1731101 – (CVE-2019-13626) CVE-2019-13626 SDL: integer overflow in IMA_ADPCM_decode() in audio/SDL_wave.c leads to heap-based buffer over-read in Fill_IMA_ADPCM_block

Bug 1731101 (CVE-2019-13626) - CVE-2019-13626 SDL: integer overflow in IMA_ADPCM_decode() in audio/SDL_wave.c leads to heap-based buffer over-read in Fill_IMA_ADPCM_block

Summary: CVE-2019-13626 SDL: integer overflow in IMA_ADPCM_decode() in audio/SDL_wave....

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2019-13626
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1731103 1754613 1754614 1754615 1754616 1755415
Blocks:	1731102
TreeView+	depends on / blocked

Reported:	2019-07-18 09:55 UTC by Dhananjay Arunesh
Modified:	2021-10-27 10:46 UTC (History)
CC List:	7 users (show)
Fixed In Version:	sdl 2.0.10
Doc Type:	If docs needed, set a value
Doc Text:	An out-of-bounds read flaw was discovered in SDL2, in the way that WAVE files are loaded through the SDL_LoadWAV_RW function. An application that uses SDL2 and loads untrusted input files may be vulnerable to this flaw. An attacker can abuse this flaw to crash the application or to leak data from the application's memory.
Clone Of:
Environment:
Last Closed:	2021-10-27 10:46:41 UTC
Embargoed:

Attachments	(Terms of Use)

Description Dhananjay Arunesh 2019-07-18 09:55:52 UTC

SDL (Simple DirectMedia Layer) 2.x through 2.0.9 has a heap-based buffer over-read in Fill_IMA_ADPCM_block, caused by an integer overflow in IMA_ADPCM_decode() in audio/SDL_wave.c.

Reference:
https://bugzilla.libsdl.org/show_bug.cgi?id=4522

Comment 1 Dhananjay Arunesh 2019-07-18 09:57:25 UTC

Created SDL tracking bugs for this issue:

Affects: fedora-all [bug 1731103]

Comment 2 Petr Pisar 2019-07-18 10:41:39 UTC

(In reply to Dhananjay Arunesh from comment #1)
> Created SDL tracking bugs for this issue:
> 
> Affects: fedora-all [bug 1731103]

Didn't you mistaken SDL with SDL2? SDL is not vulnerable because does not support 24-bit WAVE format.

Comment 3 Riccardo Schirone 2019-09-23 16:49:01 UTC

Upstream fix:
https://hg.libsdl.org/SDL/rev/b06fa7da012b

Comment 4 Riccardo Schirone 2019-09-23 17:47:30 UTC

Created SDL2 tracking bugs for this issue:

Affects: epel-all [bug 1754615]
Affects: fedora-all [bug 1754613]


Created mingw-SDL2 tracking bugs for this issue:

Affects: epel-all [bug 1754616]
Affects: fedora-all [bug 1754614]

Comment 5 Tom "spot" Callaway 2019-09-25 12:40:45 UTC

Fedora and EPEL have had SDL2-2.0.10 as an update for _two months_ now. Might it be possible to check to see if CVEs are fixed before opening piles of bugs?

Comment 6 Riccardo Schirone 2019-09-25 12:48:12 UTC

An application linked against SDL2 that uses SDL_LoadWAV_RW function on untrusted files could be vulnerable to this flaw. The bug allow an attacker to crash the application or, based on the application, extract data from application's memory. The out-of-bound read happens in function Fill_IMA_ADPCM_block(), called by SDL_LoadWAV_RW(), due to the `encoded` pointer being increased too much.

Comment 9 Riccardo Schirone 2019-09-25 13:43:56 UTC

In reply to comment #5:
> Fedora and EPEL have had SDL2-2.0.10 as an update for _two months_ now.
> Might it be possible to check to see if CVEs are fixed before opening piles
> of bugs?

Fedora 29 still has SDL2-2.0.9 and it is supported, so the Fedora trackers are correctly filed. For the EPEL ones, please close them. We'll try to pay more attention to the versions next times.

Note You need to log in before you can comment on or make changes to this bug.