Skip to content

Commit

Permalink
CVE-2019-7572: Fix a buffer overwrite in IMA_ADPCM_decode
Browse files Browse the repository at this point in the history
If data chunk was longer than expected based on a WAV format
definition, IMA_ADPCM_decode() tried to write past the output
buffer. This patch fixes it.

Based on patch from
<https://bugzilla.libsdl.org/show_bug.cgi?id=4496>.

CVE-2019-7572
https://bugzilla.libsdl.org/show_bug.cgi?id=4495

Signed-off-by: Petr P?sa? <ppisar@redhat.com>
  • Loading branch information
ppisar committed Jun 10, 2019
1 parent 68f914a commit f22cbe4
Showing 1 changed file with 5 additions and 1 deletion.
6 changes: 5 additions & 1 deletion src/audio/SDL_wave.c
Original file line number Diff line number Diff line change
Expand Up @@ -346,7 +346,7 @@ static void Fill_IMA_ADPCM_block(Uint8 *decoded, Uint8 *encoded,
static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
{
struct IMA_ADPCM_decodestate *state;
Uint8 *freeable, *encoded, *encoded_end, *decoded;
Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end;
Sint32 encoded_len, samplesleft;
unsigned int c, channels;

Expand All @@ -373,6 +373,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
return(-1);
}
decoded = *audio_buf;
decoded_end = decoded + *audio_len;

/* Get ready... Go! */
while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) {
Expand All @@ -392,6 +393,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
}

/* Store the initial sample we start with */
if (decoded + 2 > decoded_end) goto invalid_size;
decoded[0] = (Uint8)(state[c].sample&0xFF);
decoded[1] = (Uint8)(state[c].sample>>8);
decoded += 2;
Expand All @@ -402,6 +404,8 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
while ( samplesleft > 0 ) {
for ( c=0; c<channels; ++c ) {
if (encoded + 4 > encoded_end) goto invalid_size;
if (decoded + 4 * 4 * channels > decoded_end)
goto invalid_size;
Fill_IMA_ADPCM_block(decoded, encoded,
c, channels, &state[c]);
encoded += 4;
Expand Down

0 comments on commit f22cbe4

Please sign in to comment.