import SDL-1.2.15-38.el8

This commit is contained in:
CentOS Sources 2020-07-28 09:06:36 -04:00 committed by Stepan Oksanichenko
parent 5b8b7147ba
commit 7365e85059
12 changed files with 937 additions and 1 deletions

View File

@ -0,0 +1,61 @@
From 4b4cac39ba7988df9d8def32360dd842b707ba74 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Sat, 8 Jun 2019 17:57:43 -0700
Subject: [PATCH 01/11] CVE-2019-7572: Fix a buffer overread in
IMA_ADPCM_nibble If an IMA ADPCM block contained an initial index out of step
table range (loaded in IMA_ADPCM_decode()), IMA_ADPCM_nibble() blindly used
this bogus value and that lead to a buffer overread.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This patch fixes it by moving clamping the index value at the
beginning of IMA_ADPCM_nibble() function instead of the end after
an update.
CVE-2019-7572
https://bugzilla.libsdl.org/show_bug.cgi?id=4495
Signed-off-by: Petr Písař <ppisar@redhat.com>
--HG--
branch : SDL-1.2
---
src/audio/SDL_wave.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
index b4ad6c787..ba1fb5252 100644
--- a/src/audio/SDL_wave.c
+++ b/src/audio/SDL_wave.c
@@ -264,6 +264,14 @@ static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble)
};
Sint32 delta, step;
+ /* Clamp index value. The inital value can be invalid. */
+ if ( state->index > 88 ) {
+ state->index = 88;
+ } else
+ if ( state->index < 0 ) {
+ state->index = 0;
+ }
+
/* Compute difference and new sample value */
step = step_table[state->index];
delta = step >> 3;
@@ -275,12 +283,6 @@ static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble)
/* Update index value */
state->index += index_table[nybble];
- if ( state->index > 88 ) {
- state->index = 88;
- } else
- if ( state->index < 0 ) {
- state->index = 0;
- }
/* Clamp output sample */
if ( state->sample > max_audioval ) {
--
2.21.0

View File

@ -0,0 +1,69 @@
From 210e68f70a5a007b0664239aa557e6b9d1b3e830 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Sat, 8 Jun 2019 18:02:09 -0700
Subject: [PATCH 02/11] CVE-2019-7578: Fix a buffer overread in InitIMA_ADPCM
If IMA ADPCM format chunk was too short, InitIMA_ADPCM() parsing it could
read past the end of chunk data. This patch fixes it.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
CVE-2019-7578
https://bugzilla.libsdl.org/show_bug.cgi?id=4494
Signed-off-by: Petr Písař <ppisar@redhat.com>
--HG--
branch : SDL-1.2
---
src/audio/SDL_wave.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
index ba1fb5252..21ee4dc3c 100644
--- a/src/audio/SDL_wave.c
+++ b/src/audio/SDL_wave.c
@@ -222,11 +222,12 @@ static struct IMA_ADPCM_decoder {
struct IMA_ADPCM_decodestate state[2];
} IMA_ADPCM_state;
-static int InitIMA_ADPCM(WaveFMT *format)
+static int InitIMA_ADPCM(WaveFMT *format, int length)
{
- Uint8 *rogue_feel;
+ Uint8 *rogue_feel, *rogue_feel_end;
/* Set the rogue pointer to the IMA_ADPCM specific data */
+ if (length < sizeof(*format)) goto too_short;
IMA_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding);
IMA_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels);
IMA_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency);
@@ -235,11 +236,16 @@ static int InitIMA_ADPCM(WaveFMT *format)
IMA_ADPCM_state.wavefmt.bitspersample =
SDL_SwapLE16(format->bitspersample);
rogue_feel = (Uint8 *)format+sizeof(*format);
+ rogue_feel_end = (Uint8 *)format + length;
if ( sizeof(*format) == 16 ) {
rogue_feel += sizeof(Uint16);
}
+ if (rogue_feel + 2 > rogue_feel_end) goto too_short;
IMA_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1]<<8)|rogue_feel[0]);
return(0);
+too_short:
+ SDL_SetError("Unexpected length of a chunk with an IMA ADPCM format");
+ return(-1);
}
static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble)
@@ -471,7 +477,7 @@ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc,
break;
case IMA_ADPCM_CODE:
/* Try to understand this */
- if ( InitIMA_ADPCM(format) < 0 ) {
+ if ( InitIMA_ADPCM(format, lenread) < 0 ) {
was_error = 1;
goto done;
}
--
2.21.0

