diff --git a/SOURCES/SDL-1.2.15-CVE-2019-13616-validate_image_size_when_loading_BMP_files.patch b/SOURCES/SDL-1.2.15-CVE-2019-13616-validate_image_size_when_loading_BMP_files.patch
new file mode 100644
index 0000000..13fa786
--- /dev/null
+++ b/SOURCES/SDL-1.2.15-CVE-2019-13616-validate_image_size_when_loading_BMP_files.patch
@@ -0,0 +1,23 @@
+changeset: 12960:ad1bbfbca760
+branch: SDL-1.2
+parent: 12914:87d60cae0273
+user: Ozkan Sezer
+date: Tue Jul 30 21:30:24 2019 +0300
+summary: Fixed bug 4538 - validate image size when loading BMP files
+
+diff -r 87d60cae0273 -r ad1bbfbca760 src/video/SDL_bmp.c
+--- a/src/video/SDL_bmp.c Tue Jun 18 23:31:40 2019 +0100
++++ b/src/video/SDL_bmp.c Tue Jul 30 21:30:24 2019 +0300
+@@ -143,6 +143,11 @@
+ (void) biYPelsPerMeter;
+ (void) biClrImportant;
+ 
++ if (biWidth <= 0 || biHeight == 0) {
++ SDL_SetError("BMP file with bad dimensions (%dx%d)", biWidth, biHeight);
++ was_error = SDL_TRUE;
++ goto done;
++ }
+ if (biHeight < 0) {
+ topDown = SDL_TRUE;
+ biHeight = -biHeight;
+ 
diff --git a/SPECS/SDL.spec b/SPECS/SDL.spec
index aa8952b..86407d7 100644
--- a/SPECS/SDL.spec
+++ b/SPECS/SDL.spec
@@ -1,6 +1,6 @@
 Name: SDL
 Version: 1.2.15
-Release: 14%{?dist}
+Release: 15%{?dist}
 Summary: A cross-platform multimedia library
 Group: System Environment/Libraries
 URL: http://www.libsdl.org/
@@ -25,6 +25,8 @@ Patch4: SDL-1.2.15-add_sdl_config_man.patch
 # Do not use backing store by default, sdl2383, rh1073057, rh1245417
 # rejected by upstream
 Patch5: SDL-1.2.15-no-default-backing-store.patch
+# upstream bug #4538, in upstream after 1.2.15
+Patch6: SDL-1.2.15-CVE-2019-13616-validate_image_size_when_loading_BMP_files.patch
 BuildRequires: alsa-lib-devel
 BuildRequires: audiofile-devel
@@ -84,6 +86,8 @@ applications.
 %patch3 -p1 -b .XData32
 %patch4 -p1 -b .sdl_config_man
 %patch5 -p1 -b .backing_store
+%patch6 -p1 -b .0006
+
 for F in CREDITS; do
 iconv -f iso8859-1 -t utf-8 < "$F" > "${F}.utf"
 touch --reference "$F" "${F}.utf"
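Review bot: The added guard in the embedded SDL_bmp.c hunk rejects `biWidth <= 0` and `biHeight == 0` but still lets the most negative height reach `biHeight = -biHeight;` two lines later; if biHeight is a signed 32-bit value (its declaration is outside the hunk), that negation overflows and the height can remain negative. Extending the condition, for example `if (biWidth <= 0 || biHeight == 0 || biHeight == (-2147483647 - 1)) {`, closes that case. The check also sets no upper bound on either dimension, so whether very large values are safe depends on the surface allocation and size arithmetic later in the loader, which this hunk does not show. The enclosing function begins and ends outside the hunk.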
@@ -144,6 +148,10 @@ rm -f %{buildroot}%{_libdir}/*.la %{_libdir}/lib*.a %changelog +* Wed Nov 27 2019 Tomas Pelka - 1.2.15-15 +- Fix CVE-2019-13616 (a heap buffer over-read in BlitNtoN) (bug #1747237) +- Resolves: rhbz#1756276 + * Wed Jul 29 2015 Petr Pisar - 1.2.15-14 - Do not harness backing store by default. Export SDL_VIDEO_X11_BACKINGSTORE environment variable to enable it.