CVE-2019-7572: Fix a buffer overread in IMA_ADPCM_nibble SDL-1.2
author Petr Písař <ppisar@redhat.com>
Sat, 08 Jun 2019 17:57:43 -0700
branch SDL-1.2
changeset 12800 e52413f52586
parent 12786 4e73be7b4787
child 12801 388987dff7bf
CVE-2019-7572: Fix a buffer overread in IMA_ADPCM_nibble
If an IMA ADPCM block contained an initial index out of step table
range (loaded in IMA_ADPCM_decode()), IMA_ADPCM_nibble() blindly used
this bogus value and that led to a buffer overread.

This patch fixes it by moving clamping the index value at the
beginning of IMA_ADPCM_nibble() function instead of the end after
an update.

CVE-2019-7572
https://bugzilla.libsdl.org/show_bug.cgi?id=4495

Signed-off-by: Petr Písař <ppisar@redhat.com>
src/audio/SDL_wave.c
     1.1 --- a/src/audio/SDL_wave.c	Sat Jun 01 18:27:46 2019 +0100
     1.2 +++ b/src/audio/SDL_wave.c	Sat Jun 08 17:57:43 2019 -0700
     1.3 @@ -264,6 +264,14 @@
     1.4  	};
     1.5  	Sint32 delta, step;
     1.6  
     1.7 +	/* Clamp index value. The inital value can be invalid. */
     1.8 +	if ( state->index > 88 ) {
     1.9 +		state->index = 88;
    1.10 +	} else
    1.11 +	if ( state->index < 0 ) {
    1.12 +		state->index = 0;
    1.13 +	}
    1.14 +
    1.15  	/* Compute difference and new sample value */
    1.16  	step = step_table[state->index];
    1.17  	delta = step >> 3;
    1.18 @@ -275,12 +283,6 @@
    1.19  
    1.20  	/* Update index value */
    1.21  	state->index += index_table[nybble];
    1.22 -	if ( state->index > 88 ) {
    1.23 -		state->index = 88;
    1.24 -	} else
    1.25 -	if ( state->index < 0 ) {
    1.26 -		state->index = 0;
    1.27 -	}
    1.28  
    1.29  	/* Clamp output sample */
    1.30  	if ( state->sample > max_audioval ) {
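Review bot: With the clamp removed after state->index += index_table[nybble], the stored state->index can sit outside 0..88 between calls and is only brought back into range on the next entry to this function. That is safe for the step_table lookup shown in the first hunk, but any other code that reads state->index directly would now see an unclamped value. Either keep this post-update clamp in addition to the entry clamp (it is cheap, and it keeps the stored state always valid), or add a comment at the update stating that the index is deliberately left unclamped and must only be consumed through IMA_ADPCM_nibble().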