diff --git a/SOURCES/0001-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch b/SOURCES/0001-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch
new file mode 100644
index 0000000..3d10e8f
--- /dev/null
+++ b/SOURCES/0001-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch
@@ -0,0 +1,61 @@
+From bbb40efd9591b8a24de146eb78029731024e9015 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Sat, 8 Jun 2019 17:57:43 -0700
+Subject: [PATCH 01/11] CVE-2019-7572: Fix a buffer overread in
+ IMA_ADPCM_nibble If an IMA ADPCM block contained an initial index out of step
+ table range (loaded in IMA_ADPCM_decode()), IMA_ADPCM_nibble() blindly used
+ this bogus value and that lead to a buffer overread.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch fixes it by moving clamping the index value at the
+beginning of IMA_ADPCM_nibble() function instead of the end after
+an update.
+
+CVE-2019-7572
+https://bugzilla.libsdl.org/show_bug.cgi?id=4495
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+
+--HG--
+branch : SDL-1.2
+---
+ src/audio/SDL_wave.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
+index b4ad6c787..ba1fb5252 100644
+--- a/src/audio/SDL_wave.c
++++ b/src/audio/SDL_wave.c
+@@ -264,6 +264,14 @@ static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble)
+ };
+ Sint32 delta, step;
+
++ /* Clamp index value. The inital value can be invalid. */
++ if ( state->index > 88 ) {
++ state->index = 88;
++ } else
++ if ( state->index < 0 ) {
++ state->index = 0;
++ }
++
+ /* Compute difference and new sample value */
+ step = step_table[state->index];
+ delta = step >> 3;
+@@ -275,12 +283,6 @@ static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble)
+
+ /* Update index value */
+ state->index += index_table[nybble];
+- if ( state->index > 88 ) {
+- state->index = 88;
+- } else
+- if ( state->index < 0 ) {
+- state->index = 0;
+- }
+
+ /* Clamp output sample */
+ if ( state->sample > max_audioval ) {
+--
+2.24.1
+
diff --git a/SOURCES/0001-Don-t-use-C99-features.patch b/SOURCES/0001-Don-t-use-C99-features.patch
new file mode 100644
index 0000000..fba9ab4
--- /dev/null
+++ b/SOURCES/0001-Don-t-use-C99-features.patch
@@ -0,0 +1,29 @@
+From 52f262d8b31ee231a95f5504939a4c7813272848 Mon Sep 17 00:00:00 2001
+From: Wim Taymans <wtaymans@redhat.com>
+Date: Sat, 15 Feb 2020 11:20:40 +0100
+Subject: [PATCH] Don't use C99 features
+
+---
+ src/video/SDL_pixels.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/video/SDL_pixels.c b/src/video/SDL_pixels.c
+index 44626b749..17f1a7199 100644
+--- a/src/video/SDL_pixels.c
++++ b/src/video/SDL_pixels.c
+@@ -292,10 +292,11 @@ void SDL_DitherColors(SDL_Color *colors, int bpp)
+ Uint16 SDL_CalculatePitch(SDL_Surface *surface)
+ {
+ unsigned int pitch = 0;
++ Uint8 byte;
+
+ /* Surface should be 4-byte aligned for speed */
+ /* The code tries to prevent from an Uint16 overflow. */;
+- for (Uint8 byte = surface->format->BytesPerPixel; byte; byte--) {
++ for (byte = surface->format->BytesPerPixel; byte; byte--) {
+ pitch += (unsigned int)surface->w;
+ if (pitch < surface->w) {
+ SDL_SetError("A scanline is too wide");
+--
+2.24.1
+
diff --git a/SOURCES/0002-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch b/SOURCES/0002-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch
new file mode 100644
index 0000000..baacf9f
--- /dev/null
+++ b/SOURCES/0002-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch
@@ -0,0 +1,69 @@
+From 756cdc9bbb1898c631799af8f31f4772c1023aab Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Sat, 8 Jun 2019 18:02:09 -0700
+Subject: [PATCH 02/11] CVE-2019-7578: Fix a buffer overread in InitIMA_ADPCM
+ If IMA ADPCM format chunk was too short, InitIMA_ADPCM() parsing it could
+ read past the end of chunk data. This patch fixes it.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+CVE-2019-7578
+https://bugzilla.libsdl.org/show_bug.cgi?id=4494
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+
+--HG--
+branch : SDL-1.2
+---
+ src/audio/SDL_wave.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
+index ba1fb5252..21ee4dc3c 100644
+--- a/src/audio/SDL_wave.c
++++ b/src/audio/SDL_wave.c
+@@ -222,11 +222,12 @@ static struct IMA_ADPCM_decoder {
+ struct IMA_ADPCM_decodestate state[2];
+ } IMA_ADPCM_state;
+
+-static int InitIMA_ADPCM(WaveFMT *format)
++static int InitIMA_ADPCM(WaveFMT *format, int length)
+ {
+- Uint8 *rogue_feel;
++ Uint8 *rogue_feel, *rogue_feel_end;
+
+ /* Set the rogue pointer to the IMA_ADPCM specific data */
++ if (length < sizeof(*format)) goto too_short;
