import SDL-1.2.15-38.el8
This commit is contained in:
parent
5b8b7147ba
commit
7365e85059
@ -0,0 +1,61 @@
|
||||
From 4b4cac39ba7988df9d8def32360dd842b707ba74 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
|
||||
Date: Sat, 8 Jun 2019 17:57:43 -0700
|
||||
Subject: [PATCH 01/11] CVE-2019-7572: Fix a buffer overread in
|
||||
IMA_ADPCM_nibble If an IMA ADPCM block contained an initial index out of step
|
||||
table range (loaded in IMA_ADPCM_decode()), IMA_ADPCM_nibble() blindly used
|
||||
this bogus value and that lead to a buffer overread.
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
This patch fixes it by moving clamping the index value at the
|
||||
beginning of IMA_ADPCM_nibble() function instead of the end after
|
||||
an update.
|
||||
|
||||
CVE-2019-7572
|
||||
https://bugzilla.libsdl.org/show_bug.cgi?id=4495
|
||||
|
||||
Signed-off-by: Petr Písař <ppisar@redhat.com>
|
||||
|
||||
--HG--
|
||||
branch : SDL-1.2
|
||||
---
|
||||
src/audio/SDL_wave.c | 14 ++++++++------
|
||||
1 file changed, 8 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
|
||||
index b4ad6c787..ba1fb5252 100644
|
||||
--- a/src/audio/SDL_wave.c
|
||||
+++ b/src/audio/SDL_wave.c
|
||||
@@ -264,6 +264,14 @@ static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble)
|
||||
};
|
||||
Sint32 delta, step;
|
||||
|
||||
+ /* Clamp index value. The inital value can be invalid. */
|
||||
+ if ( state->index > 88 ) {
|
||||
+ state->index = 88;
|
||||
+ } else
|
||||
+ if ( state->index < 0 ) {
|
||||
+ state->index = 0;
|
||||
+ }
|
||||
+
|
||||
/* Compute difference and new sample value */
|
||||
step = step_table[state->index];
|
||||
delta = step >> 3;
|
||||
@@ -275,12 +283,6 @@ static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble)
|
||||
|
||||
/* Update index value */
|
||||
state->index += index_table[nybble];
|
||||
- if ( state->index > 88 ) {
|
||||
- state->index = 88;
|
||||
- } else
|
||||
- if ( state->index < 0 ) {
|
||||
- state->index = 0;
|
||||
- }
|
||||
|
||||
/* Clamp output sample */
|
||||
if ( state->sample > max_audioval ) {
|
||||
--
|
||||
2.21.0
|
||||
|
@ -0,0 +1,69 @@
|
||||
From 210e68f70a5a007b0664239aa557e6b9d1b3e830 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
|
||||
Date: Sat, 8 Jun 2019 18:02:09 -0700
|
||||
Subject: [PATCH 02/11] CVE-2019-7578: Fix a buffer overread in InitIMA_ADPCM
|
||||
If IMA ADPCM format chunk was too short, InitIMA_ADPCM() parsing it could
|
||||
read past the end of chunk data. This patch fixes it.
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
CVE-2019-7578
|
||||
https://bugzilla.libsdl.org/show_bug.cgi?id=4494
|
||||
|
||||
Signed-off-by: Petr Písař <ppisar@redhat.com>
|
||||
|
||||
--HG--
|
||||
branch : SDL-1.2
|
||||
---
|
||||
src/audio/SDL_wave.c | 12 +++++++++---
|
||||
1 file changed, 9 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
|
||||
index ba1fb5252..21ee4dc3c 100644
|
||||
--- a/src/audio/SDL_wave.c
|
||||
+++ b/src/audio/SDL_wave.c
|
||||
@@ -222,11 +222,12 @@ static struct IMA_ADPCM_decoder {
|
||||
struct IMA_ADPCM_decodestate state[2];
|
||||
} IMA_ADPCM_state;
|
||||
|
||||
-static int InitIMA_ADPCM(WaveFMT *format)
|
||||
+static int InitIMA_ADPCM(WaveFMT *format, int length)
|
||||
{
|
||||
- Uint8 *rogue_feel;
|
||||
+ Uint8 *rogue_feel, *rogue_feel_end;
|
||||
|
||||
/* Set the rogue pointer to the IMA_ADPCM specific data */
|
||||
+ if (length < sizeof(*format)) goto too_short;
|
||||
IMA_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding);
|
||||
IMA_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels);
|
||||
IMA_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency);
|
||||
@@ -235,11 +236,16 @@ static int InitIMA_ADPCM(WaveFMT *format)
|
||||
IMA_ADPCM_state.wavefmt.bitspersample =
|
||||
SDL_SwapLE16(format->bitspersample);
|
||||
rogue_feel = (Uint8 *)format+sizeof(*format);
|
||||
+ rogue_feel_end = (Uint8 *)format + length;
|
||||
if ( sizeof(*format) == 16 ) {
|
||||
rogue_feel += sizeof(Uint16);
|
||||
}
|
||||
+ if (rogue_feel + 2 > rogue_feel_end) goto too_short;
|
||||
IMA_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1]<<8)|rogue_feel[0]);
|
||||
return(0);
|
||||
+too_short:
|
||||
+ SDL_SetError("Unexpected length of a chunk with an IMA ADPCM format");
|
||||
+ return(-1);
|
||||
}
|
||||
|
||||
static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble)
|
||||
@@ -471,7 +477,7 @@ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc,
|
||||
break;
|
||||
case IMA_ADPCM_CODE:
|
||||
/* Try to understand this */
|
||||
- if ( InitIMA_ADPCM(format) < 0 ) {
|
||||
+ if ( InitIMA_ADPCM(format, lenread) < 0 ) {
|
||||
was_error = 1;
|
||||
goto done;
|
||||
}
|
||||
--
|
||||
2.21.0
|
||||
|
@ -0,0 +1,73 @@
|
||||
From db0282cbe00a64cc65ba445ea21928d72dc26d97 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
|
||||
Date: Mon, 10 Jun 2019 08:50:59 -0700
|
||||
Subject: [PATCH 03/11] CVE-2019-7574: Fix a buffer overread in
|
||||
IMA_ADPCM_decode If data chunk was shorter than expected based on a WAV
|
||||
format definition, IMA_ADPCM_decode() tried to read past the data chunk
|
||||
buffer. This patch fixes it.
