Bug 4508

Summary: Heap buffer overflow in Fill_IMA_ADPCM_block
Product: SDL
Reporter: Geeknik Labs <geeknik>
Component: audio
Assignee: Simon Hug <chli.hug>
Status: RESOLVED FIXED
QA Contact: Sam Lantinga <slouken>
Severity: critical
Priority: P2
Version: 2.0.9
Hardware: x86_64
OS: Linux
Attachments: POC

Description Geeknik Labs 2019-02-16 08:42:51 UTC
Created attachment 3629: POC

The attached WAV file triggers a heap buffer overflow in SDL 2.0.9 using the fuzzing harness from https://www.ixiacom.com/company/blog/how-use-fuzzing-security-research.

==3138==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000038 at pc 0x7ff6fd656a16 bp 0x7ffc25bada90 sp 0x7ffc25bada88
READ of size 1 at 0x602000000038 thread T0
    #0 0x7ff6fd656a15 in Fill_IMA_ADPCM_block /root/SDL2-2.0.9/src/audio/SDL_wave.c:319:19
    #1 0x7ff6fd656a15 in IMA_ADPCM_decode /root/SDL2-2.0.9/src/audio/SDL_wave.c:393
    #2 0x7ff6fd656a15 in SDL_LoadWAV_RW_REAL /root/SDL2-2.0.9/src/audio/SDL_wave.c:635
    #3 0x4f7c7d in main /root/tmp/harness_sdl.c:28:8
    #4 0x7ff6fc3e22e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #5 0x41da49 in _start (/root/tmp/harness_sdl+0x41da49)

0x602000000038 is located 0 bytes to the right of 8-byte region [0x602000000030,0x602000000038)
allocated by thread T0 here:
    #0 0x4c8de3 in malloc /b/swarming/w/ir/kitchen-workdir/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
    #1 0x7ff6fd741580 in SDL_malloc_REAL /root/SDL2-2.0.9/src/stdlib/SDL_malloc.c:5328:11
    #2 0x7ff6fd653f0c in ReadChunk /root/SDL2-2.0.9/src/audio/SDL_wave.c:682:29
    #3 0x7ff6fd653f0c in SDL_LoadWAV_RW_REAL /root/SDL2-2.0.9/src/audio/SDL_wave.c:616
    #4 0x4f7c7d in main /root/tmp/harness_sdl.c:28:8

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/SDL2-2.0.9/src/audio/SDL_wave.c:319:19 in Fill_IMA_ADPCM_block

Comment 1 Sam Lantinga 2019-06-10 16:00:11 UTC
Simon, can you verify that your changes fix this issue?
Comment 2 Simon Hug 2019-06-10 21:02:41 UTC
The WAVE file (attachment 3629) specifies 24 bits per sample for IMA ADPCM.

With the current tip, SDL_LoadWAV_RW rejects this file with "Invalid IMA ADPCM bits per sample of 24" as it only supports 4-bit IMA ADPCM.
Comment 3 Sam Lantinga 2019-06-11 13:26:40 UTC
Great, thanks!
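As an added example, not code from SDL or from this bug thread, here is the kind of up-front header validation the fix relies on: a small C parser for an IMA ADPCM "fmt " chunk body that rejects any bits-per-sample value other than 4 (the value the reported file carries is 24), checks that the block-align and samples-per-block fields agree before either is used to size decoder state, and a helper that counts only whole blocks so a short data chunk (the ASan report shows an 8-byte region) is never handed to a block decoder. The two chunk byte strings are constructed for this example and are not taken from the attached PoC; the field layout follows WAVEFORMATEX plus the IMA ADPCM extension, and the samples-per-block relation and 4-byte-per-channel word interleaving are assumed from the IMA ADPCM format description rather than read from SDL's source.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define WAVE_FORMAT_IMA_ADPCM 0x0011u

/* Fields of WAVEFORMATEX plus the IMA ADPCM extension, as laid out in a "fmt " chunk body. */
typedef struct {
    uint16_t format_tag;
    uint16_t channels;
    uint32_t sample_rate;
    uint32_t avg_bytes_per_sec;
    uint16_t block_align;
    uint16_t bits_per_sample;
    uint16_t cb_size;           /* size of the extension that follows (2 for IMA ADPCM) */
    uint16_t samples_per_block; /* IMA ADPCM extension field */
} ima_fmt_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/*
 * Parse an IMA ADPCM fmt chunk body and validate it before any decoder state is
 * sized from it. Returns 1 and fills *out on success; returns 0 and sets *err on
 * rejection. Every field that later drives buffer arithmetic is checked here.
 */
int ima_adpcm_fmt_check(const uint8_t *buf, size_t len, ima_fmt_t *out, const char **err)
{
    ima_fmt_t f;
    uint32_t header_bytes, data_bytes, expected_spb;

    if (len < 20) { *err = "fmt chunk too short for IMA ADPCM"; return 0; }
    f.format_tag        = rd16(buf + 0);
    f.channels          = rd16(buf + 2);
    f.sample_rate       = rd32(buf + 4);
    f.avg_bytes_per_sec = rd32(buf + 8);
    f.block_align       = rd16(buf + 12);
    f.bits_per_sample   = rd16(buf + 14);
    f.cb_size           = rd16(buf + 16);
    f.samples_per_block = rd16(buf + 18);

    if (f.format_tag != WAVE_FORMAT_IMA_ADPCM) { *err = "not IMA ADPCM"; return 0; }
    if (f.channels < 1 || f.channels > 2) { *err = "unsupported channel count"; return 0; }
    /* The decoder only understands 4-bit nibbles; any other value (e.g. 24) is rejected here. */
    if (f.bits_per_sample != 4) { *err = "Invalid IMA ADPCM bits per sample"; return 0; }
    if (f.cb_size < 2) { *err = "missing IMA ADPCM extension"; return 0; }
    if (f.sample_rate == 0) { *err = "zero sample rate"; return 0; }

    /* Each block starts with a 4-byte header per channel (predictor sample + step index). */
    header_bytes = 4u * f.channels;
    if (f.block_align < header_bytes) { *err = "block align smaller than block header"; return 0; }
    data_bytes = f.block_align - header_bytes;
    /* Sample data is interleaved in 4-byte words per channel (assumed layout), so the
       remainder of the block must be a whole number of such words. */
    if (data_bytes % header_bytes != 0) { *err = "block align not a multiple of channel word size"; return 0; }
    /* Two nibbles per data byte, spread across the channels, plus the header sample. */
    expected_spb = (data_bytes * 2u) / f.channels + 1u;
    if (f.samples_per_block != expected_spb) { *err = "samples per block disagrees with block align"; return 0; }

    *out = f;
    *err = NULL;
    return 1;
}

/* Number of complete blocks in a data chunk; a trailing partial block is not decodable. */
size_t ima_full_blocks(size_t data_len, uint16_t block_align)
{
    return block_align == 0 ? 0 : data_len / block_align;
}

/* Constructed fmt chunk bodies (little-endian); not taken from the attached PoC file. */
const uint8_t FMT_IMA_4BIT[20] = {
    0x11, 0x00,             /* format tag: WAVE_FORMAT_IMA_ADPCM */
    0x01, 0x00,             /* channels: 1 */
    0x40, 0x1F, 0x00, 0x00, /* sample rate: 8000 */
    0xD7, 0x0F, 0x00, 0x00, /* avg bytes/sec: 4055 */
    0x00, 0x01,             /* block align: 256 */
    0x04, 0x00,             /* bits per sample: 4 */
    0x02, 0x00,             /* cbSize: 2 */
    0xF9, 0x01              /* samples per block: 505 */
};
/* Same header but claiming 24 bits per sample, the value the reported file carries. */
const uint8_t FMT_IMA_24BIT[20] = {
    0x11, 0x00, 0x01, 0x00, 0x40, 0x1F, 0x00, 0x00, 0xD7, 0x0F, 0x00, 0x00,
    0x00, 0x01, 0x18, 0x00, 0x02, 0x00, 0xF9, 0x01
};

int main(void)
{
    ima_fmt_t f;
    const char *err = NULL;
    printf("4-bit : %s\n", ima_adpcm_fmt_check(FMT_IMA_4BIT, sizeof FMT_IMA_4BIT, &f, &err) ? "accepted" : err);
    printf("24-bit: %s\n", ima_adpcm_fmt_check(FMT_IMA_24BIT, sizeof FMT_IMA_24BIT, &f, &err) ? "accepted" : err);
    printf("8-byte data chunk holds %zu full block(s)\n", ima_full_blocks(8, 256));
    return 0;
}
```

The point of checking samples-per-block against block-align before decoding is that both fields come from the file; if a decoder sizes its output from one and its input reads from the other, a disagreement between them is exactly the kind of mismatch that ends in a read past the end of a heap allocation.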