!15 【Mainline】Fix CVE-2019-7572 CVE-2019-7574 CVE-2019-7575

From: @yixiangzhike Reviewed-by: @orange-snn Signed-off-by: @orange-snn
2021-11-05 07:39:34 +00:00 · 2021-11-05 07:39:34 +00:00 · bb88415299
commit bb88415299
parent e8eb95c588 cd6c754451
5 changed files with 270 additions and 1 deletions
--- a/SDL.spec
+++ b/SDL.spec
@ -1,7 +1,7 @@
 Name:       SDL
 Summary:    A cross-platform multimedia library
 Version:    1.2.15
-Release:    38
+Release:    39
 License:    LGPLv2+
 URL:        http://www.libsdl.org/

@ -22,6 +22,10 @@ Patch11:    SDL-1.2.15-no-default-backing-store.patch
 Patch12:    SDL-1.2.15-SDL_EnableUNICODE_drops_keyboard_events.patch
 Patch13:    SDL-1.2.15-vec_perm-ppc64le.patch
 Patch14:    CVE-2019-13616.patch
+Patch15:    backport-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nibble.patch
+Patch16:    backport-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_decode.patch
+Patch17:    backport-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_decode.patch
+Patch18:    backport-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_decode.patch

 BuildRequires:  alsa-lib-devel gdb-headless libtool

@ -103,6 +107,9 @@ rm -f %{buildroot}%{_libdir}/*.la
 %{_mandir}/man3/SDL*.3*

 %changelog
+* Fri Nov 5 2021 yixiangzhike <yixiangzhike007@163.com> - 1.2.15-39
+- DESC: fix CVE-2019-7572 CVE-2019-7574 CVE-2019-7575
+
 * Wed Aug 11 2021 chenyanpanHW <chenyanpan@huawei.com> - 1.2.15-38
 - DESC: delete -Sgit from %autosetup, and delete BuildRequires git