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
CVE-2019-7574
|
||||
https://bugzilla.libsdl.org/show_bug.cgi?id=4496
|
||||
|
||||
Signed-off-by: Petr Písař <ppisar@redhat.com>
|
||||
|
||||
--HG--
|
||||
branch : SDL-1.2
|
||||
---
|
||||
src/audio/SDL_wave.c | 9 ++++++++-
|
||||
1 file changed, 8 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
|
||||
index 21ee4dc3c..66f804421 100644
|
||||
--- a/src/audio/SDL_wave.c
|
||||
+++ b/src/audio/SDL_wave.c
|
||||
@@ -331,7 +331,7 @@ static void Fill_IMA_ADPCM_block(Uint8 *decoded, Uint8 *encoded,
|
||||
static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
|
||||
{
|
||||
struct IMA_ADPCM_decodestate *state;
|
||||
- Uint8 *freeable, *encoded, *decoded;
|
||||
+ Uint8 *freeable, *encoded, *encoded_end, *decoded;
|
||||
Sint32 encoded_len, samplesleft;
|
||||
unsigned int c, channels;
|
||||
|
||||
@@ -347,6 +347,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
|
||||
/* Allocate the proper sized output buffer */
|
||||
encoded_len = *audio_len;
|
||||
encoded = *audio_buf;
|
||||
+ encoded_end = encoded + encoded_len;
|
||||
freeable = *audio_buf;
|
||||
*audio_len = (encoded_len/IMA_ADPCM_state.wavefmt.blockalign) *
|
||||
IMA_ADPCM_state.wSamplesPerBlock*
|
||||
@@ -362,6 +363,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
|
||||
while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) {
|
||||
/* Grab the initial information for this block */
|
||||
for ( c=0; c<channels; ++c ) {
|
||||
+ if (encoded + 4 > encoded_end) goto invalid_size;
|
||||
/* Fill the state information for this block */
|
||||
state[c].sample = ((encoded[1]<<8)|encoded[0]);
|
||||
encoded += 2;
|
||||
@@ -384,6 +386,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
|
||||
samplesleft = (IMA_ADPCM_state.wSamplesPerBlock-1)*channels;
|
||||
while ( samplesleft > 0 ) {
|
||||
for ( c=0; c<channels; ++c ) {
|
||||
+ if (encoded + 4 > encoded_end) goto invalid_size;
|
||||
Fill_IMA_ADPCM_block(decoded, encoded,
|
||||
c, channels, &state[c]);
|
||||
encoded += 4;
|
||||
@@ -395,6 +398,10 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
|
||||
}
|
||||
SDL_free(freeable);
|
||||
return(0);
|
||||
+invalid_size:
|
||||
+ SDL_SetError("Unexpected chunk length for an IMA ADPCM decoder");
|
||||
+ SDL_free(freeable);
|
||||
+ return(-1);
|
||||
}
|
||||
|
||||
SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc,
|
||||
--
|
||||
2.21.0
|
||||
|
@ -0,0 +1,76 @@
|
||||
From d5ec943db7d51fccd7230c9df0c7a2e46d611f50 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
|
||||
Date: Mon, 10 Jun 2019 08:54:11 -0700
|
||||
Subject: [PATCH 04/11] CVE-2019-7577: Fix a buffer overread in MS_ADPCM_decode
|
||||
If RIFF/WAV data chunk length is shorter then expected for an audio format
|
||||
defined in preceeding RIFF/WAV format headers, a buffer overread can happen.
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
This patch fixes it by checking a MS ADPCM data to be decoded are not
|
||||
past the initialized buffer.