+ IMA_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding);
+ IMA_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels);
+ IMA_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency);
+@@ -235,11 +236,16 @@ static int InitIMA_ADPCM(WaveFMT *format)
+ IMA_ADPCM_state.wavefmt.bitspersample =
+ SDL_SwapLE16(format->bitspersample);
+ rogue_feel = (Uint8 *)format+sizeof(*format);
++ rogue_feel_end = (Uint8 *)format + length;
+ if ( sizeof(*format) == 16 ) {
+ rogue_feel += sizeof(Uint16);
+ }
++ if (rogue_feel + 2 > rogue_feel_end) goto too_short;
+ IMA_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1]<<8)|rogue_feel[0]);
+ return(0);
++too_short:
++ SDL_SetError("Unexpected length of a chunk with an IMA ADPCM format");
++ return(-1);
+ }
+
+ static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble)
+@@ -471,7 +477,7 @@ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc,
+ break;
+ case IMA_ADPCM_CODE:
+ /* Try to understand this */
+- if ( InitIMA_ADPCM(format) < 0 ) {
++ if ( InitIMA_ADPCM(format, lenread) < 0 ) {
+ was_error = 1;
+ goto done;
+ }
+--
+2.24.1
+
diff --git a/SOURCES/0003-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch b/SOURCES/0003-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch
new file mode 100644
index 0000000..d954420
--- /dev/null
+++ b/SOURCES/0003-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch
@@ -0,0 +1,73 @@
+From 4b3fd03718c9f929e32292e3dfd0c97db7a17bc9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Mon, 10 Jun 2019 08:50:59 -0700
+Subject: [PATCH 03/11] CVE-2019-7574: Fix a buffer overread in
+ IMA_ADPCM_decode If data chunk was shorter than expected based on a WAV
+ format definition, IMA_ADPCM_decode() tried to read past the data chunk
+ buffer. This patch fixes it.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+CVE-2019-7574
+https://bugzilla.libsdl.org/show_bug.cgi?id=4496
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+
+--HG--
+branch : SDL-1.2
+---
+ src/audio/SDL_wave.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
+index 21ee4dc3c..66f804421 100644
+--- a/src/audio/SDL_wave.c
++++ b/src/audio/SDL_wave.c
+@@ -331,7 +331,7 @@ static void Fill_IMA_ADPCM_block(Uint8 *decoded, Uint8 *encoded,
+ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ {
+ struct IMA_ADPCM_decodestate *state;
+- Uint8 *freeable, *encoded, *decoded;
++ Uint8 *freeable, *encoded, *encoded_end, *decoded;
+ Sint32 encoded_len, samplesleft;
+ unsigned int c, channels;
+
+@@ -347,6 +347,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ /* Allocate the proper sized output buffer */
+ encoded_len = *audio_len;
+ encoded = *audio_buf;
++ encoded_end = encoded + encoded_len;
+ freeable = *audio_buf;
+ *audio_len = (encoded_len/IMA_ADPCM_state.wavefmt.blockalign) *
+ IMA_ADPCM_state.wSamplesPerBlock*
+@@ -362,6 +363,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) {
+ /* Grab the initial information for this block */
+ for ( c=0; c<channels; ++c ) {
++ if (encoded + 4 > encoded_end) goto invalid_size;
+ /* Fill the state information for this block */
+ state[c].sample = ((encoded[1]<<8)|encoded[0]);
+ encoded += 2;
+@@ -384,6 +386,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ samplesleft = (IMA_ADPCM_state.wSamplesPerBlock-1)*channels;
+ while ( samplesleft > 0 ) {
+ for ( c=0; c<channels; ++c ) {
++ if (encoded + 4 > encoded_end) goto invalid_size;
+ Fill_IMA_ADPCM_block(decoded, encoded,
+ c, channels, &state[c]);
+ encoded += 4;
+@@ -395,6 +398,10 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ }
+ SDL_free(freeable);
+ return(0);
++invalid_size:
++ SDL_SetError("Unexpected chunk length for an IMA ADPCM decoder");
++ SDL_free(freeable);
++ return(-1);
+ }
+
+ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc,
+--
+2.24.1
+
diff --git a/SOURCES/0004-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch b/SOURCES/0004-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch
new file mode 100644
index 0000000..25bb021
--- /dev/null
+++ b/SOURCES/0004-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch
@@ -0,0 +1,76 @@
+From 8c46fe2fcf6ef4a74808f90711b3e9844632e8f7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Mon, 10 Jun 2019 08:54:11 -0700
+Subject: [PATCH 04/11] CVE-2019-7577: Fix a buffer overread in MS_ADPCM_decode
+ If RIFF/WAV data chunk length is shorter then expected for an audio format
+ defined in preceeding RIFF/WAV format headers, a buffer overread can happen.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch fixes it by checking a MS ADPCM data to be decoded are not
+past the initialized buffer.
