CVE-2019-7572: Fix a buffer overread in IMA_ADPCM_nibble

ppisar · ppisar · commit 1ead4913fc23 · 2019-06-08T17:57:43.000-07:00
If an IMA ADPCM block contained an initial index out of step table range (loaded in IMA_ADPCM_decode()), IMA_ADPCM_nibble() blindly used this bogus value and that lead to a buffer overread. This patch fixes it by moving clamping the index value at the beginning of IMA_ADPCM_nibble() function instead of the end after an update. CVE-2019-7572 https://bugzilla.libsdl.org/show_bug.cgi?id=4495 Signed-off-by: Petr P?sa? <ppisar@redhat.com>
diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
@@ -264,6 +264,14 @@ static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble)
 	};
 	Sint32 delta, step;
 
+	/* Clamp index value. The inital value can be invalid. */
+	if ( state->index > 88 ) {
+		state->index = 88;
+	} else
+	if ( state->index < 0 ) {
+		state->index = 0;
+	}
+
 	/* Compute difference and new sample value */
 	step = step_table[state->index];
 	delta = step >> 3;
@@ -275,12 +283,6 @@ static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble)
 
 	/* Update index value */
 	state->index += index_table[nybble];
-	if ( state->index > 88 ) {
-		state->index = 88;
-	} else
-	if ( state->index < 0 ) {
-		state->index = 0;
-	}
 
 	/* Clamp output sample */
 	if ( state->sample > max_audioval ) {