View File

@ -0,0 +1,73 @@
From db0282cbe00a64cc65ba445ea21928d72dc26d97 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Mon, 10 Jun 2019 08:50:59 -0700
Subject: [PATCH 03/11] CVE-2019-7574: Fix a buffer overread in
IMA_ADPCM_decode If data chunk was shorter than expected based on a WAV
format definition, IMA_ADPCM_decode() tried to read past the data chunk
buffer. This patch fixes it.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
CVE-2019-7574
https://bugzilla.libsdl.org/show_bug.cgi?id=4496
Signed-off-by: Petr Písař <ppisar@redhat.com>
--HG--
branch : SDL-1.2
---
src/audio/SDL_wave.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
index 21ee4dc3c..66f804421 100644
--- a/src/audio/SDL_wave.c
+++ b/src/audio/SDL_wave.c
@@ -331,7 +331,7 @@ static void Fill_IMA_ADPCM_block(Uint8 *decoded, Uint8 *encoded,
static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
{
struct IMA_ADPCM_decodestate *state;
- Uint8 *freeable, *encoded, *decoded;
+ Uint8 *freeable, *encoded, *encoded_end, *decoded;
Sint32 encoded_len, samplesleft;
unsigned int c, channels;
@@ -347,6 +347,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
/* Allocate the proper sized output buffer */
encoded_len = *audio_len;
encoded = *audio_buf;
+ encoded_end = encoded + encoded_len;
freeable = *audio_buf;
*audio_len = (encoded_len/IMA_ADPCM_state.wavefmt.blockalign) *
IMA_ADPCM_state.wSamplesPerBlock*
@@ -362,6 +363,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) {
/* Grab the initial information for this block */
for ( c=0; c<channels; ++c ) {
+ if (encoded + 4 > encoded_end) goto invalid_size;
/* Fill the state information for this block */
state[c].sample = ((encoded[1]<<8)|encoded[0]);
encoded += 2;
@@ -384,6 +386,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
samplesleft = (IMA_ADPCM_state.wSamplesPerBlock-1)*channels;
while ( samplesleft > 0 ) {
for ( c=0; c<channels; ++c ) {
+ if (encoded + 4 > encoded_end) goto invalid_size;
Fill_IMA_ADPCM_block(decoded, encoded,
c, channels, &state[c]);
encoded += 4;
@@ -395,6 +398,10 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
}
SDL_free(freeable);
return(0);
+invalid_size:
+ SDL_SetError("Unexpected chunk length for an IMA ADPCM decoder");
+ SDL_free(freeable);
+ return(-1);
}
SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc,
--
2.21.0

View File

@ -0,0 +1,76 @@
From d5ec943db7d51fccd7230c9df0c7a2e46d611f50 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Mon, 10 Jun 2019 08:54:11 -0700
Subject: [PATCH 04/11] CVE-2019-7577: Fix a buffer overread in MS_ADPCM_decode
If RIFF/WAV data chunk length is shorter then expected for an audio format
defined in preceeding RIFF/WAV format headers, a buffer overread can happen.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This patch fixes it by checking a MS ADPCM data to be decoded are not
past the initialized buffer.
CVE-2019-7577
Reproducer: https://bugzilla.libsdl.org/show_bug.cgi?id=4492
Signed-off-by: Petr Písař <ppisar@redhat.com>
--HG--
branch : SDL-1.2
---
src/audio/SDL_wave.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
index 66f804421..6c6eb14eb 100644
--- a/src/audio/SDL_wave.c
+++ b/src/audio/SDL_wave.c
@@ -115,7 +115,7 @@ static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state,
static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
{
struct MS_ADPCM_decodestate *state[2];
- Uint8 *freeable, *encoded, *decoded;
+ Uint8 *freeable, *encoded, *encoded_end, *decoded;
Sint32 encoded_len, samplesleft;
Sint8 nybble, stereo;
Sint16 *coeff[2];
@@ -124,6 +124,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
/* Allocate the proper sized output buffer */
encoded_len = *audio_len;
encoded = *audio_buf;
+ encoded_end = encoded + encoded_len;
freeable = *audio_buf;
*audio_len = (encoded_len/MS_ADPCM_state.wavefmt.blockalign) *
MS_ADPCM_state.wSamplesPerBlock*
@@ -141,6 +142,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
state[1] = &MS_ADPCM_state.state[stereo];
while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) {
/* Grab the initial information for this block */
+ if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto too_short;
state[0]->hPredictor = *encoded++;
if ( stereo ) {
state[1]->hPredictor = *encoded++;
@@ -188,6 +190,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)*
MS_ADPCM_state.wavefmt.channels;
while ( samplesleft > 0 ) {
+ if (encoded + 1 > encoded_end) goto too_short;
+
nybble = (*encoded)>>4;
new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]);
decoded[0] = new_sample&0xFF;
@@ -209,6 +213,10 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
}
SDL_free(freeable);
return(0);
+too_short:
+ SDL_SetError("Too short chunk for a MS ADPCM decoder");
+ SDL_free(freeable);
+ return(-1);
}
struct IMA_ADPCM_decodestate {
--
2.21.0

