1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
|
Description: CVE-2019-7577
a buffer over-read in SDL_LoadWAV_RW in audio/SDL_wave.c.
---
Author: Abhijith PA <abhijith@debian.org>
Origin: https://bugzilla.libsdl.org/attachment.cgi?id=3694
Bug: https://bugzilla.libsdl.org/show_bug.cgi?id=4492
Last-Update: 2019-03-13
--- libsdl1.2-1.2.15.orig/src/audio/SDL_wave.c
+++ libsdl1.2-1.2.15/src/audio/SDL_wave.c
@@ -155,6 +155,9 @@ static int MS_ADPCM_decode(Uint8 **audio
if ( stereo ) {
state[1]->hPredictor = *encoded++;
}
+ if (state[0]->hPredictor >= 7 || state[1]->hPredictor >= 7) {
+ goto invalid_predictor;
+ }
state[0]->iDelta = ((encoded[1]<<8)|encoded[0]);
encoded += sizeof(Sint16);
if ( stereo ) {
@@ -227,6 +230,10 @@ invalid_size:
SDL_SetError("Unexpected chunk length for a MS ADPCM decoder");
SDL_free(freeable);
return(-1);
+invalid_predictor:
+ SDL_SetError("Invalid predictor value for a MS ADPCM decoder");
+ SDL_free(freeable);
+ return(-1);
}
struct IMA_ADPCM_decodestate {
|
