Bug 1731101 (CVE-2019-13626)

Summary: CVE-2019-13626 SDL: integer overflow in IMA_ADPCM_decode() in audio/SDL_wave.c leads to heap-based buffer over-read in Fill_IMA_ADPCM_block
Product: [Other] Security Response
Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: dingyichen, erik-fedora, igor.raits, klember, maci, ppisar, wtaymans
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: sdl 2.0.10
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds read flaw was discovered in SDL2, in the way that WAVE files are loaded through the SDL_LoadWAV_RW function. An application that uses SDL2 and loads untrusted input files may be vulnerable to this flaw. An attacker can abuse this flaw to crash the application or to leak data from the application's memory.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-10-27 10:46:41 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1731103, 1754613, 1754614, 1754615, 1754616, 1755415
Bug Blocks: 1731102

Description Dhananjay Arunesh 2019-07-18 09:55:52 UTC
SDL (Simple DirectMedia Layer) 2.x through 2.0.9 has a heap-based buffer over-read in Fill_IMA_ADPCM_block, caused by an integer overflow in IMA_ADPCM_decode() in audio/SDL_wave.c.

Reference:
https://bugzilla.libsdl.org/show_bug.cgi?id=4522

Comment 1 Dhananjay Arunesh 2019-07-18 09:57:25 UTC
Created SDL tracking bugs for this issue:

Affects: fedora-all [bug 1731103]

Comment 2 Petr Pisar 2019-07-18 10:41:39 UTC
(In reply to Dhananjay Arunesh from comment #1)
> Created SDL tracking bugs for this issue:
> 
> Affects: fedora-all [bug 1731103]

Didn't you mistake SDL for SDL2? SDL is not vulnerable because it does not support the 24-bit WAVE format.

Comment 3 Riccardo Schirone 2019-09-23 16:49:01 UTC
Upstream fix:
https://hg.libsdl.org/SDL/rev/b06fa7da012b

Comment 4 Riccardo Schirone 2019-09-23 17:47:30 UTC
Created SDL2 tracking bugs for this issue:

Affects: epel-all [bug 1754615]
Affects: fedora-all [bug 1754613]


Created mingw-SDL2 tracking bugs for this issue:

Affects: epel-all [bug 1754616]
Affects: fedora-all [bug 1754614]

Comment 5 Tom "spot" Callaway 2019-09-25 12:40:45 UTC
Fedora and EPEL have had SDL2-2.0.10 as an update for _two months_ now. Might it be possible to check to see if CVEs are fixed before opening piles of bugs?

Comment 6 Riccardo Schirone 2019-09-25 12:48:12 UTC
An application linked against SDL2 that uses the SDL_LoadWAV_RW function on untrusted files could be vulnerable to this flaw. The bug allows an attacker to crash the application or, depending on the application, extract data from the application's memory. The out-of-bounds read happens in the function Fill_IMA_ADPCM_block(), called by SDL_LoadWAV_RW(), due to the `encoded` pointer being increased too much.
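
The mechanism described in comment 6 (size arithmetic derived from file-controlled header fields, used to advance an `encoded` cursor through the payload) is illustrated below with an added example. This is not SDL's code and does not reproduce SDL's WAVE loader; the stream struct, the "4 bytes of block header per channel" layout rule and the sample payload are constructed assumptions. It contrasts an unchecked 32-bit product that wraps with an overflow-checked validation step, and shows a block walker that never advances its cursor past the bytes actually present in the buffer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not SDL code: a minimal model of a block-coded WAVE payload
   walked with a cursor.  `encoded`/`encoded_len` mirror the names used in the
   bug report; the per-channel 4-byte block header is an assumed layout rule. */
typedef struct {
    const uint8_t *encoded;   /* encoded payload */
    size_t encoded_len;       /* bytes actually present in the buffer */
    uint32_t block_align;     /* bytes per block, as claimed by the fmt chunk */
    uint32_t channels;        /* channel count, as claimed by the fmt chunk */
} AdpcmStream;

/* Unchecked 32-bit product of two fmt-chunk values: wraps silently, so a
   hostile header can make a huge structure look tiny (or zero-sized). */
uint32_t header_bytes_unchecked(uint32_t channels, uint32_t per_channel) {
    return channels * per_channel;
}

/* Overflow-safe product: returns false when a*b does not fit in size_t. */
bool mul_size(size_t a, size_t b, size_t *out) {
    if (a != 0 && b > SIZE_MAX / a) return false;
    *out = a * b;
    return true;
}

/* Validate the fmt-chunk claims before any cursor arithmetic depends on them:
   non-zero block size and channel count, and a block large enough to hold
   the assumed 4-byte header for every channel. */
bool validate_fmt(const AdpcmStream *s) {
    size_t header_bytes;
    if (s->block_align == 0 || s->channels == 0) return false;
    if (!mul_size(s->channels, 4, &header_bytes)) return false;
    return header_bytes <= s->block_align;
}

/* "Decode" one block: sums its bytes into a checksum so a test can confirm
   exactly which bytes were touched.  Returns bytes consumed, or 0 when the
   block would extend past the end of the buffer. */
static size_t decode_block(const uint8_t *block, size_t avail,
                           uint32_t block_align, uint32_t *checksum) {
    if (avail < block_align) return 0;
    for (uint32_t i = 0; i < block_align; i++) *checksum += block[i];
    return block_align;
}

/* Walk the payload block by block.  The cursor advances only by what a block
   actually consumed and is bounded by encoded_len; a trailing partial block
   is dropped rather than read past the end.  Returns the number of complete
   blocks decoded, or -1 when the fmt claims are rejected. */
long decode_stream(const AdpcmStream *s, uint32_t *checksum) {
    size_t off = 0, blocks = 0;
    *checksum = 0;
    if (!validate_fmt(s)) return -1;
    while (s->encoded_len - off >= s->block_align) {
        size_t used = decode_block(s->encoded + off, s->encoded_len - off,
                                   s->block_align, checksum);
        if (used == 0) return -1;   /* defensive; the loop guard already prevents this */
        off += used;
        blocks++;
    }
    return (long)blocks;
}

/* Constructed payload: ten bytes, so block_align 4 gives two full blocks
   and two leftover bytes that must not be read as a third block. */
static const uint8_t SAMPLE_PAYLOAD[10] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10};

/* Well-formed header: 1 channel, 4-byte blocks. */
long example_good(uint32_t *checksum) {
    AdpcmStream s = { SAMPLE_PAYLOAD, sizeof SAMPLE_PAYLOAD, 4, 1 };
    return decode_stream(&s, checksum);
}

/* Constructed hostile header: a channel count whose 32-bit header size
   wraps to 0, which the checked path rejects outright. */
long example_hostile(uint32_t *checksum) {
    AdpcmStream s = { SAMPLE_PAYLOAD, sizeof SAMPLE_PAYLOAD, 4, 0x40000000u };
    return decode_stream(&s, checksum);
}

int main(void) {
    uint32_t sum;
    printf("good: blocks=%ld checksum=%u\n", example_good(&sum), sum);
    printf("hostile: unchecked header bytes=%u, checked result=%ld\n",
           header_bytes_unchecked(0x40000000u, 4), example_hostile(&sum));
    return 0;
}
```

The point of the two paths is that the rejection happens at header validation, before any pointer is derived from the claimed sizes; once a cursor is advanced by a wrapped value, every later bounds comparison is reasoning about the wrong number.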

Comment 9 Riccardo Schirone 2019-09-25 13:43:56 UTC
In reply to comment #5:
> Fedora and EPEL have had SDL2-2.0.10 as an update for _two months_ now.
> Might it be possible to check to see if CVEs are fixed before opening piles
> of bugs?

Fedora 29 still has SDL2-2.0.9 and it is supported, so the Fedora trackers are correctly filed. For the EPEL ones, please close them. We'll try to pay more attention to the versions next time.