File _service:tar_scm:backport-CVE-2019-7575-Fix-a-b... of Package SDL

File _service:tar_scm:backport-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_decode.patch of Package SDL

From c68e0003d2f2b4e50bb1c4412af40c32f0b6396e Mon Sep 17 00:00:00 2001
From: Petr P?sa? <ppisar@redhat.com>
Date: Mon, 10 Jun 2019 09:25:05 -0700
Subject: [PATCH] CVE-2019-7575: Fix a buffer overwrite in MS_ADPCM_decode If a
 WAV format defines shorter audio stream and decoded MS ADPCM data chunk is
 longer, decoding continued past the output audio buffer.

This fix is based on a patch from
<https://bugzilla.libsdl.org/show_bug.cgi?id=4492>.

https://bugzilla.libsdl.org/show_bug.cgi?id=4493
CVE-2019-7575

Signed-off-by: Petr P?sa? <ppisar@redhat.com>
---
 src/audio/SDL_wave.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
index 88ac2cc..5f93651 100644
--- a/src/audio/SDL_wave.c
+++ b/src/audio/SDL_wave.c
@@ -122,7 +122,7 @@ static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state,
 static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
 {
 	struct MS_ADPCM_decodestate *state[2];
-	Uint8 *freeable, *encoded, *encoded_end, *decoded;
+	Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end;
 	Sint32 encoded_len, samplesleft;
 	Sint8 nybble, stereo;
 	Sint16 *coeff[2];
@@ -142,6 +142,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
 		return(-1);
 	}
 	decoded = *audio_buf;
+	decoded_end = decoded + *audio_len;
 
 	/* Get ready... Go! */
 	stereo = (MS_ADPCM_state.wavefmt.channels == 2);
@@ -149,7 +150,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
 	state[1] = &MS_ADPCM_state.state[stereo];
 	while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) {
 		/* Grab the initial information for this block */
-		if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto too_short;
+		if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto invalid_size;
 		state[0]->hPredictor = *encoded++;
 		if ( stereo ) {
 			state[1]->hPredictor = *encoded++;
@@ -179,6 +180,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
 		coeff[1] = MS_ADPCM_state.aCoeff[state[1]->hPredictor];
 
 		/* Store the two initial samples we start with */
+		if (decoded + 4 + (stereo ? 4 : 0) > decoded_end) goto invalid_size;
 		decoded[0] = state[0]->iSamp2&0xFF;
 		decoded[1] = state[0]->iSamp2>>8;
 		decoded += 2;
@@ -200,7 +202,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
 		samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)*
 					MS_ADPCM_state.wavefmt.channels;
 		while ( samplesleft > 0 ) {
-			if (encoded + 1 > encoded_end) goto too_short;
+			if (encoded + 1 > encoded_end) goto invalid_size;
+			if (decoded + 4 > decoded_end) goto invalid_size;
 
 			nybble = (*encoded)>>4;
 			new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]);
@@ -223,8 +226,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
 	}
 	SDL_free(freeable);
 	return(0);
-too_short:
-	SDL_SetError("Too short chunk for a MS ADPCM decoder");
+invalid_size:
+	SDL_SetError("Unexpected chunk length for a MS ADPCM decoder");
 	SDL_free(freeable);
 	return(-1);
 invalid_predictor:
-- 
1.8.3.1