diff --git a/SOURCES/0001-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch b/SOURCES/0001-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch new file mode 100644 index 0000000..3d10e8f --- /dev/null +++ b/SOURCES/0001-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch @@ -0,0 +1,61 @@ +From bbb40efd9591b8a24de146eb78029731024e9015 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= +Date: Sat, 8 Jun 2019 17:57:43 -0700 +Subject: [PATCH 01/11] CVE-2019-7572: Fix a buffer overread in + IMA_ADPCM_nibble If an IMA ADPCM block contained an initial index out of step + table range (loaded in IMA_ADPCM_decode()), IMA_ADPCM_nibble() blindly used + this bogus value and that lead to a buffer overread. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This patch fixes it by moving clamping the index value at the +beginning of IMA_ADPCM_nibble() function instead of the end after +an update. + +CVE-2019-7572 +https://bugzilla.libsdl.org/show_bug.cgi?id=4495 + +Signed-off-by: Petr Písař + +--HG-- +branch : SDL-1.2 +--- + src/audio/SDL_wave.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c +index b4ad6c787..ba1fb5252 100644 +--- a/src/audio/SDL_wave.c ++++ b/src/audio/SDL_wave.c +@@ -264,6 +264,14 @@ static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble) + }; + Sint32 delta, step; + ++ /* Clamp index value. The inital value can be invalid. */ ++ if ( state->index > 88 ) { ++ state->index = 88; ++ } else ++ if ( state->index < 0 ) { ++ state->index = 0; ++ } ++ + /* Compute difference and new sample value */ + step = step_table[state->index]; + delta = step >> 3; +@@ -275,12 +283,6 @@ static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble) + + /* Update index value */ + state->index += index_table[nybble]; +- if ( state->index > 88 ) { +- state->index = 88; +- } else +- if ( state->index < 0 ) { +- state->index = 0; +- } + + /* Clamp output sample */ + if ( state->sample > max_audioval ) { +-- +2.24.1 + diff --git a/SOURCES/0001-Don-t-use-C99-features.patch b/SOURCES/0001-Don-t-use-C99-features.patch new file mode 100644 index 0000000..fba9ab4 --- /dev/null +++ b/SOURCES/0001-Don-t-use-C99-features.patch @@ -0,0 +1,29 @@ +From 52f262d8b31ee231a95f5504939a4c7813272848 Mon Sep 17 00:00:00 2001 +From: Wim Taymans +Date: Sat, 15 Feb 2020 11:20:40 +0100 +Subject: [PATCH] Don't use C99 features + +--- + src/video/SDL_pixels.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/video/SDL_pixels.c b/src/video/SDL_pixels.c +index 44626b749..17f1a7199 100644 +--- a/src/video/SDL_pixels.c ++++ b/src/video/SDL_pixels.c +@@ -292,10 +292,11 @@ void SDL_DitherColors(SDL_Color *colors, int bpp) + Uint16 SDL_CalculatePitch(SDL_Surface *surface) + { + unsigned int pitch = 0; ++ Uint8 byte; + + /* Surface should be 4-byte aligned for speed */ + /* The code tries to prevent from an Uint16 overflow. */; +- for (Uint8 byte = surface->format->BytesPerPixel; byte; byte--) { ++ for (byte = surface->format->BytesPerPixel; byte; byte--) { + pitch += (unsigned int)surface->w; + if (pitch < surface->w) { + SDL_SetError("A scanline is too wide"); +-- +2.24.1 + diff --git a/SOURCES/0002-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch b/SOURCES/0002-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch new file mode 100644 index 0000000..baacf9f --- /dev/null +++ b/SOURCES/0002-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch @@ -0,0 +1,69 @@ +From 756cdc9bbb1898c631799af8f31f4772c1023aab Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= +Date: Sat, 8 Jun 2019 18:02:09 -0700 +Subject: [PATCH 02/11] CVE-2019-7578: Fix a buffer overread in InitIMA_ADPCM + If IMA ADPCM format chunk was too short, InitIMA_ADPCM() parsing it could + read past the end of chunk data. This patch fixes it. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +CVE-2019-7578 +https://bugzilla.libsdl.org/show_bug.cgi?id=4494 + +Signed-off-by: Petr Písař + +--HG-- +branch : SDL-1.2 +--- + src/audio/SDL_wave.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c +index ba1fb5252..21ee4dc3c 100644 +--- a/src/audio/SDL_wave.c ++++ b/src/audio/SDL_wave.c +@@ -222,11 +222,12 @@ static struct IMA_ADPCM_decoder { + struct IMA_ADPCM_decodestate state[2]; + } IMA_ADPCM_state; + +-static int InitIMA_ADPCM(WaveFMT *format) ++static int InitIMA_ADPCM(WaveFMT *format, int length) + { +- Uint8 *rogue_feel; ++ Uint8 *rogue_feel, *rogue_feel_end; + + /* Set the rogue pointer to the IMA_ADPCM specific data */ ++ if (length < sizeof(*format)) goto too_short; + IMA_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding); + IMA_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels); + IMA_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency); +@@ -235,11 +236,16 @@ static int InitIMA_ADPCM(WaveFMT *format) + IMA_ADPCM_state.wavefmt.bitspersample = + SDL_SwapLE16(format->bitspersample); + rogue_feel = (Uint8 *)format+sizeof(*format); ++ rogue_feel_end = (Uint8 *)format + length; + if ( sizeof(*format) == 16 ) { + rogue_feel += sizeof(Uint16); + } ++ if (rogue_feel + 2 > rogue_feel_end) goto too_short; + IMA_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1]<<8)|rogue_feel[0]); + return(0); ++too_short: ++ SDL_SetError("Unexpected length of a chunk with an IMA ADPCM format"); ++ return(-1); + } + + static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble) +@@ -471,7 +477,7 @@ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc, + break; + case IMA_ADPCM_CODE: + /* Try to understand this */ +- if ( InitIMA_ADPCM(format) < 0 ) { ++ if ( InitIMA_ADPCM(format, lenread) < 0 ) { + was_error = 1; + goto done; + } +-- +2.24.1 + diff --git a/SOURCES/0003-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch b/SOURCES/0003-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch new file mode 100644 index 0000000..d954420 --- /dev/null +++ b/SOURCES/0003-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch @@ -0,0 +1,73 @@ +From 4b3fd03718c9f929e32292e3dfd0c97db7a17bc9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= +Date: Mon, 10 Jun 2019 08:50:59 -0700 +Subject: [PATCH 03/11] CVE-2019-7574: Fix a buffer overread in + IMA_ADPCM_decode If data chunk was shorter than expected based on a WAV + format definition, IMA_ADPCM_decode() tried to read past the data chunk + buffer. This patch fixes it. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +CVE-2019-7574 +https://bugzilla.libsdl.org/show_bug.cgi?id=4496 + +Signed-off-by: Petr Písař + +--HG-- +branch : SDL-1.2 +--- + src/audio/SDL_wave.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c +index 21ee4dc3c..66f804421 100644 +--- a/src/audio/SDL_wave.c ++++ b/src/audio/SDL_wave.c +@@ -331,7 +331,7 @@ static void Fill_IMA_ADPCM_block(Uint8 *decoded, Uint8 *encoded, + static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + { + struct IMA_ADPCM_decodestate *state; +- Uint8 *freeable, *encoded, *decoded; ++ Uint8 *freeable, *encoded, *encoded_end, *decoded; + Sint32 encoded_len, samplesleft; + unsigned int c, channels; + +@@ -347,6 +347,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + /* Allocate the proper sized output buffer */ + encoded_len = *audio_len; + encoded = *audio_buf; ++ encoded_end = encoded + encoded_len; + freeable = *audio_buf; + *audio_len = (encoded_len/IMA_ADPCM_state.wavefmt.blockalign) * + IMA_ADPCM_state.wSamplesPerBlock* +@@ -362,6 +363,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) { + /* Grab the initial information for this block */ + for ( c=0; c encoded_end) goto invalid_size; + /* Fill the state information for this block */ + state[c].sample = ((encoded[1]<<8)|encoded[0]); + encoded += 2; +@@ -384,6 +386,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + samplesleft = (IMA_ADPCM_state.wSamplesPerBlock-1)*channels; + while ( samplesleft > 0 ) { + for ( c=0; c encoded_end) goto invalid_size; + Fill_IMA_ADPCM_block(decoded, encoded, + c, channels, &state[c]); + encoded += 4; +@@ -395,6 +398,10 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + } + SDL_free(freeable); + return(0); ++invalid_size: ++ SDL_SetError("Unexpected chunk length for an IMA ADPCM decoder"); ++ SDL_free(freeable); ++ return(-1); + } + + SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc, +-- +2.24.1 + diff --git a/SOURCES/0004-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch b/SOURCES/0004-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch new file mode 100644 index 0000000..25bb021 --- /dev/null +++ b/SOURCES/0004-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch @@ -0,0 +1,76 @@ +From 8c46fe2fcf6ef4a74808f90711b3e9844632e8f7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= +Date: Mon, 10 Jun 2019 08:54:11 -0700 +Subject: [PATCH 04/11] CVE-2019-7577: Fix a buffer overread in MS_ADPCM_decode + If RIFF/WAV data chunk length is shorter then expected for an audio format + defined in preceeding RIFF/WAV format headers, a buffer overread can happen. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This patch fixes it by checking a MS ADPCM data to be decoded are not +past the initialized buffer. + +CVE-2019-7577 +Reproducer: https://bugzilla.libsdl.org/show_bug.cgi?id=4492 + +Signed-off-by: Petr Písař + +--HG-- +branch : SDL-1.2 +--- + src/audio/SDL_wave.