View File

@ -0,0 +1,58 @@
From 06d20617d0d5bb89a6caf5f2201c93baf03c43c2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Mon, 10 Jun 2019 08:54:29 -0700
Subject: [PATCH 05/11] CVE-2019-7577: Fix a buffer overread in MS_ADPCM_nibble
and MS_ADPCM_decode If a chunk of RIFF/WAV file with MS ADPCM encoding
contains an invalid predictor (a valid predictor's value is between 0 and 6
inclusive), a buffer overread can happen when the predictor is used as an
index into an array of MS ADPCM coefficients.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The overead happens when indexing MS_ADPCM_state.aCoeff[] array in
MS_ADPCM_decode() and later when dereferencing a coef pointer in
MS_ADPCM_nibble().
This patch fixes it by checking the MS ADPCM predictor values fit
into the valid range.
CVE-2019-7577
Reproducer: https://bugzilla.libsdl.org/show_bug.cgi?id=4492
Signed-off-by: Petr Písař <ppisar@redhat.com>
--HG--
branch : SDL-1.2
---
src/audio/SDL_wave.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
index 6c6eb14eb..3eedd20a1 100644
--- a/src/audio/SDL_wave.c
+++ b/src/audio/SDL_wave.c
@@ -147,6 +147,9 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
if ( stereo ) {
state[1]->hPredictor = *encoded++;
}
+ if (state[0]->hPredictor >= 7 || state[1]->hPredictor >= 7) {
+ goto invalid_predictor;
+ }
state[0]->iDelta = ((encoded[1]<<8)|encoded[0]);
encoded += sizeof(Sint16);
if ( stereo ) {
@@ -217,6 +220,10 @@ too_short:
SDL_SetError("Too short chunk for a MS ADPCM decoder");
SDL_free(freeable);
return(-1);
+invalid_predictor:
+ SDL_SetError("Invalid predictor value for a MS ADPCM decoder");
+ SDL_free(freeable);
+ return(-1);
}
struct IMA_ADPCM_decodestate {
--
2.21.0

View File

@ -0,0 +1,66 @@
From b637e14f849130449544c8899aed716a2f049b75 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Mon, 10 Jun 2019 08:57:11 -0700
Subject: [PATCH 06/11] CVE-2019-7572: Fix a buffer overwrite in
IMA_ADPCM_decode If data chunk was longer than expected based on a WAV format
definition, IMA_ADPCM_decode() tried to write past the output buffer. This
patch fixes it.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Based on patch from
<https://bugzilla.libsdl.org/show_bug.cgi?id=4496>.
CVE-2019-7572
https://bugzilla.libsdl.org/show_bug.cgi?id=4495
Signed-off-by: Petr Písař <ppisar@redhat.com>
--HG--
branch : SDL-1.2
---
src/audio/SDL_wave.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
index 3eedd20a1..4159eb710 100644
--- a/src/audio/SDL_wave.c
+++ b/src/audio/SDL_wave.c
@@ -346,7 +346,7 @@ static void Fill_IMA_ADPCM_block(Uint8 *decoded, Uint8 *encoded,
static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
{
struct IMA_ADPCM_decodestate *state;
- Uint8 *freeable, *encoded, *encoded_end, *decoded;
+ Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end;
Sint32 encoded_len, samplesleft;
unsigned int c, channels;
@@ -373,6 +373,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
return(-1);
}
decoded = *audio_buf;
+ decoded_end = decoded + *audio_len;
/* Get ready... Go! */
while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) {
@@ -392,6 +393,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
}
/* Store the initial sample we start with */
+ if (decoded + 2 > decoded_end) goto invalid_size;
decoded[0] = (Uint8)(state[c].sample&0xFF);
decoded[1] = (Uint8)(state[c].sample>>8);
decoded += 2;
@@ -402,6 +404,8 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
while ( samplesleft > 0 ) {
for ( c=0; c<channels; ++c ) {
if (encoded + 4 > encoded_end) goto invalid_size;
+ if (decoded + 4 * 4 * channels > decoded_end)
+ goto invalid_size;
Fill_IMA_ADPCM_block(decoded, encoded,
c, channels, &state[c]);
encoded += 4;
--
2.21.0

