60 lines
1.7 KiB
Diff
60 lines
1.7 KiB
Diff
From bb11ffcff5ae2f25bead921c2a299e7e63d8a759 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
|
|
Date: Thu, 14 Feb 2019 16:51:54 +0100
|
|
Subject: [PATCH] CVE-2019-7572: Fix a buffer overread in IMA_ADPCM_nibble
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
If an IMA ADPCM block contained an initial index out of step table
|
|
range (loaded in IMA_ADPCM_decode()), IMA_ADPCM_nibble() blindly used
|
|
this bogus value and that lead to a buffer overread.
|
|
|
|
This patch fixes it by moving clamping the index value at the
|
|
beginning of IMA_ADPCM_nibble() function instead of the end after
|
|
an update.
|
|
|
|
CVE-2019-7572
|
|
https://bugzilla.libsdl.org/show_bug.cgi?id=4495
|
|
|
|
Signed-off-by: Petr Písař <ppisar@redhat.com>
|
|
---
|
|
src/audio/SDL_wave.c | 14 ++++++++------
|
|
1 file changed, 8 insertions(+), 6 deletions(-)
|
|
|
|
diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
|
|
index 2968b3d..69d62dc 100644
|
|
--- a/src/audio/SDL_wave.c
|
|
+++ b/src/audio/SDL_wave.c
|
|
@@ -275,6 +275,14 @@ static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble)
|
|
};
|
|
Sint32 delta, step;
|
|
|
|
+ /* Clamp index value. The inital value can be invalid. */
|
|
+ if ( state->index > 88 ) {
|
|
+ state->index = 88;
|
|
+ } else
|
|
+ if ( state->index < 0 ) {
|
|
+ state->index = 0;
|
|
+ }
|
|
+
|
|
/* Compute difference and new sample value */
|
|
step = step_table[state->index];
|
|
delta = step >> 3;
|
|
@@ -286,12 +294,6 @@ static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble)
|
|
|
|
/* Update index value */
|
|
state->index += index_table[nybble];
|
|
- if ( state->index > 88 ) {
|
|
- state->index = 88;
|
|
- } else
|
|
- if ( state->index < 0 ) {
|
|
- state->index = 0;
|
|
- }
|
|
|
|
/* Clamp output sample */
|
|
if ( state->sample > max_audioval ) {
|
|
--
|
|
2.20.1
|
|
|