File CVE-2019-7575.patch of Package SDL

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2019-7575.patch of Package SDL

diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
index e42d01c..b6c49de 100644
--- a/src/audio/SDL_wave.c
+++ b/src/audio/SDL_wave.c
@@ -115,7 +115,7 @@ static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state,
 static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
 {
 	struct MS_ADPCM_decodestate *state[2];
-	Uint8 *freeable, *encoded, *encoded_end, *decoded;
+	Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end;
 	Sint32 encoded_len, samplesleft;
 	Sint8 nybble, stereo;
 	Sint16 *coeff[2];
@@ -135,6 +135,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
 		return(-1);
 	}
 	decoded = *audio_buf;
+	decoded_end = decoded + *audio_len;
 
 	/* Get ready... Go! */
 	stereo = (MS_ADPCM_state.wavefmt.channels == 2);
@@ -142,7 +143,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
 	state[1] = &MS_ADPCM_state.state[stereo];
 	while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) {
 		/* Grab the initial information for this block */
-		if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto too_short;
+		if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto invalid_size;
 		state[0]->hPredictor = *encoded++;
 		if ( stereo ) {
 			state[1]->hPredictor = *encoded++;
@@ -169,6 +170,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
 		coeff[1] = MS_ADPCM_state.aCoeff[state[1]->hPredictor];
 
 		/* Store the two initial samples we start with */
+		if (decoded + 4 + (stereo ? 4 : 0) > decoded_end) goto invalid_size;
 		decoded[0] = state[0]->iSamp2&0xFF;
 		decoded[1] = state[0]->iSamp2>>8;
 		decoded += 2;
@@ -190,7 +192,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
 		samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)*
 					MS_ADPCM_state.wavefmt.channels;
 		while ( samplesleft > 0 ) {
-			if (encoded + 1 > encoded_end) goto too_short;
+			if (encoded + 1 > encoded_end) goto invalid_size;
+			if (decoded + 4 > decoded_end) goto invalid_size;
 
 			nybble = (*encoded)>>4;
 			new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]);
@@ -213,8 +216,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
 	}
 	SDL_free(freeable);
 	return(0);
-too_short:
-	SDL_SetError("Too short chunk for a MS ADPCM decoder");
+invalid_size:
+	SDL_SetError("Unexpected chunk length for a MS ADPCM decoder");
 	SDL_free(freeable);
 	return(-1);
 }

Places

File CVE-2019-7575.patch of Package SDL

Places