View File

@ -0,0 +1,84 @@
From 45ef356d8c01a3941286b35b90eb319959f20f2c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Mon, 10 Jun 2019 09:06:23 -0700
Subject: [PATCH 07/11] CVE-2019-7573, CVE-2019-7576: Fix buffer overreads in
InitMS_ADPCM If MS ADPCM format chunk was too short, InitMS_ADPCM() parsing
it could read past the end of chunk data. This patch fixes it.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
CVE-2019-7573
https://bugzilla.libsdl.org/show_bug.cgi?id=4491
CVE-2019-7576
https://bugzilla.libsdl.org/show_bug.cgi?id=4490
Signed-off-by: Petr Písař <ppisar@redhat.com>
--HG--
branch : SDL-1.2
---
src/audio/SDL_wave.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
index 4159eb710..88ac2cca6 100644
--- a/src/audio/SDL_wave.c
+++ b/src/audio/SDL_wave.c
@@ -44,12 +44,13 @@ static struct MS_ADPCM_decoder {
struct MS_ADPCM_decodestate state[2];
} MS_ADPCM_state;
-static int InitMS_ADPCM(WaveFMT *format)
+static int InitMS_ADPCM(WaveFMT *format, int length)
{
- Uint8 *rogue_feel;
+ Uint8 *rogue_feel, *rogue_feel_end;
int i;
/* Set the rogue pointer to the MS_ADPCM specific data */
+ if (length < sizeof(*format)) goto too_short;
MS_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding);
MS_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels);
MS_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency);
@@ -58,9 +59,11 @@ static int InitMS_ADPCM(WaveFMT *format)
MS_ADPCM_state.wavefmt.bitspersample =
SDL_SwapLE16(format->bitspersample);
rogue_feel = (Uint8 *)format+sizeof(*format);
+ rogue_feel_end = (Uint8 *)format + length;
if ( sizeof(*format) == 16 ) {
rogue_feel += sizeof(Uint16);
}
+ if (rogue_feel + 4 > rogue_feel_end) goto too_short;
MS_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1]<<8)|rogue_feel[0]);
rogue_feel += sizeof(Uint16);
MS_ADPCM_state.wNumCoef = ((rogue_feel[1]<<8)|rogue_feel[0]);
@@ -70,12 +73,16 @@ static int InitMS_ADPCM(WaveFMT *format)
return(-1);
}
for ( i=0; i<MS_ADPCM_state.wNumCoef; ++i ) {
+ if (rogue_feel + 4 > rogue_feel_end) goto too_short;
MS_ADPCM_state.aCoeff[i][0] = ((rogue_feel[1]<<8)|rogue_feel[0]);
rogue_feel += sizeof(Uint16);
MS_ADPCM_state.aCoeff[i][1] = ((rogue_feel[1]<<8)|rogue_feel[0]);
rogue_feel += sizeof(Uint16);
}
return(0);
+too_short:
+ SDL_SetError("Unexpected length of a chunk with a MS ADPCM format");
+ return(-1);
}
static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state,
@@ -495,7 +502,7 @@ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc,
break;
case MS_ADPCM_CODE:
/* Try to understand this */
- if ( InitMS_ADPCM(format) < 0 ) {
+ if ( InitMS_ADPCM(format, lenread) < 0 ) {
was_error = 1;
goto done;
}
--
2.21.0