+
+CVE-2019-7577
+Reproducer: https://bugzilla.libsdl.org/show_bug.cgi?id=4492
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+
+--HG--
+branch : SDL-1.2
+---
+ src/audio/SDL_wave.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
+index 66f804421..6c6eb14eb 100644
+--- a/src/audio/SDL_wave.c
++++ b/src/audio/SDL_wave.c
+@@ -115,7 +115,7 @@ static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state,
+ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ {
+ struct MS_ADPCM_decodestate *state[2];
+- Uint8 *freeable, *encoded, *decoded;
++ Uint8 *freeable, *encoded, *encoded_end, *decoded;
+ Sint32 encoded_len, samplesleft;
+ Sint8 nybble, stereo;
+ Sint16 *coeff[2];
+@@ -124,6 +124,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ /* Allocate the proper sized output buffer */
+ encoded_len = *audio_len;
+ encoded = *audio_buf;
++ encoded_end = encoded + encoded_len;
+ freeable = *audio_buf;
+ *audio_len = (encoded_len/MS_ADPCM_state.wavefmt.blockalign) *
+ MS_ADPCM_state.wSamplesPerBlock*
+@@ -141,6 +142,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ state[1] = &MS_ADPCM_state.state[stereo];
+ while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) {
+ /* Grab the initial information for this block */
++ if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto too_short;
+ state[0]->hPredictor = *encoded++;
+ if ( stereo ) {
+ state[1]->hPredictor = *encoded++;
+@@ -188,6 +190,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)*
+ MS_ADPCM_state.wavefmt.channels;
+ while ( samplesleft > 0 ) {
++ if (encoded + 1 > encoded_end) goto too_short;
++
+ nybble = (*encoded)>>4;
+ new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]);
+ decoded[0] = new_sample&0xFF;
+@@ -209,6 +213,10 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ }
+ SDL_free(freeable);
+ return(0);
++too_short:
++ SDL_SetError("Too short chunk for a MS ADPCM decoder");
++ SDL_free(freeable);
++ return(-1);
+ }
+
+ struct IMA_ADPCM_decodestate {
+--
+2.24.1
+
diff --git a/SOURCES/0005-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch b/SOURCES/0005-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch
new file mode 100644
index 0000000..04a3729
--- /dev/null
+++ b/SOURCES/0005-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch
@@ -0,0 +1,58 @@
+From 1b7d3f5e53a4d7a827ce89de22a1524bd27572f9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Mon, 10 Jun 2019 08:54:29 -0700
+Subject: [PATCH 05/11] CVE-2019-7577: Fix a buffer overread in MS_ADPCM_nibble
+ and MS_ADPCM_decode If a chunk of RIFF/WAV file with MS ADPCM encoding
+ contains an invalid predictor (a valid predictor's value is between 0 and 6
+ inclusive), a buffer overread can happen when the predictor is used as an
+ index into an array of MS ADPCM coefficients.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The overead happens when indexing MS_ADPCM_state.aCoeff[] array in
+MS_ADPCM_decode() and later when dereferencing a coef pointer in
+MS_ADPCM_nibble().
+
+This patch fixes it by checking the MS ADPCM predictor values fit
+into the valid range.
+
+CVE-2019-7577
+Reproducer: https://bugzilla.libsdl.org/show_bug.cgi?id=4492
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+
+--HG--
+branch : SDL-1.2
+---
+ src/audio/SDL_wave.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
+index 6c6eb14eb..3eedd20a1 100644
+--- a/src/audio/SDL_wave.c
++++ b/src/audio/SDL_wave.c
+@@ -147,6 +147,9 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ if ( stereo ) {
+ state[1]->hPredictor = *encoded++;
+ }
++ if (state[0]->hPredictor >= 7 || state[1]->hPredictor >= 7) {
++ goto invalid_predictor;
++ }
+ state[0]->iDelta = ((encoded[1]<<8)|encoded[0]);
+ encoded += sizeof(Sint16);
+ if ( stereo ) {
+@@ -217,6 +220,10 @@ too_short:
+ SDL_SetError("Too short chunk for a MS ADPCM decoder");
+ SDL_free(freeable);
+ return(-1);
++invalid_predictor:
++ SDL_SetError("Invalid predictor value for a MS ADPCM decoder");
++ SDL_free(freeable);
++ return(-1);
+ }
+
+ struct IMA_ADPCM_decodestate {
+--
+2.24.1
+
diff --git a/SOURCES/0006-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch b/SOURCES/0006-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch
new file mode 100644
index 0000000..7922d89
--- /dev/null
+++ b/SOURCES/0006-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch
@@ -0,0 +1,66 @@
+From 3e53d4b122df0aeb5cbc27622614f9a72d8c2564 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Mon, 10 Jun 2019 08:57:11 -0700
+Subject: [PATCH 06/11] CVE-2019-7572: Fix a buffer overwrite in
+ IMA_ADPCM_decode If data chunk was longer than expected based on a WAV format
+ definition, IMA_ADPCM_decode() tried to write past the output buffer. This
+ patch fixes it.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Based on patch from
+<https://bugzilla.libsdl.org/show_bug.cgi?id=4496>.