|
||||
|
||||
CVE-2019-7577
|
||||
Reproducer: https://bugzilla.libsdl.org/show_bug.cgi?id=4492
|
||||
|
||||
Signed-off-by: Petr Písař <ppisar@redhat.com>
|
||||
|
||||
--HG--
|
||||
branch : SDL-1.2
|
||||
---
|
||||
src/audio/SDL_wave.c | 10 +++++++++-
|
||||
1 file changed, 9 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
|
||||
index 66f804421..6c6eb14eb 100644
|
||||
--- a/src/audio/SDL_wave.c
|
||||
+++ b/src/audio/SDL_wave.c
|
||||
@@ -115,7 +115,7 @@ static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state,
|
||||
static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
|
||||
{
|
||||
struct MS_ADPCM_decodestate *state[2];
|
||||
- Uint8 *freeable, *encoded, *decoded;
|
||||
+ Uint8 *freeable, *encoded, *encoded_end, *decoded;
|
||||
Sint32 encoded_len, samplesleft;
|
||||
Sint8 nybble, stereo;
|
||||
Sint16 *coeff[2];
|
||||
@@ -124,6 +124,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
|
||||
/* Allocate the proper sized output buffer */
|
||||
encoded_len = *audio_len;
|
||||
encoded = *audio_buf;
|
||||
+ encoded_end = encoded + encoded_len;
|
||||
freeable = *audio_buf;
|
||||
*audio_len = (encoded_len/MS_ADPCM_state.wavefmt.blockalign) *
|
||||
MS_ADPCM_state.wSamplesPerBlock*
|
||||
@@ -141,6 +142,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
|
||||
state[1] = &MS_ADPCM_state.state[stereo];
|
||||
while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) {
|
||||
/* Grab the initial information for this block */
|
||||
+ if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto too_short;
|
||||
state[0]->hPredictor = *encoded++;
|
||||
if ( stereo ) {
|
||||
state[1]->hPredictor = *encoded++;
|
||||
@@ -188,6 +190,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
|
||||
samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)*
|
||||
MS_ADPCM_state.wavefmt.channels;
|
||||
while ( samplesleft > 0 ) {
|
||||
+ if (encoded + 1 > encoded_end) goto too_short;
|
||||
+
|
||||
nybble = (*encoded)>>4;
|
||||
new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]);
|
||||
decoded[0] = new_sample&0xFF;
|
||||
@@ -209,6 +213,10 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
|
||||
}
|
||||
SDL_free(freeable);
|
||||
return(0);
|
||||
+too_short:
|
||||
+ SDL_SetError("Too short chunk for a MS ADPCM decoder");
|
||||
+ SDL_free(freeable);
|
||||
+ return(-1);
|
||||
}
|
||||
|
||||
struct IMA_ADPCM_decodestate {
|
||||
--
|
||||
2.21.0
|
||||
|
@ -0,0 +1,58 @@
|
||||
From 06d20617d0d5bb89a6caf5f2201c93baf03c43c2 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
|
||||
Date: Mon, 10 Jun 2019 08:54:29 -0700
|
||||
Subject: [PATCH 05/11] CVE-2019-7577: Fix a buffer overread in MS_ADPCM_nibble
|
||||
and MS_ADPCM_decode If a chunk of RIFF/WAV file with MS ADPCM encoding
|
||||
contains an invalid predictor (a valid predictor's value is between 0 and 6
|
||||
inclusive), a buffer overread can happen when the predictor is used as an
|
||||
index into an array of MS ADPCM coefficients.
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The overead happens when indexing MS_ADPCM_state.aCoeff[] array in
|
||||
MS_ADPCM_decode() and later when dereferencing a coef pointer in
|
||||
MS_ADPCM_nibble().
|
||||
|
||||
This patch fixes it by checking the MS ADPCM predictor values fit
|
||||
into the valid range.
|
||||
|
||||
CVE-2019-7577
|
||||
Reproducer: https://bugzilla.libsdl.org/show_bug.cgi?id=4492
|
||||
|
||||
Signed-off-by: Petr Písař <ppisar@redhat.com>
|
||||
|
||||
--HG--
|
||||
branch : SDL-1.2
|
||||
---
|
||||
src/audio/SDL_wave.c | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
|
||||
index 6c6eb14eb..3eedd20a1 100644
|
||||
--- a/src/audio/SDL_wave.c
|
||||
+++ b/src/audio/SDL_wave.c
|
||||
@@ -147,6 +147,9 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
|
||||
if ( stereo ) {
|
||||
state[1]->hPredictor = *encoded++;
|
||||
}
|
||||
+ if (state[0]->hPredictor >= 7 || state[1]->hPredictor >= 7) {
|
||||
+ goto invalid_predictor;
|
||||
+ }
|
||||
state[0]->iDelta = ((encoded[1]<<8)|encoded[0]);
|
||||
encoded += sizeof(Sint16);
|
||||
if ( stereo ) {
|
||||
@@ -217,6 +220,10 @@ too_short:
|
||||
SDL_SetError("Too short chunk for a MS ADPCM decoder");
|
||||
SDL_free(freeable);
|
||||
return(-1);
|
||||
+invalid_predictor:
|
||||
+ SDL_SetError("Invalid predictor value for a MS ADPCM decoder");
|
||||
+ SDL_free(freeable);
|
||||
+ return(-1);
|
||||
}
|
||||
|
||||
struct IMA_ADPCM_decodestate {
|
||||
--
|
||||
2.21.0
|
||||
|
@ -0,0 +1,66 @@
|
||||
From b637e14f849130449544c8899aed716a2f049b75 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
|
||||
Date: Mon, 10 Jun 2019 08:57:11 -0700
|
||||
Subject: [PATCH 06/11] CVE-2019-7572: Fix a buffer overwrite in
|
||||
IMA_ADPCM_decode If data chunk was longer than expected based on a WAV format
|
||||
definition, IMA_ADPCM_decode() tried to write past the output buffer. This
|
||||
patch fixes it.
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Based on patch from
|
||||
<https://bugzilla.libsdl.org/show_bug.cgi?id=4496>.
|
||||
|
||||
CVE-2019-7572
|
||||
https://bugzilla.libsdl.org/show_bug.cgi?id=4495
|
||||
|
||||
Signed-off-by: Petr Písař <ppisar@redhat.com>
|
||||
|
||||
--HG--
|
||||
branch : SDL-1.2
|
||||
---
|
||||
src/audio/SDL_wave.c | 6 +++++-
|
||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
|
||||
index 3eedd20a1..4159eb710 100644
|
||||
--- a/src/audio/SDL_wave.c
|
||||
+++ b/src/audio/SDL_wave.c
|
||||
@@ -346,7 +346,7 @@ static void Fill_IMA_ADPCM_block(Uint8 *decoded, Uint8 *encoded,
|
||||
static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
|
||||
{
|
||||
struct IMA_ADPCM_decodestate *state;
|
||||
- Uint8 *freeable, *encoded, *encoded_end, *decoded;
|
||||
+ Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end;
|
||||
Sint32 encoded_len, samplesleft;
|
||||
unsigned int c, channels;
|
||||
|
||||
@@ -373,6 +373,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
|
||||
return(-1);
|
||||
}
|
||||
decoded = *audio_buf;
|
||||
+ decoded_end = decoded + *audio_len;
|
||||
|
||||
/* Get ready... Go! */
|
||||
while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) {
|
||||
@@ -392,6 +393,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
|
||||
}
|
||||
|
||||
/* Store the initial sample we start with */
|
||||
+ if (decoded + 2 > decoded_end) goto invalid_size;
|
||||
decoded[0] = (Uint8)(state[c].sample&0xFF);
|
||||
decoded[1] = (Uint8)(state[c].sample>>8);
|
||||
decoded += 2;
|
||||
@@ -402,6 +404,8 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
|
||||
while ( samplesleft > 0 ) {
|
||||
for ( c=0; c<channels; ++c ) {
|
||||
if (encoded + 4 > encoded_end) goto invalid_size;
|
||||
+ if (decoded + 4 * 4 * channels > decoded_end)
|
||||
+ goto invalid_size;
|
||||
Fill_IMA_ADPCM_block(decoded, encoded,
|
||||
c, channels, &state[c]);
|
||||
encoded += 4;
|
||||
--
|
||||
2.21.0
|
||||
|
@ -0,0 +1,84 @@
|
||||
From 45ef356d8c01a3941286b35b90eb319959f20f2c Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
|
||||
Date: Mon, 10 Jun 2019 09:06:23 -0700
|
||||
Subject: [PATCH 07/11] CVE-2019-7573, CVE-2019-7576: Fix buffer overreads in
|
||||
InitMS_ADPCM If MS ADPCM format chunk was too short, InitMS_ADPCM() parsing
|
||||
it could read past the end of chunk data. This patch fixes it.
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
CVE-2019-7573
|
||||
https://bugzilla.libsdl.org/show_bug.cgi?id=4491
|
||||
CVE-2019-7576
|
||||
https://bugzilla.libsdl.org/show_bug.cgi?id=4490
|
||||
|
||||
Signed-off-by: Petr Písař <ppisar@redhat.com>
|
||||
|
||||
--HG--
|
||||
branch : SDL-1.2
|
||||
---
|
||||
src/audio/SDL_wave.c | 13 ++++++++++---
|
||||
1 file changed, 10 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
|
||||
index 4159eb710..88ac2cca6 100644
|
||||
--- a/src/audio/SDL_wave.c
|
||||
+++ b/src/audio/SDL_wave.c
|
||||
@@ -44,12 +44,13 @@ static struct MS_ADPCM_decoder {
|
||||
struct MS_ADPCM_decodestate state[2];
|
||||
} MS_ADPCM_state;
|
||||
|
||||
-static int InitMS_ADPCM(WaveFMT *format)
|
||||
+static int InitMS_ADPCM(WaveFMT *format, int length)
|
||||
{
|
||||
- Uint8 *rogue_feel;
|
||||
+ Uint8 *rogue_feel, *rogue_feel_end;
|
||||
int i;
|
||||
|
||||
/* Set the rogue pointer to the MS_ADPCM specific data */
|
||||
+ if (length < sizeof(*format)) goto too_short;
|
||||
MS_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding);
|
||||
MS_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels);
|
||||
MS_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency);
|
||||
@@ -58,9 +59,11 @@ static int InitMS_ADPCM(WaveFMT *format)
|
||||
MS_ADPCM_state.wavefmt.bitspersample =
|
||||
SDL_SwapLE16(format->bitspersample);
|
||||
rogue_feel = (Uint8 *)format+sizeof(*format);
|
||||
+ rogue_feel_end = (Uint8 *)format + length;
|
||||
if ( sizeof(*format) == 16 ) {
|
||||
rogue_feel += sizeof(Uint16);
|
||||
}
|
||||
+ if (rogue_feel + 4 > rogue_feel_end) goto too_short;
|
||||
MS_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1]<<8)|rogue_feel[0]);
|
||||
rogue_feel += sizeof(Uint16);
|
||||
MS_ADPCM_state.wNumCoef = ((rogue_feel[1]<<8)|rogue_feel[0]);
|
||||
@@ -70,12 +73,16 @@ static int InitMS_ADPCM(WaveFMT *format)
|
||||
return(-1);
|
||||
}
|
||||
for ( i=0; i<MS_ADPCM_state.wNumCoef; ++i ) {
|
||||
+ if (rogue_feel + 4 > rogue_feel_end) goto too_short;
|
||||
MS_ADPCM_state.aCoeff[i][0] = ((rogue_feel[1]<<8)|rogue_feel[0]);
|
||||
rogue_feel += sizeof(Uint16);
|
||||
MS_ADPCM_state.aCoeff[i][1] = ((rogue_feel[1]<<8)|rogue_feel[0]);
|
||||
rogue_feel += sizeof(Uint16);
|
||||
}
|
||||
return(0);
|
||||
+too_short:
|
||||
+ SDL_SetError("Unexpected length of a chunk with a MS ADPCM format");
|
||||
+ return(-1);
|
||||
}
|
||||
|
||||
static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state,
|
||||
@@ -495,7 +502,7 @@ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc,
|
||||
break;
|
||||
case MS_ADPCM_CODE:
|
||||
/* Try to understand this */
|
||||
- if ( InitMS_ADPCM(format) < 0 ) {
|
||||
+ if ( InitMS_ADPCM(format, lenread) < 0 ) {
|
||||
was_error = 1;
|
||||
goto done;
|
||||
}
|
||||
--
|
||||
2.21.0
|
||||
|
@ -0,0 +1,86 @@
|
||||
From 730c8b917e7deecc3cdf9ac9eb20e2b7e6450356 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
|
||||
Date: Mon, 10 Jun 2019 09:25:05 -0700
|
||||
Subject: [PATCH 08/11] CVE-2019-7575: Fix a buffer overwrite in
|
||||
MS_ADPCM_decode If a WAV format defines shorter audio stream and decoded MS
|
||||
ADPCM data chunk is longer, decoding continued past the output audio buffer.