View File

@ -0,0 +1,86 @@
From 730c8b917e7deecc3cdf9ac9eb20e2b7e6450356 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Mon, 10 Jun 2019 09:25:05 -0700
Subject: [PATCH 08/11] CVE-2019-7575: Fix a buffer overwrite in
MS_ADPCM_decode If a WAV format defines shorter audio stream and decoded MS
ADPCM data chunk is longer, decoding continued past the output audio buffer.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This fix is based on a patch from
<https://bugzilla.libsdl.org/show_bug.cgi?id=4492>.
https://bugzilla.libsdl.org/show_bug.cgi?id=4493
CVE-2019-7575
Signed-off-by: Petr Písař <ppisar@redhat.com>
--HG--
branch : SDL-1.2
---
src/audio/SDL_wave.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
index 88ac2cca6..5f9365147 100644
--- a/src/audio/SDL_wave.c
+++ b/src/audio/SDL_wave.c
@@ -122,7 +122,7 @@ static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state,
static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
{
struct MS_ADPCM_decodestate *state[2];
- Uint8 *freeable, *encoded, *encoded_end, *decoded;
+ Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end;
Sint32 encoded_len, samplesleft;
Sint8 nybble, stereo;
Sint16 *coeff[2];
@@ -142,6 +142,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
return(-1);
}
decoded = *audio_buf;
+ decoded_end = decoded + *audio_len;
/* Get ready... Go! */
stereo = (MS_ADPCM_state.wavefmt.channels == 2);
@@ -149,7 +150,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
state[1] = &MS_ADPCM_state.state[stereo];
while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) {
/* Grab the initial information for this block */
- if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto too_short;
+ if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto invalid_size;
state[0]->hPredictor = *encoded++;
if ( stereo ) {
state[1]->hPredictor = *encoded++;
@@ -179,6 +180,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
coeff[1] = MS_ADPCM_state.aCoeff[state[1]->hPredictor];
/* Store the two initial samples we start with */
+ if (decoded + 4 + (stereo ? 4 : 0) > decoded_end) goto invalid_size;
decoded[0] = state[0]->iSamp2&0xFF;
decoded[1] = state[0]->iSamp2>>8;
decoded += 2;
@@ -200,7 +202,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)*
MS_ADPCM_state.wavefmt.channels;
while ( samplesleft > 0 ) {
- if (encoded + 1 > encoded_end) goto too_short;
+ if (encoded + 1 > encoded_end) goto invalid_size;
+ if (decoded + 4 > decoded_end) goto invalid_size;
nybble = (*encoded)>>4;
new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]);
@@ -223,8 +226,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
}
SDL_free(freeable);
return(0);
-too_short:
- SDL_SetError("Too short chunk for a MS ADPCM decoder");
+invalid_size:
+ SDL_SetError("Unexpected chunk length for a MS ADPCM decoder");
SDL_free(freeable);
return(-1);
invalid_predictor:
--
2.21.0

View File

@ -0,0 +1,68 @@
From 974b6b063b652317f1a2df12834c829415529bc5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Tue, 11 Jun 2019 06:28:12 -0700
Subject: [PATCH 09/11] CVE-2019-7635: Reject BMP images with pixel colors out
the palette If a 1-, 4-, or 8-bit per pixel BMP image declares less used
colors than the palette offers an SDL_Surface with a palette of the indicated
number of used colors is created. If some of the image's pixel refer to a
color number higher then the maximal used colors, a subsequent bliting
operation on the surface will look up a color past a blit map (that is based
on the palette) memory. I.e. passing such SDL_Surface to e.g. an
SDL_DisplayFormat() function will result in a buffer overread in a blit
function.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This patch fixes it by validing each pixel's color to be less than the
maximal color number in the palette. A validation failure raises an
error from a SDL_LoadBMP_RW() function.
CVE-2019-7635
https://bugzilla.libsdl.org/show_bug.cgi?id=4498
Signed-off-by: Petr Písař <ppisar@redhat.com>
--HG--
branch : SDL-1.2
---
src/video/SDL_bmp.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c
index d56cfd83a..8acae3bcb 100644
--- a/src/video/SDL_bmp.c
+++ b/src/video/SDL_bmp.c
@@ -296,6 +296,12 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc)
}
*(bits+i) = (pixel>>shift);
pixel <<= ExpandBMP;
+ if ( bits[i] >= biClrUsed ) {
+ SDL_SetError(
+ "A BMP image contains a pixel with a color out of the palette");
+ was_error = SDL_TRUE;
+ goto done;
+ }
} }
break;
@@ -306,6 +312,16 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc)
was_error = SDL_TRUE;
goto done;
}
+ if ( 8 == biBitCount && palette && biClrUsed < (1 << biBitCount ) ) {
+ for ( i=0; i<surface->w; ++i ) {
+ if ( bits[i] >= biClrUsed ) {
+ SDL_SetError(
+ "A BMP image contains a pixel with a color out of the palette");
+ was_error = SDL_TRUE;
+ goto done;
+ }
+ }
+ }
#if SDL_BYTEORDER == SDL_BIG_ENDIAN
/* Byte-swap the pixels if needed. Note that the 24bpp
case has already been taken care of above. */
--
2.21.0

View File

@ -0,0 +1,56 @@
From 73161afdf77e2cf90f47c9be0bc970dadedb5d7c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Fri, 15 Feb 2019 16:52:27 +0100
Subject: [PATCH 10/11] CVE-2019-7638, CVE-2019-7636: Refuse loading BMP images
with too high number of colors
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If a BMP file that defines more colors than can fit into
a palette of color depth defined in the same BMP file is loaded by
SDL_LoadBMP_RW() function, invalid number of colors is set into
resulting SDL surface.
Then if the SDL surface is passed to SDL_DisplayFormat() function to
convert the surface format into a native video format, a buffer
overread will happen in Map1to1() or Map1toN() function
(CVE-2019-7638). (The choice of the mapping function depends on
a actual video hardware.)
In addition SDL_GetRGB() called indirectly from SDL_DisplayFormat()
performs the same buffer overread (CVE-2019-7636).
There is also probably a buffer overwrite when the SDL_LoadBMP_RW()
loads colors from a file.
This patch fixes it by refusing loading such badly damaged BMP files.
CVE-2019-7638
https://bugzilla.libsdl.org/show_bug.cgi?id=4500
CVE-2019-7636
https://bugzilla.libsdl.org/show_bug.cgi?id=4499
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
src/video/SDL_bmp.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c
index 8acae3bcb..8eadc5f66 100644
--- a/src/video/SDL_bmp.c
+++ b/src/video/SDL_bmp.c
@@ -233,6 +233,10 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc)
if ( palette ) {
if ( biClrUsed == 0 ) {
biClrUsed = 1 << biBitCount;
+ } else if ( biClrUsed > (1 << biBitCount) ) {
+ SDL_SetError("BMP file has an invalid number of colors");
+ was_error = SDL_TRUE;
+ goto done;
}
if ( biSize == 12 ) {
for ( i = 0; i < (int)biClrUsed; ++i ) {
--
2.21.0

