Skip to content

Commit 82e503c

Browse files
ppisarppisar
committed
CVE-2019-7577: Fix a buffer overread in MS_ADPCM_decode
If RIFF/WAV data chunk length is shorter then expected for an audio format defined in preceeding RIFF/WAV format headers, a buffer overread can happen. This patch fixes it by checking a MS ADPCM data to be decoded are not past the initialized buffer. CVE-2019-7577 Reproducer: https://bugzilla.libsdl.org/show_bug.cgi?id=4492 Signed-off-by: Petr P?sa? <ppisar@redhat.com>
1 parent 76871a1 commit 82e503c

File tree

1 file changed

+9
-1
lines changed

1 file changed

+9
-1
lines changed

src/audio/SDL_wave.c

+9-1
Original file line numberDiff line numberDiff line change
@@ -115,7 +115,7 @@ static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state,
115115
static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
116116
{
117117
struct MS_ADPCM_decodestate *state[2];
118-
Uint8 *freeable, *encoded, *decoded;
118+
Uint8 *freeable, *encoded, *encoded_end, *decoded;
119119
Sint32 encoded_len, samplesleft;
120120
Sint8 nybble, stereo;
121121
Sint16 *coeff[2];
@@ -124,6 +124,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
124124
/* Allocate the proper sized output buffer */
125125
encoded_len = *audio_len;
126126
encoded = *audio_buf;
127+
encoded_end = encoded + encoded_len;
127128
freeable = *audio_buf;
128129
*audio_len = (encoded_len/MS_ADPCM_state.wavefmt.blockalign) *
129130
MS_ADPCM_state.wSamplesPerBlock*
@@ -141,6 +142,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
141142
state[1] = &MS_ADPCM_state.state[stereo];
142143
while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) {
143144
/* Grab the initial information for this block */
145+
if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto too_short;
144146
state[0]->hPredictor = *encoded++;
145147
if ( stereo ) {
146148
state[1]->hPredictor = *encoded++;
@@ -188,6 +190,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
188190
samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)*
189191
MS_ADPCM_state.wavefmt.channels;
190192
while ( samplesleft > 0 ) {
193+
if (encoded + 1 > encoded_end) goto too_short;
194+
191195
nybble = (*encoded)>>4;
192196
new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]);
193197
decoded[0] = new_sample&0xFF;
@@ -209,6 +213,10 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
209213
}
210214
SDL_free(freeable);
211215
return(0);
216+
too_short:
217+
SDL_SetError("Too short chunk for a MS ADPCM decoder");
218+
SDL_free(freeable);
219+
return(-1);
212220
}
213221

214222
struct IMA_ADPCM_decodestate {

0 commit comments

Comments
 (0)