From 1c7d6584a7811b7785ae5c1e378f14b5ba0971cf Mon Sep 17 00:00:00 2001 From: takeshi_hoshina Date: Mon, 2 Nov 2020 11:07:33 +0900 Subject: basesystem-jj recipes --- .../libsdl/libsdl-1.2.15/CVE-2019-7576.patch | 80 ---------------------- 1 file changed, 80 deletions(-) delete mode 100644 external/poky/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7576.patch (limited to 'external/poky/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7576.patch') diff --git a/external/poky/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7576.patch b/external/poky/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7576.patch deleted file mode 100644 index d9a50521..00000000 --- a/external/poky/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7576.patch +++ /dev/null @@ -1,80 +0,0 @@ -# HG changeset patch -# User Petr Písař -# Date 1560182783 25200 -# Mon Jun 10 09:06:23 2019 -0700 -# Branch SDL-1.2 -# Node ID fcbecae427951bac1684baaba2ade68221315140 -# Parent a8afedbcaea0e84921dc770195c4699bda3ccdc5 -CVE-2019-7573, CVE-2019-7576: Fix buffer overreads in InitMS_ADPCM -If MS ADPCM format chunk was too short, InitMS_ADPCM() parsing it -could read past the end of chunk data. This patch fixes it. - -CVE-2019-7573 -https://bugzilla.libsdl.org/show_bug.cgi?id=4491 -CVE-2019-7576 -https://bugzilla.libsdl.org/show_bug.cgi?id=4490 - -Signed-off-by: Petr Písař - -CVE: CVE-2019-7573 -CVE: CVE-2019-7576 -Upstream-Status: Backport -Signed-off-by: Anuj Mittal - -diff -r a8afedbcaea0 -r fcbecae42795 src/audio/SDL_wave.c ---- a/src/audio/SDL_wave.c Mon Jun 10 08:57:11 2019 -0700 -+++ b/src/audio/SDL_wave.c Mon Jun 10 09:06:23 2019 -0700 -@@ -44,12 +44,13 @@ - struct MS_ADPCM_decodestate state[2]; - } MS_ADPCM_state; - --static int InitMS_ADPCM(WaveFMT *format) -+static int InitMS_ADPCM(WaveFMT *format, int length) - { -- Uint8 *rogue_feel; -+ Uint8 *rogue_feel, *rogue_feel_end; - int i; - - /* Set the rogue pointer to the MS_ADPCM specific data */ -+ if (length < sizeof(*format)) goto too_short; - MS_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding); - MS_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels); - MS_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency); -@@ -58,9 +59,11 @@ - MS_ADPCM_state.wavefmt.bitspersample = - SDL_SwapLE16(format->bitspersample); - rogue_feel = (Uint8 *)format+sizeof(*format); -+ rogue_feel_end = (Uint8 *)format + length; - if ( sizeof(*format) == 16 ) { - rogue_feel += sizeof(Uint16); - } -+ if (rogue_feel + 4 > rogue_feel_end) goto too_short; - MS_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1]<<8)|rogue_feel[0]); - rogue_feel += sizeof(Uint16); - MS_ADPCM_state.wNumCoef = ((rogue_feel[1]<<8)|rogue_feel[0]); -@@ -70,12 +73,16 @@ - return(-1); - } - for ( i=0; i rogue_feel_end) goto too_short; - MS_ADPCM_state.aCoeff[i][0] = ((rogue_feel[1]<<8)|rogue_feel[0]); - rogue_feel += sizeof(Uint16); - MS_ADPCM_state.aCoeff[i][1] = ((rogue_feel[1]<<8)|rogue_feel[0]); - rogue_feel += sizeof(Uint16); - } - return(0); -+too_short: -+ SDL_SetError("Unexpected length of a chunk with a MS ADPCM format"); -+ return(-1); - } - - static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state, -@@ -495,7 +502,7 @@ - break; - case MS_ADPCM_CODE: - /* Try to understand this */ -- if ( InitMS_ADPCM(format) < 0 ) { -+ if ( InitMS_ADPCM(format, lenread) < 0 ) { - was_error = 1; - goto done; - } -- cgit 1.2.3-korg