View File

@ -0,0 +1,210 @@
From 7cafd3e820489f17f86d0d897ad9719ef54599f1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Mon, 18 Feb 2019 13:53:16 +0100
Subject: [PATCH 11/11] CVE-2019-7637: Fix in integer overflow in
SDL_CalculatePitch
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If a too large width is passed to SDL_SetVideoMode() the width travels
to SDL_CalculatePitch() where the width (e.g. 65535) is multiplied by
BytesPerPixel (e.g. 4) and the result is stored into Uint16 pitch
variable. During this arithmetics an integer overflow can happen (e.g.
the value is clamped as 65532). As a result SDL_Surface with a pitch
smaller than width * BytesPerPixel is created, too small pixel buffer
is allocated and when the SDL_Surface is processed in SDL_FillRect()
a buffer overflow occurs.
This can be reproduced with "./graywin -width 21312312313123213213213"
command.
This patch fixes is by using a very careful arithmetics in
SDL_CalculatePitch(). If an overflow is detected, an error is reported
back as a special 0 value. We assume that 0-width surfaces do not
occur in the wild. Since SDL_CalculatePitch() is a private function,
we can change the semantics.
CVE-2019-7637
https://bugzilla.libsdl.org/show_bug.cgi?id=4497
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
src/video/SDL_pixels.c | 41 +++++++++++++++++++++++++++------
src/video/gapi/SDL_gapivideo.c | 3 +++
src/video/nanox/SDL_nxvideo.c | 4 ++++
src/video/ps2gs/SDL_gsvideo.c | 3 +++
src/video/ps3/SDL_ps3video.c | 3 +++
src/video/windib/SDL_dibvideo.c | 3 +++
src/video/windx5/SDL_dx5video.c | 3 +++
src/video/x11/SDL_x11video.c | 4 ++++
8 files changed, 57 insertions(+), 7 deletions(-)
diff --git a/src/video/SDL_pixels.c b/src/video/SDL_pixels.c
index 1a7fd518f..44626b749 100644
--- a/src/video/SDL_pixels.c
+++ b/src/video/SDL_pixels.c
@@ -286,26 +286,53 @@ void SDL_DitherColors(SDL_Color *colors, int bpp)
}
}
/*
- * Calculate the pad-aligned scanline width of a surface
+ * Calculate the pad-aligned scanline width of a surface. Return 0 in case of
+ * an error.
*/
Uint16 SDL_CalculatePitch(SDL_Surface *surface)
{
- Uint16 pitch;
+ unsigned int pitch = 0;
/* Surface should be 4-byte aligned for speed */
- pitch = surface->w*surface->format->BytesPerPixel;
+ /* The code tries to prevent from an Uint16 overflow. */;
+ for (Uint8 byte = surface->format->BytesPerPixel; byte; byte--) {
+ pitch += (unsigned int)surface->w;
+ if (pitch < surface->w) {
+ SDL_SetError("A scanline is too wide");
+ return(0);
+ }
+ }
switch (surface->format->BitsPerPixel) {
case 1:
- pitch = (pitch+7)/8;
+ if (pitch % 8) {
+ pitch = pitch / 8 + 1;
+ } else {
+ pitch = pitch / 8;
+ }
break;
case 4:
- pitch = (pitch+1)/2;
+ if (pitch % 2) {
+ pitch = pitch / 2 + 1;
+ } else {
+ pitch = pitch / 2;
+ }
break;
default:
break;
}
- pitch = (pitch + 3) & ~3; /* 4-byte aligning */
- return(pitch);
+ /* 4-byte aligning */
+ if (pitch & 3) {
+ if (pitch + 3 < pitch) {
+ SDL_SetError("A scanline is too wide");
+ return(0);
+ }
+ pitch = (pitch + 3) & ~3;
+ }
+ if (pitch > 0xFFFF) {
+ SDL_SetError("A scanline is too wide");
+ return(0);
+ }
+ return((Uint16)pitch);
}
/*
* Match an RGB value to a particular palette index
diff --git a/src/video/gapi/SDL_gapivideo.c b/src/video/gapi/SDL_gapivideo.c
index 86deadc75..8a0648536 100644
--- a/src/video/gapi/SDL_gapivideo.c
+++ b/src/video/gapi/SDL_gapivideo.c
@@ -733,6 +733,9 @@ SDL_Surface *GAPI_SetVideoMode(_THIS, SDL_Surface *current,
video->w = gapi->w = width;
video->h = gapi->h = height;
video->pitch = SDL_CalculatePitch(video);
+ if (!current->pitch) {
+ return(NULL);
+ }
/* Small fix for WinCE/Win32 - when activating window
SDL_VideoSurface is equal to zero, so activating code
diff --git a/src/video/nanox/SDL_nxvideo.c b/src/video/nanox/SDL_nxvideo.c
index b188e0958..cbdd09a08 100644
--- a/src/video/nanox/SDL_nxvideo.c
+++ b/src/video/nanox/SDL_nxvideo.c
@@ -378,6 +378,10 @@ SDL_Surface * NX_SetVideoMode (_THIS, SDL_Surface * current,
current -> w = width ;
current -> h = height ;
current -> pitch = SDL_CalculatePitch (current) ;
+ if (!current->pitch) {
+ current = NULL;
+ goto done;
+ }
NX_ResizeImage (this, current, flags) ;
}
diff --git a/src/video/ps2gs/SDL_gsvideo.c b/src/video/ps2gs/SDL_gsvideo.c
index e172c60dc..329086680 100644
--- a/src/video/ps2gs/SDL_gsvideo.c
+++ b/src/video/ps2gs/SDL_gsvideo.c
@@ -479,6 +479,9 @@ static SDL_Surface *GS_SetVideoMode(_THIS, SDL_Surface *current,
current->w = width;
current->h = height;
current->pitch = SDL_CalculatePitch(current);
+ if (!current->pitch) {
+ return(NULL);
+ }
/* Memory map the DMA area for block memory transfer */
if ( ! mapped_mem ) {
diff --git a/src/video/ps3/SDL_ps3video.c b/src/video/ps3/SDL_ps3video.c
index d5519e051..17848e33a 100644
--- a/src/video/ps3/SDL_ps3video.c
+++ b/src/video/ps3/SDL_ps3video.c
@@ -339,6 +339,9 @@ static SDL_Surface *PS3_SetVideoMode(_THIS, SDL_Surface * current, int width, in
current->w = width;
current->h = height;
current->pitch = SDL_CalculatePitch(current);
+ if (!current->pitch) {
+ return(NULL);
+ }
/* Alloc aligned mem for current->pixels */
s_pixels = memalign(16, current->h * current->pitch);
diff --git a/src/video/windib/SDL_dibvideo.c b/src/video/windib/SDL_dibvideo.c
index 6187bfcf7..86ebb12a3 100644
--- a/src/video/windib/SDL_dibvideo.c
+++ b/src/video/windib/SDL_dibvideo.c
@@ -675,6 +675,9 @@ SDL_Surface *DIB_SetVideoMode(_THIS, SDL_Surface *current,
video->w = width;
video->h = height;
video->pitch = SDL_CalculatePitch(video);
+ if (!current->pitch) {
+ return(NULL);
+ }
/* Small fix for WinCE/Win32 - when activating window
SDL_VideoSurface is equal to zero, so activating code
diff --git a/src/video/windx5/SDL_dx5video.c b/src/video/windx5/SDL_dx5video.c
index f80ca97b0..39fc4fc37 100644
--- a/src/video/windx5/SDL_dx5video.c
+++ b/src/video/windx5/SDL_dx5video.c
@@ -1127,6 +1127,9 @@ SDL_Surface *DX5_SetVideoMode(_THIS, SDL_Surface *current,
video->w = width;
video->h = height;
video->pitch = SDL_CalculatePitch(video);
+ if (!current->pitch) {
+ return(NULL);
+ }
#ifndef NO_CHANGEDISPLAYSETTINGS
/* Set fullscreen mode if appropriate.
diff --git a/src/video/x11/SDL_x11video.c b/src/video/x11/SDL_x11video.c
index 79e60f971..45d1f79be 100644
--- a/src/video/x11/SDL_x11video.c
+++ b/src/video/x11/SDL_x11video.c
@@ -1220,6 +1220,10 @@ SDL_Surface *X11_SetVideoMode(_THIS, SDL_Surface *current,
current->w = width;
current->h = height;
current->pitch = SDL_CalculatePitch(current);
+ if (!current->pitch) {
+ current = NULL;
+ goto done;
+ }
if (X11_ResizeImage(this, current, flags) < 0) {
current = NULL;
goto done;
--
2.21.0