+
+CVE-2019-7572
+https://bugzilla.libsdl.org/show_bug.cgi?id=4495
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+
+--HG--
+branch : SDL-1.2
+---
+ src/audio/SDL_wave.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
+index 3eedd20a1..4159eb710 100644
+--- a/src/audio/SDL_wave.c
++++ b/src/audio/SDL_wave.c
+@@ -346,7 +346,7 @@ static void Fill_IMA_ADPCM_block(Uint8 *decoded, Uint8 *encoded,
+ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ {
+ struct IMA_ADPCM_decodestate *state;
+- Uint8 *freeable, *encoded, *encoded_end, *decoded;
++ Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end;
+ Sint32 encoded_len, samplesleft;
+ unsigned int c, channels;
+
+@@ -373,6 +373,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ return(-1);
+ }
+ decoded = *audio_buf;
++ decoded_end = decoded + *audio_len;
+
+ /* Get ready... Go! */
+ while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) {
+@@ -392,6 +393,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ }
+
+ /* Store the initial sample we start with */
++ if (decoded + 2 > decoded_end) goto invalid_size;
+ decoded[0] = (Uint8)(state[c].sample&0xFF);
+ decoded[1] = (Uint8)(state[c].sample>>8);
+ decoded += 2;
+@@ -402,6 +404,8 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ while ( samplesleft > 0 ) {
+ for ( c=0; c<channels; ++c ) {
+ if (encoded + 4 > encoded_end) goto invalid_size;
++ if (decoded + 4 * 4 * channels > decoded_end)
++ goto invalid_size;
+ Fill_IMA_ADPCM_block(decoded, encoded,
+ c, channels, &state[c]);
+ encoded += 4;
+--
+2.24.1
+
diff --git a/SOURCES/0007-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch b/SOURCES/0007-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch
new file mode 100644
index 0000000..a2cef8c
--- /dev/null
+++ b/SOURCES/0007-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch
@@ -0,0 +1,84 @@
+From 10dfd78b74d0fc4a73f49978fb383afa537cb34d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Mon, 10 Jun 2019 09:06:23 -0700
+Subject: [PATCH 07/11] CVE-2019-7573, CVE-2019-7576: Fix buffer overreads in
+ InitMS_ADPCM If MS ADPCM format chunk was too short, InitMS_ADPCM() parsing
+ it could read past the end of chunk data. This patch fixes it.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+CVE-2019-7573
+https://bugzilla.libsdl.org/show_bug.cgi?id=4491
+CVE-2019-7576
+https://bugzilla.libsdl.org/show_bug.cgi?id=4490
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+
+--HG--
+branch : SDL-1.2
+---
+ src/audio/SDL_wave.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
+index 4159eb710..88ac2cca6 100644
+--- a/src/audio/SDL_wave.c
++++ b/src/audio/SDL_wave.c
+@@ -44,12 +44,13 @@ static struct MS_ADPCM_decoder {
+ struct MS_ADPCM_decodestate state[2];
+ } MS_ADPCM_state;
+
+-static int InitMS_ADPCM(WaveFMT *format)
++static int InitMS_ADPCM(WaveFMT *format, int length)
+ {
+- Uint8 *rogue_feel;
++ Uint8 *rogue_feel, *rogue_feel_end;
+ int i;
+
+ /* Set the rogue pointer to the MS_ADPCM specific data */
++ if (length < sizeof(*format)) goto too_short;
+ MS_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding);
+ MS_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels);
+ MS_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency);
+@@ -58,9 +59,11 @@ static int InitMS_ADPCM(WaveFMT *format)
+ MS_ADPCM_state.wavefmt.bitspersample =
+ SDL_SwapLE16(format->bitspersample);
+ rogue_feel = (Uint8 *)format+sizeof(*format);
++ rogue_feel_end = (Uint8 *)format + length;
+ if ( sizeof(*format) == 16 ) {
+ rogue_feel += sizeof(Uint16);
+ }
++ if (rogue_feel + 4 > rogue_feel_end) goto too_short;
+ MS_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1]<<8)|rogue_feel[0]);
+ rogue_feel += sizeof(Uint16);
+ MS_ADPCM_state.wNumCoef = ((rogue_feel[1]<<8)|rogue_feel[0]);
+@@ -70,12 +73,16 @@ static int InitMS_ADPCM(WaveFMT *format)
+ return(-1);
+ }
+ for ( i=0; i<MS_ADPCM_state.wNumCoef; ++i ) {
++ if (rogue_feel + 4 > rogue_feel_end) goto too_short;
+ MS_ADPCM_state.aCoeff[i][0] = ((rogue_feel[1]<<8)|rogue_feel[0]);
+ rogue_feel += sizeof(Uint16);
+ MS_ADPCM_state.aCoeff[i][1] = ((rogue_feel[1]<<8)|rogue_feel[0]);
+ rogue_feel += sizeof(Uint16);
+ }
+ return(0);
++too_short:
++ SDL_SetError("Unexpected length of a chunk with a MS ADPCM format");
++ return(-1);
+ }
+
+ static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state,
+@@ -495,7 +502,7 @@ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc,
+ break;
+ case MS_ADPCM_CODE:
+ /* Try to understand this */
+- if ( InitMS_ADPCM(format) < 0 ) {
++ if ( InitMS_ADPCM(format, lenread) < 0 ) {
+ was_error = 1;
+ goto done;
+ }
+--
+2.24.1
+
diff --git a/SOURCES/0008-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch b/SOURCES/0008-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch
new file mode 100644
index 0000000..69ce6d7
--- /dev/null
+++ b/SOURCES/0008-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch
@@ -0,0 +1,86 @@
+From 5cf68a3fbb846da51e1b867e3fd92ec8d0e7a0dd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Mon, 10 Jun 2019 09:25:05 -0700
+Subject: [PATCH 08/11] CVE-2019-7575: Fix a buffer overwrite in
+ MS_ADPCM_decode If a WAV format defines shorter audio stream and decoded MS
+ ADPCM data chunk is longer, decoding continued past the output audio buffer.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This fix is based on a patch from
+<https://bugzilla.libsdl.org/show_bug.cgi?id=4492>.
