File _service:tar_scm:backport-CVE-2019-7572-Fix-a-b... of Package SDL

File _service:tar_scm:backport-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nibble.patch of Package SDL

From 1ead4913fc2314a0ce5de06f29a20a8b0b0a5557 Mon Sep 17 00:00:00 2001
From: Petr P?sa? <ppisar@redhat.com>
Date: Sat, 8 Jun 2019 17:57:43 -0700
Subject: [PATCH] CVE-2019-7572: Fix a buffer overread in IMA_ADPCM_nibble If
 an IMA ADPCM block contained an initial index out of step table range (loaded
 in IMA_ADPCM_decode()), IMA_ADPCM_nibble() blindly used this bogus value and
 that lead to a buffer overread.

This patch fixes it by moving clamping the index value at the
beginning of IMA_ADPCM_nibble() function instead of the end after
an update.

CVE-2019-7572
https://bugzilla.libsdl.org/show_bug.cgi?id=4495

Signed-off-by: Petr P?sa? <ppisar@redhat.com>
---
 src/audio/SDL_wave.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
index b4ad6c7..ba1fb52 100644
--- a/src/audio/SDL_wave.c
+++ b/src/audio/SDL_wave.c
@@ -264,6 +264,14 @@ static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble)
 	};
 	Sint32 delta, step;
 
+	/* Clamp index value. The inital value can be invalid. */
+	if ( state->index > 88 ) {
+		state->index = 88;
+	} else
+	if ( state->index < 0 ) {
+		state->index = 0;
+	}
+
 	/* Compute difference and new sample value */
 	step = step_table[state->index];
 	delta = step >> 3;
@@ -275,12 +283,6 @@ static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble)
 
 	/* Update index value */
 	state->index += index_table[nybble];
-	if ( state->index > 88 ) {
-		state->index = 88;
-	} else
-	if ( state->index < 0 ) {
-		state->index = 0;
-	}
 
 	/* Clamp output sample */
 	if ( state->sample > max_audioval ) {
-- 
1.8.3.1