View File

@ -10,7 +10,7 @@
Name: SDL
Version: 1.2.15
Release: 37%{?dist}
Release: 38%{?dist}
Summary: A cross-platform multimedia library
URL: http://www.libsdl.org/
# The license of the file src/video/fbcon/riva_mmio.h is bad, but the contents
@ -49,6 +49,18 @@ Patch9: 0001-fix-small-errors-detected-by-coverity.patch
# upstream bug #4538, in upstream after 1.2.15
Patch10: SDL-1.2.15-CVE-2019-13616-validate_image_size_when_loading_BMP_files.patch
Patch11: 0001-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch
Patch12: 0002-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch
Patch13: 0003-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch
Patch14: 0004-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch
Patch15: 0005-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch
Patch16: 0006-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch
Patch17: 0007-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch
Patch18: 0008-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch
Patch19: 0009-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch
Patch20: 0010-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch
Patch21: 0011-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch
BuildRequires: alsa-lib-devel
%if %{with arts}
BuildRequires: arts-devel
@ -125,6 +137,17 @@ applications.
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch18 -p1
%patch19 -p1
%patch20 -p1
%patch21 -p1
for F in CREDITS; do
iconv -f iso8859-1 -t utf-8 < "$F" > "${F}.utf"
@ -202,6 +225,12 @@ rm -f %{buildroot}%{_libdir}/*.la
%{_libdir}/lib*.a
%changelog
* Mon Mar 23 2020 Wim Taymans <wtaymans@redhat.com> - 1.2.15-38
- fix CVEs
- Resolves: rhbz#1716209, rhbz#1716210, rhbz#1716211, rhbz#1716212,
rhbz#1716213, rhbz#1716214, rhbz#1716215, rhbz#1716216,
rhbz#1716217, rhbz#1716218, rhbz#1716219
* Thu Nov 21 2019 Wim Taymans <wtaymans@redhat.com> - 1.2.15-37
- Rebuild
- Resolves: rhbz#1756279