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
This fix is based on a patch from
|
||||
<https://bugzilla.libsdl.org/show_bug.cgi?id=4492>.
|
||||
|
||||
https://bugzilla.libsdl.org/show_bug.cgi?id=4493
|
||||
CVE-2019-7575
|
||||
|
||||
Signed-off-by: Petr Písař <ppisar@redhat.com>
|
||||
|
||||
--HG--
|
||||
branch : SDL-1.2
|
||||
---
|
||||
src/audio/SDL_wave.c | 13 ++++++++-----
|
||||
1 file changed, 8 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
|
||||
index 88ac2cca6..5f9365147 100644
|
||||
--- a/src/audio/SDL_wave.c
|
||||
+++ b/src/audio/SDL_wave.c
|
||||
@@ -122,7 +122,7 @@ static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state,
|
||||
static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
|
||||
{
|
||||
struct MS_ADPCM_decodestate *state[2];
|
||||
- Uint8 *freeable, *encoded, *encoded_end, *decoded;
|
||||
+ Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end;
|
||||
Sint32 encoded_len, samplesleft;
|
||||
Sint8 nybble, stereo;
|
||||
Sint16 *coeff[2];
|
||||
@@ -142,6 +142,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
|
||||
return(-1);
|
||||
}
|
||||
decoded = *audio_buf;
|
||||
+ decoded_end = decoded + *audio_len;
|
||||
|
||||
/* Get ready... Go! */
|
||||
stereo = (MS_ADPCM_state.wavefmt.channels == 2);
|
||||
@@ -149,7 +150,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
|
||||
state[1] = &MS_ADPCM_state.state[stereo];
|
||||
while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) {
|
||||
/* Grab the initial information for this block */
|
||||
- if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto too_short;
|
||||
+ if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto invalid_size;
|
||||
state[0]->hPredictor = *encoded++;
|
||||
if ( stereo ) {
|
||||
state[1]->hPredictor = *encoded++;
|
||||
@@ -179,6 +180,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
|
||||
coeff[1] = MS_ADPCM_state.aCoeff[state[1]->hPredictor];
|
||||
|
||||
/* Store the two initial samples we start with */
|
||||
+ if (decoded + 4 + (stereo ? 4 : 0) > decoded_end) goto invalid_size;
|
||||
decoded[0] = state[0]->iSamp2&0xFF;
|
||||
decoded[1] = state[0]->iSamp2>>8;
|
||||
decoded += 2;
|
||||
@@ -200,7 +202,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
|
||||
samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)*
|
||||
MS_ADPCM_state.wavefmt.channels;
|
||||
while ( samplesleft > 0 ) {
|
||||
- if (encoded + 1 > encoded_end) goto too_short;
|
||||
+ if (encoded + 1 > encoded_end) goto invalid_size;
|
||||
+ if (decoded + 4 > decoded_end) goto invalid_size;
|
||||
|
||||
nybble = (*encoded)>>4;
|
||||
new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]);
|
||||
@@ -223,8 +226,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
|
||||
}
|
||||
SDL_free(freeable);
|
||||
return(0);
|
||||
-too_short:
|
||||
- SDL_SetError("Too short chunk for a MS ADPCM decoder");
|
||||
+invalid_size:
|
||||
+ SDL_SetError("Unexpected chunk length for a MS ADPCM decoder");
|
||||
SDL_free(freeable);
|
||||
return(-1);
|
||||
invalid_predictor:
|
||||
--
|
||||
2.21.0
|
||||
|
@ -0,0 +1,68 @@
|
||||
From 974b6b063b652317f1a2df12834c829415529bc5 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
|
||||
Date: Tue, 11 Jun 2019 06:28:12 -0700
|
||||
Subject: [PATCH 09/11] CVE-2019-7635: Reject BMP images with pixel colors out
|
||||
the palette If a 1-, 4-, or 8-bit per pixel BMP image declares less used
|
||||
colors than the palette offers an SDL_Surface with a palette of the indicated
|
||||
number of used colors is created. If some of the image's pixel refer to a
|
||||
color number higher then the maximal used colors, a subsequent bliting
|
||||
operation on the surface will look up a color past a blit map (that is based
|
||||
on the palette) memory. I.e. passing such SDL_Surface to e.g. an
|
||||
SDL_DisplayFormat() function will result in a buffer overread in a blit
|
||||
function.
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
This patch fixes it by validing each pixel's color to be less than the
|
||||
maximal color number in the palette. A validation failure raises an
|
||||
error from a SDL_LoadBMP_RW() function.
|
||||
|
||||
CVE-2019-7635
|
||||
https://bugzilla.libsdl.org/show_bug.cgi?id=4498
|
||||
|
||||
Signed-off-by: Petr Písař <ppisar@redhat.com>
|
||||
|
||||
--HG--
|
||||
branch : SDL-1.2
|
||||
---
|
||||
src/video/SDL_bmp.c | 16 ++++++++++++++++
|
||||
1 file changed, 16 insertions(+)
|
||||
|
||||
diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c
|
||||
index d56cfd83a..8acae3bcb 100644
|
||||
--- a/src/video/SDL_bmp.c
|
||||
+++ b/src/video/SDL_bmp.c
|
||||
@@ -296,6 +296,12 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc)
|
||||
}
|
||||
*(bits+i) = (pixel>>shift);
|
||||
pixel <<= ExpandBMP;
|
||||
+ if ( bits[i] >= biClrUsed ) {
|
||||
+ SDL_SetError(
|
||||
+ "A BMP image contains a pixel with a color out of the palette");
|
||||
+ was_error = SDL_TRUE;
|
||||
+ goto done;
|
||||
+ }
|
||||
} }
|
||||
break;
|
||||
|
||||
@@ -306,6 +312,16 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc)
|
||||
was_error = SDL_TRUE;
|
||||
goto done;
|
||||
}
|
||||
+ if ( 8 == biBitCount && palette && biClrUsed < (1 << biBitCount ) ) {
|
||||
+ for ( i=0; i<surface->w; ++i ) {
|
||||
+ if ( bits[i] >= biClrUsed ) {
|
||||
+ SDL_SetError(
|
||||
+ "A BMP image contains a pixel with a color out of the palette");
|
||||
+ was_error = SDL_TRUE;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
#if SDL_BYTEORDER == SDL_BIG_ENDIAN
|
||||
/* Byte-swap the pixels if needed. Note that the 24bpp
|
||||
case has already been taken care of above. */
|
||||
--
|
||||
2.21.0
|
||||
|
@ -0,0 +1,56 @@
|
||||
From 73161afdf77e2cf90f47c9be0bc970dadedb5d7c Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
|
||||
Date: Fri, 15 Feb 2019 16:52:27 +0100
|
||||
Subject: [PATCH 10/11] CVE-2019-7638, CVE-2019-7636: Refuse loading BMP images
|
||||
with too high number of colors
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
If a BMP file that defines more colors than can fit into
|
||||
a palette of color depth defined in the same BMP file is loaded by
|
||||
SDL_LoadBMP_RW() function, invalid number of colors is set into
|
||||
resulting SDL surface.
