packages/SDL
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!15 【Mainline】Fix CVE-2019-7572 CVE-2019-7574 CVE-2019-7575

Browse Source 
From: @yixiangzhike
Reviewed-by: @orange-snn
Signed-off-by: @orange-snn
This commit is contained in:
openeuler-ci-bot 2021-11-05 07:39:34 +00:00 committed by Gitee
commit bb88415299
5 changed files with 270 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
SDL.spec
View File

@ -1,7 +1,7 @@
Name: SDL Name: SDL
Summary: A cross-platform multimedia library Summary: A cross-platform multimedia library
Version: 1.2.15 Version: 1.2.15
Release: 38 Release: 39
License: LGPLv2+ License: LGPLv2+
URL: http://www.libsdl.org/ URL: http://www.libsdl.org/
@ -22,6 +22,10 @@ Patch11: SDL-1.2.15-no-default-backing-store.patch
Patch12: SDL-1.2.15-SDL_EnableUNICODE_drops_keyboard_events.patch Patch12: SDL-1.2.15-SDL_EnableUNICODE_drops_keyboard_events.patch
Patch13: SDL-1.2.15-vec_perm-ppc64le.patch Patch13: SDL-1.2.15-vec_perm-ppc64le.patch
Patch14: CVE-2019-13616.patch Patch14: CVE-2019-13616.patch
Patch15: backport-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nibble.patch
Patch16: backport-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_decode.patch
Patch17: backport-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_decode.patch
Patch18: backport-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_decode.patch
BuildRequires: alsa-lib-devel gdb-headless libtool BuildRequires: alsa-lib-devel gdb-headless libtool
@ -103,6 +107,9 @@ rm -f %{buildroot}%{_libdir}/*.la
%{_mandir}/man3/SDL*.3* %{_mandir}/man3/SDL*.3*
%changelog %changelog
* Fri Nov 5 2021 yixiangzhike <yixiangzhike007@163.com> - 1.2.15-39
- DESC: fix CVE-2019-7572 CVE-2019-7574 CVE-2019-7575
* Wed Aug 11 2021 chenyanpanHW <chenyanpan@huawei.com> - 1.2.15-38 * Wed Aug 11 2021 chenyanpanHW <chenyanpan@huawei.com> - 1.2.15-38
- DESC: delete -Sgit from %autosetup, and delete BuildRequires git - DESC: delete -Sgit from %autosetup, and delete BuildRequires git

55
backport-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nibble.patch Normal file
View File

@ -0,0 +1,55 @@
From 1ead4913fc2314a0ce5de06f29a20a8b0b0a5557 Mon Sep 17 00:00:00 2001
From: Petr P?sa? <ppisar@redhat.com>
Date: Sat, 8 Jun 2019 17:57:43 -0700
Subject: [PATCH] CVE-2019-7572: Fix a buffer overread in IMA_ADPCM_nibble If
an IMA ADPCM block contained an initial index out of step table range (loaded
in IMA_ADPCM_decode()), IMA_ADPCM_nibble() blindly used this bogus value and
that lead to a buffer overread.
This patch fixes it by moving clamping the index value at the
beginning of IMA_ADPCM_nibble() function instead of the end after
an update.
CVE-2019-7572
https://bugzilla.libsdl.org/show_bug.cgi?id=4495
Signed-off-by: Petr P?sa? <ppisar@redhat.com>
---
src/audio/SDL_wave.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
index b4ad6c7..ba1fb52 100644
--- a/src/audio/SDL_wave.c
+++ b/src/audio/SDL_wave.c
@@ -264,6 +264,14 @@ static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble)
};
Sint32 delta, step;
+ /* Clamp index value. The inital value can be invalid. */
+ if ( state->index > 88 ) {
+ state->index = 88;
+ } else
+ if ( state->index < 0 ) {
+ state->index = 0;
+ }
+
/* Compute difference and new sample value */
step = step_table[state->index];
delta = step >> 3;
@@ -275,12 +283,6 @@ static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble)
/* Update index value */
state->index += index_table[nybble];
- if ( state->index > 88 ) {
- state->index = 88;
- } else
- if ( state->index < 0 ) {
- state->index = 0;
- }
/* Clamp output sample */
if ( state->sample > max_audioval ) {
--
1.8.3.1

60
backport-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_decode.patch Normal file
View File

@ -0,0 +1,60 @@
From f22cbe4a3a2cd87392eec69bdcf2b4bd68b4507b Mon Sep 17 00:00:00 2001
From: Petr P?sa? <ppisar@redhat.com>
Date: Mon, 10 Jun 2019 08:57:11 -0700
Subject: [PATCH] CVE-2019-7572: Fix a buffer overwrite in IMA_ADPCM_decode If
data chunk was longer than expected based on a WAV format definition,
IMA_ADPCM_decode() tried to write past the output buffer. This patch fixes
it.
Based on patch from
<https://bugzilla.libsdl.org/show_bug.cgi?id=4496>.
CVE-2019-7572
https://bugzilla.libsdl.org/show_bug.cgi?id=4495
Signed-off-by: Petr P?sa? <ppisar@redhat.com>
---
src/audio/SDL_wave.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
index 3eedd20..4159eb7 100644
--- a/src/audio/SDL_wave.c
+++ b/src/audio/SDL_wave.c
@@ -346,7 +346,7 @@ static void Fill_IMA_ADPCM_block(Uint8 *decoded, Uint8 *encoded,
static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
{
struct IMA_ADPCM_decodestate *state;
- Uint8 *freeable, *encoded, *encoded_end, *decoded;
+ Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end;
Sint32 encoded_len, samplesleft;
unsigned int c, channels;
@@ -373,6 +373,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
return(-1);
}
decoded = *audio_buf;
+ decoded_end = decoded + *audio_len;
/* Get ready... Go! */
while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) {
@@ -392,6 +393,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
}
/* Store the initial sample we start with */
+ if (decoded + 2 > decoded_end) goto invalid_size;
decoded[0] = (Uint8)(state[c].sample&0xFF);
decoded[1] = (Uint8)(state[c].sample>>8);
decoded += 2;
@@ -402,6 +404,8 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
while ( samplesleft > 0 ) {
for ( c=0; c<channels; ++c ) {
if (encoded + 4 > encoded_end) goto invalid_size;
+ if (decoded + 4 * 4 * channels > decoded_end)
+ goto invalid_size;
Fill_IMA_ADPCM_block(decoded, encoded,
c, channels, &state[c]);
encoded += 4;
--
1.8.3.1

67
backport-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_decode.patch Normal file
View File

@ -0,0 +1,67 @@
From 76871a1c52dc74b8ba2357b9d68c34d765ea9db3 Mon Sep 17 00:00:00 2001
From: Petr P?sa? <ppisar@redhat.com>
Date: Mon, 10 Jun 2019 08:50:59 -0700
Subject: [PATCH] CVE-2019-7574: Fix a buffer overread in IMA_ADPCM_decode If
data chunk was shorter than expected based on a WAV format definition,
IMA_ADPCM_decode() tried to read past the data chunk buffer. This patch fixes
it.
CVE-2019-7574
https://bugzilla.libsdl.org/show_bug.cgi?id=4496
Signed-off-by: Petr P?sa? <ppisar@redhat.com>
---
src/audio/SDL_wave.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
index 21ee4dc..66f8044 100644
--- a/src/audio/SDL_wave.c
+++ b/src/audio/SDL_wave.c
@@ -331,7 +331,7 @@ static void Fill_IMA_ADPCM_block(Uint8 *decoded, Uint8 *encoded,
static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
{
struct IMA_ADPCM_decodestate *state;
- Uint8 *freeable, *encoded, *decoded;
+ Uint8 *freeable, *encoded, *encoded_end, *decoded;
Sint32 encoded_len, samplesleft;
unsigned int c, channels;
@@ -347,6 +347,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
/* Allocate the proper sized output buffer */
encoded_len = *audio_len;
encoded = *audio_buf;
+ encoded_end = encoded + encoded_len;
freeable = *audio_buf;
*audio_len = (encoded_len/IMA_ADPCM_state.wavefmt.blockalign) *
IMA_ADPCM_state.wSamplesPerBlock*
@@ -362,6 +363,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) {
/* Grab the initial information for this block */
for ( c=0; c<channels; ++c ) {
+ if (encoded + 4 > encoded_end) goto invalid_size;
/* Fill the state information for this block */
state[c].sample = ((encoded[1]<<8)|encoded[0]);
encoded += 2;
@@ -384,6 +386,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
samplesleft = (IMA_ADPCM_state.wSamplesPerBlock-1)*channels;
while ( samplesleft > 0 ) {
for ( c=0; c<channels; ++c ) {
+ if (encoded + 4 > encoded_end) goto invalid_size;
Fill_IMA_ADPCM_block(decoded, encoded,
c, channels, &state[c]);
encoded += 4;
@@ -395,6 +398,10 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
}
SDL_free(freeable);
return(0);
+invalid_size:
+ SDL_SetError("Unexpected chunk length for an IMA ADPCM decoder");
+ SDL_free(freeable);
+ return(-1);
}
SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc,
--
1.8.3.1

