CVE-2019-7578: Fix a buffer overread in InitIMA_ADPCM
authorSam Lantinga <slouken@libsdl.org>
Sat, 08 Jun 2019 18:07:58 -0700
changeset 12802f9a9d6c76b21
parent 12799 302904fa669a
child 12803 70d338e248c8
CVE-2019-7578: Fix a buffer overread in InitIMA_ADPCM
If IMA ADPCM format chunk was too short, InitIMA_ADPCM() parsing it
could read past the end of chunk data. This patch fixes it.

CVE-2019-7578
https://bugzilla.libsdl.org/show_bug.cgi?id=4494

Signed-off-by: Petr Písař <ppisar@redhat.com>
src/audio/SDL_wave.c
     1.1 --- a/src/audio/SDL_wave.c	Sat Jun 08 17:43:23 2019 -0700
     1.2 +++ b/src/audio/SDL_wave.c	Sat Jun 08 18:07:58 2019 -0700
     1.3 @@ -229,25 +229,30 @@
     1.4  } IMA_ADPCM_state;
     1.5  
     1.6  static int
     1.7 -InitIMA_ADPCM(WaveFMT * format)
     1.8 +InitIMA_ADPCM(WaveFMT * format, int length)
     1.9  {
    1.10 -    Uint8 *rogue_feel;
    1.11 +    Uint8 *rogue_feel, *rogue_feel_end;
    1.12  
    1.13      /* Set the rogue pointer to the IMA_ADPCM specific data */
    1.14 +    if (length < sizeof(*format)) goto too_short;
    1.15      IMA_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding);
    1.16      IMA_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels);
    1.17      IMA_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency);
    1.18      IMA_ADPCM_state.wavefmt.byterate = SDL_SwapLE32(format->byterate);
    1.19      IMA_ADPCM_state.wavefmt.blockalign = SDL_SwapLE16(format->blockalign);
    1.20 -    IMA_ADPCM_state.wavefmt.bitspersample =
    1.21 -        SDL_SwapLE16(format->bitspersample);
    1.22 +    IMA_ADPCM_state.wavefmt.bitspersample = SDL_SwapLE16(format->bitspersample);
    1.23      rogue_feel = (Uint8 *) format + sizeof(*format);
    1.24 +    rogue_feel_end = (Uint8 *) format + length;
    1.25      if (sizeof(*format) == 16) {
    1.26          /* const Uint16 extra_info = ((rogue_feel[1] << 8) | rogue_feel[0]); */
    1.27          rogue_feel += sizeof(Uint16);
    1.28      }
    1.29 +    if (rogue_feel + 2 > rogue_feel_end) goto too_short;
    1.30      IMA_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1] << 8) | rogue_feel[0]);
    1.31      return (0);
    1.32 +too_short:
    1.33 +    SDL_SetError("Unexpected length of a chunk with an IMA ADPCM format");
    1.34 +    return (-1);
    1.35  }
    1.36  
    1.37  static Sint32
    1.38 @@ -530,7 +535,7 @@
    1.39          break;
    1.40      case IMA_ADPCM_CODE:
    1.41          /* Try to understand this */
    1.42 -        if (InitIMA_ADPCM(format) < 0) {
    1.43 +        if (InitIMA_ADPCM(format, lenread) < 0) {
    1.44              was_error = 1;
    1.45              goto done;
    1.46          }