From 6086741bda4d43cc227500bc7645a829380e6326 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= Date: Fri, 15 Feb 2019 09:21:45 +0100 Subject: [PATCH] CVE-2019-7572: Fix a buffer overwrite in IMA_ADPCM_decode MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If data chunk was longer than expected based on a WAV format definition, IMA_ADPCM_decode() tried to write past the output buffer. This patch fixes it. Based on patch from . CVE-2019-7572 https://bugzilla.libsdl.org/show_bug.cgi?id=4495 Signed-off-by: Petr Písař --- src/audio/SDL_wave.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c index 69d62dc..91e89e8 100644 --- a/src/audio/SDL_wave.c +++ b/src/audio/SDL_wave.c @@ -336,7 +336,7 @@ static void Fill_IMA_ADPCM_block(Uint8 *decoded, Uint8 *encoded, static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) { struct IMA_ADPCM_decodestate *state; - Uint8 *freeable, *encoded, *encoded_end, *decoded; + Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end; Sint32 encoded_len, samplesleft; unsigned int c, channels; @@ -363,6 +363,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) return(-1); } decoded = *audio_buf; + decoded_end = decoded + *audio_len; /* Get ready... Go! */ while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) { @@ -382,6 +383,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) } /* Store the initial sample we start with */ + if (decoded + 2 > decoded_end) goto invalid_size; decoded[0] = (Uint8)(state[c].sample&0xFF); decoded[1] = (Uint8)(state[c].sample>>8); decoded += 2; @@ -392,6 +394,8 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) while ( samplesleft > 0 ) { for ( c=0; c encoded_end) goto invalid_size; + if (decoded + 4 * 4 * channels > decoded_end) + goto invalid_size; Fill_IMA_ADPCM_block(decoded, encoded, c, channels, &state[c]); encoded += 4; -- 2.20.1