Skip to content
Permalink
Browse files
CVE-2019-7578: Fix a buffer overread in InitIMA_ADPCM
If IMA ADPCM format chunk was too short, InitIMA_ADPCM() parsing it
could read past the end of chunk data. This patch fixes it.

CVE-2019-7578
https://bugzilla.libsdl.org/show_bug.cgi?id=4494

Signed-off-by: Petr P?sa? <ppisar@redhat.com>
  • Loading branch information
slouken committed Jun 9, 2019
1 parent 316ff38 commit 3f19a6d5e85c71df0fb2b4626b943457d38c2031
Showing with 10 additions and 5 deletions.
  1. +10 −5 src/audio/SDL_wave.c
@@ -229,25 +229,30 @@ static struct IMA_ADPCM_decoder
} IMA_ADPCM_state;

static int
InitIMA_ADPCM(WaveFMT * format)
InitIMA_ADPCM(WaveFMT * format, int length)
{
Uint8 *rogue_feel;
Uint8 *rogue_feel, *rogue_feel_end;

/* Set the rogue pointer to the IMA_ADPCM specific data */
if (length < sizeof(*format)) goto too_short;
IMA_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding);
IMA_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels);
IMA_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency);
IMA_ADPCM_state.wavefmt.byterate = SDL_SwapLE32(format->byterate);
IMA_ADPCM_state.wavefmt.blockalign = SDL_SwapLE16(format->blockalign);
IMA_ADPCM_state.wavefmt.bitspersample =
SDL_SwapLE16(format->bitspersample);
IMA_ADPCM_state.wavefmt.bitspersample = SDL_SwapLE16(format->bitspersample);
rogue_feel = (Uint8 *) format + sizeof(*format);
rogue_feel_end = (Uint8 *) format + length;
if (sizeof(*format) == 16) {
/* const Uint16 extra_info = ((rogue_feel[1] << 8) | rogue_feel[0]); */
rogue_feel += sizeof(Uint16);
}
if (rogue_feel + 2 > rogue_feel_end) goto too_short;
IMA_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1] << 8) | rogue_feel[0]);
return (0);
too_short:
SDL_SetError("Unexpected length of a chunk with an IMA ADPCM format");
return (-1);
}

static Sint32
@@ -530,7 +535,7 @@ SDL_LoadWAV_RW(SDL_RWops * src, int freesrc,
break;
case IMA_ADPCM_CODE:
/* Try to understand this */
if (InitIMA_ADPCM(format) < 0) {
if (InitIMA_ADPCM(format, lenread) < 0) {
was_error = 1;
goto done;
}

0 comments on commit 3f19a6d

Please sign in to comment.