|
||||
|
||||
Then if the SDL surface is passed to SDL_DisplayFormat() function to
|
||||
convert the surface format into a native video format, a buffer
|
||||
overread will happen in Map1to1() or Map1toN() function
|
||||
(CVE-2019-7638). (The choice of the mapping function depends on
|
||||
a actual video hardware.)
|
||||
|
||||
In addition SDL_GetRGB() called indirectly from SDL_DisplayFormat()
|
||||
performs the same buffer overread (CVE-2019-7636).
|
||||
|
||||
There is also probably a buffer overwrite when the SDL_LoadBMP_RW()
|
||||
loads colors from a file.
|
||||
|
||||
This patch fixes it by refusing loading such badly damaged BMP files.
|
||||
|
||||
CVE-2019-7638
|
||||
https://bugzilla.libsdl.org/show_bug.cgi?id=4500
|
||||
CVE-2019-7636
|
||||
https://bugzilla.libsdl.org/show_bug.cgi?id=4499
|
||||
|
||||
Signed-off-by: Petr Písař <ppisar@redhat.com>
|
||||
---
|
||||
src/video/SDL_bmp.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c
|
||||
index 8acae3bcb..8eadc5f66 100644
|
||||
--- a/src/video/SDL_bmp.c
|
||||
+++ b/src/video/SDL_bmp.c
|
||||
@@ -233,6 +233,10 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc)
|
||||
if ( palette ) {
|
||||
if ( biClrUsed == 0 ) {
|
||||
biClrUsed = 1 << biBitCount;
|
||||
+ } else if ( biClrUsed > (1 << biBitCount) ) {
|
||||
+ SDL_SetError("BMP file has an invalid number of colors");
|
||||
+ was_error = SDL_TRUE;
|
||||
+ goto done;
|
||||
}
|
||||
if ( biSize == 12 ) {
|
||||
for ( i = 0; i < (int)biClrUsed; ++i ) {
|
||||
--
|
||||
2.21.0
|
||||
|
@ -0,0 +1,210 @@
|
||||
From 7cafd3e820489f17f86d0d897ad9719ef54599f1 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
|
||||
Date: Mon, 18 Feb 2019 13:53:16 +0100
|
||||
Subject: [PATCH 11/11] CVE-2019-7637: Fix in integer overflow in
|
||||
SDL_CalculatePitch
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
If a too large width is passed to SDL_SetVideoMode() the width travels
|
||||
to SDL_CalculatePitch() where the width (e.g. 65535) is multiplied by
|
||||
BytesPerPixel (e.g. 4) and the result is stored into Uint16 pitch
|
||||
variable. During this arithmetics an integer overflow can happen (e.g.
|
||||
the value is clamped as 65532). As a result SDL_Surface with a pitch
|
||||
smaller than width * BytesPerPixel is created, too small pixel buffer
|
||||
is allocated and when the SDL_Surface is processed in SDL_FillRect()
|
||||
a buffer overflow occurs.
|
||||
|
||||
This can be reproduced with "./graywin -width 21312312313123213213213"
|
||||
command.
|
||||
|
||||
This patch fixes is by using a very careful arithmetics in
|
||||
SDL_CalculatePitch(). If an overflow is detected, an error is reported
|
||||
back as a special 0 value. We assume that 0-width surfaces do not
|
||||
occur in the wild. Since SDL_CalculatePitch() is a private function,
|
||||
we can change the semantics.
|
||||
|
||||
CVE-2019-7637
|
||||
https://bugzilla.libsdl.org/show_bug.cgi?id=4497
|
||||
|
||||
Signed-off-by: Petr Písař <ppisar@redhat.com>
|
||||
---
|
||||
src/video/SDL_pixels.c | 41 +++++++++++++++++++++++++++------
|
||||
src/video/gapi/SDL_gapivideo.c | 3 +++
|
||||
src/video/nanox/SDL_nxvideo.c | 4 ++++
|
||||
src/video/ps2gs/SDL_gsvideo.c | 3 +++
|
||||
src/video/ps3/SDL_ps3video.c | 3 +++
|
||||
src/video/windib/SDL_dibvideo.c | 3 +++
|
||||
src/video/windx5/SDL_dx5video.c | 3 +++
|
||||
src/video/x11/SDL_x11video.c | 4 ++++
|
||||
8 files changed, 57 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/src/video/SDL_pixels.c b/src/video/SDL_pixels.c
|
||||
index 1a7fd518f..44626b749 100644
|
||||
--- a/src/video/SDL_pixels.c
|
||||
+++ b/src/video/SDL_pixels.c
|
||||
@@ -286,26 +286,53 @@ void SDL_DitherColors(SDL_Color *colors, int bpp)
|
||||
}
|
||||
}
|
||||
/*
|
||||
- * Calculate the pad-aligned scanline width of a surface
|
||||
+ * Calculate the pad-aligned scanline width of a surface. Return 0 in case of
|
||||
+ * an error.
