From a19bfad042fd93fa9a556fe63659f5d43eca9a19 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Sep 29 2020 06:56:24 +0000 Subject: import SDL-1.2.15-17.el7 --- diff --git a/SOURCES/0001-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch b/SOURCES/0001-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch new file mode 100644 index 0000000..3d10e8f --- /dev/null +++ b/SOURCES/0001-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch @@ -0,0 +1,61 @@ +From bbb40efd9591b8a24de146eb78029731024e9015 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= +Date: Sat, 8 Jun 2019 17:57:43 -0700 +Subject: [PATCH 01/11] CVE-2019-7572: Fix a buffer overread in + IMA_ADPCM_nibble If an IMA ADPCM block contained an initial index out of step + table range (loaded in IMA_ADPCM_decode()), IMA_ADPCM_nibble() blindly used + this bogus value and that lead to a buffer overread. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This patch fixes it by moving clamping the index value at the +beginning of IMA_ADPCM_nibble() function instead of the end after +an update. + +CVE-2019-7572 +https://bugzilla.libsdl.org/show_bug.cgi?id=4495 + +Signed-off-by: Petr Písař + +--HG-- +branch : SDL-1.2 +--- + src/audio/SDL_wave.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c +index b4ad6c787..ba1fb5252 100644 +--- a/src/audio/SDL_wave.c ++++ b/src/audio/SDL_wave.c +@@ -264,6 +264,14 @@ static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble) + }; + Sint32 delta, step; + ++ /* Clamp index value. The inital value can be invalid. */ ++ if ( state->index > 88 ) { ++ state->index = 88; ++ } else ++ if ( state->index < 0 ) { ++ state->index = 0; ++ } ++ + /* Compute difference and new sample value */ + step = step_table[state->index]; + delta = step >> 3; +@@ -275,12 +283,6 @@ static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble) + + /* Update index value */ + state->index += index_table[nybble]; +- if ( state->index > 88 ) { +- state->index = 88; +- } else +- if ( state->index < 0 ) { +- state->index = 0; +- } + + /* Clamp output sample */ + if ( state->sample > max_audioval ) { +-- +2.24.1 + diff --git a/SOURCES/0001-Don-t-use-C99-features.patch b/SOURCES/0001-Don-t-use-C99-features.patch new file mode 100644 index 0000000..fba9ab4 --- /dev/null +++ b/SOURCES/0001-Don-t-use-C99-features.patch @@ -0,0 +1,29 @@ +From 52f262d8b31ee231a95f5504939a4c7813272848 Mon Sep 17 00:00:00 2001 +From: Wim Taymans +Date: Sat, 15 Feb 2020 11:20:40 +0100 +Subject: [PATCH] Don't use C99 features + +--- + src/video/SDL_pixels.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/video/SDL_pixels.c b/src/video/SDL_pixels.c +index 44626b749..17f1a7199 100644 +--- a/src/video/SDL_pixels.c ++++ b/src/video/SDL_pixels.c +@@ -292,10 +292,11 @@ void SDL_DitherColors(SDL_Color *colors, int bpp) + Uint16 SDL_CalculatePitch(SDL_Surface *surface) + { + unsigned int pitch = 0; ++ Uint8 byte; + + /* Surface should be 4-byte aligned for speed */ + /* The code tries to prevent from an Uint16 overflow. */; +- for (Uint8 byte = surface->format->BytesPerPixel; byte; byte--) { ++ for (byte = surface->format->BytesPerPixel; byte; byte--) { + pitch += (unsigned int)surface->w; + if (pitch < surface->w) { + SDL_SetError("A scanline is too wide"); +-- +2.24.1 + diff --git a/SOURCES/0002-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch b/SOURCES/0002-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch new file mode 100644 index 0000000..baacf9f --- /dev/null +++ b/SOURCES/0002-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch @@ -0,0 +1,69 @@ +From 756cdc9bbb1898c631799af8f31f4772c1023aab Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= +Date: Sat, 8 Jun 2019 18:02:09 -0700 +Subject: [PATCH 02/11] CVE-2019-7578: Fix a buffer overread in InitIMA_ADPCM + If IMA ADPCM format chunk was too short, InitIMA_ADPCM() parsing it could + read past the end of chunk data. This patch fixes it. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +CVE-2019-7578 +https://bugzilla.libsdl.org/show_bug.cgi?id=4494 + +Signed-off-by: Petr Písař + +--HG-- +branch : SDL-1.2 +--- + src/audio/SDL_wave.