--- a/backport-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nibble.patch
+++ b/backport-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nibble.patch
@ -0,0 +1,55 @@
+From 1ead4913fc2314a0ce5de06f29a20a8b0b0a5557 Mon Sep 17 00:00:00 2001
+From: Petr P?sa? <ppisar@redhat.com>
+Date: Sat, 8 Jun 2019 17:57:43 -0700
+Subject: [PATCH] CVE-2019-7572: Fix a buffer overread in IMA_ADPCM_nibble If
+ an IMA ADPCM block contained an initial index out of step table range (loaded
+ in IMA_ADPCM_decode()), IMA_ADPCM_nibble() blindly used this bogus value and
+ that lead to a buffer overread.
+
+This patch fixes it by moving clamping the index value at the
+beginning of IMA_ADPCM_nibble() function instead of the end after
+an update.
+
+CVE-2019-7572
+https://bugzilla.libsdl.org/show_bug.cgi?id=4495
+
+Signed-off-by: Petr P?sa? <ppisar@redhat.com>
+---
+ src/audio/SDL_wave.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
+index b4ad6c7..ba1fb52 100644
+--- a/src/audio/SDL_wave.c
+++ b/src/audio/SDL_wave.c
+@@ -264,6 +264,14 @@ static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble)
+ 	};
+ 	Sint32 delta, step;
+ 
+	/* Clamp index value. The inital value can be invalid. */
+	if ( state->index > 88 ) {
+		state->index = 88;
+	} else
+	if ( state->index < 0 ) {
+		state->index = 0;
+	}
+
+ 	/* Compute difference and new sample value */
+ 	step = step_table[state->index];
+ 	delta = step >> 3;
+@@ -275,12 +283,6 @@ static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble)
+ 
+ 	/* Update index value */
+ 	state->index += index_table[nybble];
+-	if ( state->index > 88 ) {
+-		state->index = 88;
+-	} else
+-	if ( state->index < 0 ) {
+-		state->index = 0;
+-	}
+ 
+ 	/* Clamp output sample */
+ 	if ( state->sample > max_audioval ) {
+-- 
+1.8.3.1
+
--- a/backport-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_decode.patch
+++ b/backport-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_decode.patch
@ -0,0 +1,60 @@
+From f22cbe4a3a2cd87392eec69bdcf2b4bd68b4507b Mon Sep 17 00:00:00 2001
+From: Petr P?sa? <ppisar@redhat.com>
+Date: Mon, 10 Jun 2019 08:57:11 -0700
+Subject: [PATCH] CVE-2019-7572: Fix a buffer overwrite in IMA_ADPCM_decode If
+ data chunk was longer than expected based on a WAV format definition,
+ IMA_ADPCM_decode() tried to write past the output buffer. This patch fixes
+ it.
+
+Based on patch from
+<https://bugzilla.libsdl.org/show_bug.cgi?id=4496>.
+
+CVE-2019-7572
+https://bugzilla.libsdl.org/show_bug.cgi?id=4495
+
+Signed-off-by: Petr P?sa? <ppisar@redhat.com>
+---
+ src/audio/SDL_wave.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
+index 3eedd20..4159eb7 100644
+--- a/src/audio/SDL_wave.c
+++ b/src/audio/SDL_wave.c
+@@ -346,7 +346,7 @@ static void Fill_IMA_ADPCM_block(Uint8 *decoded, Uint8 *encoded,
+ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ {
+ 	struct IMA_ADPCM_decodestate *state;
+-	Uint8 *freeable, *encoded, *encoded_end, *decoded;
+	Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end;
+ 	Sint32 encoded_len, samplesleft;
+ 	unsigned int c, channels;
+ 
+@@ -373,6 +373,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ 		return(-1);
+ 	}
+ 	decoded = *audio_buf;
+	decoded_end = decoded + *audio_len;
+ 
+ 	/* Get ready... Go! */
+ 	while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) {
+@@ -392,6 +393,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ 			}
+ 
+ 			/* Store the initial sample we start with */
+			if (decoded + 2 > decoded_end) goto invalid_size;
+ 			decoded[0] = (Uint8)(state[c].sample&0xFF);
+ 			decoded[1] = (Uint8)(state[c].sample>>8);
+ 			decoded += 2;
+@@ -402,6 +404,8 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ 		while ( samplesleft > 0 ) {
+ 			for ( c=0; c<channels; ++c ) {
+ 				if (encoded + 4 > encoded_end) goto invalid_size;
+				if (decoded + 4 * 4 * channels > decoded_end)
+					goto invalid_size;
+ 				Fill_IMA_ADPCM_block(decoded, encoded,
+ 						c, channels, &state[c]);
+ 				encoded += 4;
+-- 
+1.8.3.1
+
--- a/backport-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_decode.patch
+++ b/backport-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_decode.patch
@ -0,0 +1,67 @@
+From 76871a1c52dc74b8ba2357b9d68c34d765ea9db3 Mon Sep 17 00:00:00 2001
+From: Petr P?sa? <ppisar@redhat.com>
+Date: Mon, 10 Jun 2019 08:50:59 -0700
+Subject: [PATCH] CVE-2019-7574: Fix a buffer overread in IMA_ADPCM_decode If
+ data chunk was shorter than expected based on a WAV format definition,
+ IMA_ADPCM_decode() tried to read past the data chunk buffer. This patch fixes
+ it.
+
+CVE-2019-7574
+https://bugzilla.libsdl.org/show_bug.cgi?id=4496
+
+Signed-off-by: Petr P?sa? <ppisar@redhat.com>
+---
+ src/audio/SDL_wave.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
+index 21ee4dc..66f8044 100644
+--- a/src/audio/SDL_wave.c
+++ b/src/audio/SDL_wave.c
