No commits in common. "c8" and "c9-beta" have entirely different histories.
c8 ... c9-beta

22 changed files with 392 additions and 206 deletions


@ -1 +1,2 @@
61a0c4976ecc88d1101f1d03105089588d167a40 SOURCES/SDL-1.2.15_repackaged.tar.gz 61a0c4976ecc88d1101f1d03105089588d167a40 SOURCES/SDL-1.2.15_repackaged.tar.gz
5778b357370d88bfac9c34e5aba106e2375f8cc7 SOURCES/slouken-pubkey.asc
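Review bot: the new `SOURCES/slouken-pubkey.asc` entry adds a signing key, but the only archive listed is still `SDL-1.2.15_repackaged.tar.gz`, and no detached signature is added next to it. A repackaged tarball will not match a signature made over the upstream release, so please say in the spec or the commit message which file this key is meant to verify and at which build step the check runs. Both entries are also pinned by a 40-hex-digit digest; if the metadata format allows a longer digest, use it for the key, since it is the trust anchor.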

.gitignore

@ -1 +1,2 @@
SOURCES/SDL-1.2.15_repackaged.tar.gz SOURCES/SDL-1.2.15_repackaged.tar.gz
SOURCES/slouken-pubkey.asc
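Review bot: ignoring `SOURCES/slouken-pubkey.asc` keeps the verification key out of git, so it is never reviewed as a diff and is fixed only by its digest in the metadata file. A public key is a small text file; consider committing it directly so that any later replacement of the key is visible in history.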


@ -1,14 +1,15 @@
From 4b4cac39ba7988df9d8def32360dd842b707ba74 Mon Sep 17 00:00:00 2001 From bb11ffcff5ae2f25bead921c2a299e7e63d8a759 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com> From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Sat, 8 Jun 2019 17:57:43 -0700 Date: Thu, 14 Feb 2019 16:51:54 +0100
Subject: [PATCH 01/11] CVE-2019-7572: Fix a buffer overread in Subject: [PATCH] CVE-2019-7572: Fix a buffer overread in IMA_ADPCM_nibble
IMA_ADPCM_nibble If an IMA ADPCM block contained an initial index out of step
table range (loaded in IMA_ADPCM_decode()), IMA_ADPCM_nibble() blindly used
this bogus value and that lead to a buffer overread.
MIME-Version: 1.0 MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8 Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit Content-Transfer-Encoding: 8bit
If an IMA ADPCM block contained an initial index out of step table
range (loaded in IMA_ADPCM_decode()), IMA_ADPCM_nibble() blindly used
this bogus value and that lead to a buffer overread.
This patch fixes it by moving clamping the index value at the This patch fixes it by moving clamping the index value at the
beginning of IMA_ADPCM_nibble() function instead of the end after beginning of IMA_ADPCM_nibble() function instead of the end after
an update. an update.
@ -17,18 +18,15 @@ CVE-2019-7572
https://bugzilla.libsdl.org/show_bug.cgi?id=4495 https://bugzilla.libsdl.org/show_bug.cgi?id=4495
Signed-off-by: Petr Písař <ppisar@redhat.com> Signed-off-by: Petr Písař <ppisar@redhat.com>
--HG--
branch : SDL-1.2
--- ---
src/audio/SDL_wave.c | 14 ++++++++------ src/audio/SDL_wave.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-) 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
index b4ad6c787..ba1fb5252 100644 index 2968b3d..69d62dc 100644
--- a/src/audio/SDL_wave.c --- a/src/audio/SDL_wave.c
+++ b/src/audio/SDL_wave.c +++ b/src/audio/SDL_wave.c
@@ -264,6 +264,14 @@ static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble) @@ -275,6 +275,14 @@ static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble)
}; };
Sint32 delta, step; Sint32 delta, step;
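Review bot: the provenance of the right-hand patch is undocumented. It is dated Thu, 14 Feb 2019, has a bare `[PATCH]` subject and was generated by git 2.20.1, while the left-hand one is dated Sat, 8 Jun 2019, is numbered 01/11 and carries `--HG-- branch : SDL-1.2`. Please record in the spec which revision of the fix is being shipped and confirm that the code hunks match the version that went into the SDL-1.2 branch, because the header alone no longer ties this file to an upstream commit.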
@ -43,7 +41,7 @@ index b4ad6c787..ba1fb5252 100644
/* Compute difference and new sample value */ /* Compute difference and new sample value */
step = step_table[state->index]; step = step_table[state->index];
delta = step >> 3; delta = step >> 3;
@@ -275,12 +283,6 @@ static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble) @@ -286,12 +294,6 @@ static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble)
/* Update index value */ /* Update index value */
state->index += index_table[nybble]; state->index += index_table[nybble];
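Review bot: with the clamp moved to the top of `IMA_ADPCM_nibble()` (8 lines added after `Sint32 delta, step;`) and the 6 lines after `state->index += index_table[nybble];` removed, `state->index` is left out of range between calls. That is safe only as long as every read of `state->index` goes through this function. Either keep the post-update clamp as well, or add a comment at the `step = step_table[state->index];` lookup stating that the entry clamp is the sole guard, so a later reader of the field does not assume it is already bounded.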
@ -57,5 +55,5 @@ index b4ad6c787..ba1fb5252 100644
/* Clamp output sample */ /* Clamp output sample */
if ( state->sample > max_audioval ) { if ( state->sample > max_audioval ) {
-- --
2.21.0 2.20.1


@ -1,14 +1,15 @@
From b637e14f849130449544c8899aed716a2f049b75 Mon Sep 17 00:00:00 2001 From 6086741bda4d43cc227500bc7645a829380e6326 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com> From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Mon, 10 Jun 2019 08:57:11 -0700 Date: Fri, 15 Feb 2019 09:21:45 +0100
Subject: [PATCH 06/11] CVE-2019-7572: Fix a buffer overwrite in Subject: [PATCH] CVE-2019-7572: Fix a buffer overwrite in IMA_ADPCM_decode
IMA_ADPCM_decode If data chunk was longer than expected based on a WAV format
definition, IMA_ADPCM_decode() tried to write past the output buffer. This
patch fixes it.
MIME-Version: 1.0 MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8 Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit Content-Transfer-Encoding: 8bit
If data chunk was longer than expected based on a WAV format
definition, IMA_ADPCM_decode() tried to write past the output
buffer. This patch fixes it.
Based on patch from Based on patch from
<https://bugzilla.libsdl.org/show_bug.cgi?id=4496>. <https://bugzilla.libsdl.org/show_bug.cgi?id=4496>.
@ -16,18 +17,15 @@ CVE-2019-7572
https://bugzilla.libsdl.org/show_bug.cgi?id=4495 https://bugzilla.libsdl.org/show_bug.cgi?id=4495
Signed-off-by: Petr Písař <ppisar@redhat.com> Signed-off-by: Petr Písař <ppisar@redhat.com>
--HG--
branch : SDL-1.2
--- ---
src/audio/SDL_wave.c | 6 +++++- src/audio/SDL_wave.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-) 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
index 3eedd20a1..4159eb710 100644 index 69d62dc..91e89e8 100644
--- a/src/audio/SDL_wave.c --- a/src/audio/SDL_wave.c
+++ b/src/audio/SDL_wave.c +++ b/src/audio/SDL_wave.c
@@ -346,7 +346,7 @@ static void Fill_IMA_ADPCM_block(Uint8 *decoded, Uint8 *encoded, @@ -336,7 +336,7 @@ static void Fill_IMA_ADPCM_block(Uint8 *decoded, Uint8 *encoded,
static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
{ {
struct IMA_ADPCM_decodestate *state; struct IMA_ADPCM_decodestate *state;
@ -36,7 +34,7 @@ index 3eedd20a1..4159eb710 100644
Sint32 encoded_len, samplesleft; Sint32 encoded_len, samplesleft;
unsigned int c, channels; unsigned int c, channels;
@@ -373,6 +373,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) @@ -363,6 +363,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
return(-1); return(-1);
} }
decoded = *audio_buf; decoded = *audio_buf;
@ -44,7 +42,7 @@ index 3eedd20a1..4159eb710 100644
/* Get ready... Go! */ /* Get ready... Go! */
while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) { while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) {
@@ -392,6 +393,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) @@ -382,6 +383,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
} }
/* Store the initial sample we start with */ /* Store the initial sample we start with */
@ -52,7 +50,7 @@ index 3eedd20a1..4159eb710 100644
decoded[0] = (Uint8)(state[c].sample&0xFF); decoded[0] = (Uint8)(state[c].sample&0xFF);
decoded[1] = (Uint8)(state[c].sample>>8); decoded[1] = (Uint8)(state[c].sample>>8);
decoded += 2; decoded += 2;
@@ -402,6 +404,8 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) @@ -392,6 +394,8 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
while ( samplesleft > 0 ) { while ( samplesleft > 0 ) {
for ( c=0; c<channels; ++c ) { for ( c=0; c<channels; ++c ) {
if (encoded + 4 > encoded_end) goto invalid_size; if (encoded + 4 > encoded_end) goto invalid_size;
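Review bot: the context line `if (encoded + 4 > encoded_end) goto invalid_size;` forms a pointer that can lie more than one element past the end of the buffer, which is undefined behaviour in C and can be optimised in surprising ways. Compare lengths instead, for example `encoded_end - encoded < 4`. The two lines this hunk adds directly after it are not shown here; if they test the output pointer with the same pattern, the same change applies to them.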
@ -62,5 +60,5 @@ index 3eedd20a1..4159eb710 100644
c, channels, &state[c]); c, channels, &state[c]);
encoded += 4; encoded += 4;
-- --
2.21.0 2.20.1


@ -1,28 +1,27 @@
From 45ef356d8c01a3941286b35b90eb319959f20f2c Mon Sep 17 00:00:00 2001 From 3e2c89e516701f3586dfeadec13932f665371d2a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com> From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Mon, 10 Jun 2019 09:06:23 -0700 Date: Fri, 15 Feb 2019 10:36:13 +0100
Subject: [PATCH 07/11] CVE-2019-7573, CVE-2019-7576: Fix buffer overreads in Subject: [PATCH] CVE-2019-7573, CVE-2019-7576: Fix buffer overreads in
InitMS_ADPCM If MS ADPCM format chunk was too short, InitMS_ADPCM() parsing InitMS_ADPCM
it could read past the end of chunk data. This patch fixes it.
MIME-Version: 1.0 MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8 Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit Content-Transfer-Encoding: 8bit
If MS ADPCM format chunk was too short, InitMS_ADPCM() parsing it
could read past the end of chunk data. This patch fixes it.
CVE-2019-7573 CVE-2019-7573
https://bugzilla.libsdl.org/show_bug.cgi?id=4491 https://bugzilla.libsdl.org/show_bug.cgi?id=4491
CVE-2019-7576 CVE-2019-7576
https://bugzilla.libsdl.org/show_bug.cgi?id=4490 https://bugzilla.libsdl.org/show_bug.cgi?id=4490
Signed-off-by: Petr Písař <ppisar@redhat.com> Signed-off-by: Petr Písař <ppisar@redhat.com>
--HG--
branch : SDL-1.2
--- ---
src/audio/SDL_wave.c | 13 ++++++++++--- src/audio/SDL_wave.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-) 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
index 4159eb710..88ac2cca6 100644 index 91e89e8..1d446ed 100644
--- a/src/audio/SDL_wave.c --- a/src/audio/SDL_wave.c
+++ b/src/audio/SDL_wave.c +++ b/src/audio/SDL_wave.c
@@ -44,12 +44,13 @@ static struct MS_ADPCM_decoder { @@ -44,12 +44,13 @@ static struct MS_ADPCM_decoder {
@ -70,7 +69,7 @@ index 4159eb710..88ac2cca6 100644
} }
static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state, static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state,
@@ -495,7 +502,7 @@ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc, @@ -485,7 +492,7 @@ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc,
break; break;
case MS_ADPCM_CODE: case MS_ADPCM_CODE:
/* Try to understand this */ /* Try to understand this */
@ -80,5 +79,5 @@ index 4159eb710..88ac2cca6 100644
goto done; goto done;
} }
-- --
2.21.0 2.20.1


@ -1,30 +1,28 @@
From db0282cbe00a64cc65ba445ea21928d72dc26d97 Mon Sep 17 00:00:00 2001 From 9b2eee24768889378032077423cb6a3221a8ad18 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com> From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Mon, 10 Jun 2019 08:50:59 -0700 Date: Thu, 14 Feb 2019 15:41:47 +0100
Subject: [PATCH 03/11] CVE-2019-7574: Fix a buffer overread in Subject: [PATCH] CVE-2019-7574: Fix a buffer overread in IMA_ADPCM_decode
IMA_ADPCM_decode If data chunk was shorter than expected based on a WAV
format definition, IMA_ADPCM_decode() tried to read past the data chunk
buffer. This patch fixes it.
MIME-Version: 1.0 MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8 Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit Content-Transfer-Encoding: 8bit
If data chunk was shorter than expected based on a WAV format
definition, IMA_ADPCM_decode() tried to read past the data chunk
buffer. This patch fixes it.
CVE-2019-7574 CVE-2019-7574
https://bugzilla.libsdl.org/show_bug.cgi?id=4496 https://bugzilla.libsdl.org/show_bug.cgi?id=4496
Signed-off-by: Petr Písař <ppisar@redhat.com> Signed-off-by: Petr Písař <ppisar@redhat.com>
--HG--
branch : SDL-1.2
--- ---
src/audio/SDL_wave.c | 9 ++++++++- src/audio/SDL_wave.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-) 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
index 21ee4dc3c..66f804421 100644 index b6c49de..2968b3d 100644
--- a/src/audio/SDL_wave.c --- a/src/audio/SDL_wave.c
+++ b/src/audio/SDL_wave.c +++ b/src/audio/SDL_wave.c
@@ -331,7 +331,7 @@ static void Fill_IMA_ADPCM_block(Uint8 *decoded, Uint8 *encoded, @@ -334,7 +334,7 @@ static void Fill_IMA_ADPCM_block(Uint8 *decoded, Uint8 *encoded,
static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
{ {
struct IMA_ADPCM_decodestate *state; struct IMA_ADPCM_decodestate *state;
@ -33,7 +31,7 @@ index 21ee4dc3c..66f804421 100644
Sint32 encoded_len, samplesleft; Sint32 encoded_len, samplesleft;
unsigned int c, channels; unsigned int c, channels;
@@ -347,6 +347,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) @@ -350,6 +350,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
/* Allocate the proper sized output buffer */ /* Allocate the proper sized output buffer */
encoded_len = *audio_len; encoded_len = *audio_len;
encoded = *audio_buf; encoded = *audio_buf;
@ -41,7 +39,7 @@ index 21ee4dc3c..66f804421 100644
freeable = *audio_buf; freeable = *audio_buf;
*audio_len = (encoded_len/IMA_ADPCM_state.wavefmt.blockalign) * *audio_len = (encoded_len/IMA_ADPCM_state.wavefmt.blockalign) *
IMA_ADPCM_state.wSamplesPerBlock* IMA_ADPCM_state.wSamplesPerBlock*
@@ -362,6 +363,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) @@ -365,6 +366,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) { while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) {
/* Grab the initial information for this block */ /* Grab the initial information for this block */
for ( c=0; c<channels; ++c ) { for ( c=0; c<channels; ++c ) {
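Review bot: the output size is still computed without checks in the context lines `*audio_len = (encoded_len/IMA_ADPCM_state.wavefmt.blockalign) * IMA_ADPCM_state.wSamplesPerBlock*`. All of these values come from the file header, and nothing in the visible lines rejects a zero `blockalign` or a product that wraps a `Uint32`. The input-side end checks added by this patch do not help if the allocation itself is undersized, so please validate `blockalign` and guard the multiplication before the buffer is allocated, or point to where that already happens.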
@ -49,7 +47,7 @@ index 21ee4dc3c..66f804421 100644
/* Fill the state information for this block */ /* Fill the state information for this block */
state[c].sample = ((encoded[1]<<8)|encoded[0]); state[c].sample = ((encoded[1]<<8)|encoded[0]);
encoded += 2; encoded += 2;
@@ -384,6 +386,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) @@ -387,6 +389,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
samplesleft = (IMA_ADPCM_state.wSamplesPerBlock-1)*channels; samplesleft = (IMA_ADPCM_state.wSamplesPerBlock-1)*channels;
while ( samplesleft > 0 ) { while ( samplesleft > 0 ) {
for ( c=0; c<channels; ++c ) { for ( c=0; c<channels; ++c ) {
@ -57,7 +55,7 @@ index 21ee4dc3c..66f804421 100644
Fill_IMA_ADPCM_block(decoded, encoded, Fill_IMA_ADPCM_block(decoded, encoded,
c, channels, &state[c]); c, channels, &state[c]);
encoded += 4; encoded += 4;
@@ -395,6 +398,10 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) @@ -398,6 +401,10 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
} }
SDL_free(freeable); SDL_free(freeable);
return(0); return(0);
@ -69,5 +67,5 @@ index 21ee4dc3c..66f804421 100644
SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc, SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc,
-- --
2.21.0 2.20.1


@ -1,13 +1,14 @@
From 730c8b917e7deecc3cdf9ac9eb20e2b7e6450356 Mon Sep 17 00:00:00 2001 From e1f80cadb079e35103e6eebf160a818815c823df Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com> From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Mon, 10 Jun 2019 09:25:05 -0700 Date: Thu, 14 Feb 2019 14:51:52 +0100
Subject: [PATCH 08/11] CVE-2019-7575: Fix a buffer overwrite in Subject: [PATCH] CVE-2019-7575: Fix a buffer overwrite in MS_ADPCM_decode
MS_ADPCM_decode If a WAV format defines shorter audio stream and decoded MS
ADPCM data chunk is longer, decoding continued past the output audio buffer.
MIME-Version: 1.0 MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8 Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit Content-Transfer-Encoding: 8bit
If a WAV format defines shorter audio stream and decoded MS ADPCM data chunk
is longer, decoding continued past the output audio buffer.
This fix is based on a patch from This fix is based on a patch from
<https://bugzilla.libsdl.org/show_bug.cgi?id=4492>. <https://bugzilla.libsdl.org/show_bug.cgi?id=4492>.
@ -15,18 +16,15 @@ https://bugzilla.libsdl.org/show_bug.cgi?id=4493
CVE-2019-7575 CVE-2019-7575
Signed-off-by: Petr Písař <ppisar@redhat.com> Signed-off-by: Petr Písař <ppisar@redhat.com>
--HG--
branch : SDL-1.2
--- ---
src/audio/SDL_wave.c | 13 ++++++++----- src/audio/SDL_wave.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-) 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
index 88ac2cca6..5f9365147 100644 index e42d01c..b6c49de 100644
--- a/src/audio/SDL_wave.c --- a/src/audio/SDL_wave.c
+++ b/src/audio/SDL_wave.c +++ b/src/audio/SDL_wave.c
@@ -122,7 +122,7 @@ static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state, @@ -115,7 +115,7 @@ static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state,
static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
{ {
struct MS_ADPCM_decodestate *state[2]; struct MS_ADPCM_decodestate *state[2];
@ -35,7 +33,7 @@ index 88ac2cca6..5f9365147 100644
Sint32 encoded_len, samplesleft; Sint32 encoded_len, samplesleft;
Sint8 nybble, stereo; Sint8 nybble, stereo;
Sint16 *coeff[2]; Sint16 *coeff[2];
@@ -142,6 +142,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) @@ -135,6 +135,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
return(-1); return(-1);
} }
decoded = *audio_buf; decoded = *audio_buf;
@ -43,7 +41,7 @@ index 88ac2cca6..5f9365147 100644
/* Get ready... Go! */ /* Get ready... Go! */
stereo = (MS_ADPCM_state.wavefmt.channels == 2); stereo = (MS_ADPCM_state.wavefmt.channels == 2);
@@ -149,7 +150,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) @@ -142,7 +143,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
state[1] = &MS_ADPCM_state.state[stereo]; state[1] = &MS_ADPCM_state.state[stereo];
while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) { while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) {
/* Grab the initial information for this block */ /* Grab the initial information for this block */
@ -52,7 +50,7 @@ index 88ac2cca6..5f9365147 100644
state[0]->hPredictor = *encoded++; state[0]->hPredictor = *encoded++;
if ( stereo ) { if ( stereo ) {
state[1]->hPredictor = *encoded++; state[1]->hPredictor = *encoded++;
@@ -179,6 +180,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) @@ -169,6 +170,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
coeff[1] = MS_ADPCM_state.aCoeff[state[1]->hPredictor]; coeff[1] = MS_ADPCM_state.aCoeff[state[1]->hPredictor];
/* Store the two initial samples we start with */ /* Store the two initial samples we start with */
@ -60,7 +58,7 @@ index 88ac2cca6..5f9365147 100644
decoded[0] = state[0]->iSamp2&0xFF; decoded[0] = state[0]->iSamp2&0xFF;
decoded[1] = state[0]->iSamp2>>8; decoded[1] = state[0]->iSamp2>>8;
decoded += 2; decoded += 2;
@@ -200,7 +202,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) @@ -190,7 +192,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)* samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)*
MS_ADPCM_state.wavefmt.channels; MS_ADPCM_state.wavefmt.channels;
while ( samplesleft > 0 ) { while ( samplesleft > 0 ) {
@ -70,7 +68,7 @@ index 88ac2cca6..5f9365147 100644
nybble = (*encoded)>>4; nybble = (*encoded)>>4;
new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]); new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]);
@@ -223,8 +226,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) @@ -213,8 +216,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
} }
SDL_free(freeable); SDL_free(freeable);
return(0); return(0);
@ -80,7 +78,7 @@ index 88ac2cca6..5f9365147 100644
+ SDL_SetError("Unexpected chunk length for a MS ADPCM decoder"); + SDL_SetError("Unexpected chunk length for a MS ADPCM decoder");
SDL_free(freeable); SDL_free(freeable);
return(-1); return(-1);
invalid_predictor: }
-- --
2.21.0 2.20.1


@ -1,13 +1,15 @@
From d5ec943db7d51fccd7230c9df0c7a2e46d611f50 Mon Sep 17 00:00:00 2001 From ac3d0d365b1f01a6782565feda0c7432a5795671 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com> From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Mon, 10 Jun 2019 08:54:11 -0700 Date: Thu, 14 Feb 2019 14:12:22 +0100
Subject: [PATCH 04/11] CVE-2019-7577: Fix a buffer overread in MS_ADPCM_decode Subject: [PATCH] CVE-2019-7577: Fix a buffer overread in MS_ADPCM_decode
If RIFF/WAV data chunk length is shorter then expected for an audio format
defined in preceeding RIFF/WAV format headers, a buffer overread can happen.
MIME-Version: 1.0 MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8 Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit Content-Transfer-Encoding: 8bit
If RIFF/WAV data chunk length is shorter then expected for an audio
format defined in preceeding RIFF/WAV format headers, a buffer
overread can happen.
This patch fixes it by checking a MS ADPCM data to be decoded are not This patch fixes it by checking a MS ADPCM data to be decoded are not
past the initialized buffer. past the initialized buffer.
@ -15,15 +17,12 @@ CVE-2019-7577
Reproducer: https://bugzilla.libsdl.org/show_bug.cgi?id=4492 Reproducer: https://bugzilla.libsdl.org/show_bug.cgi?id=4492
Signed-off-by: Petr Písař <ppisar@redhat.com> Signed-off-by: Petr Písař <ppisar@redhat.com>
--HG--
branch : SDL-1.2
--- ---
src/audio/SDL_wave.c | 10 +++++++++- src/audio/SDL_wave.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-) 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
index 66f804421..6c6eb14eb 100644 index b4ad6c7..e42d01c 100644
--- a/src/audio/SDL_wave.c --- a/src/audio/SDL_wave.c
+++ b/src/audio/SDL_wave.c +++ b/src/audio/SDL_wave.c
@@ -115,7 +115,7 @@ static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state, @@ -115,7 +115,7 @@ static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state,
@ -72,5 +71,5 @@ index 66f804421..6c6eb14eb 100644
struct IMA_ADPCM_decodestate { struct IMA_ADPCM_decodestate {
-- --
2.21.0 2.20.1


@ -1,15 +1,17 @@
From 06d20617d0d5bb89a6caf5f2201c93baf03c43c2 Mon Sep 17 00:00:00 2001 From 69cd6157644cb0a5c9edd7b5920232c2ca31c151 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com> From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Mon, 10 Jun 2019 08:54:29 -0700 Date: Tue, 12 Mar 2019 16:21:41 +0100
Subject: [PATCH 05/11] CVE-2019-7577: Fix a buffer overread in MS_ADPCM_nibble Subject: [PATCH] CVE-2019-7577: Fix a buffer overread in MS_ADPCM_nibble and
and MS_ADPCM_decode If a chunk of RIFF/WAV file with MS ADPCM encoding MS_ADPCM_decode
contains an invalid predictor (a valid predictor's value is between 0 and 6
inclusive), a buffer overread can happen when the predictor is used as an
index into an array of MS ADPCM coefficients.
MIME-Version: 1.0 MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8 Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit Content-Transfer-Encoding: 8bit
If a chunk of RIFF/WAV file with MS ADPCM encoding contains an invalid
predictor (a valid predictor's value is between 0 and 6 inclusive),
a buffer overread can happen when the predictor is used as an index
into an array of MS ADPCM coefficients.
The overead happens when indexing MS_ADPCM_state.aCoeff[] array in The overead happens when indexing MS_ADPCM_state.aCoeff[] array in
MS_ADPCM_decode() and later when dereferencing a coef pointer in MS_ADPCM_decode() and later when dereferencing a coef pointer in
MS_ADPCM_nibble(). MS_ADPCM_nibble().
@ -21,18 +23,15 @@ CVE-2019-7577
Reproducer: https://bugzilla.libsdl.org/show_bug.cgi?id=4492 Reproducer: https://bugzilla.libsdl.org/show_bug.cgi?id=4492
Signed-off-by: Petr Písař <ppisar@redhat.com> Signed-off-by: Petr Písař <ppisar@redhat.com>
--HG--
branch : SDL-1.2
--- ---
src/audio/SDL_wave.c | 7 +++++++ src/audio/SDL_wave.c | 7 +++++++
1 file changed, 7 insertions(+) 1 file changed, 7 insertions(+)
diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
index 6c6eb14eb..3eedd20a1 100644 index 08f65cb..5f93651 100644
--- a/src/audio/SDL_wave.c --- a/src/audio/SDL_wave.c
+++ b/src/audio/SDL_wave.c +++ b/src/audio/SDL_wave.c
@@ -147,6 +147,9 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) @@ -155,6 +155,9 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
if ( stereo ) { if ( stereo ) {
state[1]->hPredictor = *encoded++; state[1]->hPredictor = *encoded++;
} }
@ -42,8 +41,8 @@ index 6c6eb14eb..3eedd20a1 100644
state[0]->iDelta = ((encoded[1]<<8)|encoded[0]); state[0]->iDelta = ((encoded[1]<<8)|encoded[0]);
encoded += sizeof(Sint16); encoded += sizeof(Sint16);
if ( stereo ) { if ( stereo ) {
@@ -217,6 +220,10 @@ too_short: @@ -227,6 +230,10 @@ invalid_size:
SDL_SetError("Too short chunk for a MS ADPCM decoder"); SDL_SetError("Unexpected chunk length for a MS ADPCM decoder");
SDL_free(freeable); SDL_free(freeable);
return(-1); return(-1);
+invalid_predictor: +invalid_predictor:
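Review bot: the apply order of this patch has changed and nothing in the file records it. The hunk header context moved from `too_short:` to `invalid_size:`, the preceding message from "Too short chunk" to "Unexpected chunk length", and the index line from `6c6eb14eb..3eedd20a1` to `08f65cb..5f93651`, so on the right-hand side it applies after the overwrite fix instead of before it. With the `05/11` numbering dropped from the subject, the order is enforced only by the spec file; please add a comment there listing the required sequence, since applying these in CVE-number order will not work.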
@ -54,5 +53,5 @@ index 6c6eb14eb..3eedd20a1 100644
struct IMA_ADPCM_decodestate { struct IMA_ADPCM_decodestate {
-- --
2.21.0 2.20.1


@ -1,29 +1,27 @@
From 210e68f70a5a007b0664239aa557e6b9d1b3e830 Mon Sep 17 00:00:00 2001 From 0eb76f6cabcffa2104e34c26e0f41e6de95356ff Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com> From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Sat, 8 Jun 2019 18:02:09 -0700 Date: Fri, 15 Feb 2019 10:56:59 +0100
Subject: [PATCH 02/11] CVE-2019-7578: Fix a buffer overread in InitIMA_ADPCM Subject: [PATCH] CVE-2019-7578: Fix a buffer overread in InitIMA_ADPCM
If IMA ADPCM format chunk was too short, InitIMA_ADPCM() parsing it could
read past the end of chunk data. This patch fixes it.
MIME-Version: 1.0 MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8 Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit Content-Transfer-Encoding: 8bit
If IMA ADPCM format chunk was too short, InitIMA_ADPCM() parsing it
could read past the end of chunk data. This patch fixes it.
CVE-2019-7578 CVE-2019-7578
https://bugzilla.libsdl.org/show_bug.cgi?id=4494 https://bugzilla.libsdl.org/show_bug.cgi?id=4494
Signed-off-by: Petr Písař <ppisar@redhat.com> Signed-off-by: Petr Písař <ppisar@redhat.com>
--HG--
branch : SDL-1.2
--- ---
src/audio/SDL_wave.c | 12 +++++++++--- src/audio/SDL_wave.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-) 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
index ba1fb5252..21ee4dc3c 100644 index 1d446ed..08f65cb 100644
--- a/src/audio/SDL_wave.c --- a/src/audio/SDL_wave.c
+++ b/src/audio/SDL_wave.c +++ b/src/audio/SDL_wave.c
@@ -222,11 +222,12 @@ static struct IMA_ADPCM_decoder { @@ -240,11 +240,12 @@ static struct IMA_ADPCM_decoder {
struct IMA_ADPCM_decodestate state[2]; struct IMA_ADPCM_decodestate state[2];
} IMA_ADPCM_state; } IMA_ADPCM_state;
@ -38,7 +36,7 @@ index ba1fb5252..21ee4dc3c 100644
IMA_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding); IMA_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding);
IMA_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels); IMA_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels);
IMA_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency); IMA_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency);
@@ -235,11 +236,16 @@ static int InitIMA_ADPCM(WaveFMT *format) @@ -253,11 +254,16 @@ static int InitIMA_ADPCM(WaveFMT *format)
IMA_ADPCM_state.wavefmt.bitspersample = IMA_ADPCM_state.wavefmt.bitspersample =
SDL_SwapLE16(format->bitspersample); SDL_SwapLE16(format->bitspersample);
rogue_feel = (Uint8 *)format+sizeof(*format); rogue_feel = (Uint8 *)format+sizeof(*format);
@ -55,7 +53,7 @@ index ba1fb5252..21ee4dc3c 100644
} }
static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble) static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble)
@@ -471,7 +477,7 @@ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc, @@ -500,7 +506,7 @@ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc,
break; break;
case IMA_ADPCM_CODE: case IMA_ADPCM_CODE:
/* Try to understand this */ /* Try to understand this */
@ -65,5 +63,5 @@ index ba1fb5252..21ee4dc3c 100644
goto done; goto done;
} }
-- --
2.21.0 2.20.1


@ -1,19 +1,21 @@
From 974b6b063b652317f1a2df12834c829415529bc5 Mon Sep 17 00:00:00 2001 From beef32b0e510371f3c968d22a1e3d48abbf366c6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com> From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Tue, 11 Jun 2019 06:28:12 -0700 Date: Tue, 19 Feb 2019 14:52:52 +0100
Subject: [PATCH 09/11] CVE-2019-7635: Reject BMP images with pixel colors out Subject: [PATCH] CVE-2019-7635: Reject BMP images with pixel colors out the
the palette If a 1-, 4-, or 8-bit per pixel BMP image declares less used palette
colors than the palette offers an SDL_Surface with a palette of the indicated
number of used colors is created. If some of the image's pixel refer to a
color number higher then the maximal used colors, a subsequent bliting
operation on the surface will look up a color past a blit map (that is based
on the palette) memory. I.e. passing such SDL_Surface to e.g. an
SDL_DisplayFormat() function will result in a buffer overread in a blit
function.
MIME-Version: 1.0 MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8 Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit Content-Transfer-Encoding: 8bit
If a 1-, 4-, or 8-bit per pixel BMP image declares less used colors
than the palette offers an SDL_Surface with a palette of the indicated
number of used colors is created. If some of the image's pixel
refer to a color number higher then the maximal used colors, a subsequent
bliting operation on the surface will look up a color past a blit map
(that is based on the palette) memory. I.e. passing such SDL_Surface
to e.g. an SDL_DisplayFormat() function will result in a buffer overread in
a blit function.
This patch fixes it by validing each pixel's color to be less than the This patch fixes it by validing each pixel's color to be less than the
maximal color number in the palette. A validation failure raises an maximal color number in the palette. A validation failure raises an
error from a SDL_LoadBMP_RW() function. error from a SDL_LoadBMP_RW() function.
@ -22,18 +24,15 @@ CVE-2019-7635
https://bugzilla.libsdl.org/show_bug.cgi?id=4498 https://bugzilla.libsdl.org/show_bug.cgi?id=4498
Signed-off-by: Petr Písař <ppisar@redhat.com> Signed-off-by: Petr Písař <ppisar@redhat.com>
--HG--
branch : SDL-1.2
--- ---
src/video/SDL_bmp.c | 16 ++++++++++++++++ src/video/SDL_bmp.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+) 1 file changed, 16 insertions(+)
diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c
index d56cfd83a..8acae3bcb 100644 index 3accded..8eadc5f 100644
--- a/src/video/SDL_bmp.c --- a/src/video/SDL_bmp.c
+++ b/src/video/SDL_bmp.c +++ b/src/video/SDL_bmp.c
@@ -296,6 +296,12 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc) @@ -300,6 +300,12 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc)
} }
*(bits+i) = (pixel>>shift); *(bits+i) = (pixel>>shift);
pixel <<= ExpandBMP; pixel <<= ExpandBMP;
@ -46,7 +45,7 @@ index d56cfd83a..8acae3bcb 100644
} } } }
break; break;
@@ -306,6 +312,16 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc) @@ -310,6 +316,16 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc)
was_error = SDL_TRUE; was_error = SDL_TRUE;
goto done; goto done;
} }
@ -64,5 +63,5 @@ index d56cfd83a..8acae3bcb 100644
/* Byte-swap the pixels if needed. Note that the 24bpp /* Byte-swap the pixels if needed. Note that the 24bpp
case has already been taken care of above. */ case has already been taken care of above. */
-- --
2.21.0 2.20.1
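Review bot: the index line and hunk offsets of this patch changed in the rebase (d56cfd83a..8acae3bcb at lines 296/306 became 3accded..8eadc5f at 300/310), so it now applies on top of the CVE-2019-7638/CVE-2019-7636 change to src/video/SDL_bmp.c instead of underneath it. The two SDL_bmp.c patches are therefore order-dependent, and nothing records that. A one-line comment next to their Patch entries in the spec would keep a later reshuffle from depending on offset or fuzz handling in %prep.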

View File

@ -1,8 +1,7 @@
From 7cafd3e820489f17f86d0d897ad9719ef54599f1 Mon Sep 17 00:00:00 2001 From cc50d843089c8cf386c3e0f9cb2fae0b258a9b7b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com> From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Mon, 18 Feb 2019 13:53:16 +0100 Date: Mon, 18 Feb 2019 13:53:16 +0100
Subject: [PATCH 11/11] CVE-2019-7637: Fix in integer overflow in Subject: [PATCH] CVE-2019-7637: Fix in integer overflow in SDL_CalculatePitch
SDL_CalculatePitch
MIME-Version: 1.0 MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8 Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit Content-Transfer-Encoding: 8bit
@ -41,7 +40,7 @@ Signed-off-by: Petr Písař <ppisar@redhat.com>
8 files changed, 57 insertions(+), 7 deletions(-) 8 files changed, 57 insertions(+), 7 deletions(-)
diff --git a/src/video/SDL_pixels.c b/src/video/SDL_pixels.c diff --git a/src/video/SDL_pixels.c b/src/video/SDL_pixels.c
index 1a7fd518f..44626b749 100644 index 1a7fd51..44626b7 100644
--- a/src/video/SDL_pixels.c --- a/src/video/SDL_pixels.c
+++ b/src/video/SDL_pixels.c +++ b/src/video/SDL_pixels.c
@@ -286,26 +286,53 @@ void SDL_DitherColors(SDL_Color *colors, int bpp) @@ -286,26 +286,53 @@ void SDL_DitherColors(SDL_Color *colors, int bpp)
@ -106,7 +105,7 @@ index 1a7fd518f..44626b749 100644
/* /*
* Match an RGB value to a particular palette index * Match an RGB value to a particular palette index
diff --git a/src/video/gapi/SDL_gapivideo.c b/src/video/gapi/SDL_gapivideo.c diff --git a/src/video/gapi/SDL_gapivideo.c b/src/video/gapi/SDL_gapivideo.c
index 86deadc75..8a0648536 100644 index 86deadc..8a06485 100644
--- a/src/video/gapi/SDL_gapivideo.c --- a/src/video/gapi/SDL_gapivideo.c
+++ b/src/video/gapi/SDL_gapivideo.c +++ b/src/video/gapi/SDL_gapivideo.c
@@ -733,6 +733,9 @@ SDL_Surface *GAPI_SetVideoMode(_THIS, SDL_Surface *current, @@ -733,6 +733,9 @@ SDL_Surface *GAPI_SetVideoMode(_THIS, SDL_Surface *current,
@ -120,7 +119,7 @@ index 86deadc75..8a0648536 100644
/* Small fix for WinCE/Win32 - when activating window /* Small fix for WinCE/Win32 - when activating window
SDL_VideoSurface is equal to zero, so activating code SDL_VideoSurface is equal to zero, so activating code
diff --git a/src/video/nanox/SDL_nxvideo.c b/src/video/nanox/SDL_nxvideo.c diff --git a/src/video/nanox/SDL_nxvideo.c b/src/video/nanox/SDL_nxvideo.c
index b188e0958..cbdd09a08 100644 index b188e09..cbdd09a 100644
--- a/src/video/nanox/SDL_nxvideo.c --- a/src/video/nanox/SDL_nxvideo.c
+++ b/src/video/nanox/SDL_nxvideo.c +++ b/src/video/nanox/SDL_nxvideo.c
@@ -378,6 +378,10 @@ SDL_Surface * NX_SetVideoMode (_THIS, SDL_Surface * current, @@ -378,6 +378,10 @@ SDL_Surface * NX_SetVideoMode (_THIS, SDL_Surface * current,
@ -135,7 +134,7 @@ index b188e0958..cbdd09a08 100644
} }
diff --git a/src/video/ps2gs/SDL_gsvideo.c b/src/video/ps2gs/SDL_gsvideo.c diff --git a/src/video/ps2gs/SDL_gsvideo.c b/src/video/ps2gs/SDL_gsvideo.c
index e172c60dc..329086680 100644 index e172c60..3290866 100644
--- a/src/video/ps2gs/SDL_gsvideo.c --- a/src/video/ps2gs/SDL_gsvideo.c
+++ b/src/video/ps2gs/SDL_gsvideo.c +++ b/src/video/ps2gs/SDL_gsvideo.c
@@ -479,6 +479,9 @@ static SDL_Surface *GS_SetVideoMode(_THIS, SDL_Surface *current, @@ -479,6 +479,9 @@ static SDL_Surface *GS_SetVideoMode(_THIS, SDL_Surface *current,
@ -149,7 +148,7 @@ index e172c60dc..329086680 100644
/* Memory map the DMA area for block memory transfer */ /* Memory map the DMA area for block memory transfer */
if ( ! mapped_mem ) { if ( ! mapped_mem ) {
diff --git a/src/video/ps3/SDL_ps3video.c b/src/video/ps3/SDL_ps3video.c diff --git a/src/video/ps3/SDL_ps3video.c b/src/video/ps3/SDL_ps3video.c
index d5519e051..17848e33a 100644 index d5519e0..17848e3 100644
--- a/src/video/ps3/SDL_ps3video.c --- a/src/video/ps3/SDL_ps3video.c
+++ b/src/video/ps3/SDL_ps3video.c +++ b/src/video/ps3/SDL_ps3video.c
@@ -339,6 +339,9 @@ static SDL_Surface *PS3_SetVideoMode(_THIS, SDL_Surface * current, int width, in @@ -339,6 +339,9 @@ static SDL_Surface *PS3_SetVideoMode(_THIS, SDL_Surface * current, int width, in
@ -163,7 +162,7 @@ index d5519e051..17848e33a 100644
/* Alloc aligned mem for current->pixels */ /* Alloc aligned mem for current->pixels */
s_pixels = memalign(16, current->h * current->pitch); s_pixels = memalign(16, current->h * current->pitch);
diff --git a/src/video/windib/SDL_dibvideo.c b/src/video/windib/SDL_dibvideo.c diff --git a/src/video/windib/SDL_dibvideo.c b/src/video/windib/SDL_dibvideo.c
index 6187bfcf7..86ebb12a3 100644 index 6187bfc..86ebb12 100644
--- a/src/video/windib/SDL_dibvideo.c --- a/src/video/windib/SDL_dibvideo.c
+++ b/src/video/windib/SDL_dibvideo.c +++ b/src/video/windib/SDL_dibvideo.c
@@ -675,6 +675,9 @@ SDL_Surface *DIB_SetVideoMode(_THIS, SDL_Surface *current, @@ -675,6 +675,9 @@ SDL_Surface *DIB_SetVideoMode(_THIS, SDL_Surface *current,
@ -177,7 +176,7 @@ index 6187bfcf7..86ebb12a3 100644
/* Small fix for WinCE/Win32 - when activating window /* Small fix for WinCE/Win32 - when activating window
SDL_VideoSurface is equal to zero, so activating code SDL_VideoSurface is equal to zero, so activating code
diff --git a/src/video/windx5/SDL_dx5video.c b/src/video/windx5/SDL_dx5video.c diff --git a/src/video/windx5/SDL_dx5video.c b/src/video/windx5/SDL_dx5video.c
index f80ca97b0..39fc4fc37 100644 index f80ca97..39fc4fc 100644
--- a/src/video/windx5/SDL_dx5video.c --- a/src/video/windx5/SDL_dx5video.c
+++ b/src/video/windx5/SDL_dx5video.c +++ b/src/video/windx5/SDL_dx5video.c
@@ -1127,6 +1127,9 @@ SDL_Surface *DX5_SetVideoMode(_THIS, SDL_Surface *current, @@ -1127,6 +1127,9 @@ SDL_Surface *DX5_SetVideoMode(_THIS, SDL_Surface *current,
@ -191,7 +190,7 @@ index f80ca97b0..39fc4fc37 100644
#ifndef NO_CHANGEDISPLAYSETTINGS #ifndef NO_CHANGEDISPLAYSETTINGS
/* Set fullscreen mode if appropriate. /* Set fullscreen mode if appropriate.
diff --git a/src/video/x11/SDL_x11video.c b/src/video/x11/SDL_x11video.c diff --git a/src/video/x11/SDL_x11video.c b/src/video/x11/SDL_x11video.c
index 79e60f971..45d1f79be 100644 index 79e60f9..45d1f79 100644
--- a/src/video/x11/SDL_x11video.c --- a/src/video/x11/SDL_x11video.c
+++ b/src/video/x11/SDL_x11video.c +++ b/src/video/x11/SDL_x11video.c
@@ -1220,6 +1220,10 @@ SDL_Surface *X11_SetVideoMode(_THIS, SDL_Surface *current, @@ -1220,6 +1220,10 @@ SDL_Surface *X11_SetVideoMode(_THIS, SDL_Surface *current,
@ -206,5 +205,5 @@ index 79e60f971..45d1f79be 100644
current = NULL; current = NULL;
goto done; goto done;
-- --
2.21.0 2.20.1

View File

@ -1,8 +1,8 @@
From 73161afdf77e2cf90f47c9be0bc970dadedb5d7c Mon Sep 17 00:00:00 2001 From 28b1433b4bd7982524f2418420e8cc01786df5c4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com> From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Fri, 15 Feb 2019 16:52:27 +0100 Date: Fri, 15 Feb 2019 16:52:27 +0100
Subject: [PATCH 10/11] CVE-2019-7638, CVE-2019-7636: Refuse loading BMP images Subject: [PATCH] CVE-2019-7638, CVE-2019-7636: Refuse loading BMP images with
with too high number of colors too high number of colors
MIME-Version: 1.0 MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8 Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit Content-Transfer-Encoding: 8bit
@ -37,7 +37,7 @@ Signed-off-by: Petr Písař <ppisar@redhat.com>
1 file changed, 4 insertions(+) 1 file changed, 4 insertions(+)
diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c
index 8acae3bcb..8eadc5f66 100644 index d56cfd8..3accded 100644
--- a/src/video/SDL_bmp.c --- a/src/video/SDL_bmp.c
+++ b/src/video/SDL_bmp.c +++ b/src/video/SDL_bmp.c
@@ -233,6 +233,10 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc) @@ -233,6 +233,10 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc)
@ -52,5 +52,5 @@ index 8acae3bcb..8eadc5f66 100644
if ( biSize == 12 ) { if ( biSize == 12 ) {
for ( i = 0; i < (int)biClrUsed; ++i ) { for ( i = 0; i < (int)biClrUsed; ++i ) {
-- --
2.21.0 2.20.1

View File

@ -0,0 +1,42 @@
From 70c3d0e97755e1b208ceba2ae012877797f15627 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Thu, 21 Feb 2019 10:57:41 +0100
Subject: [PATCH] Reject 2, 3, 5, 6, 7-bpp BMP images
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BMP decoder assumes less than 8 bit depth images have 1 or 4 bits
per pixel. No other depths are correctly translated to an 8bpp
surface.
This patch rejects loading these images.
https://bugzilla.libsdl.org/show_bug.cgi?id=4498
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
src/video/SDL_bmp.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c
index 8eadc5f..758d4bb 100644
--- a/src/video/SDL_bmp.c
+++ b/src/video/SDL_bmp.c
@@ -163,6 +163,14 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc)
ExpandBMP = biBitCount;
biBitCount = 8;
break;
+ case 2:
+ case 3:
+ case 5:
+ case 6:
+ case 7:
+ SDL_SetError("%d-bpp BMP images are not supported", biBitCount);
+ was_error = SDL_TRUE;
+ goto done;
default:
ExpandBMP = 0;
break;
--
2.20.1
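Review bot: the new case list in SDL_LoadBMP_RW() is a denylist. It names 2, 3, 5, 6 and 7 bpp, and every other value that is not handled above still reaches "default:" with ExpandBMP = 0. If the goal is that only depths the decoder can translate are accepted, listing the supported depths as explicit cases and letting "default:" call SDL_SetError() and jump to done would be the safer shape. At minimum it is worth checking that a depth of 0 or an unexpected value above 8 is rejected somewhere else, since these lines do not show it.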

View File

@ -0,0 +1,32 @@
From cf8a0c3d75005436d3ed3ea0ae258cdef5b10ebe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Mon, 14 Jan 2019 12:10:21 +0100
Subject: [PATCH] Use system glext.h
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
mesa-18.2.6 changed GL_GLEXT_VERSION and that conflicts with the bundled
glext.h definitions. Use system glext.h instead via GL/gl.h.
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
include/SDL_opengl.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/include/SDL_opengl.h b/include/SDL_opengl.h
index 3d791d6..3a77b11 100644
--- a/include/SDL_opengl.h
+++ b/include/SDL_opengl.h
@@ -33,6 +33,8 @@
#endif
#include <windows.h>
#endif
+/* mesa changes GL_GLEXT_VERSION, use system glext.h instead via GL/gl.h */
+#define NO_SDL_GLEXT
#ifndef NO_SDL_GLEXT
#define __glext_h_ /* Don't let gl.h include glext.h */
#endif
--
2.17.2
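Review bot: the added "#define NO_SDL_GLEXT" in include/SDL_opengl.h is unconditional, and that has two side effects in a public header. The "#ifndef NO_SDL_GLEXT" block directly below it becomes dead code, and a consumer that already builds with -DNO_SDL_GLEXT now gets a macro redefinition diagnostic, because the command-line form defines the macro as 1 while this line defines it as empty. Wrapping the new define in its own "#ifndef NO_SDL_GLEXT" / "#endif" avoids the redefinition and keeps the existing opt-out working unchanged.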

View File

@ -0,0 +1,45 @@
changeset: 12980:32075e9e2135
branch: SDL-1.2
tag: tip
parent: 12977:37d0eba8fa17
user: Ozkan Sezer <sezeroz@gmail.com>
date: Fri Aug 02 00:35:05 2019 +0300
summary: fix copy+paste mistakes in commit 9b0e5c555c0f (CVE-2019-7637 fix):
diff -r 37d0eba8fa17 -r 32075e9e2135 src/video/gapi/SDL_gapivideo.c
--- a/src/video/gapi/SDL_gapivideo.c Wed Jul 31 23:50:10 2019 +0300
+++ b/src/video/gapi/SDL_gapivideo.c Fri Aug 02 00:35:05 2019 +0300
@@ -733,7 +733,7 @@
video->w = gapi->w = width;
video->h = gapi->h = height;
video->pitch = SDL_CalculatePitch(video);
- if (!current->pitch) {
+ if (!video->pitch) {
return(NULL);
}
diff -r 37d0eba8fa17 -r 32075e9e2135 src/video/windib/SDL_dibvideo.c
--- a/src/video/windib/SDL_dibvideo.c Wed Jul 31 23:50:10 2019 +0300
+++ b/src/video/windib/SDL_dibvideo.c Fri Aug 02 00:35:05 2019 +0300
@@ -675,7 +675,7 @@
video->w = width;
video->h = height;
video->pitch = SDL_CalculatePitch(video);
- if (!current->pitch) {
+ if (!video->pitch) {
return(NULL);
}
diff -r 37d0eba8fa17 -r 32075e9e2135 src/video/windx5/SDL_dx5video.c
--- a/src/video/windx5/SDL_dx5video.c Wed Jul 31 23:50:10 2019 +0300
+++ b/src/video/windx5/SDL_dx5video.c Fri Aug 02 00:35:05 2019 +0300
@@ -1127,7 +1127,7 @@
video->w = width;
video->h = height;
video->pitch = SDL_CalculatePitch(video);
- if (!current->pitch) {
+ if (!video->pitch) {
return(NULL);
}
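Review bot: in all three hunks the failure path after the corrected "if (!video->pitch)" is still a bare "return(NULL);", taken after video->w and video->h have already been overwritten. Unless SDL_CalculatePitch() sets the error string itself, which these lines do not show, the caller gets NULL with no reason attached, so an SDL_SetError() before the return would help. Separately, the changeset fixes gapi, windib and windx5 only, while the CVE-2019-7637 patch it corrects also touches the nanox, ps2gs, ps3 and x11 drivers. A line in the patch description confirming those were checked and test the right variable would close the question.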

Binary file not shown.

View File

@ -71,6 +71,8 @@
#include "SDL_config-mipsel.h" #include "SDL_config-mipsel.h"
#elif defined(__mips) #elif defined(__mips)
#include "SDL_config-mips.h" #include "SDL_config-mips.h"
#elif defined(__riscv) && defined(__riscv_xlen) && __riscv_xlen == 64
#include "SDL_config-riscv64.h"
#else #else
#error "The SDL-devel package is not usable with the architecture." #error "The SDL-devel package is not usable with the architecture."
#endif #endif

View File

@ -35,6 +35,8 @@ repackaged_tgz="${repackaged_tar}.gz"
# pre checks # pre checks
[ ! -f "${orig_tgz}" ] && { echo "ERROR: ${orig_tgz} does not exist"; exit 1; } [ ! -f "${orig_tgz}" ] && { echo "ERROR: ${orig_tgz} does not exist"; exit 1; }
/usr/lib/rpm/redhat/gpgverify --keyring=slouken-pubkey.asc \
--signature="${orig_tgz}.sig" --data="${orig_tgz}" || exit 1;
[ -f "${repackaged_tgz}" ] && { echo "ERROR: ${repackaged_tgz} already exist"; exit 1; } [ -f "${repackaged_tgz}" ] && { echo "ERROR: ${repackaged_tgz} already exist"; exit 1; }
# repackage # repackage
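Review bot: the gpgverify call added to the pre-checks prints no message of its own on failure. Both neighbouring checks echo an "ERROR: ..." line before exiting, while this one ends in a bare "|| exit 1", so a bad signature, a missing ${orig_tgz}.sig and a missing keyring are not distinguished by the script. An echo naming the file that failed verification would match the surrounding style. The keyring is also passed as the relative path slouken-pubkey.asc, so the result depends on the directory the script is started from. Resolving it relative to the script's own location would make that explicit.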

View File

@ -10,9 +10,9 @@
Name: SDL Name: SDL
Version: 1.2.15 Version: 1.2.15
Release: 39%{?dist} Release: 48%{?dist}
Summary: A cross-platform multimedia library Summary: A cross-platform multimedia library
URL: http://www.libsdl.org/ URL: https://www.libsdl.org/
# The license of the file src/video/fbcon/riva_mmio.h is bad, but the contents # The license of the file src/video/fbcon/riva_mmio.h is bad, but the contents
# of the file has been relicensed to MIT in 2008 by Nvidia for the # of the file has been relicensed to MIT in 2008 by Nvidia for the
# xf86_video-nv driver, therefore it can be considered ok. # xf86_video-nv driver, therefore it can be considered ok.
@ -20,11 +20,13 @@ URL: http://www.libsdl.org/
# it to zlib on 2016-02-21, # it to zlib on 2016-02-21,
# <https://www.mccaughan.org.uk/software/qsort.c-1.14>, bug #1381888. # <https://www.mccaughan.org.uk/software/qsort.c-1.14>, bug #1381888.
License: LGPLv2+ License: LGPLv2+
# Source: http://www.libsdl.org/release/%%{name}-%%{version}.tar.gz # Source: %%{url}/release/%%{name}-%%{version}.tar.gz
# To create the repackaged archive use ./repackage.sh %%{version} # To create the repackaged archive use ./repackage.sh %%{version}
Source0: %{name}-%{version}_repackaged.tar.gz Source0: %{name}-%{version}_repackaged.tar.gz
Source1: SDL_config.h Source1: %{url}/release/%{name}-%{version}.tar.gz.sig
Source2: repackage.sh Source2: https://slouken.libsdl.org/slouken-pubkey.asc
Source3: SDL_config.h
Source4: repackage.sh
Patch0: SDL-1.2.12-multilib.patch Patch0: SDL-1.2.12-multilib.patch
# Rejected by upstream as sdl1155, rh480065 # Rejected by upstream as sdl1155, rh480065
Patch1: SDL-1.2.10-GrabNotViewable.patch Patch1: SDL-1.2.10-GrabNotViewable.patch
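Review bot: Source1 is the detached signature of the upstream %{name}-%{version}.tar.gz, but Source0 is the repackaged archive, so the signature cannot be checked against anything the build actually unpacks. Verification therefore only happens when a maintainer runs repackage.sh by hand, and the comment above Source0 should say so, so that nobody assumes %prep verifies the sources. It would also help to record the expected key fingerprint in a comment next to Source2, since the key is downloaded from a libsdl.org host just like the tarball and the copy pinned in the package is what the check really trusts.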
@ -42,24 +44,61 @@ Patch5: SDL-1.2.15-no-default-backing-store.patch
Patch6: SDL-1.2.15-SDL_EnableUNICODE_drops_keyboard_events.patch Patch6: SDL-1.2.15-SDL_EnableUNICODE_drops_keyboard_events.patch
# Fix vec_perm() usage on little-endian 64-bit PowerPC, bug #1392465 # Fix vec_perm() usage on little-endian 64-bit PowerPC, bug #1392465
Patch7: SDL-1.2.15-vec_perm-ppc64le.patch Patch7: SDL-1.2.15-vec_perm-ppc64le.patch
#fixed upstream # Use system glext.h to prevent from clashing on a GL_GLEXT_VERSION definition,
Patch8: 0001-Fixed-bug-4108-Missing-break-statements-in-SDL_CDRes.patch # rh1662778
#fixes for small errors Patch8: SDL-1.2.15-Use-system-glext.h.patch
Patch9: 0001-fix-small-errors-detected-by-coverity.patch # Fix CVE-2019-7577 (a buffer overread in MS_ADPCM_decode), bug #1676510,
# upstream bug #4492, in upstream after 1.2.15
Patch9: SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch
# Fix CVE-2019-7575 (a buffer overwrite in MS_ADPCM_decode), bug #1676744,
# upstream bug #4493, in upstream after 1.2.15
Patch10: SDL-1.2.15-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch
# Fix CVE-2019-7574 (a buffer overread in IMA_ADPCM_decode), bug #1676750,
# upstream bug #4496, in upstream after 1.2.15
Patch11: SDL-1.2.15-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch
# Fix CVE-2019-7572 (a buffer overread in IMA_ADPCM_nibble), bug #1676754,
# upstream bug #4495, in upstream after 1.2.15
Patch12: SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch
# Fix CVE-2019-7572 (a buffer overwrite in IMA_ADPCM_nibble), bug #1676754,
# upstream bug #4495, in upstream after 1.2.15
Patch13: SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch
# Fix CVE-2019-7573, CVE-2019-7576 (buffer overreads in InitMS_ADPCM),
# bugs #1676752, #1676756, upstream bugs #4491, #4490,
# in upstream after 1.2.15
Patch14: SDL-1.2.15-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch
# Fix CVE-2019-7578, (a buffer overread in InitIMA_ADPCM), bug #1676782,
# upstream bug #4491, in upstream after 1.2.15
Patch15: SDL-1.2.15-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch
# Fix CVE-2019-7638, CVE-2019-7636 (buffer overflows when processing BMP
# images with too high number of colors), bugs #1677144, #1677157,
# upstream bugs #4500, #4499, in upstream after 1.2.15
Patch16: SDL-1.2.15-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch
# Fix CVE-2019-7637 (an integer overflow in SDL_CalculatePitch), bug #1677152,
# upstream bug #4497, in upstream after 1.2.15
Patch17: SDL-1.2.15-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch
# Fix CVE-2019-7635 (a buffer overread when blitting a BMP image with pixel
# colors out the palette), bug #1677159, upstream bug #4498,
# in upstream after 1.2.15
Patch18: SDL-1.2.15-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch
# Reject 2, 3, 5, 6, 7-bpp BMP images (related to CVE-2019-7635),
# bug #1677159, upstream bug #4498, in upstream after 1.2.15
Patch19: SDL-1.2.15-Reject-2-3-5-6-7-bpp-BMP-images.patch
# Fix CVE-2019-7577 (Fix a buffer overread in MS_ADPCM_nibble and
# MS_ADPCM_decode on an invalid predictor), bug #1676510, upstream bug #4492,
# in upstream after 1.2.15
Patch20: SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch
# Fix retrieving an error code after stopping and resuming a CD-ROM playback,
# upstream bug #4108, in upstream after 1.2.15
Patch21: SDL-1.2.15-Fixed-bug-4108-Missing-break-statements-in-SDL_CDRes.patch
# Fix SDL_Surface reference counter initialization and a possible crash when
# opening a mouse device when using a framebuffer video output, bug #1602687
Patch22: SDL-1.2.15-fix-small-errors-detected-by-coverity.patch
# Fix Windows drivers broken with a patch for CVE-2019-7637, bug #1677152,
# upstream bug #4497, in upstream after 1.2.15
Patch23: SDL-1.2.15-fix_copy_paste_mistakes_in_commit_9b0e5c555c0f.patch
# Fix CVE-2019-13616 (a heap buffer over-read in BlitNtoN), bug #1747237,
# upstream bug #4538, in upstream after 1.2.15 # upstream bug #4538, in upstream after 1.2.15
Patch10: SDL-1.2.15-CVE-2019-13616-validate_image_size_when_loading_BMP_files.patch Patch24: SDL-1.2.15-CVE-2019-13616-validate_image_size_when_loading_BMP_files.patch
Patch11: 0001-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch
Patch12: 0002-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch
Patch13: 0003-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch
Patch14: 0004-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch
Patch15: 0005-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch
Patch16: 0006-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch
Patch17: 0007-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch
Patch18: 0008-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch
Patch19: 0009-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch
Patch20: 0010-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch
Patch21: 0011-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch
BuildRequires: alsa-lib-devel BuildRequires: alsa-lib-devel
%if %{with arts} %if %{with arts}
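Review bot: the comment for Patch13 appears to name the wrong function. It says "a buffer overwrite in IMA_ADPCM_nibble", but the patch file name ends in Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch, and IMA_ADPCM_nibble is already the subject of Patch12. Two smaller points in the same block: the Patch15 comment has a stray comma after CVE-2019-7578, and it cites upstream bug #4491, which the Patch14 comment also lists. One of the two references is probably a typo and should be checked against the upstream tracker.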
@ -148,7 +187,9 @@ applications.
%patch19 -p1 %patch19 -p1
%patch20 -p1 %patch20 -p1
%patch21 -p1 %patch21 -p1
%patch22 -p1
%patch23 -p1
%patch24 -p1
for F in CREDITS; do for F in CREDITS; do
iconv -f iso8859-1 -t utf-8 < "$F" > "${F}.utf" iconv -f iso8859-1 -t utf-8 < "$F" > "${F}.utf"
touch --reference "$F" "${F}.utf" touch --reference "$F" "${F}.utf"
@ -158,14 +199,13 @@ done
# Compilation without ESD # Compilation without ESD
sed -i -e 's/.*AM_PATH_ESD.*//' configure.in sed -i -e 's/.*AM_PATH_ESD.*//' configure.in
%endif %endif
# Update config.sub to support aarch64, bug #926510
cp -p /usr/share/automake-*/config.{sub,guess} build-scripts
%build %build
aclocal aclocal
libtoolize libtoolize
autoconf autoconf
%configure \ %configure \
--enable-video-opengl \
--disable-video-svga \ --disable-video-svga \
--disable-video-ggi \ --disable-video-ggi \
--disable-video-aalib \ --disable-video-aalib \
@ -189,32 +229,28 @@ autoconf
--enable-alsa \ --enable-alsa \
--disable-video-ps3 \ --disable-video-ps3 \
--disable-rpath --disable-rpath
make %{?_smp_mflags} %{make_build}
%install %install
make install DESTDIR=%{buildroot} %{make_install}
# Rename SDL_config.h to SDL_config-<arch>.h to avoid file conflicts on # Rename SDL_config.h to SDL_config-<arch>.h to avoid file conflicts on
# multilib systems and install SDL_config.h wrapper # multilib systems and install SDL_config.h wrapper
mv %{buildroot}/%{_includedir}/SDL/SDL_config.h %{buildroot}/%{_includedir}/SDL/SDL_config-%{_arch}.h mv %{buildroot}/%{_includedir}/SDL/SDL_config.h %{buildroot}/%{_includedir}/SDL/SDL_config-%{_arch}.h
install -m644 %{SOURCE1} %{buildroot}/%{_includedir}/SDL/SDL_config.h install -m644 %{SOURCE3} %{buildroot}/%{_includedir}/SDL/SDL_config.h
# remove libtool .la file # remove libtool .la file
rm -f %{buildroot}%{_libdir}/*.la rm -f %{buildroot}%{_libdir}/*.la
%post -p /sbin/ldconfig
%postun -p /sbin/ldconfig
%files %files
%license COPYING %license COPYING
%doc BUGS CREDITS README-SDL.txt %doc BUGS CREDITS README-SDL.txt
%{_libdir}/lib*.so.* %{_libdir}/libSDL-1.2.so.*
%files devel %files devel
%doc README docs.html docs/html docs/index.html TODO WhatsNew %doc README docs.html docs/html docs/index.html TODO WhatsNew
%{_bindir}/*-config %{_bindir}/*-config
%{_libdir}/lib*.so %{_libdir}/libSDL.so
%{_libdir}/pkgconfig/sdl.pc %{_libdir}/pkgconfig/sdl.pc
%{_includedir}/SDL %{_includedir}/SDL
%{_datadir}/aclocal/* %{_datadir}/aclocal/*
@ -225,42 +261,82 @@ rm -f %{buildroot}%{_libdir}/*.la
%{_libdir}/lib*.a %{_libdir}/lib*.a
%changelog %changelog
* Tue Dec 15 2020 Wim Taymans <wtaymans@redhat.com> - 1.2.15-39 * Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 1.2.15-48
- copy config.{sub,guess} from /usr/share/automake - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
- Resolves: rhbz#1907503 Related: rhbz#1991688
* Mon Mar 23 2020 Wim Taymans <wtaymans@redhat.com> - 1.2.15-38 * Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 1.2.15-47
- fix CVEs - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
- Resolves: rhbz#1716209, rhbz#1716210, rhbz#1716211, rhbz#1716212,
rhbz#1716213, rhbz#1716214, rhbz#1716215, rhbz#1716216,
rhbz#1716217, rhbz#1716218, rhbz#1716219
* Thu Nov 21 2019 Wim Taymans <wtaymans@redhat.com> - 1.2.15-37 * Mon Jan 25 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.15-46
- Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
- Resolves: rhbz#1756279
* Fri Aug 30 2019 Petr Pisar <ppisar@redhat.com> - 1.2.15-36 * Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.15-45
- Second attempt - Rebuilt for
https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.15-44
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.15-43
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Fri Aug 30 2019 Petr Pisar <ppisar@redhat.com> - 1.2.15-42
- Fix CVE-2019-13616 (a heap buffer over-read in BlitNtoN) (bug #1747237) - Fix CVE-2019-13616 (a heap buffer over-read in BlitNtoN) (bug #1747237)
- Resolves: rhbz#1756279
* Mon May 27 2019 Wim Taymans <wtaymans@redhat.com> - 1.2.15-35 * Fri Aug 02 2019 Petr Pisar <ppisar@redhat.com> - 1.2.15-41
- Rebuild after gating - Fix Windows drivers broken with a patch for CVE-2019-7637 (bug #1677152)
- Resolves: rhbz#1602687 - Update URL to use secured HTTP protocol
* Tue Apr 30 2019 Wim Taymans <wtaymans@redhat.com> - 1.2.15-34 * Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.15-40
- Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
- Resolves: rhbz#1602687
* Mon Apr 29 2019 Wim Taymans <wtaymans@redhat.com> - 1.2.15-33 * Mon Jun 03 2019 Petr Pisar <ppisar@redhat.com> - 1.2.15-39
- Small fixes for problems found by coverity - Fix retrieving an error code after stopping and resuming a CD-ROM playback
- Resolves: rhbz#1602687 (upstream bug #4108)
- Fix SDL_Surface reference counter initialization and a possible crash when
opening a mouse device when using a framebuffer video output (bug #1602687)
* Thu Aug 16 2018 Wim Taymans <wtaymans@redhat.com> - 1.2.15-32 * Tue Mar 12 2019 Petr Pisar <ppisar@redhat.com> - 1.2.15-38
- Fix wrong fall throughs in cdrom - Fix CVE-2019-7577 completely (a buffer overread in MS_ADPCM_nibble and
- Resolves: rhbz#1602687 MS_ADPCM_decode on an invalid predictor) (bug #1676510)
* Tue Jul 17 2018 Wim Taymans <wtaymans@redhat.com> - 1.2.15-31 * Fri Feb 15 2019 Petr Pisar <ppisar@redhat.com> - 1.2.15-37
- Remove obsolete audiofile-devel BR - Fix CVE-2019-7577 (a buffer overread in MS_ADPCM_decode) (bug #1676510)
- Fix CVE-2019-7575 (a buffer overwrite in MS_ADPCM_decode) (bug #1676744)
- Fix CVE-2019-7574 (a buffer overread in IMA_ADPCM_decode) (bug #1676750)
- Fix CVE-2019-7572 (a buffer overread in IMA_ADPCM_nibble) (bug #1676754)
- Fix CVE-2019-7572 (a buffer overwrite in IMA_ADPCM_nibble) (bug #1676754)
- Fix CVE-2019-7573, CVE-2019-7576 (buffer overreads in InitMS_ADPCM)
(bugs #1676752, #1676756)
- Fix CVE-2019-7578 (a buffer overread in InitIMA_ADPCM) (bug #1676782)
- Fix CVE-2019-7638, CVE-2019-7636 (buffer overflows when processing BMP
images with too high number of colors) (bugs #1677144, #1677157)
- Fix CVE-2019-7637 (an integer overflow in SDL_CalculatePitch) (bug #1677152)
- Fix CVE-2019-7635 (a buffer overread when blitting a BMP image with pixel
colors out the palette) (bug #1677159)
- Reject 2, 3, 5, 6, 7-bpp BMP images (bug #1677159)
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.15-36
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Mon Jan 14 2019 Petr Pisar <ppisar@redhat.com> - 1.2.15-35
- Remove manual updating of config.{guess,sub} - this has been part of
%%configure since 2013
- Use system glext.h to prevent from clashing on a GL_GLEXT_VERSION definition
(bug #1662778)
* Tue Aug 28 2018 Petr Pisar <ppisar@redhat.com> - 1.2.15-34
- Remove useless build-time dependency on audiofile-devel
* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.15-33
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Tue Mar 27 2018 David Abdurachmanov <david.abdurachmanov@gmail.com> - 1.2.15-32
- Add riscv64 to SDL_config.h
* Thu Mar 22 2018 Petr Pisar <ppisar@redhat.com> - 1.2.15-31
- Remove post scriptlets with ldconfig
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.15-30 * Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.15-30
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild