Your submission was sent successfully! Close

CVE-2019-13626

Published: 17 July 2019

SDL (Simple DirectMedia Layer) 2.x through 2.0.9 has a heap-based buffer over-read in Fill_IMA_ADPCM_block, caused by an integer overflow in IMA_ADPCM_decode() in audio/SDL_wave.c.

Notes

AuthorNote
avital
The patch in SDL 2.0 is enormous and should be applied with care. The
upstream patch to backport is spread across three upstream commits:
https://hg.libsdl.org/SDL/rev/b06fa7da012b
https://hg.libsdl.org/SDL/rev/a39d8cdf50f4
https://hg.libsdl.org/SDL/rev/572f29f98da0
Priority

Medium

CVSS 3 base score: 6.5

Status

Package Release Status
libsdl1.2
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(code not present)
disco Not vulnerable
(code not present)
eoan Not vulnerable
(code not present)
focal Not vulnerable
(code not present)
groovy Not vulnerable
(code not present)
hirsute Not vulnerable
(code not present)
impish Not vulnerable
(code not present)
jammy Not vulnerable
(code not present)
kinetic Not vulnerable
(code not present)
precise Not vulnerable
(code not present)
trusty Not vulnerable
(code not present)
upstream Not vulnerable
(code not present)
xenial Not vulnerable
(code not present)
libsdl2
Launchpad, Ubuntu, Debian
bionic Needed

disco Ignored
(reached end-of-life)
eoan Not vulnerable
(2.0.10+dfsg1-1ubuntu1)
focal Not vulnerable
(2.0.10+dfsg1-1ubuntu1)
groovy Not vulnerable
(2.0.10+dfsg1-1ubuntu1)
hirsute Not vulnerable
(2.0.10+dfsg1-1ubuntu1)
impish Not vulnerable
(2.0.10+dfsg1-1ubuntu1)
jammy Not vulnerable
(2.0.10+dfsg1-1ubuntu1)
kinetic Not vulnerable
(2.0.10+dfsg1-1ubuntu1)
precise Does not exist

trusty Needed

upstream
Released (2.0.10)
xenial Ignored
(end of standard support, was needed)