Hi.
I've ported the CVE patches from the Debian LTS release of libsdl1.2 to the package in unstable.
>From 3aa83f5059f9e8203177350101ab43415b901f93 Mon Sep 17 00:00:00 2001
From: Kari Pahula
Date: Wed, 24 Apr 2019 16:51:03 +0300
Subject: [PATCH] Port patches from Debian LTS release for CVE bugs.
Fixes for CVE-2019-7572, CVE-2019-7573, CVE-2019-7574,
CVE-2019-7575, CVE-2019-7576, CVE-2019-7577, CVE-2019-7578,
CVE-2019-7635, CVE-2019-7636, CVE-2019-7637, CVE-2019-7638.
---
debian/patches/CVE-2019-7572_CVE-2019-7574.patch | 105
debian/patches/CVE-2019-7573.patch | 66
debian/patches/CVE-2019-7575_7577.patch | 78 +
debian/patches/CVE-2019-7577-1_2.patch | 32
debian/patches/CVE-2019-7578.patch | 53 ++
debian/patches/CVE-2019-7635_636_638.patch | 81 +
debian/patches/CVE-2019-7637.patch | 207 +++
debian/patches/series| 8 +
8 files changed, 630 insertions(+)
create mode 100644 debian/patches/CVE-2019-7572_CVE-2019-7574.patch
create mode 100644 debian/patches/CVE-2019-7573.patch
create mode 100644 debian/patches/CVE-2019-7575_7577.patch
create mode 100644 debian/patches/CVE-2019-7577-1_2.patch
create mode 100644 debian/patches/CVE-2019-7578.patch
create mode 100644 debian/patches/CVE-2019-7635_636_638.patch
create mode 100644 debian/patches/CVE-2019-7637.patch
diff --git a/debian/patches/CVE-2019-7572_CVE-2019-7574.patch b/debian/patches/CVE-2019-7572_CVE-2019-7574.patch
new file mode 100644
index 000..c1ecdb9
--- /dev/null
+++ b/debian/patches/CVE-2019-7572_CVE-2019-7574.patch
@@ -0,0 +1,105 @@
+Description: CVE-2019-7572, CVE-2019-7574
+ CVE-2019-7572: a buffer over-read in IMA_ADPCM_nibble in audio/SDL_wave.c.
+ CVE-2019-7574: a heap-based buffer over-read in IMA_ADPCM_decode in audio/SDL_wave.c.
+
+---
+Author: Abhijith PA
+Origin: https://bugzilla-attachments.libsdl.org/attachment.cgi?id=3610
+https://bugzilla.libsdl.org/attachment.cgi?id=3612
+https://bugzilla.libsdl.org/attachment.cgi?id=3618
+Bug: https://bugzilla.libsdl.org/show_bug.cgi?id=4496
+ https://bugzilla.libsdl.org/show_bug.cgi?id=4495
+Last-Update: <2018-03-05>
+
+Index: libsdl1.2-1.2.15/src/audio/SDL_wave.c
+===
+--- libsdl1.2-1.2.15.orig/src/audio/SDL_wave.c
libsdl1.2-1.2.15/src/audio/SDL_wave.c
+@@ -264,6 +264,14 @@ static Sint32 IMA_ADPCM_nibble(struct IM
+ };
+ Sint32 delta, step;
+
++ /* Clamp index value. The inital value can be invalid. */
++ if ( state->index > 88 ) {
++ state->index = 88;
++ } else
++ if ( state->index < 0 ) {
++ state->index = 0;
++ }
++
+ /* Compute difference and new sample value */
+ step = step_table[state->index];
+ delta = step >> 3;
+@@ -275,12 +283,6 @@ static Sint32 IMA_ADPCM_nibble(struct IM
+
+ /* Update index value */
+ state->index += index_table[nybble];
+- if ( state->index > 88 ) {
+- state->index = 88;
+- } else
+- if ( state->index < 0 ) {
+- state->index = 0;
+- }
+
+ /* Clamp output sample */
+ if ( state->sample > max_audioval ) {
+@@ -323,7 +325,7 @@ static void Fill_IMA_ADPCM_block(Uint8 *
+ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ {
+ struct IMA_ADPCM_decodestate *state;
+- Uint8 *freeable, *encoded, *decoded;
++ Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end;
+ Sint32 encoded_len, samplesleft;
+ unsigned int c, channels;
+
+@@ -339,6 +341,7 @@ static int IMA_ADPCM_decode(Uint8 **audi
+ /* Allocate the proper sized output buffer */
+ encoded_len = *audio_len;
+ encoded = *audio_buf;
++ encoded_end = encoded + encoded_len;
+ freeable = *audio_buf;
+ *audio_len = (encoded_len/IMA_ADPCM_state.wavefmt.blockalign) *
+ IMA_ADPCM_state.wSamplesPerBlock*
+@@ -349,11 +352,13 @@ static int IMA_ADPCM_decode(Uint8 **audi
+ return(-1);
+ }
+ decoded = *audio_buf;
++ decoded_end = decoded + *audio_len;
+
+ /* Get ready... Go! */
+ while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) {
+ /* Grab the initial information for this block */
+ for ( c=0; c encoded_end) goto invalid_size;
+ /* Fill the state information for this block */
+ state[c].sample = ((encoded[1]<<8)|encoded[0]);
+ encoded += 2;
+@@ -367,6 +372,7 @@ static int IMA_ADPCM_decode(Uint8 **audi
+ }
+
+ /* Store the initial sample we start with */
++ if (decoded + 2 > decoded_end) goto invalid_size;
+ decoded[0] = (Uint8)(state[c].sample&0xFF);
+ decoded[1] = (Uint8)(state[c].sample>>8);
+ decoded += 2;
+@@ -376,6 +382,9 @@ static int IMA_ADPCM_decode(Uint8 **audi
+ samplesleft = (IMA_ADPCM_state.wSamplesPerBlock-1)*channels;
+ while ( samplesleft > 0 ) {
+ for ( c=0; c encoded_end) goto invalid_size;
++if (decoded + 4 * 4 * channels > decoded_end)
++ goto invalid_size;
+ Fill_IMA_ADPCM_block(decoded, encoded,
+ c,