Skip to content

Commit

Permalink
CVE-2019-7575: Fix a buffer overwrite in MS_ADPCM_decode
Browse files Browse the repository at this point in the history
If a WAV format defines shorter audio stream and decoded MS ADPCM data chunk
is longer, decoding continued past the output audio buffer.

This fix is based on a patch from
<https://bugzilla.libsdl.org/show_bug.cgi?id=4492>.

https://bugzilla.libsdl.org/show_bug.cgi?id=4493
CVE-2019-7575

Signed-off-by: Petr P?sa? <ppisar@redhat.com>
  • Loading branch information
ppisar committed Jun 10, 2019
1 parent 9e69d60 commit c68e000
Showing 1 changed file with 8 additions and 5 deletions.
13 changes: 8 additions & 5 deletions src/audio/SDL_wave.c
Original file line number Diff line number Diff line change
Expand Up @@ -122,7 +122,7 @@ static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state,
static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
{
struct MS_ADPCM_decodestate *state[2];
Uint8 *freeable, *encoded, *encoded_end, *decoded;
Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end;
Sint32 encoded_len, samplesleft;
Sint8 nybble, stereo;
Sint16 *coeff[2];
Expand All @@ -142,14 +142,15 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
return(-1);
}
decoded = *audio_buf;
decoded_end = decoded + *audio_len;

/* Get ready... Go! */
stereo = (MS_ADPCM_state.wavefmt.channels == 2);
state[0] = &MS_ADPCM_state.state[0];
state[1] = &MS_ADPCM_state.state[stereo];
while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) {
/* Grab the initial information for this block */
if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto too_short;
if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto invalid_size;
state[0]->hPredictor = *encoded++;
if ( stereo ) {
state[1]->hPredictor = *encoded++;
Expand Down Expand Up @@ -179,6 +180,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
coeff[1] = MS_ADPCM_state.aCoeff[state[1]->hPredictor];

/* Store the two initial samples we start with */
if (decoded + 4 + (stereo ? 4 : 0) > decoded_end) goto invalid_size;
decoded[0] = state[0]->iSamp2&0xFF;
decoded[1] = state[0]->iSamp2>>8;
decoded += 2;
Expand All @@ -200,7 +202,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)*
MS_ADPCM_state.wavefmt.channels;
while ( samplesleft > 0 ) {
if (encoded + 1 > encoded_end) goto too_short;
if (encoded + 1 > encoded_end) goto invalid_size;
if (decoded + 4 > decoded_end) goto invalid_size;

nybble = (*encoded)>>4;
new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]);
Expand All @@ -223,8 +226,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
}
SDL_free(freeable);
return(0);
too_short:
SDL_SetError("Too short chunk for a MS ADPCM decoder");
invalid_size:
SDL_SetError("Unexpected chunk length for a MS ADPCM decoder");
SDL_free(freeable);
return(-1);
invalid_predictor:
Expand Down

0 comments on commit c68e000

Please sign in to comment.