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c +index 66f804421..6c6eb14eb 100644 +--- a/src/audio/SDL_wave.c ++++ b/src/audio/SDL_wave.c +@@ -115,7 +115,7 @@ static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state, + static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + { + struct MS_ADPCM_decodestate *state[2]; +- Uint8 *freeable, *encoded, *decoded; ++ Uint8 *freeable, *encoded, *encoded_end, *decoded; + Sint32 encoded_len, samplesleft; + Sint8 nybble, stereo; + Sint16 *coeff[2]; +@@ -124,6 +124,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + /* Allocate the proper sized output buffer */ + encoded_len = *audio_len; + encoded = *audio_buf; ++ encoded_end = encoded + encoded_len; + freeable = *audio_buf; + *audio_len = (encoded_len/MS_ADPCM_state.wavefmt.blockalign) * + MS_ADPCM_state.wSamplesPerBlock* +@@ -141,6 +142,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + state[1] = &MS_ADPCM_state.state[stereo]; + while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) { + /* Grab the initial information for this block */ ++ if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto too_short; + state[0]->hPredictor = *encoded++; + if ( stereo ) { + state[1]->hPredictor = *encoded++; +@@ -188,6 +190,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)* + MS_ADPCM_state.wavefmt.channels; + while ( samplesleft > 0 ) { ++ if (encoded + 1 > encoded_end) goto too_short; ++ + nybble = (*encoded)>>4; + new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]); + decoded[0] = new_sample&0xFF; +@@ -209,6 +213,10 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + } + SDL_free(freeable); + return(0); ++too_short: ++ SDL_SetError("Too short chunk for a MS ADPCM decoder"); ++ SDL_free(freeable); ++ return(-1); + } + + struct IMA_ADPCM_decodestate { +-- +2.24.1 + diff --git a/SOURCES/0005-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch b/SOURCES/0005-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch new file mode 100644 index 0000000..04a3729 --- /dev/null +++ b/SOURCES/0005-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch @@ -0,0 +1,58 @@ +From 1b7d3f5e53a4d7a827ce89de22a1524bd27572f9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= +Date: Mon, 10 Jun 2019 08:54:29 -0700 +Subject: [PATCH 05/11] CVE-2019-7577: Fix a buffer overread in MS_ADPCM_nibble + and MS_ADPCM_decode If a chunk of RIFF/WAV file with MS ADPCM encoding + contains an invalid predictor (a valid predictor's value is between 0 and 6 + inclusive), a buffer overread can happen when the predictor is used as an + index into an array of MS ADPCM coefficients. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The overead happens when indexing MS_ADPCM_state.aCoeff[] array in +MS_ADPCM_decode() and later when dereferencing a coef pointer in +MS_ADPCM_nibble(). + +This patch fixes it by checking the MS ADPCM predictor values fit +into the valid range. + +CVE-2019-7577 +Reproducer: https://bugzilla.libsdl.org/show_bug.cgi?id=4492 + +Signed-off-by: Petr Písař + +--HG-- +branch : SDL-1.2 +--- + src/audio/SDL_wave.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c +index 6c6eb14eb..3eedd20a1 100644 +--- a/src/audio/SDL_wave.c ++++ b/src/audio/SDL_wave.c +@@ -147,6 +147,9 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + if ( stereo ) { + state[1]->hPredictor = *encoded++; + } ++ if (state[0]->hPredictor >= 7 || state[1]->hPredictor >= 7) { ++ goto invalid_predictor; ++ } + state[0]->iDelta = ((encoded[1]<<8)|encoded[0]); + encoded += sizeof(Sint16); + if ( stereo ) { +@@ -217,6 +220,10 @@ too_short: + SDL_SetError("Too short chunk for a MS ADPCM decoder"); + SDL_free(freeable); + return(-1); ++invalid_predictor: ++ SDL_SetError("Invalid predictor value for a MS ADPCM decoder"); ++ SDL_free(freeable); ++ return(-1); + } + + struct IMA_ADPCM_decodestate { +-- +2.24.1 + diff --git a/SOURCES/0006-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch b/SOURCES/0006-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch new file mode 100644 index 0000000..7922d89 --- /dev/null +++ b/SOURCES/0006-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch @@ -0,0 +1,66 @@ +From 3e53d4b122df0aeb5cbc27622614f9a72d8c2564 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= +Date: Mon, 10 Jun 2019 08:57:11 -0700 +Subject: [PATCH 06/11] CVE-2019-7572: Fix a buffer overwrite in + IMA_ADPCM_decode If data chunk was longer than expected based on a WAV format + definition, IMA_ADPCM_decode() tried to write past the output buffer. This + patch fixes it. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Based on patch from +. + +CVE-2019-7572 +https://bugzilla.libsdl.org/show_bug.cgi?id=4495 + +Signed-off-by: Petr Písař + +--HG-- +branch : SDL-1.2 +--- + src/audio/SDL_wave.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c +index 3eedd20a1..4159eb710 100644 +--- a/src/audio/SDL_wave.c ++++ b/src/audio/SDL_wave.c +@@ -346,7 +346,7 @@ static void Fill_IMA_ADPCM_block(Uint8 *decoded, Uint8 *encoded, + static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + { + struct IMA_ADPCM_decodestate *state; +- Uint8 *freeable, *encoded, *encoded_end, *decoded; ++ Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end; + Sint32 encoded_len, samplesleft; + unsigned int c, channels; + +@@ -373,6 +373,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + return(-1); + } + decoded = *audio_buf; ++ decoded_end = decoded + *audio_len; + + /* Get ready... Go! */ + while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) { +@@ -392,6 +393,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + } + + /* Store the initial sample we start with */ ++ if (decoded + 2 > decoded_end) goto invalid_size; + decoded[0] = (Uint8)(state[c].sample&0xFF); + decoded[1] = (Uint8)(state[c].sample>>8); + decoded += 2; +@@ -402,6 +404,8 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + while ( samplesleft > 0 ) { + for ( c=0; c encoded_end) goto invalid_size; ++ if (decoded + 4 * 4 * channels > decoded_end) ++ goto invalid_size; + Fill_IMA_ADPCM_block(decoded, encoded, + c, channels, &state[c]); + encoded += 4; +-- +2.24.1 + diff --git a/SOURCES/0007-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch b/SOURCES/0007-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch new file mode 100644 index 0000000..a2cef8c --- /dev/null +++ b/SOURCES/0007-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch @@ -0,0 +1,84 @@ +From 10dfd78b74d0fc4a73f49978fb383afa537cb34d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= +Date: Mon, 10 Jun 2019 09:06:23 -0700 +Subject: [PATCH 07/11] CVE-2019-7573, CVE-2019-7576: Fix buffer overreads in + InitMS_ADPCM If MS ADPCM format chunk was too short, InitMS_ADPCM() parsing + it could read past the end of chunk data. This patch fixes it. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +CVE-2019-7573 +https://bugzilla.libsdl.org/show_bug.cgi?id=4491 +CVE-2019-7576 +https://bugzilla.libsdl.org/show_bug.cgi?id=4490 + +Signed-off-by: Petr Písař + +--HG-- +branch : SDL-1.2 +--- + src/audio/SDL_wave.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c +index 4159eb710..88ac2cca6 100644 +--- a/src/audio/SDL_wave.c ++++ b/src/audio/SDL_wave.c +@@ -44,12 +44,13 @@ static struct MS_ADPCM_decoder { + struct MS_ADPCM_decodestate state[2]; + } MS_ADPCM_state; + +-static int InitMS_ADPCM(WaveFMT *format) ++static int InitMS_ADPCM(WaveFMT *format, int length) + { +- Uint8 *rogue_feel; ++ Uint8 *rogue_feel, *rogue_feel_end; + int i; + + /* Set the rogue pointer to the MS_ADPCM specific data */ ++ if (length < sizeof(*format)) goto too_short; + MS_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding); + MS_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels); + MS_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency); +@@ -58,9 +59,11 @@ static int InitMS_ADPCM(WaveFMT *format) + MS_ADPCM_state.wavefmt.bitspersample = + SDL_SwapLE16(format->bitspersample); + rogue_feel = (Uint8 *)format+sizeof(*format); ++ rogue_feel_end = (Uint8 *)format + length; + if ( sizeof(*format) == 16 ) { + rogue_feel += sizeof(Uint16); + } ++ if (rogue_feel + 4 > rogue_feel_end) goto too_short; + MS_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1]<<8)|rogue_feel[0]); + rogue_feel += sizeof(Uint16); + MS_ADPCM_state.wNumCoef = ((rogue_feel[1]<<8)|rogue_feel[0]); +@@ -70,12 +73,16 @@ static int InitMS_ADPCM(WaveFMT *format) + return(-1); + } + for ( i=0; i rogue_feel_end) goto too_short; + MS_ADPCM_state.aCoeff[i][0] = ((rogue_feel[1]<<8)|rogue_feel[0]); + rogue_feel += sizeof(Uint16); + MS_ADPCM_state.aCoeff[i][1] = ((rogue_feel[1]<<8)|rogue_feel[0]); + rogue_feel += sizeof(Uint16); + } + return(0); ++too_short: ++ SDL_SetError("Unexpected length of a chunk with a MS ADPCM format"); ++ return(-1); + } + + static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state, +@@ -495,7 +502,7 @@ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc, + break; + case MS_ADPCM_CODE: + /* Try to understand this */ +- if ( InitMS_ADPCM(format) < 0 ) { ++ if ( InitMS_ADPCM(format, lenread) < 0 ) { + was_error = 1; + goto done; + } +-- +2.24.1 + diff --git a/SOURCES/0008-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch b/SOURCES/0008-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch new file mode 100644 index 0000000..69ce6d7 --- /dev/null +++ b/SOURCES/0008-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch @@ -0,0 +1,86 @@ +From 5cf68a3fbb846da51e1b867e3fd92ec8d0e7a0dd Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= +Date: Mon, 10 Jun 2019 09:25:05 -0700 +Subject: [PATCH 08/11] CVE-2019-7575: Fix a buffer overwrite in + MS_ADPCM_decode If a WAV format defines shorter audio stream and decoded MS + ADPCM data chunk is longer, decoding continued past the output audio buffer. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This fix is based on a patch from +. + +https://bugzilla.libsdl.org/show_bug.cgi?id=4493 +CVE-2019-7575 + +Signed-off-by: Petr Písař + +--HG-- +branch : SDL-1.2 +--- + src/audio/SDL_wave.