+@@ -331,7 +331,7 @@ static void Fill_IMA_ADPCM_block(Uint8 *decoded, Uint8 *encoded,
+ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ {
+ 	struct IMA_ADPCM_decodestate *state;
+-	Uint8 *freeable, *encoded, *decoded;
+	Uint8 *freeable, *encoded, *encoded_end, *decoded;
+ 	Sint32 encoded_len, samplesleft;
+ 	unsigned int c, channels;
+ 
+@@ -347,6 +347,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ 	/* Allocate the proper sized output buffer */
+ 	encoded_len = *audio_len;
+ 	encoded = *audio_buf;
+	encoded_end = encoded + encoded_len;
+ 	freeable = *audio_buf;
+ 	*audio_len = (encoded_len/IMA_ADPCM_state.wavefmt.blockalign) * 
+ 				IMA_ADPCM_state.wSamplesPerBlock*
+@@ -362,6 +363,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ 	while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) {
+ 		/* Grab the initial information for this block */
+ 		for ( c=0; c<channels; ++c ) {
+			if (encoded + 4 > encoded_end) goto invalid_size;
+ 			/* Fill the state information for this block */
+ 			state[c].sample = ((encoded[1]<<8)|encoded[0]);
+ 			encoded += 2;
+@@ -384,6 +386,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ 		samplesleft = (IMA_ADPCM_state.wSamplesPerBlock-1)*channels;
+ 		while ( samplesleft > 0 ) {
+ 			for ( c=0; c<channels; ++c ) {
+				if (encoded + 4 > encoded_end) goto invalid_size;
+ 				Fill_IMA_ADPCM_block(decoded, encoded,
+ 						c, channels, &state[c]);
+ 				encoded += 4;
+@@ -395,6 +398,10 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ 	}
+ 	SDL_free(freeable);
+ 	return(0);
+invalid_size:
+	SDL_SetError("Unexpected chunk length for an IMA ADPCM decoder");
+	SDL_free(freeable);
+	return(-1);
+ }
+ 
+ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc,
+-- 
+1.8.3.1
+
--- a/backport-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_decode.patch
+++ b/backport-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_decode.patch
@ -0,0 +1,80 @@
+From c68e0003d2f2b4e50bb1c4412af40c32f0b6396e Mon Sep 17 00:00:00 2001
+From: Petr P?sa? <ppisar@redhat.com>
+Date: Mon, 10 Jun 2019 09:25:05 -0700
+Subject: [PATCH] CVE-2019-7575: Fix a buffer overwrite in MS_ADPCM_decode If a
+ WAV format defines shorter audio stream and decoded MS ADPCM data chunk is
+ longer, decoding continued past the output audio buffer.
+
+This fix is based on a patch from
+<https://bugzilla.libsdl.org/show_bug.cgi?id=4492>.
+
+https://bugzilla.libsdl.org/show_bug.cgi?id=4493
+CVE-2019-7575
+
+Signed-off-by: Petr P?sa? <ppisar@redhat.com>
+---
+ src/audio/SDL_wave.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
+index 88ac2cc..5f93651 100644
+--- a/src/audio/SDL_wave.c
+++ b/src/audio/SDL_wave.c
+@@ -122,7 +122,7 @@ static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state,
+ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ {
+ 	struct MS_ADPCM_decodestate *state[2];
+-	Uint8 *freeable, *encoded, *encoded_end, *decoded;
+	Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end;
+ 	Sint32 encoded_len, samplesleft;
+ 	Sint8 nybble, stereo;
+ 	Sint16 *coeff[2];
+@@ -142,6 +142,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ 		return(-1);
+ 	}
+ 	decoded = *audio_buf;
+	decoded_end = decoded + *audio_len;
+ 
+ 	/* Get ready... Go! */
+ 	stereo = (MS_ADPCM_state.wavefmt.channels == 2);
+@@ -149,7 +150,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ 	state[1] = &MS_ADPCM_state.state[stereo];
+ 	while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) {
+ 		/* Grab the initial information for this block */
+-		if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto too_short;
+		if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto invalid_size;
+ 		state[0]->hPredictor = *encoded++;
+ 		if ( stereo ) {
+ 			state[1]->hPredictor = *encoded++;
+@@ -179,6 +180,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ 		coeff[1] = MS_ADPCM_state.aCoeff[state[1]->hPredictor];
+ 
+ 		/* Store the two initial samples we start with */
+		if (decoded + 4 + (stereo ? 4 : 0) > decoded_end) goto invalid_size;
+ 		decoded[0] = state[0]->iSamp2&0xFF;
+ 		decoded[1] = state[0]->iSamp2>>8;
+ 		decoded += 2;
+@@ -200,7 +202,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ 		samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)*
+ 					MS_ADPCM_state.wavefmt.channels;
+ 		while ( samplesleft > 0 ) {
+-			if (encoded + 1 > encoded_end) goto too_short;
+			if (encoded + 1 > encoded_end) goto invalid_size;
+			if (decoded + 4 > decoded_end) goto invalid_size;
+ 
+ 			nybble = (*encoded)>>4;
+ 			new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]);
+@@ -223,8 +226,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ 	}
+ 	SDL_free(freeable);
+ 	return(0);
+-too_short:
+-	SDL_SetError("Too short chunk for a MS ADPCM decoder");
+invalid_size:
+	SDL_SetError("Unexpected chunk length for a MS ADPCM decoder");
+ 	SDL_free(freeable);
+ 	return(-1);
+ invalid_predictor:
+-- 
+1.8.3.1
+