diff options
Diffstat (limited to 'libre/sdl/SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch')
-rw-r--r-- | libre/sdl/SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch | 75 |
1 files changed, 0 insertions, 75 deletions
diff --git a/libre/sdl/SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch b/libre/sdl/SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch deleted file mode 100644 index 23cbf9819..000000000 --- a/libre/sdl/SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch +++ /dev/null @@ -1,75 +0,0 @@ -From ac3d0d365b1f01a6782565feda0c7432a5795671 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com> -Date: Thu, 14 Feb 2019 14:12:22 +0100 -Subject: [PATCH] CVE-2019-7577: Fix a buffer overread in MS_ADPCM_decode -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -If RIFF/WAV data chunk length is shorter then expected for an audio -format defined in preceeding RIFF/WAV format headers, a buffer -overread can happen. - -This patch fixes it by checking a MS ADPCM data to be decoded are not -past the initialized buffer. - -CVE-2019-7577 -Reproducer: https://bugzilla.libsdl.org/show_bug.cgi?id=4492 - -Signed-off-by: Petr Písař <ppisar@redhat.com> ---- - src/audio/SDL_wave.c | 10 +++++++++- - 1 file changed, 9 insertions(+), 1 deletion(-) - -diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c -index b4ad6c7..e42d01c 100644 ---- a/src/audio/SDL_wave.c -+++ b/src/audio/SDL_wave.c -@@ -115,7 +115,7 @@ static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state, - static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) - { - struct MS_ADPCM_decodestate *state[2]; -- Uint8 *freeable, *encoded, *decoded; -+ Uint8 *freeable, *encoded, *encoded_end, *decoded; - Sint32 encoded_len, samplesleft; - Sint8 nybble, stereo; - Sint16 *coeff[2]; -@@ -124,6 +124,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) - /* Allocate the proper sized output buffer */ - encoded_len = *audio_len; - encoded = *audio_buf; -+ encoded_end = encoded + encoded_len; - freeable = *audio_buf; - *audio_len = (encoded_len/MS_ADPCM_state.wavefmt.blockalign) * - MS_ADPCM_state.wSamplesPerBlock* -@@ -141,6 +142,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) - state[1] = &MS_ADPCM_state.state[stereo]; - while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) { - /* Grab the initial information for this block */ -+ if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto too_short; - state[0]->hPredictor = *encoded++; - if ( stereo ) { - state[1]->hPredictor = *encoded++; -@@ -188,6 +190,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) - samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)* - MS_ADPCM_state.wavefmt.channels; - while ( samplesleft > 0 ) { -+ if (encoded + 1 > encoded_end) goto too_short; -+ - nybble = (*encoded)>>4; - new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]); - decoded[0] = new_sample&0xFF; -@@ -209,6 +213,10 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) - } - SDL_free(freeable); - return(0); -+too_short: -+ SDL_SetError("Too short chunk for a MS ADPCM decoder"); -+ SDL_free(freeable); -+ return(-1); - } - - struct IMA_ADPCM_decodestate { --- -2.20.1 - |