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c +index 88ac2cca6..5f9365147 100644 +--- a/src/audio/SDL_wave.c ++++ b/src/audio/SDL_wave.c +@@ -122,7 +122,7 @@ static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state, + static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + { + struct MS_ADPCM_decodestate *state[2]; +- Uint8 *freeable, *encoded, *encoded_end, *decoded; ++ Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end; + Sint32 encoded_len, samplesleft; + Sint8 nybble, stereo; + Sint16 *coeff[2]; +@@ -142,6 +142,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + return(-1); + } + decoded = *audio_buf; ++ decoded_end = decoded + *audio_len; + + /* Get ready... Go! */ + stereo = (MS_ADPCM_state.wavefmt.channels == 2); +@@ -149,7 +150,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + state[1] = &MS_ADPCM_state.state[stereo]; + while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) { + /* Grab the initial information for this block */ +- if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto too_short; ++ if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto invalid_size; + state[0]->hPredictor = *encoded++; + if ( stereo ) { + state[1]->hPredictor = *encoded++; +@@ -179,6 +180,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + coeff[1] = MS_ADPCM_state.aCoeff[state[1]->hPredictor]; + + /* Store the two initial samples we start with */ ++ if (decoded + 4 + (stereo ? 4 : 0) > decoded_end) goto invalid_size; + decoded[0] = state[0]->iSamp2&0xFF; + decoded[1] = state[0]->iSamp2>>8; + decoded += 2; +@@ -200,7 +202,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)* + MS_ADPCM_state.wavefmt.channels; + while ( samplesleft > 0 ) { +- if (encoded + 1 > encoded_end) goto too_short; ++ if (encoded + 1 > encoded_end) goto invalid_size; ++ if (decoded + 4 > decoded_end) goto invalid_size; + + nybble = (*encoded)>>4; + new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]); +@@ -223,8 +226,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + } + SDL_free(freeable); + return(0); +-too_short: +- SDL_SetError("Too short chunk for a MS ADPCM decoder"); ++invalid_size: ++ SDL_SetError("Unexpected chunk length for a MS ADPCM decoder"); + SDL_free(freeable); + return(-1); + invalid_predictor: +-- +2.24.1 + diff --git a/SOURCES/0009-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch b/SOURCES/0009-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch new file mode 100644 index 0000000..2e70f87 --- /dev/null +++ b/SOURCES/0009-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch @@ -0,0 +1,68 @@ +From 1423e12e0bcf5cc43804ac5b31156a4acc316ea9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= +Date: Tue, 11 Jun 2019 06:28:12 -0700 +Subject: [PATCH 09/11] CVE-2019-7635: Reject BMP images with pixel colors out + the palette If a 1-, 4-, or 8-bit per pixel BMP image declares less used + colors than the palette offers an SDL_Surface with a palette of the indicated + number of used colors is created. If some of the image's pixel refer to a + color number higher then the maximal used colors, a subsequent bliting + operation on the surface will look up a color past a blit map (that is based + on the palette) memory. I.e. passing such SDL_Surface to e.g. an + SDL_DisplayFormat() function will result in a buffer overread in a blit + function. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This patch fixes it by validing each pixel's color to be less than the +maximal color number in the palette. A validation failure raises an +error from a SDL_LoadBMP_RW() function. + +CVE-2019-7635 +https://bugzilla.libsdl.org/show_bug.cgi?id=4498 + +Signed-off-by: Petr Písař + +--HG-- +branch : SDL-1.2 +--- + src/video/SDL_bmp.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c +index 1b6e0ed06..c1f1a24f5 100644 +--- a/src/video/SDL_bmp.c ++++ b/src/video/SDL_bmp.c +@@ -301,6 +301,12 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc) + } + *(bits+i) = (pixel>>shift); + pixel <<= ExpandBMP; ++ if ( bits[i] >= biClrUsed ) { ++ SDL_SetError( ++ "A BMP image contains a pixel with a color out of the palette"); ++ was_error = SDL_TRUE; ++ goto done; ++ } + } } + break; + +@@ -311,6 +317,16 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc) + was_error = SDL_TRUE; + goto done; + } ++ if ( 8 == biBitCount && palette && biClrUsed < (1 << biBitCount ) ) { ++ for ( i=0; iw; ++i ) { ++ if ( bits[i] >= biClrUsed ) { ++ SDL_SetError( ++ "A BMP image contains a pixel with a color out of the palette"); ++ was_error = SDL_TRUE; ++ goto done; ++ } ++ } ++ } + #if SDL_BYTEORDER == SDL_BIG_ENDIAN + /* Byte-swap the pixels if needed. Note that the 24bpp + case has already been taken care of above. */ +-- +2.24.1 + diff --git a/SOURCES/0010-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch b/SOURCES/0010-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch new file mode 100644 index 0000000..5abbb4b --- /dev/null +++ b/SOURCES/0010-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch @@ -0,0 +1,56 @@ +From 762c1eb5a1a0e72a8120cfee5699820a73e82152 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= +Date: Fri, 15 Feb 2019 16:52:27 +0100 +Subject: [PATCH 10/11] CVE-2019-7638, CVE-2019-7636: Refuse loading BMP images + with too high number of colors +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If a BMP file that defines more colors than can fit into +a palette of color depth defined in the same BMP file is loaded by +SDL_LoadBMP_RW() function, invalid number of colors is set into +resulting SDL surface. + +Then if the SDL surface is passed to SDL_DisplayFormat() function to +convert the surface format into a native video format, a buffer +overread will happen in Map1to1() or Map1toN() function +(CVE-2019-7638). (The choice of the mapping function depends on +a actual video hardware.) + +In addition SDL_GetRGB() called indirectly from SDL_DisplayFormat() +performs the same buffer overread (CVE-2019-7636). + +There is also probably a buffer overwrite when the SDL_LoadBMP_RW() +loads colors from a file. + +This patch fixes it by refusing loading such badly damaged BMP files. + +CVE-2019-7638 +https://bugzilla.libsdl.org/show_bug.cgi?id=4500 +CVE-2019-7636 +https://bugzilla.libsdl.org/show_bug.cgi?id=4499 + +Signed-off-by: Petr Písař +--- + src/video/SDL_bmp.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c +index c1f1a24f5..118181b51 100644 +--- a/src/video/SDL_bmp.c ++++ b/src/video/SDL_bmp.c +@@ -238,6 +238,10 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc) + if ( palette ) { + if ( biClrUsed == 0 ) { + biClrUsed = 1 << biBitCount; ++ } else if ( biClrUsed > (1 << biBitCount) ) { ++ SDL_SetError("BMP file has an invalid number of colors"); ++ was_error = SDL_TRUE; ++ goto done; + } + if ( biSize == 12 ) { + for ( i = 0; i < (int)biClrUsed; ++i ) { +-- +2.24.1 + diff --git a/SOURCES/0011-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch b/SOURCES/0011-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch new file mode 100644 index 0000000..2aa2f28 --- /dev/null +++ b/SOURCES/0011-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch @@ -0,0 +1,210 @@ +From 46e7a69c949039f89e35fec143dfa58547ff6d94 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= +Date: Mon, 18 Feb 2019 13:53:16 +0100 +Subject: [PATCH 11/11] CVE-2019-7637: Fix in integer overflow in + SDL_CalculatePitch +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If a too large width is passed to SDL_SetVideoMode() the width travels +to SDL_CalculatePitch() where the width (e.g. 65535) is multiplied by +BytesPerPixel (e.g. 4) and the result is stored into Uint16 pitch +variable. During this arithmetics an integer overflow can happen (e.g. +the value is clamped as 65532). As a result SDL_Surface with a pitch +smaller than width * BytesPerPixel is created, too small pixel buffer +is allocated and when the SDL_Surface is processed in SDL_FillRect() +a buffer overflow occurs. + +This can be reproduced with "./graywin -width 21312312313123213213213" +command. + +This patch fixes is by using a very careful arithmetics in +SDL_CalculatePitch(). If an overflow is detected, an error is reported +back as a special 0 value. We assume that 0-width surfaces do not +occur in the wild. Since SDL_CalculatePitch() is a private function, +we can change the semantics. + +CVE-2019-7637 +https://bugzilla.libsdl.org/show_bug.cgi?id=4497 + +Signed-off-by: Petr Písař +--- + src/video/SDL_pixels.c | 41 +++++++++++++++++++++++++++------ + src/video/gapi/SDL_gapivideo.c | 3 +++ + src/video/nanox/SDL_nxvideo.c | 4 ++++ + src/video/ps2gs/SDL_gsvideo.c | 3 +++ + src/video/ps3/SDL_ps3video.c | 3 +++ + src/video/windib/SDL_dibvideo.c | 3 +++ + src/video/windx5/SDL_dx5video.c | 3 +++ + src/video/x11/SDL_x11video.c | 4 ++++ + 8 files changed, 57 insertions(+), 7 deletions(-) + +diff --git a/src/video/SDL_pixels.c b/src/video/SDL_pixels.c +index 1a7fd518f..44626b749 100644 +--- a/src/video/SDL_pixels.c ++++ b/src/video/SDL_pixels.c +@@ -286,26 +286,53 @@ void SDL_DitherColors(SDL_Color *colors, int bpp) + } + } + /* +- * Calculate the pad-aligned scanline width of a surface ++ * Calculate the pad-aligned scanline width of a surface. Return 0 in case of ++ * an error. + */ + Uint16 SDL_CalculatePitch(SDL_Surface *surface) + { +- Uint16 pitch; ++ unsigned int pitch = 0; + + /* Surface should be 4-byte aligned for speed */ +- pitch = surface->w*surface->format->BytesPerPixel; ++ /* The code tries to prevent from an Uint16 overflow. */; ++ for (Uint8 byte = surface->format->BytesPerPixel; byte; byte--) { ++ pitch += (unsigned int)surface->w; ++ if (pitch < surface->w) { ++ SDL_SetError("A scanline is too wide"); ++ return(0); ++ } ++ } + switch (surface->format->BitsPerPixel) { + case 1: +- pitch = (pitch+7)/8; ++ if (pitch % 8) { ++ pitch = pitch / 8 + 1; ++ } else { ++ pitch = pitch / 8; ++ } + break; + case 4: +- pitch = (pitch+1)/2; ++ if (pitch % 2) { ++ pitch = pitch / 2 + 1; ++ } else { ++ pitch = pitch / 2; ++ } + break; + default: + break; + } +- pitch = (pitch + 3) & ~3; /* 4-byte aligning */ +- return(pitch); ++ /* 4-byte aligning */ ++ if (pitch & 3) { ++ if (pitch + 3 < pitch) { ++ SDL_SetError("A