CVE-2019-7578: Fix a buffer overread in InitIMA_ADPCM

If IMA ADPCM format chunk was too short, InitIMA_ADPCM() parsing it
could read past the end of chunk data. This patch fixes it.

CVE-2019-7578
https://bugzilla.libsdl.org/show_bug.cgi?id=4494

Signed-off-by: Petr P?sa? <ppisar@redhat.com>
This commit is contained in:
Sam Lantinga 2019-06-08 18:07:58 -07:00
parent 316ff3847b
commit 3f19a6d5e8

View file

@ -229,25 +229,30 @@ static struct IMA_ADPCM_decoder
} IMA_ADPCM_state;
static int
InitIMA_ADPCM(WaveFMT * format)
InitIMA_ADPCM(WaveFMT * format, int length)
{
Uint8 *rogue_feel;
Uint8 *rogue_feel, *rogue_feel_end;
/* Set the rogue pointer to the IMA_ADPCM specific data */
if (length < sizeof(*format)) goto too_short;
IMA_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding);
IMA_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels);
IMA_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency);
IMA_ADPCM_state.wavefmt.byterate = SDL_SwapLE32(format->byterate);
IMA_ADPCM_state.wavefmt.blockalign = SDL_SwapLE16(format->blockalign);
IMA_ADPCM_state.wavefmt.bitspersample =
SDL_SwapLE16(format->bitspersample);
IMA_ADPCM_state.wavefmt.bitspersample = SDL_SwapLE16(format->bitspersample);
rogue_feel = (Uint8 *) format + sizeof(*format);
rogue_feel_end = (Uint8 *) format + length;
if (sizeof(*format) == 16) {
/* const Uint16 extra_info = ((rogue_feel[1] << 8) | rogue_feel[0]); */
rogue_feel += sizeof(Uint16);
}
if (rogue_feel + 2 > rogue_feel_end) goto too_short;
IMA_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1] << 8) | rogue_feel[0]);
return (0);
too_short:
SDL_SetError("Unexpected length of a chunk with an IMA ADPCM format");
return (-1);
}
static Sint32
@ -530,7 +535,7 @@ SDL_LoadWAV_RW(SDL_RWops * src, int freesrc,
break;
case IMA_ADPCM_CODE:
/* Try to understand this */
if (InitIMA_ADPCM(format) < 0) {
if (InitIMA_ADPCM(format, lenread) < 0) {
was_error = 1;
goto done;
}