File CVE-2019-7575.patch of Package SDL2.10487

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2019-7575.patch of Package SDL2.10487

diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
index 1ead549..b2c3955 100644
--- a/src/audio/SDL_wave.c
+++ b/src/audio/SDL_wave.c
@@ -119,7 +119,7 @@ static int
 MS_ADPCM_decode(Uint8 ** audio_buf, Uint32 * audio_len)
 {
     struct MS_ADPCM_decodestate *state[2];
-    Uint8 *freeable, *encoded, *encoded_end, *decoded;
+    Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end;
     Sint32 encoded_len, samplesleft;
     Sint8 nybble;
     Uint8 stereo;
@@ -139,6 +139,7 @@ MS_ADPCM_decode(Uint8 ** audio_buf, Uint32 * audio_len)
         return SDL_OutOfMemory();
     }
     decoded = *audio_buf;
+    decoded_end = decoded + *audio_len;
 
     /* Get ready... Go! */
     stereo = (MS_ADPCM_state.wavefmt.channels == 2);
@@ -146,7 +147,7 @@ MS_ADPCM_decode(Uint8 ** audio_buf, Uint32 * audio_len)
     state[1] = &MS_ADPCM_state.state[stereo];
     while (encoded_len >= MS_ADPCM_state.wavefmt.blockalign) {
         /* Grab the initial information for this block */
-        if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto too_short;
+        if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto invalid_size;
         state[0]->hPredictor = *encoded++;
         if (stereo) {
             state[1]->hPredictor = *encoded++;
@@ -173,6 +174,7 @@ MS_ADPCM_decode(Uint8 ** audio_buf, Uint32 * audio_len)
         coeff[1] = MS_ADPCM_state.aCoeff[state[1]->hPredictor];
 
         /* Store the two initial samples we start with */
+        if (decoded + 4 + (stereo ? 4 : 0) > decoded_end) goto invalid_size;
         decoded[0] = state[0]->iSamp2 & 0xFF;
         decoded[1] = state[0]->iSamp2 >> 8;
         decoded += 2;
@@ -194,7 +196,8 @@ MS_ADPCM_decode(Uint8 ** audio_buf, Uint32 * audio_len)
         samplesleft = (MS_ADPCM_state.wSamplesPerBlock - 2) *
             MS_ADPCM_state.wavefmt.channels;
         while (samplesleft > 0) {
-            if (encoded + 1 > encoded_end) goto too_short;
+            if (encoded + 1 > encoded_end) goto invalid_size;
+            if (decoded + 4 > decoded_end) goto invalid_size;
 
             nybble = (*encoded) >> 4;
             new_sample = MS_ADPCM_nibble(state[0], nybble, coeff[0]);
@@ -217,8 +220,8 @@ MS_ADPCM_decode(Uint8 ** audio_buf, Uint32 * audio_len)
     }
     SDL_free(freeable);
     return (0);
-too_short:
-    SDL_SetError("Too short chunk for a MS ADPCM decoder");
+invalid_size:
+    SDL_SetError("Unexpected chunk length for a MS ADPCM decoder");
     SDL_free(freeable);
     return(-1);
 }

Places

File CVE-2019-7575.patch of Package SDL2.10487

Places