From 1c7d6584a7811b7785ae5c1e378f14b5ba0971cf Mon Sep 17 00:00:00 2001
From: takeshi_hoshina
Date: Mon, 2 Nov 2020 11:07:33 +0900
Subject: basesystem-jj recipes
---
 .../libsdl/libsdl-1.2.15/CVE-2019-7572.patch | 114 +++++++++++++++++++++
 1 file changed, 114 insertions(+)
 create mode 100644 external/meta-openembedded/meta-oe/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7572.patch
(limited to 'external/meta-openembedded/meta-oe/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7572.patch')
diff --git a/external/meta-openembedded/meta-oe/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7572.patch b/external/meta-openembedded/meta-oe/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7572.patch
new file mode 100644
index 00000000..c41c2de0
--- /dev/null
+++ b/external/meta-openembedded/meta-oe/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7572.patch
@@ -0,0 +1,114 @@
+# HG changeset patch
+# User Petr Písař
+# Date 1560182231 25200
+# Mon Jun 10 08:57:11 2019 -0700
+# Branch SDL-1.2
+# Node ID a8afedbcaea0e84921dc770195c4699bda3ccdc5
+# Parent faf9abbcfb5fe0d0ca23c4bf0394aa226ceccf02
+CVE-2019-7572: Fix a buffer overwrite in IMA_ADPCM_decode
+If data chunk was longer than expected based on a WAV format
+definition, IMA_ADPCM_decode() tried to write past the output
+buffer. This patch fixes it.
+
+Based on patch from
+.
+
+CVE-2019-7572
+https://bugzilla.libsdl.org/show_bug.cgi?id=4495
+
+Signed-off-by: Petr Písař
+
+# HG changeset patch
+# User Petr Písař
+# Date 1560041863 25200
+# Sat Jun 08 17:57:43 2019 -0700
+# Branch SDL-1.2
+# Node ID e52413f5258600878f9a10d2f92605a729aa8976
+# Parent 4e73be7b47877ae11d2279bd916910d469d18f8e
+CVE-2019-7572: Fix a buffer overread in IMA_ADPCM_nibble
+If an IMA ADPCM block contained an initial index out of step table
+range (loaded in IMA_ADPCM_decode()), IMA_ADPCM_nibble() blindly used
+this bogus value and that lead to a buffer overread.
+
+This patch fixes it by moving clamping the index value at the
+beginning of IMA_ADPCM_nibble() function instead of the end after
+an update.
+
+CVE-2019-7572
+https://bugzilla.libsdl.org/show_bug.cgi?id=4495
+
+Signed-off-by: Petr Písař
+
+CVE: CVE-2019-7572
+Upstream-Status: Backport
+Signed-off-by: Anuj Mittal
+
+diff -r faf9abbcfb5f -r a8afedbcaea0 src/audio/SDL_wave.c
+--- a/src/audio/SDL_wave.c Mon Jun 10 08:54:29 2019 -0700
++++ b/src/audio/SDL_wave.c Mon Jun 10 08:57:11 2019 -0700
+@@ -346,7 +346,7 @@
+ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ {
+ struct IMA_ADPCM_decodestate *state;
+- Uint8 *freeable, *encoded, *encoded_end, *decoded;
++ Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end;
+ Sint32 encoded_len, samplesleft;
+ unsigned int c, channels;
+
+@@ -373,6 +373,7 @@
+ return(-1);
+ }
+ decoded = *audio_buf;
++ decoded_end = decoded + *audio_len;
+
+ /* Get ready... Go! 
*/
+ while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) {
+@@ -392,6 +393,7 @@
+ }
+
+ /* Store the initial sample we start with */
++ if (decoded + 2 > decoded_end) goto invalid_size;
+ decoded[0] = (Uint8)(state[c].sample&0xFF);
+ decoded[1] = (Uint8)(state[c].sample>>8);
+ decoded += 2;
+@@ -402,6 +404,8 @@
+ while ( samplesleft > 0 ) {
+ for ( c=0; c encoded_end) goto invalid_size;
++ if (decoded + 4 * 4 * channels > decoded_end)
++ goto invalid_size;
+ Fill_IMA_ADPCM_block(decoded, encoded,
+ c, channels, &state[c]);
+ encoded += 4;
+
+diff -r 4e73be7b4787 -r e52413f52586 src/audio/SDL_wave.c
+--- a/src/audio/SDL_wave.c Sat Jun 01 18:27:46 2019 +0100
++++ b/src/audio/SDL_wave.c Sat Jun 08 17:57:43 2019 -0700
+@@ -264,6 +264,14 @@
+ };
+ Sint32 delta, step;
+
++ /* Clamp index value. The inital value can be invalid. */
++ if ( state->index > 88 ) {
++ state->index = 88;
++ } else
++ if ( state->index < 0 ) {
++ state->index = 0;
++ }
++
+ /* Compute difference and new sample value */
+ step = step_table[state->index];
+ delta = step >> 3;
+@@ -275,12 +283,6 @@
+
+ /* Update index value */
+ state->index += index_table[nybble];
+- if ( state->index > 88 ) {
+- state->index = 88;
+- } else
+- if ( state->index < 0 ) {
+- state->index = 0;
+- }
+
+ /* Clamp output sample */
+ if ( state->sample > max_audioval ) {
-- cgit 1.2.3-korg
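Review bot: The new bounds checks in the IMA_ADPCM_decode hunks form the out-of-range pointer before comparing it (`if (decoded + 2 > decoded_end)` and `if (decoded + 4 * 4 * channels > decoded_end)`); computing a pointer more than one past the end of the output buffer is undefined behaviour in C and an optimizer is entitled to assume it cannot happen, so the safer form compares the remaining length, e.g. `if ((size_t)(decoded_end - decoded) < 4 * 4 * channels) goto invalid_size;` and `if (decoded_end - decoded < 2) goto invalid_size;`. The enclosing decode loop and the `invalid_size` label lie outside the quoted hunks, and the extracted text on this page appears truncated around `for ( c=0; c encoded_end)`, so the encoded-side check cannot be reviewed from here. In the IMA_ADPCM_nibble hunk the moved clamp is the right fix, but its comment has a typo and could say why the clamp now precedes the table lookup: `/* Clamp index value: the initial index comes from the block header and may be outside step_table's range. */`. The diffstat lists only the new patch file; whether the libsdl recipe's SRC_URI references it is not visible in this change and should be confirmed, since an unreferenced patch is never applied.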