+
+https://bugzilla.libsdl.org/show_bug.cgi?id=4493
+CVE-2019-7575
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+
+--HG--
+branch : SDL-1.2
+---
+ src/audio/SDL_wave.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
+index 88ac2cca6..5f9365147 100644
+--- a/src/audio/SDL_wave.c
++++ b/src/audio/SDL_wave.c
+@@ -122,7 +122,7 @@ static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state,
+ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ {
+ struct MS_ADPCM_decodestate *state[2];
+- Uint8 *freeable, *encoded, *encoded_end, *decoded;
++ Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end;
+ Sint32 encoded_len, samplesleft;
+ Sint8 nybble, stereo;
+ Sint16 *coeff[2];
+@@ -142,6 +142,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ return(-1);
+ }
+ decoded = *audio_buf;
++ decoded_end = decoded + *audio_len;
+
+ /* Get ready... Go! */
+ stereo = (MS_ADPCM_state.wavefmt.channels == 2);
+@@ -149,7 +150,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ state[1] = &MS_ADPCM_state.state[stereo];
+ while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) {
+ /* Grab the initial information for this block */
+- if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto too_short;
++ if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto invalid_size;
+ state[0]->hPredictor = *encoded++;
+ if ( stereo ) {
+ state[1]->hPredictor = *encoded++;
+@@ -179,6 +180,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ coeff[1] = MS_ADPCM_state.aCoeff[state[1]->hPredictor];
+
+ /* Store the two initial samples we start with */
++ if (decoded + 4 + (stereo ? 4 : 0) > decoded_end) goto invalid_size;
+ decoded[0] = state[0]->iSamp2&0xFF;
+ decoded[1] = state[0]->iSamp2>>8;
+ decoded += 2;
+@@ -200,7 +202,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)*
+ MS_ADPCM_state.wavefmt.channels;
+ while ( samplesleft > 0 ) {
+- if (encoded + 1 > encoded_end) goto too_short;
++ if (encoded + 1 > encoded_end) goto invalid_size;
++ if (decoded + 4 > decoded_end) goto invalid_size;
+
+ nybble = (*encoded)>>4;
+ new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]);
+@@ -223,8 +226,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ }
+ SDL_free(freeable);
+ return(0);
+-too_short:
+- SDL_SetError("Too short chunk for a MS ADPCM decoder");
++invalid_size:
++ SDL_SetError("Unexpected chunk length for a MS ADPCM decoder");
+ SDL_free(freeable);
+ return(-1);
+ invalid_predictor:
+--
+2.24.1
+
diff --git a/SOURCES/0009-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch b/SOURCES/0009-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch
new file mode 100644
index 0000000..2e70f87
--- /dev/null
+++ b/SOURCES/0009-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch
@@ -0,0 +1,68 @@
+From 1423e12e0bcf5cc43804ac5b31156a4acc316ea9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Tue, 11 Jun 2019 06:28:12 -0700
+Subject: [PATCH 09/11] CVE-2019-7635: Reject BMP images with pixel colors out
+ the palette If a 1-, 4-, or 8-bit per pixel BMP image declares less used
+ colors than the palette offers an SDL_Surface with a palette of the indicated
+ number of used colors is created. If some of the image's pixel refer to a
+ color number higher then the maximal used colors, a subsequent bliting
+ operation on the surface will look up a color past a blit map (that is based
+ on the palette) memory. I.e. passing such SDL_Surface to e.g. an
+ SDL_DisplayFormat() function will result in a buffer overread in a blit
+ function.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch fixes it by validing each pixel's color to be less than the
+maximal color number in the palette. A validation failure raises an
+error from a SDL_LoadBMP_RW() function.