scanline is too wide"); ++ return(0); ++ } ++ pitch = (pitch + 3) & ~3; ++ } ++ if (pitch > 0xFFFF) { ++ SDL_SetError("A scanline is too wide"); ++ return(0); ++ } ++ return((Uint16)pitch); + } + /* + * Match an RGB value to a particular palette index +diff --git a/src/video/gapi/SDL_gapivideo.c b/src/video/gapi/SDL_gapivideo.c +index 86deadc75..8a0648536 100644 +--- a/src/video/gapi/SDL_gapivideo.c ++++ b/src/video/gapi/SDL_gapivideo.c +@@ -733,6 +733,9 @@ SDL_Surface *GAPI_SetVideoMode(_THIS, SDL_Surface *current, + video->w = gapi->w = width; + video->h = gapi->h = height; + video->pitch = SDL_CalculatePitch(video); ++ if (!current->pitch) { ++ return(NULL); ++ } + + /* Small fix for WinCE/Win32 - when activating window + SDL_VideoSurface is equal to zero, so activating code +diff --git a/src/video/nanox/SDL_nxvideo.c b/src/video/nanox/SDL_nxvideo.c +index b188e0958..cbdd09a08 100644 +--- a/src/video/nanox/SDL_nxvideo.c ++++ b/src/video/nanox/SDL_nxvideo.c +@@ -378,6 +378,10 @@ SDL_Surface * NX_SetVideoMode (_THIS, SDL_Surface * current, + current -> w = width ; + current -> h = height ; + current -> pitch = SDL_CalculatePitch (current) ; ++ if (!current->pitch) { ++ current = NULL; ++ goto done; ++ } + NX_ResizeImage (this, current, flags) ; + } + +diff --git a/src/video/ps2gs/SDL_gsvideo.c b/src/video/ps2gs/SDL_gsvideo.c +index e172c60dc..329086680 100644 +--- a/src/video/ps2gs/SDL_gsvideo.c ++++ b/src/video/ps2gs/SDL_gsvideo.c +@@ -479,6 +479,9 @@ static SDL_Surface *GS_SetVideoMode(_THIS, SDL_Surface *current, + current->w = width; + current->h = height; + current->pitch = SDL_CalculatePitch(current); ++ if (!current->pitch) { ++ return(NULL); ++ } + + /* Memory map the DMA area for block memory transfer */ + if ( ! mapped_mem ) { +diff --git a/src/video/ps3/SDL_ps3video.c b/src/video/ps3/SDL_ps3video.c +index d5519e051..17848e33a 100644 +--- a/src/video/ps3/SDL_ps3video.c ++++ b/src/video/ps3/SDL_ps3video.c +@@ -339,6 +339,9 @@ static SDL_Surface *PS3_SetVideoMode(_THIS, SDL_Surface * current, int width, in + current->w = width; + current->h = height; + current->pitch = SDL_CalculatePitch(current); ++ if (!current->pitch) { ++ return(NULL); ++ } + + /* Alloc aligned mem for current->pixels */ + s_pixels = memalign(16, current->h * current->pitch); +diff --git a/src/video/windib/SDL_dibvideo.c b/src/video/windib/SDL_dibvideo.c +index 6187bfcf7..86ebb12a3 100644 +--- a/src/video/windib/SDL_dibvideo.c ++++ b/src/video/windib/SDL_dibvideo.c +@@ -675,6 +675,9 @@ SDL_Surface *DIB_SetVideoMode(_THIS, SDL_Surface *current, + video->w = width; + video->h = height; + video->pitch = SDL_CalculatePitch(video); ++ if (!current->pitch) { ++ return(NULL); ++ } + + /* Small fix for WinCE/Win32 - when activating window + SDL_VideoSurface is equal to zero, so activating code +diff --git a/src/video/windx5/SDL_dx5video.c b/src/video/windx5/SDL_dx5video.c +index f80ca97b0..39fc4fc37 100644 +--- a/src/video/windx5/SDL_dx5video.c ++++ b/src/video/windx5/SDL_dx5video.c +@@ -1127,6 +1127,9 @@ SDL_Surface *DX5_SetVideoMode(_THIS, SDL_Surface *current, + video->w = width; + video->h = height; + video->pitch = SDL_CalculatePitch(video); ++ if (!current->pitch) { ++ return(NULL); ++ } + + #ifndef NO_CHANGEDISPLAYSETTINGS + /* Set fullscreen mode if appropriate. +diff --git a/src/video/x11/SDL_x11video.c b/src/video/x11/SDL_x11video.c +index 79e60f971..45d1f79be 100644 +--- a/src/video/x11/SDL_x11video.c ++++ b/src/video/x11/SDL_x11video.c +@@ -1220,6 +1220,10 @@ SDL_Surface *X11_SetVideoMode(_THIS, SDL_Surface *current, + current->w = width; + current->h = height; + current->pitch = SDL_CalculatePitch(current); ++ if (!current->pitch) { ++ current = NULL; ++ goto done; ++ } + if (X11_ResizeImage(this, current, flags) < 0) { + current = NULL; + goto done; +-- +2.24.1 + diff --git a/SOURCES/SDL-1.2.15-CVE-2019-13616-validate_image_size_when_loading_BMP_files.patch b/SOURCES/SDL-1.2.15-CVE-2019-13616-validate_image_size_when_loading_BMP_files.patch new file mode 100644 index 0000000..13fa786 --- /dev/null +++ b/SOURCES/SDL-1.2.15-CVE-2019-13616-validate_image_size_when_loading_BMP_files.patch @@ -0,0 +1,23 @@ +changeset: 12960:ad1bbfbca760 +branch: SDL-1.2 +parent: 12914:87d60cae0273 +user: Ozkan Sezer +date: Tue Jul 30 21:30:24 2019 +0300 +summary: Fixed bug 4538 - validate image size when loading BMP files + +diff -r 87d60cae0273 -r ad1bbfbca760 src/video/SDL_bmp.c +--- a/src/video/SDL_bmp.c Tue Jun 18 23:31:40 2019 +0100 ++++ b/src/video/SDL_bmp.c Tue Jul 30 21:30:24 2019 +0300 +@@ -143,6 +143,11 @@ + (void) biYPelsPerMeter; + (void) biClrImportant; + ++ if (biWidth <= 0 || biHeight == 0) { ++ SDL_SetError("BMP file with bad dimensions (%dx%d)", biWidth, biHeight); ++ was_error = SDL_TRUE; ++ goto done; ++ } + if (biHeight < 0) { + topDown = SDL_TRUE; + biHeight = -biHeight; + diff --git a/SPECS/SDL.spec b/SPECS/SDL.spec index