From cd6c754451bb3724e9ce81d3e6d0f3535a403c4a Mon Sep 17 00:00:00 2001 From: yixiangzhike Date: Fri, 5 Nov 2021 11:07:38 +0800 Subject: [PATCH] Fix CVE-2019-7572 CVE-2019-7574 CVE-2019-7575 --- SDL.spec | 9 ++- ...-buffer-overread-in-IMA_ADPCM_nibble.patch | 55 +++++++++++++ ...buffer-overwrite-in-IMA_ADPCM_decode.patch | 60 ++++++++++++++ ...-buffer-overread-in-IMA_ADPCM_decode.patch | 67 ++++++++++++++++ ...-buffer-overwrite-in-MS_ADPCM_decode.patch | 80 +++++++++++++++++++ 5 files changed, 270 insertions(+), 1 deletion(-) create mode 100644 backport-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nibble.patch create mode 100644 backport-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_decode.patch create mode 100644 backport-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_decode.patch create mode 100644 backport-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_decode.patch diff --git a/SDL.spec b/SDL.spec index f642170..6d5fc84 100644 --- a/SDL.spec +++ b/SDL.spec @@ -1,7 +1,7 @@ Name: SDL Summary: A cross-platform multimedia library Version: 1.2.15 -Release: 38 +Release: 39 License: LGPLv2+ URL: http://www.libsdl.org/ @@ -22,6 +22,10 @@ Patch11: SDL-1.2.15-no-default-backing-store.patch Patch12: SDL-1.2.15-SDL_EnableUNICODE_drops_keyboard_events.patch Patch13: SDL-1.2.15-vec_perm-ppc64le.patch Patch14: CVE-2019-13616.patch +Patch15: backport-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nibble.patch +Patch16: backport-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_decode.patch +Patch17: backport-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_decode.patch +Patch18: backport-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_decode.patch BuildRequires: alsa-lib-devel gdb-headless libtool 
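Review bot: The numbering of the new Patch15–Patch18 entries is load-bearing but unexplained: Patch17 (the CVE-2019-7572 overwrite fix for IMA_ADPCM_decode) only applies on top of Patch16 (the CVE-2019-7574 overread fix), because its context lines reference the `encoded_end` variable and the `invalid_size` label that Patch16 introduces. A maintainer "tidying" the list into CVE order would break `%autosetup`. A one-line comment above the entries would prevent that, e.g. `# Patch16 must precede Patch17: the 7572 overwrite fix builds on encoded_end/invalid_size from the 7574 fix`. Patch18 likewise removes a pre-existing `goto too_short` check in MS_ADPCM_decode, so it presumes an earlier MS_ADPCM overread backport is already in the tree; nothing among Patch15–18 on this page provides it, so that dependency is worth confirming against the patches not shown here.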
@@ -103,6 +107,9 @@ rm -f %{buildroot}%{_libdir}/*.la %{_mandir}/man3/SDL*.3* %changelog +* Fri Nov 5 2021 yixiangzhike - 1.2.15-39 +- DESC: fix CVE-2019-7572 CVE-2019-7574 CVE-2019-7575 + * Wed Aug 11 2021 chenyanpanHW - 1.2.15-38 - DESC: delete -Sgit from %autosetup, and delete BuildRequires git diff --git a/backport-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nibble.patch b/backport-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nibble.patch new file mode 100644 index 0000000..298e5c1 --- /dev/null +++ b/backport-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nibble.patch 
@@ -0,0 +1,55 @@ +From 1ead4913fc2314a0ce5de06f29a20a8b0b0a5557 Mon Sep 17 00:00:00 2001 +From: Petr P?sa? +Date: Sat, 8 Jun 2019 17:57:43 -0700 +Subject: [PATCH] CVE-2019-7572: Fix a buffer overread in IMA_ADPCM_nibble If + an IMA ADPCM block contained an initial index out of step table range (loaded + in IMA_ADPCM_decode()), IMA_ADPCM_nibble() blindly used this bogus value and + that lead to a buffer overread. + +This patch fixes it by moving clamping the index value at the +beginning of IMA_ADPCM_nibble() function instead of the end after +an update. + +CVE-2019-7572 +https://bugzilla.libsdl.org/show_bug.cgi?id=4495 + +Signed-off-by: Petr P?sa? +--- + src/audio/SDL_wave.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c +index b4ad6c7..ba1fb52 100644 +--- a/src/audio/SDL_wave.c ++++ b/src/audio/SDL_wave.c +@@ -264,6 +264,14 @@ static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble) + }; + Sint32 delta, step; + ++ /* Clamp index value. The inital value can be invalid. */ ++ if ( state->index > 88 ) { ++ state->index = 88; ++ } else ++ if ( state->index < 0 ) { ++ state->index = 0; ++ } ++ + /* Compute difference and new sample value */ + step = step_table[state->index]; + delta = step >> 3; +@@ -275,12 +283,6 @@ static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble) + + /* Update index value */ + state->index += index_table[nybble]; +- if ( state->index > 88 ) { +- state->index = 88; +- } else +- if ( state->index < 0 ) { +- state->index = 0; +- } + + /* Clamp output sample */ + if ( state->sample > max_audioval ) { +-- +1.8.3.1 + diff --git a/backport-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_decode.patch b/backport-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_decode.patch new file mode 100644 index 0000000..8b22e2c --- /dev/null +++ b/backport-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_decode.patch 
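Review bot: The clamp moved to the top of IMA_ADPCM_nibble hard-codes 88 as the last valid index of `step_table`; since this bound is now what protects the table read from an attacker-chosen initial index, it should be derived from the table rather than duplicated, e.g. `if ( state->index >= (int)SDL_arraysize(step_table) ) { state->index = (int)SDL_arraysize(step_table) - 1; }` (the cast keeps a negative index from being promoted to unsigned before the comparison; `step_table` appears to be an array in scope given the `};` on the first context line). With the post-update clamp deleted, `state->index` may now be stored out of range between calls, which is only safe because every table lookup passes through this entry clamp; that invariant deserves a comment at the update site, e.g. `/* May leave index out of range; it is re-clamped on entry before any table lookup. */`. The added comment also misspells "inital".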
@@ -0,0 +1,60 @@ +From f22cbe4a3a2cd87392eec69bdcf2b4bd68b4507b Mon Sep 17 00:00:00 2001 +From: Petr P?sa? +Date: Mon, 10 Jun 2019 08:57:11 -0700 +Subject: [PATCH] CVE-2019-7572: Fix a buffer overwrite in IMA_ADPCM_decode If + data chunk was longer than expected based on a WAV format definition, + IMA_ADPCM_decode() tried to write past the output buffer. This patch fixes + it. + +Based on patch from +. + +CVE-2019-7572 +https://bugzilla.libsdl.org/show_bug.cgi?id=4495 + +Signed-off-by: Petr P?sa? +--- + src/audio/SDL_wave.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c +index 3eedd20..4159eb7 100644 +--- a/src/audio/SDL_wave.c ++++ b/src/audio/SDL_wave.c +@@ -346,7 +346,7 @@ static void Fill_IMA_ADPCM_block(Uint8 *decoded, Uint8 *encoded, + static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + { + struct IMA_ADPCM_decodestate *state; +- Uint8 *freeable, *encoded, *encoded_end, *decoded; ++ Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end; + Sint32 encoded_len, samplesleft; + unsigned int c, channels; + +@@ -373,6 +373,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + return(-1); + } + decoded = *audio_buf; ++ decoded_end = decoded + *audio_len; + + /* Get ready... Go! 
*/ + while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) { +@@ -392,6 +393,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + } + + /* Store the initial sample we start with */ ++ if (decoded + 2 > decoded_end) goto invalid_size; + decoded[0] = (Uint8)(state[c].sample&0xFF); + decoded[1] = (Uint8)(state[c].sample>>8); + decoded += 2; +@@ -402,6 +404,8 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + while ( samplesleft > 0 ) { + for ( c=0; c encoded_end) goto invalid_size; ++ if (decoded + 4 * 4 * channels > decoded_end) ++ goto invalid_size; + Fill_IMA_ADPCM_block(decoded, encoded, + c, channels, &state[c]); + encoded += 4; +-- +1.8.3.1 + diff --git a/backport-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_decode.patch b/backport-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_decode.patch new file mode 100644 index 0000000..0d96afc --- /dev/null +++ b/backport-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_decode.patch 
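Review bot: The new guards `if (decoded + 2 > decoded_end)` and `if (decoded + 4 * 4 * channels > decoded_end)` form a pointer past the end of the output buffer before comparing it, which is strictly undefined in C and is exactly the case the check exists for; the length-based form avoids that, e.g. `if ((size_t)(decoded_end - decoded) < 4 * 4 * (size_t)channels) goto invalid_size;`. The same remark applies to the `encoded + 4 > encoded_end` checks in the CVE-2019-7574 and CVE-2019-7575 backports below. The constant `4 * 4 * channels` also needs a why-comment, since it encodes what Fill_IMA_ADPCM_block writes, e.g. `/* Fill_IMA_ADPCM_block emits 8 samples x 2 bytes for every channel */`; whether `decoded` is advanced inside the per-channel loop is not visible in this hunk, so the check may be recomputing the same bound on every iteration and could be hoisted above the `for`. Note that `invalid_size` is not defined by this patch but by the CVE-2019-7574 one, so the two backports must be applied in that order.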
@@ -0,0 +1,67 @@ +From 76871a1c52dc74b8ba2357b9d68c34d765ea9db3 Mon Sep 17 00:00:00 2001 +From: Petr P?sa? +Date: Mon, 10 Jun 2019 08:50:59 -0700 +Subject: [PATCH] CVE-2019-7574: Fix a buffer overread in IMA_ADPCM_decode If + data chunk was shorter than expected based on a WAV format definition, + IMA_ADPCM_decode() tried to read past the data chunk buffer. This patch fixes + it. + +CVE-2019-7574 +https://bugzilla.libsdl.org/show_bug.cgi?id=4496 + +Signed-off-by: Petr P?sa? +--- + src/audio/SDL_wave.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c +index 21ee4dc..66f8044 100644 +--- a/src/audio/SDL_wave.c ++++ b/src/audio/SDL_wave.c +@@ -331,7 +331,7 @@ static void Fill_IMA_ADPCM_block(Uint8 *decoded, Uint8 *encoded, + static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + { + struct IMA_ADPCM_decodestate *state; +- Uint8 *freeable, *encoded, *decoded; ++ Uint8 *freeable, *encoded, *encoded_end, *decoded; + Sint32 encoded_len, samplesleft; + unsigned int c, channels; + +@@ -347,6 +347,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + /* Allocate the proper sized output buffer */ + encoded_len = *audio_len; + encoded = *audio_buf; ++ encoded_end = encoded + encoded_len; + freeable = *audio_buf; + *audio_len = (encoded_len/IMA_ADPCM_state.wavefmt.blockalign) * + IMA_ADPCM_state.wSamplesPerBlock* +@@ -362,6 +363,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) { + /* Grab the initial information for this block */ + for ( c=0; c encoded_end) goto invalid_size; + /* Fill the state information for this block */ + state[c].sample = ((encoded[1]<<8)|encoded[0]); + encoded += 2; +@@ -384,6 +386,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + samplesleft = (IMA_ADPCM_state.wSamplesPerBlock-1)*channels; + while ( samplesleft > 0 ) { + for ( c=0; c 
encoded_end) goto invalid_size; + Fill_IMA_ADPCM_block(decoded, encoded, + c, channels, &state[c]); + encoded += 4; +@@ -395,6 +398,10 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + } + SDL_free(freeable); + return(0); ++invalid_size: ++ SDL_SetError("Unexpected chunk length for an IMA ADPCM decoder"); ++ SDL_free(freeable); ++ return(-1); + } + + SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc, +-- +1.8.3.1 + diff --git a/backport-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_decode.patch b/backport-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_decode.patch new file mode 100644 index 0000000..8bc37ad --- /dev/null +++ b/backport-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_decode.patch 
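Review bot: The new `invalid_size` path frees `freeable` but returns -1 with `*audio_buf` still pointing at the output buffer allocated earlier in IMA_ADPCM_decode and `*audio_len` already overwritten with the decoded size (the reallocation is outside this hunk, but `decoded = *audio_buf;` in the CVE-2019-7572 overwrite backport above shows the pointer is replaced before decoding starts). Unless the caller frees `*audio_buf` on failure — not visible on this page — every malformed IMA ADPCM chunk leaks one decoded-size buffer, and the caller is left holding a half-written buffer with a length that does not describe it. Consider `SDL_free(*audio_buf); *audio_buf = NULL; *audio_len = 0;` after the `SDL_free(freeable);` on the error path; the pre-existing MS_ADPCM_decode error labels share the same pattern. The `for ( c=0; c encoded_end)` lines are truncated in this rendering, so the exact placement of the 4-byte check inside the per-channel loop is inferred; the function body spans several hunks and is only partly visible here.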
@@ -0,0 +1,80 @@ +From c68e0003d2f2b4e50bb1c4412af40c32f0b6396e Mon Sep 17 00:00:00 2001 +From: Petr P?sa? +Date: Mon, 10 Jun 2019 09:25:05 -0700 +Subject: [PATCH] CVE-2019-7575: Fix a buffer overwrite in MS_ADPCM_decode If a + WAV format defines shorter audio stream and decoded MS ADPCM data chunk is + longer, decoding continued past the output audio buffer. + +This fix is based on a patch from +. + +https://bugzilla.libsdl.org/show_bug.cgi?id=4493 +CVE-2019-7575 + +Signed-off-by: Petr P?sa? +--- + src/audio/SDL_wave.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c +index 88ac2cc..5f93651 100644 +--- a/src/audio/SDL_wave.c ++++ b/src/audio/SDL_wave.c +@@ -122,7 +122,7 @@ static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state, + static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + { + struct MS_ADPCM_decodestate *state[2]; +- Uint8 *freeable, *encoded, *encoded_end, *decoded; ++ Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end; + Sint32 encoded_len, samplesleft; + Sint8 nybble, stereo; + Sint16 *coeff[2]; +@@ -142,6 +142,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + return(-1); + } + decoded = *audio_buf; ++ decoded_end = decoded + *audio_len; + + /* Get ready... Go! */ + stereo = (MS_ADPCM_state.wavefmt.channels == 2); +@@ -149,7 +150,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + state[1] = &MS_ADPCM_state.state[stereo]; + while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) { + /* Grab the initial information for this block */ +- if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto too_short; ++ if (encoded + 7 + (stereo ? 
7 : 0) > encoded_end) goto invalid_size; + state[0]->hPredictor = *encoded++; + if ( stereo ) { + state[1]->hPredictor = *encoded++; +@@ -179,6 +180,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + coeff[1] = MS_ADPCM_state.aCoeff[state[1]->hPredictor]; + + /* Store the two initial samples we start with */ ++ if (decoded + 4 + (stereo ? 4 : 0) > decoded_end) goto invalid_size; + decoded[0] = state[0]->iSamp2&0xFF; + decoded[1] = state[0]->iSamp2>>8; + decoded += 2; +@@ -200,7 +202,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)* + MS_ADPCM_state.wavefmt.channels; + while ( samplesleft > 0 ) { +- if (encoded + 1 > encoded_end) goto too_short; ++ if (encoded + 1 > encoded_end) goto invalid_size; ++ if (decoded + 4 > decoded_end) goto invalid_size; + + nybble = (*encoded)>>4; + new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]); +@@ -223,8 +226,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + } + SDL_free(freeable); + return(0); +-too_short: +- SDL_SetError("Too short chunk for a MS ADPCM decoder"); ++invalid_size: ++ SDL_SetError("Unexpected chunk length for a MS ADPCM decoder"); + SDL_free(freeable); + return(-1); + invalid_predictor: +-- +1.8.3.1 +
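Review bot: The removed line `if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto too_short;` shows this backport expects MS_ADPCM_decode to already contain an `encoded_end`/`too_short` overread guard, so an earlier MS_ADPCM overread fix must be present in the tree for the patch to apply; none of the four backports on this page introduces it, and the spec entries visible here do not say which earlier patch does. The inner-loop guard `if (decoded + 4 > decoded_end)` matches the two 16-bit samples written per iteration, but the 4 reads as a magic number next to the `4 + (stereo ? 4 : 0)` used for the initial samples; a comment such as `/* each iteration emits two 16-bit samples */` would make the two bounds auditable side by side. The renamed label keeps the error path's existing structure, which frees `freeable` but leaves the freshly allocated `*audio_buf` and rewritten `*audio_len` for the caller to deal with; that is pre-existing behaviour rather than something this hunk introduces. The function body continues across several hunks and is only partly visible here.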