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c +index ba1fb5252..21ee4dc3c 100644 +--- a/src/audio/SDL_wave.c ++++ b/src/audio/SDL_wave.c +@@ -222,11 +222,12 @@ static struct IMA_ADPCM_decoder { + struct IMA_ADPCM_decodestate state[2]; + } IMA_ADPCM_state; + +-static int InitIMA_ADPCM(WaveFMT *format) ++static int InitIMA_ADPCM(WaveFMT *format, int length) + { +- Uint8 *rogue_feel; ++ Uint8 *rogue_feel, *rogue_feel_end; + + /* Set the rogue pointer to the IMA_ADPCM specific data */ ++ if (length < sizeof(*format)) goto too_short; + IMA_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding); + IMA_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels); + IMA_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency); +@@ -235,11 +236,16 @@ static int InitIMA_ADPCM(WaveFMT *format) + IMA_ADPCM_state.wavefmt.bitspersample = + SDL_SwapLE16(format->bitspersample); + rogue_feel = (Uint8 *)format+sizeof(*format); ++ rogue_feel_end = (Uint8 *)format + length; + if ( sizeof(*format) == 16 ) { + rogue_feel += sizeof(Uint16); + } ++ if (rogue_feel + 2 > rogue_feel_end) goto too_short; + IMA_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1]<<8)|rogue_feel[0]); + return(0); ++too_short: ++ SDL_SetError("Unexpected length of a chunk with an IMA ADPCM format"); ++ return(-1); + } + + static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble) +@@ -471,7 +477,7 @@ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc, + break; + case IMA_ADPCM_CODE: + /* Try to understand this */ +- if ( InitIMA_ADPCM(format) < 0 ) { ++ if ( InitIMA_ADPCM(format, lenread) < 0 ) { + was_error = 1; + goto done; + } +-- +2.24.1 + diff --git a/SOURCES/0003-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch b/SOURCES/0003-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch new file mode 100644 index 0000000..d954420 --- /dev/null +++ b/SOURCES/0003-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch @@ -0,0 +1,73 @@ +From 4b3fd03718c9f929e32292e3dfd0c97db7a17bc9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= +Date: Mon, 10 Jun 2019 08:50:59 -0700 +Subject: [PATCH 03/11] CVE-2019-7574: Fix a buffer overread in + IMA_ADPCM_decode If data chunk was shorter than expected based on a WAV + format definition, IMA_ADPCM_decode() tried to read past the data chunk + buffer. This patch fixes it. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +CVE-2019-7574 +https://bugzilla.libsdl.org/show_bug.cgi?id=4496 + +Signed-off-by: Petr Písař + +--HG-- +branch : SDL-1.2 +--- + src/audio/SDL_wave.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c +index 21ee4dc3c..66f804421 100644 +--- a/src/audio/SDL_wave.c ++++ b/src/audio/SDL_wave.c +@@ -331,7 +331,7 @@ static void Fill_IMA_ADPCM_block(Uint8 *decoded, Uint8 *encoded, + static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + { + struct IMA_ADPCM_decodestate *state; +- Uint8 *freeable, *encoded, *decoded; ++ Uint8 *freeable, *encoded, *encoded_end, *decoded; + Sint32 encoded_len, samplesleft; + unsigned int c, channels; + +@@ -347,6 +347,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + /* Allocate the proper sized output buffer */ + encoded_len = *audio_len; + encoded = *audio_buf; ++ encoded_end = encoded + encoded_len; + freeable = *audio_buf; + *audio_len = (encoded_len/IMA_ADPCM_state.wavefmt.blockalign) * + IMA_ADPCM_state.wSamplesPerBlock* +@@ -362,6 +363,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) { + /* Grab the initial information for this block */ + for ( c=0; c encoded_end) goto invalid_size; + /* Fill the state information for this block */ + state[c].sample = ((encoded[1]<<8)|encoded[0]); + encoded += 2; +@@ -384,6 +386,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + samplesleft = (IMA_ADPCM_state.wSamplesPerBlock-1)*channels; + while ( samplesleft > 0 ) { + for ( c=0; c encoded_end) goto invalid_size; + Fill_IMA_ADPCM_block(decoded, encoded, + c, channels, &state[c]); + encoded += 4; +@@ -395,6 +398,10 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + } + SDL_free(freeable); + return(0); ++invalid_size: ++ SDL_SetError("Unexpected chunk length for an IMA ADPCM decoder"); ++ SDL_free(freeable); ++ return(-1); + } + + SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc, +-- +2.24.1 + diff --git a/SOURCES/0004-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch b/SOURCES/0004-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch new file mode 100644 index 0000000..25bb021 --- /dev/null +++ b/SOURCES/0004-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch @@ -0,0 +1,76 @@ +From 8c46fe2fcf6ef4a74808f90711b3e9844632e8f7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= +Date: Mon, 10 Jun 2019 08:54:11 -0700 +Subject: [PATCH 04/11] CVE-2019-7577: Fix a buffer overread in MS_ADPCM_decode + If RIFF/WAV data chunk length is shorter then expected for an audio format + defined in preceeding RIFF/WAV format headers, a buffer overread can happen. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This patch fixes it by checking a MS ADPCM data to be decoded are not +past the initialized buffer. + +CVE-2019-7577 +Reproducer: https://bugzilla.libsdl.org/show_bug.cgi?id=4492 + +Signed-off-by: Petr Písař + +--HG-- +branch : SDL-1.2 +--- + src/audio/SDL_wave.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c +index 66f804421..6c6eb14eb 100644 +--- a/src/audio/SDL_wave.c ++++ b/src/audio/SDL_wave.c +@@ -115,7 +115,7 @@ static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state, + static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + { + struct MS_ADPCM_decodestate *state[2]; +- Uint8 *freeable, *encoded, *decoded; ++ Uint8 *freeable, *encoded, *encoded_end, *decoded; + Sint32 encoded_len, samplesleft; + Sint8 nybble, stereo; + Sint16 *coeff[2]; +@@ -124,6 +124,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + /* Allocate the proper sized output buffer */ + encoded_len = *audio_len; + encoded = *audio_buf; ++ encoded_end = encoded + encoded_len; + freeable = *audio_buf; + *audio_len = (encoded_len/MS_ADPCM_state.wavefmt.blockalign) * + MS_ADPCM_state.wSamplesPerBlock* +@@ -141,6 +142,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + state[1] = &MS_ADPCM_state.state[stereo]; + while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) { + /* Grab the initial information for this block */ ++ if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto too_short; + state[0]->hPredictor = *encoded++; + if ( stereo ) { + state[1]->hPredictor = *encoded++; +@@ -188,6 +190,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)* + MS_ADPCM_state.wavefmt.channels; + while ( samplesleft > 0 ) { ++ if (encoded + 1 > encoded_end) goto too_short; ++ + nybble = (*encoded)>>4; + new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]); + decoded[0] = new_sample&0xFF; +@@ -209,6 +213,10 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + } + SDL_free(freeable); + return(0); ++too_short: ++ SDL_SetError("Too short chunk for a MS ADPCM decoder"); ++ SDL_free(freeable); ++ return(-1); + } + + struct IMA_ADPCM_decodestate { +-- +2.24.1 + diff --git a/SOURCES/0005-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch b/SOURCES/0005-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch new file mode 100644 index 0000000..04a3729 --- /dev/null +++ b/SOURCES/0005-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch @@ -0,0 +1,58 @@ +From 1b7d3f5e53a4d7a827ce89de22a1524bd27572f9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= +Date: Mon, 10 Jun 2019 08:54:29 -0700 +Subject: [PATCH 05/11] CVE-2019-7577: Fix a buffer overread in MS_ADPCM_nibble + and MS_ADPCM_decode If a chunk of RIFF/WAV file with MS ADPCM encoding + contains an invalid predictor (a valid predictor's value is between 0 and 6 + inclusive), a buffer overread can happen when the predictor is used as an + index into an array of MS ADPCM coefficients. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The overead happens when indexing MS_ADPCM_state.aCoeff[] array in +MS_ADPCM_decode() and later when dereferencing a coef pointer in +MS_ADPCM_nibble(). + +This patch fixes it by checking the MS ADPCM predictor values fit +into the valid range. + +CVE-2019-7577 +Reproducer: https://bugzilla.libsdl.org/show_bug.cgi?id=4492 + +Signed-off-by: Petr Písař + +--HG-- +branch : SDL-1.2 +--- + src/audio/SDL_wave.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c +index 6c6eb14eb..3eedd20a1 100644 +--- a/src/audio/SDL_wave.c ++++ b/src/audio/SDL_wave.c +@@ -147,6 +147,9 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + if ( stereo ) { + state[1]->hPredictor = *encoded++; + } ++ if (state[0]->hPredictor >= 7 || state[1]->hPredictor >= 7) { ++ goto invalid_predictor; ++ } + state[0]->iDelta = ((encoded[1]<<8)|encoded[0]); + encoded += sizeof(Sint16); + if ( stereo ) { +@@ -217,6 +220,10 @@ too_short: + SDL_SetError("Too short chunk for a MS ADPCM decoder"); + SDL_free(freeable); + return(-1); ++invalid_predictor: ++ SDL_SetError("Invalid predictor value for a MS ADPCM decoder"); ++ SDL_free(freeable); ++ return(-1); + } + + struct IMA_ADPCM_decodestate { +-- +2.24.1 + diff --git a/SOURCES/0006-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch b/SOURCES/0006-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch new file mode 100644 index 0000000..7922d89 --- /dev/null +++ b/SOURCES/0006-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch @@ -0,0 +1,66 @@ +From 3e53d4b122df0aeb5cbc27622614f9a72d8c2564 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= +Date: Mon, 10 Jun 2019 08:57:11 -0700 +Subject: [PATCH 06/11] CVE-2019-7572: Fix a buffer overwrite in + IMA_ADPCM_decode If data chunk was longer than expected based on a WAV format + definition, IMA_ADPCM_decode() tried to write past the output buffer. This + patch fixes it. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Based on patch from +. + +CVE-2019-7572 +https://bugzilla.libsdl.org/show_bug.cgi?id=4495 + +Signed-off-by: Petr Písař + +--HG-- +branch : SDL-1.2 +--- + src/audio/SDL_wave.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c +index 3eedd20a1..4159eb710 100644 +--- a/src/audio/SDL_wave.c ++++ b/src/audio/SDL_wave.c +@@ -346,7 +346,7 @@ static void Fill_IMA_ADPCM_block(Uint8 *decoded, Uint8 *encoded, + static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + { + struct IMA_ADPCM_decodestate *state; +- Uint8 *freeable, *encoded, *encoded_end, *decoded; ++ Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end; + Sint32 encoded_len, samplesleft; + unsigned int c, channels; + +@@ -373,6 +373,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + return(-1); + } + decoded = *audio_buf; ++ decoded_end = decoded + *audio_len; + + /* Get ready... Go! */ + while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) { +@@ -392,6 +393,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + } + + /* Store the initial sample we start with */ ++ if (decoded + 2 > decoded_end) goto invalid_size; + decoded[0] = (Uint8)(state[c].sample&0xFF); + decoded[1] = (Uint8)(state[c].sample>>8); + decoded += 2; +@@ -402,6 +404,8 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + while ( samplesleft > 0 ) { + for ( c=0; c encoded_end) goto invalid_size; ++ if (decoded + 4 * 4 * channels > decoded_end) ++ goto invalid_size; + Fill_IMA_ADPCM_block(decoded, encoded, + c, channels, &state[c]); + encoded += 4; +-- +2.24.1 + diff --git a/SOURCES/0007-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch b/SOURCES/0007-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch new file mode 100644 index 0000000..a2cef8c --- /dev/null +++ b/SOURCES/0007-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch @@ -0,0 +1,84 @@ +From 10dfd78b74d0fc4a73f49978fb383afa537cb34d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= +Date: Mon, 10 Jun 2019 09:06:23 -0700 +Subject: [PATCH 07/11] CVE-2019-7573, CVE-2019-7576: Fix buffer overreads in + InitMS_ADPCM If MS ADPCM format chunk was too short, InitMS_ADPCM() parsing + it could read past the end of chunk data. This patch fixes it. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +CVE-2019-7573 +https://bugzilla.libsdl.org/show_bug.cgi?id=4491 +CVE-2019-7576 +https://bugzilla.libsdl.org/show_bug.cgi?id=4490 + +Signed-off-by: Petr Písař + +--HG-- +branch : SDL-1.2 +--- + src/audio/SDL_wave.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c +index 4159eb710..88ac2cca6 100644 +--- a/src/audio/SDL_wave.c ++++ b/src/audio/SDL_wave.c +@@ -44,12 +44,13 @@ static struct MS_ADPCM_decoder { + struct MS_ADPCM_decodestate state[2]; + } MS_ADPCM_state; + +-static int InitMS_ADPCM(WaveFMT *format) ++static int InitMS_ADPCM(WaveFMT *format, int length) + { +- Uint8 *rogue_feel; ++ Uint8 *rogue_feel, *rogue_feel_end; + int i; + + /* Set the rogue pointer to the MS_ADPCM specific data */ ++ if (length < sizeof(*format)) goto too_short; + MS_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding); + MS_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels); + MS_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency); +@@ -58,9 +59,11 @@ static int InitMS_ADPCM(WaveFMT *format) + MS_ADPCM_state.wavefmt.bitspersample = + SDL_SwapLE16(format->bitspersample); + rogue_feel = (Uint8 *)format+sizeof(*format); ++ rogue_feel_end = (Uint8 *)format + length; + if ( sizeof(*format) == 16 ) { + rogue_feel += sizeof(Uint16); + } ++ if (rogue_feel + 4 > rogue_feel_end) goto too_short; + MS_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1]<<8)|rogue_feel[0]); + rogue_feel += sizeof(Uint16); + MS_ADPCM_state.wNumCoef = ((rogue_feel[1]<<8)|rogue_feel[0]); +@@ -70,12 +73,16 @@ static int InitMS_ADPCM(WaveFMT *format) + return(-1); + } + for ( i=0; i rogue_feel_end) goto too_short; + MS_ADPCM_state.aCoeff[i][0] = ((rogue_feel[1]<<8)|rogue_feel[0]); + rogue_feel += sizeof(Uint16); + MS_ADPCM_state.aCoeff[i][1] = ((rogue_feel[1]<<8)|rogue_feel[0]); + rogue_feel += sizeof(Uint16); + } + return(0); ++too_short: ++ SDL_SetError("Unexpected length of a chunk with a MS ADPCM format"); ++ return(-1); + } + + static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state, +@@ -495,7 +502,7 @@ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc, + break; + case MS_ADPCM_CODE: + /* Try to understand this */ +- if ( InitMS_ADPCM(format) < 0 ) { ++ if ( InitMS_ADPCM(format, lenread) < 0 ) { + was_error = 1; + goto done; + } +-- +2.24.1 + diff --git a/SOURCES/0008-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch b/SOURCES/0008-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch new file mode 100644 index 0000000..69ce6d7 --- /dev/null +++ b/SOURCES/0008-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch @@ -0,0 +1,86 @@ +From 5cf68a3fbb846da51e1b867e3fd92ec8d0e7a0dd Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= +Date: Mon, 10 Jun 2019 09:25:05 -0700 +Subject: [PATCH 08/11] CVE-2019-7575: Fix a buffer overwrite in + MS_ADPCM_decode If a WAV format defines shorter audio stream and decoded MS + ADPCM data chunk is longer, decoding continued past the output audio buffer. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This fix is based on a patch from +. + +https://bugzilla.libsdl.org/show_bug.cgi?id=4493 +CVE-2019-7575 + +Signed-off-by: Petr Písař + +--HG-- +branch : SDL-1.2 +--- + src/audio/SDL_wave.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c +index 88ac2cca6..5f9365147 100644 +--- a/src/audio/SDL_wave.c ++++ b/src/audio/SDL_wave.c +@@ -122,7 +122,7 @@ static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state, + static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + { + struct MS_ADPCM_decodestate *state[2]; +- Uint8 *freeable, *encoded, *encoded_end, *decoded; ++ Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end; + Sint32 encoded_len, samplesleft; + Sint8 nybble, stereo; + Sint16 *coeff[2]; +@@ -142,6 +142,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + return(-1); + } + decoded = *audio_buf; ++ decoded_end = decoded + *audio_len; + + /* Get ready... Go! */ + stereo = (MS_ADPCM_state.wavefmt.channels == 2); +@@ -149,7 +150,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + state[1] = &MS_ADPCM_state.state[stereo]; + while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) { + /* Grab the initial information for this block */ +- if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto too_short; ++ if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto invalid_size; + state[0]->hPredictor = *encoded++; + if ( stereo ) { + state[1]->hPredictor = *encoded++; +@@ -179,6 +180,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + coeff[1] = MS_ADPCM_state.aCoeff[state[1]->hPredictor]; + + /* Store the two initial samples we start with */ ++ if (decoded + 4 + (stereo ? 4 : 0) > decoded_end) goto invalid_size; + decoded[0] = state[0]->iSamp2&0xFF; + decoded[1] = state[0]->iSamp2>>8; + decoded += 2; +@@ -200,7 +202,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)* + MS_ADPCM_state.wavefmt.channels; + while ( samplesleft > 0 ) { +- if (encoded + 1 > encoded_end) goto too_short; ++ if (encoded + 1 > encoded_end) goto invalid_size; ++ if (decoded + 4 > decoded_end) goto invalid_size; + + nybble = (*encoded)>>4; + new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]); +@@ -223,8 +226,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + } + SDL_free(freeable); + return(0); +-too_short: +- SDL_SetError("Too short chunk for a MS ADPCM decoder"); ++invalid_size: ++ SDL_SetError("Unexpected chunk length for a MS ADPCM decoder"); + SDL_free(freeable); + return(-1); + invalid_predictor: +-- +2.24.1 + diff --git a/SOURCES/0009-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch b/SOURCES/0009-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch new file mode 100644 index 0000000..2e70f87 --- /dev/null +++ b/SOURCES/0009-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch @@ -0,0 +1,68 @@ +From 1423e12e0bcf5cc43804ac5b31156a4acc316ea9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= +Date: Tue, 11 Jun 2019 06:28:12 -0700 +Subject: [PATCH 09/11] CVE-2019-7635: Reject BMP images with pixel colors out + the palette If a 1-, 4-, or 8-bit per pixel BMP image declares less used + colors than the palette offers an SDL_Surface with a palette of the indicated + number of used colors is created. If some of the image's pixel refer to a + color number higher then the maximal used colors, a subsequent bliting + operation on the surface will look up a color past a blit map (that is based + on the palette) memory. I.e. passing such SDL_Surface to e.g. an + SDL_DisplayFormat() function will result in a buffer overread in a blit + function. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This patch fixes it by validing each pixel's color to be less than the +maximal color number in the palette. A validation failure raises an +error from a SDL_LoadBMP_RW() function. + +CVE-2019-7635 +https://bugzilla.libsdl.org/show_bug.cgi?id=4498 + +Signed-off-by: Petr Písař + +--HG-- +branch : SDL-1.2 +--- + src/video/SDL_bmp.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c +index 1b6e0ed06..c1f1a24f5 100644 +--- a/src/video/SDL_bmp.c ++++ b/src/video/SDL_bmp.c +@@ -301,6 +301,12 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc) + } + *(bits+i) = (pixel>>shift); + pixel <<= ExpandBMP; ++ if ( bits[i] >= biClrUsed ) { ++ SDL_SetError( ++ "A BMP image contains a pixel with a color out of the palette"); ++ was_error = SDL_TRUE; ++ goto done; ++ } + } } + break; + +@@ -311,6 +317,16 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc) + was_error = SDL_TRUE; + goto done; + } ++ if ( 8 == biBitCount && palette && biClrUsed < (1 << biBitCount ) ) { ++ for ( i=0; iw; ++i ) { ++ if ( bits[i] >= biClrUsed ) { ++ SDL_SetError( ++ "A BMP image contains a pixel with a color out of the palette"); ++ was_error = SDL_TRUE; ++ goto done; ++ } ++ } ++ } + #if SDL_BYTEORDER == SDL_BIG_ENDIAN + /* Byte-swap the pixels if needed. Note that the 24bpp + case has already been taken care of above. */ +-- +2.24.1 + diff --git a/SOURCES/0010-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch b/SOURCES/0010-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch new file mode 100644 index 0000000..5abbb4b --- /dev/null +++ b/SOURCES/0010-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch @@ -0,0 +1,56 @@ +From 762c1eb5a1a0e72a8120cfee5699820a73e82152 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= +Date: Fri, 15 Feb 2019 16:52:27 +0100 +Subject: [PATCH 10/11] CVE-2019-7638, CVE-2019-7636: Refuse loading BMP images + with too high number of colors +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If a BMP file that defines more colors than can fit into +a palette of color depth defined in the same BMP file is loaded by +SDL_LoadBMP_RW() function, invalid number of colors is set into +resulting SDL surface. + +Then if the SDL surface is passed to SDL_DisplayFormat() function to +convert the surface format into a native video format, a buffer +overread will happen in Map1to1() or Map1toN() function +(CVE-2019-7638). (The choice of the mapping function depends on +a actual video hardware.) + +In addition SDL_GetRGB() called indirectly from SDL_DisplayFormat() +performs the same buffer overread (CVE-2019-7636). + +There is also probably a buffer overwrite when the SDL_LoadBMP_RW() +loads colors from a file. + +This patch fixes it by refusing loading such badly damaged BMP files. + +CVE-2019-7638 +https://bugzilla.libsdl.org/show_bug.cgi?id=4500 +CVE-2019-7636 +https://bugzilla.libsdl.org/show_bug.cgi?id=4499 + +Signed-off-by: Petr Písař +--- + src/video/SDL_bmp.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c +index c1f1a24f5..118181b51 100644 +--- a/src/video/SDL_bmp.c ++++ b/src/video/SDL_bmp.c +@@ -238,6 +238,10 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc) + if ( palette ) { + if ( biClrUsed == 0 ) { + biClrUsed = 1 << biBitCount; ++ } else if ( biClrUsed > (1 << biBitCount) ) { ++ SDL_SetError("BMP file has an invalid number of colors"); ++ was_error = SDL_TRUE; ++ goto done; + } + if ( biSize == 12 ) { + for ( i = 0; i < (int)biClrUsed; ++i ) { +-- +2.24.1 + diff --git a/SOURCES/0011-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch b/SOURCES/0011-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch new file mode 100644 index 0000000..2aa2f28 --- /dev/null +++ b/SOURCES/0011-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch @@ -0,0 +1,210 @@ +From 46e7a69c949039f89e35fec143dfa58547ff6d94 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= +Date: Mon, 18 Feb 2019 13:53:16 +0100 +Subject: [PATCH 11/11] CVE-2019-7637: Fix in integer overflow in + SDL_CalculatePitch +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If a too large width is passed to