aa8952b..179acf0 100644 --- a/SPECS/SDL.spec +++ b/SPECS/SDL.spec @@ -1,11 +1,11 @@ Name: SDL Version: 1.2.15 -Release: 14%{?dist} +Release: 17%{?dist} Summary: A cross-platform multimedia library Group: System Environment/Libraries URL: http://www.libsdl.org/ # The license of the file src/video/fbcon/riva_mmio.h is bad, but the contents -# of the file has been relicensed to MIT in 2008 by Nvidia for the +# of the file has been relicensed to MIT in 2008 by Nvidia for the # xf86_video-nv driver, therefore it can be considered ok. License: LGPLv2+ # Source: http://www.libsdl.org/release/%%{name}-%%{version}.tar.gz @@ -25,6 +25,21 @@ Patch4: SDL-1.2.15-add_sdl_config_man.patch # Do not use backing store by default, sdl2383, rh1073057, rh1245417 # rejected by upstream Patch5: SDL-1.2.15-no-default-backing-store.patch +# upstream bug #4538, in upstream after 1.2.15 +Patch6: SDL-1.2.15-CVE-2019-13616-validate_image_size_when_loading_BMP_files.patch + +Patch7: 0001-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch +Patch8: 0002-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch +Patch9: 0003-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch +Patch10: 0004-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch +Patch11: 0005-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch +Patch12: 0006-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch +Patch13: 0007-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch +Patch14: 0008-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch +Patch15: 0009-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch +Patch16: 0010-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch +Patch17: 0011-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch +Patch18: 0001-Don-t-use-C99-features.patch BuildRequires: alsa-lib-devel BuildRequires: audiofile-devel @@ -84,7 +99,21 @@ applications. %patch3 -p1 -b .XData32 %patch4 -p1 -b .sdl_config_man %patch5 -p1 -b .backing_store -for F in CREDITS; do +%patch6 -p1 -b .0006 +%patch7 -p1 -b .0007 +%patch8 -p1 -b .0008 +%patch9 -p1 -b .0009 +%patch10 -p1 -b .0010 +%patch11 -p1 -b .0011 +%patch12 -p1 -b .0012 +%patch13 -p1 -b .0013 +%patch14 -p1 -b .0014 +%patch15 -p1 -b .0015 +%patch16 -p1 -b .0016 +%patch17 -p1 -b .0017 +%patch18 -p1 -b .0018 + +for F in CREDITS; do iconv -f iso8859-1 -t utf-8 < "$F" > "${F}.utf" touch --reference "$F" "${F}.utf" mv "${F}.utf" "$F" @@ -144,6 +173,21 @@ rm -f %{buildroot}%{_libdir}/*.la %{_libdir}/lib*.a %changelog +* Fri Feb 14 2020 Wim Taymans - 1.2.15-17 +- Fix Some CVEs: CVE-2019-7572, CVE-2019-7573, CVE-2019-7574, + CVE-2019-7575, CVE-2019-7576, CVE-2019-7577, CVE-2019-7578, + CVE-2019-7635, CVE-2019-7636, CVE-2019-7637, CVE-2019-7638 +- Resolves: rhbz#1716201, rhbz#1716202, rhbz#1716206, +- Resolves: rhbz#1716207, rhbz#1716208 + +* Mon Dec 16 2019 Tomas Pelka - 1.2.15-16 +- Need to bump version to avoid conflict with 7.7.z build +- Resolves: rhbz#1756277 + +* Fri Aug 30 2019 Petr Pisar - 1.2.15-15 +- Fix CVE-2019-13616 (a heap buffer over-read in BlitNtoN) (bug #1747237) +- Resolves: rhbz#1756277 + * Wed Jul 29 2015 Petr Pisar - 1.2.15-14 - Do not harness backing store by default. Export SDL_VIDEO_X11_BACKINGSTORE environment variable to enable it. @@ -264,7 +308,7 @@ rm -f %{buildroot}%{_libdir}/*.la - Rewrite pulseaudio support to stop the crackle crackle with the new glitch free pulseaudio, this also gives us much better latency, as good as with directly using alsa (rh 474745, sdl 698) -- Workaround an obscure bug in the inline-asm revcpy function (by disabling it) +- Workaround an obscure bug in the inline-asm revcpy function (by disabling it) This fixes Ri-li crashing on i386 (rh 484121, rh 484362, sdl 699) * Tue Sep 2 2008 Thomas Woerner 1.2.13-6 @@ -349,7 +393,7 @@ rm -f %{buildroot}%{_libdir}/*.la - added build requires for automake and autoconf * Tue Jul 25 2006 Thomas Woerner 1.2.10-6 -- dropped libXt build requires, because libSDL does not need libXt at all - +- dropped libXt build requires, because libSDL does not need libXt at all - this was an autofoo bug (fixed already) - fixed multilib devel conflicts (#192749) - added buidrequires for imake: AC_PATH_X needs imake currently @@ -571,7 +615,7 @@ rm -f %{buildroot}%{_libdir}/*.la - Rebuild to eliminate libXv/libXxf86dga deps. * Fri Jun 29 2001 Preston Brown -- output same libraries for sdl-config whether --libs or --static-libs +- output same libraries for sdl-config whether --libs or --static-libs selected. Fixes compilation of most SDL programs. - properly packaged new HTML documentation @@ -638,7 +682,7 @@ rm -f %{buildroot}%{_libdir}/*.la * Wed Jan 19 2000 Sam Lantinga - Re-integrated spec file into SDL distribution -- 'name' and 'version' come from configure +- 'name' and 'version' come from configure - Some of the documentation is devel specific - Removed SMP support from %%build - it doesn't work with libtool anyway