+
+CVE-2019-7635
+https://bugzilla.libsdl.org/show_bug.cgi?id=4498
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+
+--HG--
+branch : SDL-1.2
+---
+ src/video/SDL_bmp.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c
+index 1b6e0ed06..c1f1a24f5 100644
+--- a/src/video/SDL_bmp.c
++++ b/src/video/SDL_bmp.c
+@@ -301,6 +301,12 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc)
+ }
+ *(bits+i) = (pixel>>shift);
+ pixel <<= ExpandBMP;
++ if ( bits[i] >= biClrUsed ) {
++ SDL_SetError(
++ "A BMP image contains a pixel with a color out of the palette");
++ was_error = SDL_TRUE;
++ goto done;
++ }
+ } }
+ break;
+
+@@ -311,6 +317,16 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc)
+ was_error = SDL_TRUE;
+ goto done;
+ }
++ if ( 8 == biBitCount && palette && biClrUsed < (1 << biBitCount ) ) {
++ for ( i=0; i<surface->w; ++i ) {
++ if ( bits[i] >= biClrUsed ) {
++ SDL_SetError(
++ "A BMP image contains a pixel with a color out of the palette");
++ was_error = SDL_TRUE;
++ goto done;
++ }
++ }
++ }
+ #if SDL_BYTEORDER == SDL_BIG_ENDIAN
+ /* Byte-swap the pixels if needed. Note that the 24bpp
+ case has already been taken care of above. */
+--
+2.24.1
+
diff --git a/SOURCES/0010-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch b/SOURCES/0010-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch
new file mode 100644
index 0000000..5abbb4b
--- /dev/null
+++ b/SOURCES/0010-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch
@@ -0,0 +1,56 @@
+From 762c1eb5a1a0e72a8120cfee5699820a73e82152 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Fri, 15 Feb 2019 16:52:27 +0100
+Subject: [PATCH 10/11] CVE-2019-7638, CVE-2019-7636: Refuse loading BMP images
+ with too high number of colors
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If a BMP file that defines more colors than can fit into
+a palette of color depth defined in the same BMP file is loaded by
+SDL_LoadBMP_RW() function, invalid number of colors is set into
+resulting SDL surface.
+
+Then if the SDL surface is passed to SDL_DisplayFormat() function to
+convert the surface format into a native video format, a buffer
+overread will happen in Map1to1() or Map1toN() function
+(CVE-2019-7638). (The choice of the mapping function depends on
+a actual video hardware.)
+
+In addition SDL_GetRGB() called indirectly from SDL_DisplayFormat()
+performs the same buffer overread (CVE-2019-7636).
+
+There is also probably a buffer overwrite when the SDL_LoadBMP_RW()
+loads colors from a file.
+
+This patch fixes it by refusing loading such badly damaged BMP files.
+
+CVE-2019-7638
+https://bugzilla.libsdl.org/show_bug.cgi?id=4500
+CVE-2019-7636
+https://bugzilla.libsdl.org/show_bug.cgi?id=4499
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ src/video/SDL_bmp.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c
+index c1f1a24f5..118181b51 100644
+--- a/src/video/SDL_bmp.c
++++ b/src/video/SDL_bmp.c
+@@ -238,6 +238,10 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc)
+ if ( palette ) {
+ if ( biClrUsed == 0 ) {
+ biClrUsed = 1 << biBitCount;
++ } else if ( biClrUsed > (1 << biBitCount) ) {
++ SDL_SetError("BMP file has an invalid number of colors");
++ was_error = SDL_TRUE;
++ goto done;
+ }
+ if ( biSize == 12 ) {
+ for ( i = 0; i < (int)biClrUsed; ++i ) {
+--
+2.24.1
+
diff --git a/SOURCES/0011-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch b/SOURCES/0011-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch
new file mode 100644
index 0000000..2aa2f28
--- /dev/null
+++ b/SOURCES/0011-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch
@@ -0,0 +1,210 @@
+From 46e7a69c949039f89e35fec143dfa58547ff6d94 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Mon, 18 Feb 2019 13:53:16 +0100
+Subject: [PATCH 11/11] CVE-2019-7637: Fix in integer overflow in
+ SDL_CalculatePitch
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If a too large width is passed to SDL_SetVideoMode() the width travels
+to SDL_CalculatePitch() where the width (e.g. 65535) is multiplied by
+BytesPerPixel (e.g. 4) and the result is stored into Uint16 pitch
+variable. During this arithmetics an integer overflow can happen (e.g.
+the value is clamped as 65532). As a result SDL_Surface with a pitch
+smaller than width * BytesPerPixel is created, too small pixel buffer
+is allocated and when the SDL_Surface is processed in SDL_FillRect()
+a buffer overflow occurs.
+
+This can be reproduced with "./graywin -width 21312312313123213213213"
+command.
+
+This patch fixes is by using a very careful arithmetics in
+SDL_CalculatePitch(). If an overflow is detected, an error is reported
+back as a special 0 value. We assume that 0-width surfaces do not
+occur in the wild. Since SDL_CalculatePitch() is a private function,
+we can change the semantics.
+
+CVE-2019-7637
+https://bugzilla.libsdl.org/show_bug.cgi?id=4497
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ src/video/SDL_pixels.c | 41 +++++++++++++++++++++++++++------
+ src/video/gapi/SDL_gapivideo.c | 3 +++
+ src/video/nanox/SDL_nxvideo.c | 4 ++++
+ src/video/ps2gs/SDL_gsvideo.c | 3 +++
+ src/video/ps3/SDL_ps3video.c | 3 +++
+ src/video/windib/SDL_dibvideo.c | 3 +++
+ src/video/windx5/SDL_dx5video.c | 3 +++
+ src/video/x11/SDL_x11video.c | 4 ++++
+ 8 files changed, 57 insertions(+), 7 deletions(-)
+
+diff --git a/src/video/SDL_pixels.c b/src/video/SDL_pixels.c
+index 1a7fd518f..44626b749 100644
+--- a/src/video/SDL_pixels.c
++++ b/src/video/SDL_pixels.c
+@@ -286,26 +286,53 @@ void SDL_DitherColors(SDL_Color *colors, int bpp)
+ }
+ }
+ /*
+- * Calculate the pad-aligned scanline width of a surface
++ * Calculate the pad-aligned scanline width of a surface. Return 0 in case of
++ * an error.
