File CVE-2019-7577.patch of Package SDL2

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2019-7577.patch of Package SDL2 (Revision 28ef4ce912d0673625df6526091fc10d)

Currently displaying revision 28ef4ce912d0673625df6526091fc10d , Show latest

diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
index 2c76a8c..1ead549 100644
--- a/src/audio/SDL_wave.c
+++ b/src/audio/SDL_wave.c
@@ -119,7 +119,7 @@ static int
 MS_ADPCM_decode(Uint8 ** audio_buf, Uint32 * audio_len)
 {
     struct MS_ADPCM_decodestate *state[2];
-    Uint8 *freeable, *encoded, *decoded;
+    Uint8 *freeable, *encoded, *encoded_end, *decoded;
     Sint32 encoded_len, samplesleft;
     Sint8 nybble;
     Uint8 stereo;
@@ -129,6 +129,7 @@ MS_ADPCM_decode(Uint8 ** audio_buf, Uint32 * audio_len)
     /* Allocate the proper sized output buffer */
     encoded_len = *audio_len;
     encoded = *audio_buf;
+    encoded_end = encoded + encoded_len;
     freeable = *audio_buf;
     *audio_len = (encoded_len / MS_ADPCM_state.wavefmt.blockalign) *
         MS_ADPCM_state.wSamplesPerBlock *
@@ -145,6 +146,7 @@ MS_ADPCM_decode(Uint8 ** audio_buf, Uint32 * audio_len)
     state[1] = &MS_ADPCM_state.state[stereo];
     while (encoded_len >= MS_ADPCM_state.wavefmt.blockalign) {
         /* Grab the initial information for this block */
+        if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto too_short;
         state[0]->hPredictor = *encoded++;
         if (stereo) {
             state[1]->hPredictor = *encoded++;
@@ -192,6 +194,8 @@ MS_ADPCM_decode(Uint8 ** audio_buf, Uint32 * audio_len)
         samplesleft = (MS_ADPCM_state.wSamplesPerBlock - 2) *
             MS_ADPCM_state.wavefmt.channels;
         while (samplesleft > 0) {
+            if (encoded + 1 > encoded_end) goto too_short;
+
             nybble = (*encoded) >> 4;
             new_sample = MS_ADPCM_nibble(state[0], nybble, coeff[0]);
             decoded[0] = new_sample & 0xFF;
@@ -213,6 +217,10 @@ MS_ADPCM_decode(Uint8 ** audio_buf, Uint32 * audio_len)
     }
     SDL_free(freeable);
     return (0);
+too_short:
+    SDL_SetError("Too short chunk for a MS ADPCM decoder");
+    SDL_free(freeable);
+    return(-1);
 }
 
 struct IMA_ADPCM_decodestate

Places

File CVE-2019-7577.patch of Package SDL2 (Revision 28ef4ce912d0673625df6526091fc10d)

Places