From bb11ffcff5ae2f25bead921c2a299e7e63d8a759 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= Date: Thu, 14 Feb 2019 16:51:54 +0100 Subject: [PATCH] CVE-2019-7572: Fix a buffer overread in IMA_ADPCM_nibble MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If an IMA ADPCM block contained an initial index out of step table range (loaded in IMA_ADPCM_decode()), IMA_ADPCM_nibble() blindly used this bogus value and that lead to a buffer overread. This patch fixes it by moving clamping the index value at the beginning of IMA_ADPCM_nibble() function instead of the end after an update. CVE-2019-7572 https://bugzilla.libsdl.org/show_bug.cgi?id=4495 Signed-off-by: Petr Písař --- src/audio/SDL_wave.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c index 2968b3d..69d62dc 100644 --- a/src/audio/SDL_wave.c +++ b/src/audio/SDL_wave.c @@ -275,6 +275,14 @@ static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble) }; Sint32 delta, step; + /* Clamp index value. The inital value can be invalid. */ + if ( state->index > 88 ) { + state->index = 88; + } else + if ( state->index < 0 ) { + state->index = 0; + } + /* Compute difference and new sample value */ step = step_table[state->index]; delta = step >> 3; @@ -286,12 +294,6 @@ static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble) /* Update index value */ state->index += index_table[nybble]; - if ( state->index > 88 ) { - state->index = 88; - } else - if ( state->index < 0 ) { - state->index = 0; - } /* Clamp output sample */ if ( state->sample > max_audioval ) { -- 2.20.1