80
backport-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_decode.patch Normal file
View File

@ -0,0 +1,80 @@
From c68e0003d2f2b4e50bb1c4412af40c32f0b6396e Mon Sep 17 00:00:00 2001
From: Petr P?sa? <ppisar@redhat.com>
Date: Mon, 10 Jun 2019 09:25:05 -0700
Subject: [PATCH] CVE-2019-7575: Fix a buffer overwrite in MS_ADPCM_decode If a
WAV format defines shorter audio stream and decoded MS ADPCM data chunk is
longer, decoding continued past the output audio buffer.
This fix is based on a patch from
<https://bugzilla.libsdl.org/show_bug.cgi?id=4492>.
https://bugzilla.libsdl.org/show_bug.cgi?id=4493
CVE-2019-7575
Signed-off-by: Petr P?sa? <ppisar@redhat.com>
---
src/audio/SDL_wave.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
index 88ac2cc..5f93651 100644
--- a/src/audio/SDL_wave.c
+++ b/src/audio/SDL_wave.c
@@ -122,7 +122,7 @@ static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state,
static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
{
struct MS_ADPCM_decodestate *state[2];
- Uint8 *freeable, *encoded, *encoded_end, *decoded;
+ Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end;
Sint32 encoded_len, samplesleft;
Sint8 nybble, stereo;
Sint16 *coeff[2];
@@ -142,6 +142,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
return(-1);
}
decoded = *audio_buf;
+ decoded_end = decoded + *audio_len;
/* Get ready... Go! */
stereo = (MS_ADPCM_state.wavefmt.channels == 2);
@@ -149,7 +150,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
state[1] = &MS_ADPCM_state.state[stereo];
while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) {
/* Grab the initial information for this block */
- if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto too_short;
+ if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto invalid_size;
state[0]->hPredictor = *encoded++;
if ( stereo ) {
state[1]->hPredictor = *encoded++;
@@ -179,6 +180,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
coeff[1] = MS_ADPCM_state.aCoeff[state[1]->hPredictor];
/* Store the two initial samples we start with */
+ if (decoded + 4 + (stereo ? 4 : 0) > decoded_end) goto invalid_size;
decoded[0] = state[0]->iSamp2&0xFF;
decoded[1] = state[0]->iSamp2>>8;
decoded += 2;
@@ -200,7 +202,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)*
MS_ADPCM_state.wavefmt.channels;
while ( samplesleft > 0 ) {
- if (encoded + 1 > encoded_end) goto too_short;
+ if (encoded + 1 > encoded_end) goto invalid_size;
+ if (decoded + 4 > decoded_end) goto invalid_size;
nybble = (*encoded)>>4;
new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]);
@@ -223,8 +226,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
}
SDL_free(freeable);
return(0);
-too_short:
- SDL_SetError("Too short chunk for a MS ADPCM decoder");
+invalid_size:
+ SDL_SetError("Unexpected chunk length for a MS ADPCM decoder");
SDL_free(freeable);
return(-1);
invalid_predictor:
--
1.8.3.1