CVE-2019-7577: Fix a buffer overread in MS_ADPCM_decode SDL-1.2
authorPetr Písař <ppisar@redhat.com>
Mon, 10 Jun 2019 08:54:11 -0700
branchSDL-1.2
changeset 12816416136310b88
parent 12815 a6e3d2f5183e
child 12817 faf9abbcfb5f
CVE-2019-7577: Fix a buffer overread in MS_ADPCM_decode
If RIFF/WAV data chunk length is shorter then expected for an audio
format defined in preceeding RIFF/WAV format headers, a buffer
overread can happen.

This patch fixes it by checking a MS ADPCM data to be decoded are not
past the initialized buffer.

CVE-2019-7577
Reproducer: https://bugzilla.libsdl.org/show_bug.cgi?id=4492

Signed-off-by: Petr Písař <ppisar@redhat.com>
src/audio/SDL_wave.c
     1.1 --- a/src/audio/SDL_wave.c	Mon Jun 10 08:50:59 2019 -0700
     1.2 +++ b/src/audio/SDL_wave.c	Mon Jun 10 08:54:11 2019 -0700
     1.3 @@ -115,7 +115,7 @@
     1.4  static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
     1.5  {
     1.6  	struct MS_ADPCM_decodestate *state[2];
     1.7 -	Uint8 *freeable, *encoded, *decoded;
     1.8 +	Uint8 *freeable, *encoded, *encoded_end, *decoded;
     1.9  	Sint32 encoded_len, samplesleft;
    1.10  	Sint8 nybble, stereo;
    1.11  	Sint16 *coeff[2];
    1.12 @@ -124,6 +124,7 @@
    1.13  	/* Allocate the proper sized output buffer */
    1.14  	encoded_len = *audio_len;
    1.15  	encoded = *audio_buf;
    1.16 +	encoded_end = encoded + encoded_len;
    1.17  	freeable = *audio_buf;
    1.18  	*audio_len = (encoded_len/MS_ADPCM_state.wavefmt.blockalign) * 
    1.19  				MS_ADPCM_state.wSamplesPerBlock*
    1.20 @@ -141,6 +142,7 @@
    1.21  	state[1] = &MS_ADPCM_state.state[stereo];
    1.22  	while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) {
    1.23  		/* Grab the initial information for this block */
    1.24 +		if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto too_short;
    1.25  		state[0]->hPredictor = *encoded++;
    1.26  		if ( stereo ) {
    1.27  			state[1]->hPredictor = *encoded++;
    1.28 @@ -188,6 +190,8 @@
    1.29  		samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)*
    1.30  					MS_ADPCM_state.wavefmt.channels;
    1.31  		while ( samplesleft > 0 ) {
    1.32 +			if (encoded + 1 > encoded_end) goto too_short;
    1.33 +
    1.34  			nybble = (*encoded)>>4;
    1.35  			new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]);
    1.36  			decoded[0] = new_sample&0xFF;
    1.37 @@ -209,6 +213,10 @@
    1.38  	}
    1.39  	SDL_free(freeable);
    1.40  	return(0);
    1.41 +too_short:
    1.42 +	SDL_SetError("Too short chunk for a MS ADPCM decoder");
    1.43 +	SDL_free(freeable);
    1.44 +	return(-1);
    1.45  }
    1.46  
    1.47  struct IMA_ADPCM_decodestate {