CVE-2019-7578: Fix a buffer overread in InitIMA_ADPCM

If IMA ADPCM format chunk was too short, InitIMA_ADPCM() parsing it could read past the end of chunk data. This patch fixes it. CVE-2019-7578 https://bugzilla.libsdl.org/show_bug.cgi?id=4494 Signed-off-by: Petr P?sa? <ppisar@redhat.com>
libsdl-org · Jun 9, 2019 · 3f19a6d · 3f19a6d
1 parent 316ff38
commit 3f19a6d
Showing 1 changed file with 10 additions and 5 deletions.
diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
@@ -229,25 +229,30 @@ static struct IMA_ADPCM_decoder
 } IMA_ADPCM_state;
 
 static int
-InitIMA_ADPCM(WaveFMT * format)
+InitIMA_ADPCM(WaveFMT * format, int length)
 {
-    Uint8 *rogue_feel;
+    Uint8 *rogue_feel, *rogue_feel_end;
 
     /* Set the rogue pointer to the IMA_ADPCM specific data */
+    if (length < sizeof(*format)) goto too_short;
     IMA_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding);
     IMA_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels);
     IMA_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency);
     IMA_ADPCM_state.wavefmt.byterate = SDL_SwapLE32(format->byterate);
     IMA_ADPCM_state.wavefmt.blockalign = SDL_SwapLE16(format->blockalign);
-    IMA_ADPCM_state.wavefmt.bitspersample =
-        SDL_SwapLE16(format->bitspersample);
+    IMA_ADPCM_state.wavefmt.bitspersample = SDL_SwapLE16(format->bitspersample);
     rogue_feel = (Uint8 *) format + sizeof(*format);
+    rogue_feel_end = (Uint8 *) format + length;
     if (sizeof(*format) == 16) {
         /* const Uint16 extra_info = ((rogue_feel[1] << 8) | rogue_feel[0]); */
         rogue_feel += sizeof(Uint16);
     }
+    if (rogue_feel + 2 > rogue_feel_end) goto too_short;
     IMA_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1] << 8) | rogue_feel[0]);
     return (0);
+too_short:
+    SDL_SetError("Unexpected length of a chunk with an IMA ADPCM format");
+    return (-1);
 }
 
 static Sint32
@@ -530,7 +535,7 @@ SDL_LoadWAV_RW(SDL_RWops * src, int freesrc,
         break;
     case IMA_ADPCM_CODE:
         /* Try to understand this */
-        if (InitIMA_ADPCM(format) < 0) {
+        if (InitIMA_ADPCM(format, lenread) < 0) {
             was_error = 1;
             goto done;
         }