|
||||
*/
|
||||
Uint16 SDL_CalculatePitch(SDL_Surface *surface)
|
||||
{
|
||||
- Uint16 pitch;
|
||||
+ unsigned int pitch = 0;
|
||||
|
||||
/* Surface should be 4-byte aligned for speed */
|
||||
- pitch = surface->w*surface->format->BytesPerPixel;
|
||||
+ /* The code tries to prevent from an Uint16 overflow. */;
|
||||
+ for (Uint8 byte = surface->format->BytesPerPixel; byte; byte--) {
|
||||
+ pitch += (unsigned int)surface->w;
|
||||
+ if (pitch < surface->w) {
|
||||
+ SDL_SetError("A scanline is too wide");
|
||||
+ return(0);
|
||||
+ }
|
||||
+ }
|
||||
switch (surface->format->BitsPerPixel) {
|
||||
case 1:
|
||||
- pitch = (pitch+7)/8;
|
||||
+ if (pitch % 8) {
|
||||
+ pitch = pitch / 8 + 1;
|
||||
+ } else {
|
||||
+ pitch = pitch / 8;
|
||||
+ }
|
||||
break;
|
||||
case 4:
|
||||
- pitch = (pitch+1)/2;
|
||||
+ if (pitch % 2) {
|
||||
+ pitch = pitch / 2 + 1;
|
||||
+ } else {
|
||||
+ pitch = pitch / 2;
|
||||
+ }
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
- pitch = (pitch + 3) & ~3; /* 4-byte aligning */
|
||||
- return(pitch);
|
||||
+ /* 4-byte aligning */
|
||||
+ if (pitch & 3) {
|
||||
+ if (pitch + 3 < pitch) {
|
||||
+ SDL_SetError("A scanline is too wide");
|
||||
+ return(0);
|
||||
+ }
|
||||
+ pitch = (pitch + 3) & ~3;
|
||||
+ }
|
||||
+ if (pitch > 0xFFFF) {
|
||||
+ SDL_SetError("A scanline is too wide");
|
||||
+ return(0);
|
||||
+ }
|
||||
+ return((Uint16)pitch);
|
||||
}
|
||||
/*
|
||||
* Match an RGB value to a particular palette index
|
||||
diff --git a/src/video/gapi/SDL_gapivideo.c b/src/video/gapi/SDL_gapivideo.c
|
||||
index 86deadc75..8a0648536 100644
|
||||
--- a/src/video/gapi/SDL_gapivideo.c
|
||||
+++ b/src/video/gapi/SDL_gapivideo.c
|
||||
@@ -733,6 +733,9 @@ SDL_Surface *GAPI_SetVideoMode(_THIS, SDL_Surface *current,
|
||||
video->w = gapi->w = width;
|
||||
video->h = gapi->h = height;
|
||||
video->pitch = SDL_CalculatePitch(video);
|
||||
+ if (!current->pitch) {
|
||||
+ return(NULL);
|
||||
+ }
|
||||
|
||||
/* Small fix for WinCE/Win32 - when activating window
|
||||
SDL_VideoSurface is equal to zero, so activating code
|
||||
diff --git a/src/video/nanox/SDL_nxvideo.c b/src/video/nanox/SDL_nxvideo.c
|
||||
index b188e0958..cbdd09a08 100644
|
||||
--- a/src/video/nanox/SDL_nxvideo.c
|
||||
+++ b/src/video/nanox/SDL_nxvideo.c
|
||||
@@ -378,6 +378,10 @@ SDL_Surface * NX_SetVideoMode (_THIS, SDL_Surface * current,
|
||||
current -> w = width ;
|
||||
current -> h = height ;
|
||||
current -> pitch = SDL_CalculatePitch (current) ;
|
||||
+ if (!current->pitch) {
|
||||
+ current = NULL;
|
||||
+ goto done;
|
||||
+ }
|
||||
NX_ResizeImage (this, current, flags) ;
|
||||
}
|
||||
|
||||
diff --git a/src/video/ps2gs/SDL_gsvideo.c b/src/video/ps2gs/SDL_gsvideo.c
|
||||
index e172c60dc..329086680 100644
|
||||
--- a/src/video/ps2gs/SDL_gsvideo.c
|
||||
+++ b/src/video/ps2gs/SDL_gsvideo.c
|
||||
@@ -479,6 +479,9 @@ static SDL_Surface *GS_SetVideoMode(_THIS, SDL_Surface *current,
|
||||
current->w = width;
|
||||
current->h = height;
|
||||
current->pitch = SDL_CalculatePitch(current);
|
||||
+ if (!current->pitch) {
|
||||
+ return(NULL);
|
||||
+ }
|
||||
|
||||
/* Memory map the DMA area for block memory transfer */
|
||||
if ( ! mapped_mem ) {
|
||||
diff --git a/src/video/ps3/SDL_ps3video.c b/src/video/ps3/SDL_ps3video.c
|
||||
index d5519e051..17848e33a 100644
|
||||
--- a/src/video/ps3/SDL_ps3video.c
|
||||
+++ b/src/video/ps3/SDL_ps3video.c
|
||||
@@ -339,6 +339,9 @@ static SDL_Surface *PS3_SetVideoMode(_THIS, SDL_Surface * current, int width, in
|
||||
current->w = width;
|
||||
current->h = height;
|
||||
current->pitch = SDL_CalculatePitch(current);
|
||||
+ if (!current->pitch) {
|
||||
+ return(NULL);
|
||||
+ }
|
||||
|
||||
/* Alloc aligned mem for current->pixels */
|
||||
s_pixels = memalign(16, current->h * current->pitch);
|
||||
diff --git a/src/video/windib/SDL_dibvideo.c b/src/video/windib/SDL_dibvideo.c
|
||||
index 6187bfcf7..86ebb12a3 100644
|
||||
--- a/src/video/windib/SDL_dibvideo.c
|
||||