SDL_SetVideoMode() the width travels +to SDL_CalculatePitch() where the width (e.g. 65535) is multiplied by +BytesPerPixel (e.g. 4) and the result is stored into Uint16 pitch +variable. During this arithmetics an integer overflow can happen (e.g. +the value is clamped as 65532). As a result SDL_Surface with a pitch +smaller than width * BytesPerPixel is created, too small pixel buffer +is allocated and when the SDL_Surface is processed in SDL_FillRect() +a buffer overflow occurs. + +This can be reproduced with "./graywin -width 21312312313123213213213" +command. + +This patch fixes is by using a very careful arithmetics in +SDL_CalculatePitch(). If an overflow is detected, an error is reported +back as a special 0 value. We assume that 0-width surfaces do not +occur in the wild. Since SDL_CalculatePitch() is a private function, +we can change the semantics. + +CVE-2019-7637 +https://bugzilla.libsdl.org/show_bug.cgi?id=4497 + +Signed-off-by: Petr Písař +--- + src/video/SDL_pixels.c | 41 +++++++++++++++++++++++++++------ + src/video/gapi/SDL_gapivideo.c | 3 +++ + src/video/nanox/SDL_nxvideo.c | 4 ++++ + src/video/ps2gs/SDL_gsvideo.c | 3 +++ + src/video/ps3/SDL_ps3video.c | 3 +++ + src/video/windib/SDL_dibvideo.c | 3 +++ + src/video/windx5/SDL_dx5video.c | 3 +++ + src/video/x11/SDL_x11video.c | 4 ++++ + 8 files changed, 57 insertions(+), 7 deletions(-) + +diff --git a/src/video/SDL_pixels.c b/src/video/SDL_pixels.c +index 1a7fd518f..44626b749 100644 +--- a/src/video/SDL_pixels.c ++++ b/src/video/SDL_pixels.c +@@ -286,26 +286,53 @@ void SDL_DitherColors(SDL_Color *colors, int bpp) + } + } + /* +- * Calculate the pad-aligned scanline width of a surface ++ * Calculate the pad-aligned scanline width of a surface. Return 0 in case of ++ * an error. + */ + Uint16 SDL_CalculatePitch(SDL_Surface *surface) + { +- Uint16 pitch; ++ unsigned int pitch = 0; + + /* Surface should be 4-byte aligned for speed */ +- pitch = surface->w*surface->format->BytesPerPixel; ++ /* The code tries to prevent from an Uint16 overflow. */; ++ for (Uint8 byte = surface->format->BytesPerPixel; byte; byte--) { ++ pitch += (unsigned int)surface->w; ++ if (pitch < surface->w) { ++ SDL_SetError("A scanline is too wide"); ++ return(0); ++ } ++ } + switch (surface->format->BitsPerPixel) { + case 1: +- pitch = (pitch+7)/8; ++ if (pitch % 8) { ++ pitch = pitch / 8 + 1; ++ } else { ++ pitch = pitch / 8; ++ } + break; + case 4: +- pitch = (pitch+1)/2; ++ if (pitch % 2) { ++ pitch = pitch / 2 + 1; ++ } else { ++ pitch = pitch / 2; ++ } + break; + default: + break; + } +- pitch = (pitch + 3) & ~3; /* 4-byte aligning */ +- return(pitch); ++ /* 4-byte aligning */ ++ if (pitch & 3) { ++ if (pitch + 3 < pitch) { ++ SDL_SetError("A scanline is too wide"); ++ return(0); ++ } ++ pitch = (pitch + 3) & ~3; ++ } ++ if (pitch > 0xFFFF) { ++ SDL_SetError("A scanline is too wide"); ++ return(0); ++ } ++ return((Uint16)pitch); + } + /* + * Match an RGB value to a particular palette index +diff --git a/src/video/gapi/SDL_gapivideo.c b/src/video/gapi/SDL_gapivideo.c +index 86deadc75..8a0648536 100644 +--- a/src/video/gapi/SDL_gapivideo.c ++++ b/src/video/gapi/SDL_gapivideo.c +@@ -733,6 +733,9 @@ SDL_Surface *GAPI_SetVideoMode(_THIS, SDL_Surface *current, + video->w = gapi->w = width; + video->h = gapi->h = height; + video->pitch = SDL_CalculatePitch(video); ++ if (!current->pitch) { ++ return(NULL); ++ } + + /* Small fix for WinCE/Win32 - when activating window + SDL_VideoSurface is equal to zero, so activating code +diff --git a/src/video/nanox/SDL_nxvideo.c b/src/video/nanox/SDL_nxvideo.c +index b188e0958..cbdd09a08 100644 +--- a/src/video/nanox/SDL_nxvideo.c ++++ b/src/video/nanox/SDL_nxvideo.c +@@ -378,6 +378,10 @@ SDL_Surface * NX_SetVideoMode (_THIS, SDL_Surface * current, + current -> w = width ; + current -> h = height ; + current -> pitch = SDL_CalculatePitch (current) ; ++ if (!current->pitch) { ++ current = NULL; ++ goto done; ++ } + NX_ResizeImage (this, current, flags) ; + } + +diff --git a/src/video/ps2gs/SDL_gsvideo.c b/src/video/ps2gs/SDL_gsvideo.c +index e172c60dc..329086680 100644 +--- a/src/video/ps2gs/SDL_gsvideo.c ++++ b/src/video/ps2gs/SDL_gsvideo.c +@@ -479,6 +479,9 @@ static SDL_Surface *GS_SetVideoMode(_THIS, SDL_Surface *current, + current->w = width; + current->h = height; + current->pitch = SDL_CalculatePitch(current); ++ if (!current->pitch) { ++ return(NULL); ++ } + + /* Memory map the DMA area for block memory transfer */ + if ( ! mapped_mem ) { +diff --git a/src/video/ps3/SDL_ps3video.c b/src/video/ps3/SDL_ps3video.c +index d5519e051..17848e33a 100644 +--- a/src/video/ps3/SDL_ps3video.c ++++ b/src/video/ps3/SDL_ps3video.c +@@ -339,6 +339,9 @@ static SDL_Surface *PS3_SetVideoMode(_THIS, SDL_Surface * current, int width, in + current->w = width; + current->h = height; + current->pitch = SDL_CalculatePitch(current); ++ if (!current->pitch) { ++ return(NULL); ++ } + + /* Alloc aligned mem for current->pixels */ + s_pixels = memalign(16, current->h * current->pitch); +diff --git a/src/video/windib/SDL_dibvideo.c b/src/video/windib/SDL_dibvideo.c +index 6187bfcf7..86ebb12a3 100644 +--- a/src/video/windib/SDL_dibvideo.c ++++ b/src/video/windib/SDL_dibvideo.c +@@ -675,6 +675,9 @@ SDL_Surface *DIB_SetVideoMode(_THIS, SDL_Surface *current, + video->w = width; + video->h = height; + video->pitch = SDL_CalculatePitch(video); ++ if (!current->pitch) { ++ return(NULL); ++ } + + /* Small fix for WinCE/Win32 - when activating window + SDL_VideoSurface is equal to zero, so activating code +diff --git a/src/video/windx5/SDL_dx5video.c b/src/video/windx5/SDL_dx5video.c +index f80ca97b0..39fc4fc37 100644 +--- a/src/video/windx5/SDL_dx5video.c ++++ b/src/video/windx5/SDL_dx5video.c +@@ -1127,6 +1127,9 @@ SDL_Surface *DX5_SetVideoMode(_THIS, SDL_Surface *current, + video->w = width; + video->h = height; + video->pitch = SDL_CalculatePitch(video); ++ if (!current->pitch) { ++ return(NULL); ++ } + + #ifndef NO_CHANGEDISPLAYSETTINGS + /* Set fullscreen mode if appropriate. +diff --git a/src/video/x11/SDL_x11video.c b/src/video/x11/SDL_x11video.c +index 79e60f971..45d1f79be 100644 +--- a/src/video/x11/SDL_x11video.c ++++ b/src/video/x11/SDL_x11video.c +@@ -1220,6 +1220,10 @@ SDL_Surface *X11_SetVideoMode(_THIS, SDL_Surface *current, + current->w = width; + current->h = height; + current->pitch = SDL_CalculatePitch(current); ++ if (!current->pitch) { ++ current = NULL; ++ goto done; ++ } + if (X11_ResizeImage(this, current, flags) < 0) { + current = NULL; + goto done; +-- +2.24.1 + diff --git a/SPECS/SDL.spec b/SPECS/SDL.spec index be2c711..179acf0 100644 --- a/SPECS/SDL.spec +++ b/SPECS/SDL.spec @@ -1,6 +1,6 @@ Name: SDL Version: 1.2.15 -Release: 16%{?dist} +Release: 17%{?dist} Summary: A cross-platform multimedia library Group: System Environment/Libraries URL: http://www.libsdl.org/ @@ -28,6 +28,19 @@ Patch5: SDL-1.2.15-no-default-backing-store.patch # upstream bug #4538, in upstream after 1.2.15 Patch6: SDL-1.2.15-CVE-2019-13616-validate_image_size_when_loading_BMP_files.patch +Patch7: 0001-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch +Patch8: 0002-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch +Patch9: 0003-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch +Patch10: 0004-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch +Patch11: 0005-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch +Patch12: 0006-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch +Patch13: 0007-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch +Patch14: 0008-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch +Patch15: 0009-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch +Patch16: 0010-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch +Patch17: 0011-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch +Patch18: 0001-Don-t-use-C99-features.patch + BuildRequires: alsa-lib-devel BuildRequires: audiofile-devel BuildRequires: mesa-libGL-devel @@ -87,6 +100,18 @@ applications. %patch4 -p1 -b .sdl_config_man %patch5 -p1 -b .backing_store %patch6 -p1 -b .0006 +%patch7 -p1 -b .0007 +%patch8 -p1 -b .0008 +%patch9 -p1 -b .0009 +%patch10 -p1 -b .0010 +%patch11 -p1 -b .0011 +%patch12 -p1 -b .0012 +%patch13 -p1 -b .0013 +%patch14 -p1 -b .0014 +%patch15 -p1 -b .0015 +%patch16 -p1 -b .0016 +%patch17 -p1 -b .0017 +%patch18 -p1 -b .0018 for F in CREDITS; do iconv -f iso8859-1 -t utf-8 < "$F" > "${F}.utf" @@ -148,6 +173,13 @@ rm -f %{buildroot}%{_libdir}/*.la %{_libdir}/lib*.a %changelog +* Fri Feb 14 2020 Wim Taymans - 1.2.15-17 +- Fix Some CVEs: CVE-2019-7572, CVE-2019-7573, CVE-2019-7574, + CVE-2019-7575, CVE-2019-7576, CVE-2019-7577, CVE-2019-7578, + CVE-2019-7635, CVE-2019-7636, CVE-2019-7637, CVE-2019-7638 +- Resolves: rhbz#1716201, rhbz#1716202, rhbz#1716206, +- Resolves: rhbz#1716207, rhbz#1716208 + * Mon Dec 16 2019 Tomas Pelka - 1.2.15-16 - Need to bump version to avoid conflict with 7.7.z build - Resolves: rhbz#1756277