Skip to content

Commit 9e69d60

Browse files
committed
CVE-2019-7573, CVE-2019-7576: Fix buffer overreads in InitMS_ADPCM
If MS ADPCM format chunk was too short, InitMS_ADPCM() parsing it could read past the end of chunk data. This patch fixes it. CVE-2019-7573 https://bugzilla.libsdl.org/show_bug.cgi?id=4491 CVE-2019-7576 https://bugzilla.libsdl.org/show_bug.cgi?id=4490 Signed-off-by: Petr P?sa? <ppisar@redhat.com>
1 parent f22cbe4 commit 9e69d60

File tree

1 file changed

+10
-3
lines changed

1 file changed

+10
-3
lines changed

src/audio/SDL_wave.c

Lines changed: 10 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -44,12 +44,13 @@ static struct MS_ADPCM_decoder {
4444
struct MS_ADPCM_decodestate state[2];
4545
} MS_ADPCM_state;
4646

47-
static int InitMS_ADPCM(WaveFMT *format)
47+
static int InitMS_ADPCM(WaveFMT *format, int length)
4848
{
49-
Uint8 *rogue_feel;
49+
Uint8 *rogue_feel, *rogue_feel_end;
5050
int i;
5151

5252
/* Set the rogue pointer to the MS_ADPCM specific data */
53+
if (length < sizeof(*format)) goto too_short;
5354
MS_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding);
5455
MS_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels);
5556
MS_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency);
@@ -58,9 +59,11 @@ static int InitMS_ADPCM(WaveFMT *format)
5859
MS_ADPCM_state.wavefmt.bitspersample =
5960
SDL_SwapLE16(format->bitspersample);
6061
rogue_feel = (Uint8 *)format+sizeof(*format);
62+
rogue_feel_end = (Uint8 *)format + length;
6163
if ( sizeof(*format) == 16 ) {
6264
rogue_feel += sizeof(Uint16);
6365
}
66+
if (rogue_feel + 4 > rogue_feel_end) goto too_short;
6467
MS_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1]<<8)|rogue_feel[0]);
6568
rogue_feel += sizeof(Uint16);
6669
MS_ADPCM_state.wNumCoef = ((rogue_feel[1]<<8)|rogue_feel[0]);
@@ -70,12 +73,16 @@ static int InitMS_ADPCM(WaveFMT *format)
7073
return(-1);
7174
}
7275
for ( i=0; i<MS_ADPCM_state.wNumCoef; ++i ) {
76+
if (rogue_feel + 4 > rogue_feel_end) goto too_short;
7377
MS_ADPCM_state.aCoeff[i][0] = ((rogue_feel[1]<<8)|rogue_feel[0]);
7478
rogue_feel += sizeof(Uint16);
7579
MS_ADPCM_state.aCoeff[i][1] = ((rogue_feel[1]<<8)|rogue_feel[0]);
7680
rogue_feel += sizeof(Uint16);
7781
}
7882
return(0);
83+
too_short:
84+
SDL_SetError("Unexpected length of a chunk with a MS ADPCM format");
85+
return(-1);
7986
}
8087

8188
static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state,
@@ -495,7 +502,7 @@ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc,
495502
break;
496503
case MS_ADPCM_CODE:
497504
/* Try to understand this */
498-
if ( InitMS_ADPCM(format) < 0 ) {
505+
if ( InitMS_ADPCM(format, lenread) < 0 ) {
499506
was_error = 1;
500507
goto done;
501508
}

0 commit comments

Comments
 (0)