+++ b/src/video/windib/SDL_dibvideo.c
|
||||
@@ -675,6 +675,9 @@ SDL_Surface *DIB_SetVideoMode(_THIS, SDL_Surface *current,
|
||||
video->w = width;
|
||||
video->h = height;
|
||||
video->pitch = SDL_CalculatePitch(video);
|
||||
+ if (!current->pitch) {
|
||||
+ return(NULL);
|
||||
+ }
|
||||
|
||||
/* Small fix for WinCE/Win32 - when activating window
|
||||
SDL_VideoSurface is equal to zero, so activating code
|
||||
diff --git a/src/video/windx5/SDL_dx5video.c b/src/video/windx5/SDL_dx5video.c
|
||||
index f80ca97b0..39fc4fc37 100644
|
||||
--- a/src/video/windx5/SDL_dx5video.c
|
||||
+++ b/src/video/windx5/SDL_dx5video.c
|
||||
@@ -1127,6 +1127,9 @@ SDL_Surface *DX5_SetVideoMode(_THIS, SDL_Surface *current,
|
||||
video->w = width;
|
||||
video->h = height;
|
||||
video->pitch = SDL_CalculatePitch(video);
|
||||
+ if (!current->pitch) {
|
||||
+ return(NULL);
|
||||
+ }
|
||||
|
||||
#ifndef NO_CHANGEDISPLAYSETTINGS
|
||||
/* Set fullscreen mode if appropriate.
|
||||
diff --git a/src/video/x11/SDL_x11video.c b/src/video/x11/SDL_x11video.c
|
||||
index 79e60f971..45d1f79be 100644
|
||||
--- a/src/video/x11/SDL_x11video.c
|
||||
+++ b/src/video/x11/SDL_x11video.c
|
||||
@@ -1220,6 +1220,10 @@ SDL_Surface *X11_SetVideoMode(_THIS, SDL_Surface *current,
|
||||
current->w = width;
|
||||
current->h = height;
|
||||
current->pitch = SDL_CalculatePitch(current);
|
||||
+ if (!current->pitch) {
|
||||
+ current = NULL;
|
||||
+ goto done;
|
||||
+ }
|
||||
if (X11_ResizeImage(this, current, flags) < 0) {
|
||||
current = NULL;
|
||||
goto done;
|
||||
--
|
||||
2.21.0
|
||||
|
@ -10,7 +10,7 @@
|
||||
|
||||
Name: SDL
|
||||
Version: 1.2.15
|
||||
Release: 37%{?dist}
|
||||
Release: 38%{?dist}
|
||||
Summary: A cross-platform multimedia library
|
||||
URL: http://www.libsdl.org/
|
||||
# The license of the file src/video/fbcon/riva_mmio.h is bad, but the contents
|
||||
@ -49,6 +49,18 @@ Patch9: 0001-fix-small-errors-detected-by-coverity.patch
|
||||
# upstream bug #4538, in upstream after 1.2.15
|
||||
Patch10: SDL-1.2.15-CVE-2019-13616-validate_image_size_when_loading_BMP_files.patch
|
||||
|
||||
Patch11: 0001-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch
|
||||
Patch12: 0002-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch
|
||||
Patch13: 0003-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch
|
||||
Patch14: 0004-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch
|
||||
Patch15: 0005-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch
|
||||
Patch16: 0006-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch
|
||||
Patch17: 0007-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch
|
||||
Patch18: 0008-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch
|
||||
Patch19: 0009-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch
|
||||
Patch20: 0010-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch
|
||||
Patch21: 0011-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch
|
||||
|
||||
BuildRequires: alsa-lib-devel
|
||||
%if %{with arts}
|
||||
BuildRequires: arts-devel
|
||||
@ -125,6 +137,17 @@ applications.
|
||||
%patch8 -p1
|
||||
%patch9 -p1
|
||||
%patch10 -p1
|
||||
%patch11 -p1
|
||||
%patch12 -p1
|
||||
%patch13 -p1
|
||||
%patch14 -p1
|
||||
%patch15 -p1
|
||||
%patch16 -p1
|
||||
%patch17 -p1
|
||||
%patch18 -p1
|
||||
%patch19 -p1
|
||||
%patch20 -p1
|
||||
%patch21 -p1
|
||||
|
||||
for F in CREDITS; do
|
||||
iconv -f iso8859-1 -t utf-8 < "$F" > "${F}.utf"
|
||||
@ -202,6 +225,12 @@ rm -f %{buildroot}%{_libdir}/*.la
|
||||
%{_libdir}/lib*.a
|
||||
|
||||
%changelog
|
||||
* Mon Mar 23 2020 Wim Taymans <wtaymans@redhat.com> - 1.2.15-38
|
||||
- fix CVEs
|
||||
- Resolves: rhbz#1716209, rhbz#1716210, rhbz#1716211, rhbz#1716212,
|
||||
rhbz#1716213, rhbz#1716214, rhbz#1716215, rhbz#1716216,
|
||||
rhbz#1716217, rhbz#1716218, rhbz#1716219
|
||||
|
||||
* Thu Nov 21 2019 Wim Taymans <wtaymans@redhat.com> - 1.2.15-37
|
||||
- Rebuild
|
||||
- Resolves: rhbz#1756279
|
||||
|
Loading…
Reference in New Issue
Block a user