+ */
+ Uint16 SDL_CalculatePitch(SDL_Surface *surface)
+ {
+- Uint16 pitch;
++ unsigned int pitch = 0;
+
+ /* Surface should be 4-byte aligned for speed */
+- pitch = surface->w*surface->format->BytesPerPixel;
++ /* The code tries to prevent from an Uint16 overflow. */;
++ for (Uint8 byte = surface->format->BytesPerPixel; byte; byte--) {
++ pitch += (unsigned int)surface->w;
++ if (pitch < surface->w) {
++ SDL_SetError("A scanline is too wide");
++ return(0);
++ }
++ }
+ switch (surface->format->BitsPerPixel) {
+ case 1:
+- pitch = (pitch+7)/8;
++ if (pitch % 8) {
++ pitch = pitch / 8 + 1;
++ } else {
++ pitch = pitch / 8;
++ }
+ break;
+ case 4:
+- pitch = (pitch+1)/2;
++ if (pitch % 2) {
++ pitch = pitch / 2 + 1;
++ } else {
++ pitch = pitch / 2;
++ }
+ break;
+ default:
+ break;
+ }
+- pitch = (pitch + 3) & ~3; /* 4-byte aligning */
+- return(pitch);
++ /* 4-byte aligning */
++ if (pitch & 3) {
++ if (pitch + 3 < pitch) {
++ SDL_SetError("A scanline is too wide");
++ return(0);
++ }
++ pitch = (pitch + 3) & ~3;
++ }
++ if (pitch > 0xFFFF) {
++ SDL_SetError("A scanline is too wide");
++ return(0);
++ }
++ return((Uint16)pitch);
+ }
+ /*
+ * Match an RGB value to a particular palette index
+diff --git a/src/video/gapi/SDL_gapivideo.c b/src/video/gapi/SDL_gapivideo.c
+index 86deadc75..8a0648536 100644
+--- a/src/video/gapi/SDL_gapivideo.c
++++ b/src/video/gapi/SDL_gapivideo.c
+@@ -733,6 +733,9 @@ SDL_Surface *GAPI_SetVideoMode(_THIS, SDL_Surface *current,
+ video->w = gapi->w = width;
+ video->h = gapi->h = height;
+ video->pitch = SDL_CalculatePitch(video);
++ if (!current->pitch) {
++ return(NULL);
++ }
+
+ /* Small fix for WinCE/Win32 - when activating window
+ SDL_VideoSurface is equal to zero, so activating code
+diff --git a/src/video/nanox/SDL_nxvideo.c b/src/video/nanox/SDL_nxvideo.c
+index b188e0958..cbdd09a08 100644
+--- a/src/video/nanox/SDL_nxvideo.c
++++ b/src/video/nanox/SDL_nxvideo.c
+@@ -378,6 +378,10 @@ SDL_Surface * NX_SetVideoMode (_THIS, SDL_Surface * current,
+ current -> w = width ;
+ current -> h = height ;
+ current -> pitch = SDL_CalculatePitch (current) ;
++ if (!current->pitch) {
++ current = NULL;
++ goto done;
++ }
+ NX_ResizeImage (this, current, flags) ;
+ }
+
+diff --git a/src/video/ps2gs/SDL_gsvideo.c b/src/video/ps2gs/SDL_gsvideo.c
+index e172c60dc..329086680 100644
+--- a/src/video/ps2gs/SDL_gsvideo.c
++++ b/src/video/ps2gs/SDL_gsvideo.c
+@@ -479,6 +479,9 @@ static SDL_Surface *GS_SetVideoMode(_THIS, SDL_Surface *current,
+ current->w = width;
+ current->h = height;
+ current->pitch = SDL_CalculatePitch(current);
++ if (!current->pitch) {
++ return(NULL);
++ }
+
+ /* Memory map the DMA area for block memory transfer */
+ if ( ! mapped_mem ) {
+diff --git a/src/video/ps3/SDL_ps3video.c b/src/video/ps3/SDL_ps3video.c
+index d5519e051..17848e33a 100644
+--- a/src/video/ps3/SDL_ps3video.c
++++ b/src/video/ps3/SDL_ps3video.c
+@@ -339,6 +339,9 @@ static SDL_Surface *PS3_SetVideoMode(_THIS, SDL_Surface * current, int width, in
+ current->w = width;
+ current->h = height;
+ current->pitch = SDL_CalculatePitch(current);
++ if (!current->pitch) {
++ return(NULL);
++ }
+
+ /* Alloc aligned mem for current->pixels */
+ s_pixels = memalign(16, current->h * current->pitch);
+diff --git a/src/video/windib/SDL_dibvideo.c b/src/video/windib/SDL_dibvideo.c
+index 6187bfcf7..86ebb12a3 100644
+--- a/src/video/windib/SDL_dibvideo.c
++++ b/src/video/windib/SDL_dibvideo.c
+@@ -675,6 +675,9 @@ SDL_Surface *DIB_SetVideoMode(_THIS, SDL_Surface *current,
+ video->w = width;
+ video->h = height;
+ video->pitch = SDL_CalculatePitch(video);
++ if (!current->pitch) {
++ return(NULL);
++ }
+
+ /* Small fix for WinCE/Win32 - when activating window
+ SDL_VideoSurface is equal to zero, so activating code
+diff --git a/src/video/windx5/SDL_dx5video.c b/src/video/windx5/SDL_dx5video.c
+index f80ca97b0..39fc4fc37 100644
+--- a/src/video/windx5/SDL_dx5video.c
++++ b/src/video/windx5/SDL_dx5video.c
+@@ -1127,6 +1127,9 @@ SDL_Surface *DX5_SetVideoMode(_THIS, SDL_Surface *current,
+ video->w = width;
+ video->h = height;
+ video->pitch = SDL_CalculatePitch(video);
++ if (!current->pitch) {
++ return(NULL);
++ }
+
+ #ifndef NO_CHANGEDISPLAYSETTINGS
+ /* Set fullscreen mode if appropriate.
