File CVE-2019-7574.patch of Package SDL2.10487

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2019-7574.patch of Package SDL2.10487

diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
index b2c3955..9341f83 100644
--- a/src/audio/SDL_wave.c
+++ b/src/audio/SDL_wave.c
@@ -349,7 +349,7 @@ static int
 IMA_ADPCM_decode(Uint8 ** audio_buf, Uint32 * audio_len)
 {
     struct IMA_ADPCM_decodestate *state;
-    Uint8 *freeable, *encoded, *decoded;
+    Uint8 *freeable, *encoded, *encoded_end, *decoded;
     Sint32 encoded_len, samplesleft;
     unsigned int c, channels;
 
@@ -365,6 +365,7 @@ IMA_ADPCM_decode(Uint8 ** audio_buf, Uint32 * audio_len)
     /* Allocate the proper sized output buffer */
     encoded_len = *audio_len;
     encoded = *audio_buf;
+    encoded_end = encoded + encoded_len;
     freeable = *audio_buf;
     *audio_len = (encoded_len / IMA_ADPCM_state.wavefmt.blockalign) *
         IMA_ADPCM_state.wSamplesPerBlock *
@@ -379,6 +380,7 @@ IMA_ADPCM_decode(Uint8 ** audio_buf, Uint32 * audio_len)
     while (encoded_len >= IMA_ADPCM_state.wavefmt.blockalign) {
         /* Grab the initial information for this block */
         for (c = 0; c < channels; ++c) {
+            if (encoded + 4 > encoded_end) goto invalid_size;
             /* Fill the state information for this block */
             state[c].sample = ((encoded[1] << 8) | encoded[0]);
             encoded += 2;
@@ -401,6 +403,7 @@ IMA_ADPCM_decode(Uint8 ** audio_buf, Uint32 * audio_len)
         samplesleft = (IMA_ADPCM_state.wSamplesPerBlock - 1) * channels;
         while (samplesleft > 0) {
             for (c = 0; c < channels; ++c) {
+                if (encoded + 4 > encoded_end) goto invalid_size;
                 Fill_IMA_ADPCM_block(decoded, encoded,
                                      c, channels, &state[c]);
                 encoded += 4;
@@ -412,6 +415,10 @@ IMA_ADPCM_decode(Uint8 ** audio_buf, Uint32 * audio_len)
     }
     SDL_free(freeable);
     return (0);
+invalid_size:
+   SDL_SetError("Unexpected chunk length for an IMA ADPCM decoder");
+   SDL_free(freeable);
+   return(-1);
 }

Places

File CVE-2019-7574.patch of Package SDL2.10487

Places