +506,7 @@ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc, - break; - case IMA_ADPCM_CODE: - /* Try to understand this */ -- if ( InitIMA_ADPCM(format) < 0 ) { -+ if ( InitIMA_ADPCM(format, lenread) < 0 ) { - was_error = 1; - goto done; - } --- -2.20.1 - |