File CVE-2019-7572.patch of Package SDL2.10487

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2019-7572.patch of Package SDL2.10487

diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
index 9341f83..e125ac4 100644
--- a/src/audio/SDL_wave.c
+++ b/src/audio/SDL_wave.c
@@ -284,6 +284,13 @@ IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state, Uint8 nybble)
     };
     Sint32 delta, step;
 
+   if ( state->index > 88 ) {
+       state->index = 88;
+   } else
+   if ( state->index < 0 ) {
+       state->index = 0;
+   }
+
     /* Compute difference and new sample value */
     if (state->index > 88) {
         state->index = 88;
@@ -349,7 +356,7 @@ static int
 IMA_ADPCM_decode(Uint8 ** audio_buf, Uint32 * audio_len)
 {
     struct IMA_ADPCM_decodestate *state;
-    Uint8 *freeable, *encoded, *encoded_end, *decoded;
+    Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end;
     Sint32 encoded_len, samplesleft;
     unsigned int c, channels;
 
@@ -375,6 +382,7 @@ IMA_ADPCM_decode(Uint8 ** audio_buf, Uint32 * audio_len)
         return SDL_OutOfMemory();
     }
     decoded = *audio_buf;
+    decoded_end = decoded + *audio_len;
 
     /* Get ready... Go! */
     while (encoded_len >= IMA_ADPCM_state.wavefmt.blockalign) {
@@ -394,6 +402,7 @@ IMA_ADPCM_decode(Uint8 ** audio_buf, Uint32 * audio_len)
             }
 
             /* Store the initial sample we start with */
+            if (decoded + 2 > decoded_end) goto invalid_size;
             decoded[0] = (Uint8) (state[c].sample & 0xFF);
             decoded[1] = (Uint8) (state[c].sample >> 8);
             decoded += 2;
@@ -404,6 +413,7 @@ IMA_ADPCM_decode(Uint8 ** audio_buf, Uint32 * audio_len)
         while (samplesleft > 0) {
             for (c = 0; c < channels; ++c) {
                 if (encoded + 4 > encoded_end) goto invalid_size;
+                if (decoded + 4 * 4 * channels > decoded_end) goto invalid_size;
                 Fill_IMA_ADPCM_block(decoded, encoded,
                                      c, channels, &state[c]);
                 encoded += 4;

Places

File CVE-2019-7572.patch of Package SDL2.10487

Places