+diff --git a/src/video/x11/SDL_x11video.c b/src/video/x11/SDL_x11video.c
+index 79e60f971..45d1f79be 100644
+--- a/src/video/x11/SDL_x11video.c
++++ b/src/video/x11/SDL_x11video.c
+@@ -1220,6 +1220,10 @@ SDL_Surface *X11_SetVideoMode(_THIS, SDL_Surface *current,
+ current->w = width;
+ current->h = height;
+ current->pitch = SDL_CalculatePitch(current);
++ if (!current->pitch) {
++ current = NULL;
++ goto done;
++ }
+ if (X11_ResizeImage(this, current, flags) < 0) {
+ current = NULL;
+ goto done;
+--
+2.24.1
+
diff --git a/SPECS/SDL.spec b/SPECS/SDL.spec
index be2c711..179acf0 100644
--- a/SPECS/SDL.spec
+++ b/SPECS/SDL.spec
@@ -1,6 +1,6 @@
Name: SDL
Version: 1.2.15
-Release: 16%{?dist}
+Release: 17%{?dist}
Summary: A cross-platform multimedia library
Group: System Environment/Libraries
URL: http://www.libsdl.org/
@@ -28,6 +28,19 @@ Patch5: SDL-1.2.15-no-default-backing-store.patch
# upstream bug #4538, in upstream after 1.2.15
Patch6: SDL-1.2.15-CVE-2019-13616-validate_image_size_when_loading_BMP_files.patch
+Patch7: 0001-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch
+Patch8: 0002-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch
+Patch9: 0003-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch
+Patch10: 0004-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch
+Patch11: 0005-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch
+Patch12: 0006-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch
+Patch13: 0007-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch
+Patch14: 0008-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch
+Patch15: 0009-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch
+Patch16: 0010-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch
+Patch17: 0011-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch
+Patch18: 0001-Don-t-use-C99-features.patch
+
BuildRequires: alsa-lib-devel
BuildRequires: audiofile-devel
BuildRequires: mesa-libGL-devel
@@ -87,6 +100,18 @@ applications.
%patch4 -p1 -b .sdl_config_man
%patch5 -p1 -b .backing_store
%patch6 -p1 -b .0006
+%patch7 -p1 -b .0007
+%patch8 -p1 -b .0008
+%patch9 -p1 -b .0009
+%patch10 -p1 -b .0010
+%patch11 -p1 -b .0011
+%patch12 -p1 -b .0012
+%patch13 -p1 -b .0013
+%patch14 -p1 -b .0014
+%patch15 -p1 -b .0015
+%patch16 -p1 -b .0016
+%patch17 -p1 -b .0017
+%patch18 -p1 -b .0018
for F in CREDITS; do
iconv -f iso8859-1 -t utf-8 < "$F" > "${F}.utf"
@@ -148,6 +173,13 @@ rm -f %{buildroot}%{_libdir}/*.la
%{_libdir}/lib*.a
%changelog
+* Fri Feb 14 2020 Wim Taymans <wtaymans@redhat.com> - 1.2.15-17
+- Fix Some CVEs: CVE-2019-7572, CVE-2019-7573, CVE-2019-7574,
+ CVE-2019-7575, CVE-2019-7576, CVE-2019-7577, CVE-2019-7578,
+ CVE-2019-7635, CVE-2019-7636, CVE-2019-7637, CVE-2019-7638
+- Resolves: rhbz#1716201, rhbz#1716202, rhbz#1716206,
+- Resolves: rhbz#1716207, rhbz#1716208
+
* Mon Dec 16 2019 Tomas Pelka <tpelka@redhat.com> - 1.2.15-16
- Need to bump version to avoid conflict with 7.7.z build
- Resolves: rhbz#1756277