SDL (Simple DirectMedia Layer) 2.x through 2.0.9 has a heap-based buffer over-read in Fill_IMA_ADPCM_block, caused by an integer overflow in IMA_ADPCM_decode() in audio/SDL_wave.c.
Gentoo Security Padawan
The CVE links to https://bugzilla.libsdl.org/show_bug.cgi?id=4522 but the main issue is at https://bugzilla.libsdl.org/show_bug.cgi?id=3894. The patches are quite heavy and there's talk of a 2.0.10 release so I'll sit tight for the moment.
Author: Lars Wendler <email@example.com>
Date: Fri Jul 26 13:34:10 2019
media-libs/libsdl2: Bump to version 2.0.10
Package-Manager: Portage-2.3.69, Repoman-2.3.16
Signed-off-by: Lars Wendler <firstname.lastname@example.org>
@arches, please stabilize.
This issue was resolved and addressed in
GLSA 201909-07 at https://security.gentoo.org/glsa/201909-07
by GLSA coordinator Thomas Deutschmann (whissi).
Re-opening for remaining architectures.