22 changed files with 392 additions and 206 deletions
--- a/.SDL.metadata
+++ b/.SDL.metadata
@ -1 +1,2 @@
 61a0c4976ecc88d1101f1d03105089588d167a40 SOURCES/SDL-1.2.15_repackaged.tar.gz
 5778b357370d88bfac9c34e5aba106e2375f8cc7 SOURCES/slouken-pubkey.asc
--- a/.gitignore
+++ b/.gitignore
@ -1 +1,2 @@
 SOURCES/SDL-1.2.15_repackaged.tar.gz
 SOURCES/slouken-pubkey.asc
--- a/SOURCES/SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch
+++ b/SOURCES/SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch
@ -1,14 +1,15 @@
-From 4b4cac39ba7988df9d8def32360dd842b707ba74 Mon Sep 17 00:00:00 2001
+From bb11ffcff5ae2f25bead921c2a299e7e63d8a759 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
-Date: Sat, 8 Jun 2019 17:57:43 -0700
+Date: Thu, 14 Feb 2019 16:51:54 +0100
-Subject: [PATCH 01/11] CVE-2019-7572: Fix a buffer overread in
+Subject: [PATCH] CVE-2019-7572: Fix a buffer overread in IMA_ADPCM_nibble
 IMA_ADPCM_nibble If an IMA ADPCM block contained an initial index out of step
 table range (loaded in IMA_ADPCM_decode()), IMA_ADPCM_nibble() blindly used
 this bogus value and that lead to a buffer overread.
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 If an IMA ADPCM block contained an initial index out of step table
 range (loaded in IMA_ADPCM_decode()), IMA_ADPCM_nibble() blindly used
 this bogus value and that lead to a buffer overread.
 This patch fixes it by moving clamping the index value at the
 beginning of IMA_ADPCM_nibble() function instead of the end after
 an update.
@ -17,18 +18,15 @@ CVE-2019-7572
 https://bugzilla.libsdl.org/show_bug.cgi?id=4495
 Signed-off-by: Petr Písař <ppisar@redhat.com>
 --HG--
 branch : SDL-1.2
 ---
 src/audio/SDL_wave.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
 diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
-index b4ad6c787..ba1fb5252 100644
+index 2968b3d..69d62dc 100644
 --- a/src/audio/SDL_wave.c
 +++ b/src/audio/SDL_wave.c
-@@ -264,6 +264,14 @@ static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble)
+@@ -275,6 +275,14 @@ static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble)
 	};
 	Sint32 delta, step;
@ -43,7 +41,7 @@ index b4ad6c787..ba1fb5252 100644
 	/* Compute difference and new sample value */
 	step = step_table[state->index];
 	delta = step >> 3;
-@@ -275,12 +283,6 @@ static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble)
+@@ -286,12 +294,6 @@ static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble)
 	/* Update index value */
 	state->index += index_table[nybble];
@ -57,5 +55,5 @@ index b4ad6c787..ba1fb5252 100644
 	/* Clamp output sample */
 	if ( state->sample > max_audioval ) {
 -- 
-2.21.0
+2.20.1
--- a/SOURCES/SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch
+++ b/SOURCES/SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch
@ -1,14 +1,15 @@
-From b637e14f849130449544c8899aed716a2f049b75 Mon Sep 17 00:00:00 2001
+From 6086741bda4d43cc227500bc7645a829380e6326 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
-Date: Mon, 10 Jun 2019 08:57:11 -0700
+Date: Fri, 15 Feb 2019 09:21:45 +0100
-Subject: [PATCH 06/11] CVE-2019-7572: Fix a buffer overwrite in
+Subject: [PATCH] CVE-2019-7572: Fix a buffer overwrite in IMA_ADPCM_decode
 IMA_ADPCM_decode If data chunk was longer than expected based on a WAV format
 definition, IMA_ADPCM_decode() tried to write past the output buffer. This
 patch fixes it.
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 If data chunk was longer than expected based on a WAV format
 definition, IMA_ADPCM_decode() tried to write past the output
 buffer. This patch fixes it.
 Based on patch from
 <https://bugzilla.libsdl.org/show_bug.cgi?id=4496>.
@ -16,18 +17,15 @@ CVE-2019-7572
 https://bugzilla.libsdl.org/show_bug.cgi?id=4495
 Signed-off-by: Petr Písař <ppisar@redhat.com>
 --HG--
 branch : SDL-1.2
 ---
 src/audio/SDL_wave.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
 diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
-index 3eedd20a1..4159eb710 100644
+index 69d62dc..91e89e8 100644
 --- a/src/audio/SDL_wave.c
 +++ b/src/audio/SDL_wave.c
-@@ -346,7 +346,7 @@ static void Fill_IMA_ADPCM_block(Uint8 *decoded, Uint8 *encoded,
+@@ -336,7 +336,7 @@ static void Fill_IMA_ADPCM_block(Uint8 *decoded, Uint8 *encoded,
 static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
 {
 	struct IMA_ADPCM_decodestate *state;
@ -36,7 +34,7 @@ index 3eedd20a1..4159eb710 100644
 	Sint32 encoded_len, samplesleft;
 	unsigned int c, channels;
-@@ -373,6 +373,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+@@ -363,6 +363,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
 		return(-1);
 	}
 	decoded = *audio_buf;
@ -44,7 +42,7 @@ index 3eedd20a1..4159eb710 100644
 	/* Get ready... Go! */
 	while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) {
-@@ -392,6 +393,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+@@ -382,6 +383,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
 			}
 			/* Store the initial sample we start with */
@ -52,7 +50,7 @@ index 3eedd20a1..4159eb710 100644
 			decoded[0] = (Uint8)(state[c].sample&0xFF);
 			decoded[1] = (Uint8)(state[c].sample>>8);
 			decoded += 2;
-@@ -402,6 +404,8 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+@@ -392,6 +394,8 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
 		while ( samplesleft > 0 ) {
 			for ( c=0; c<channels; ++c ) {
 				if (encoded + 4 > encoded_end) goto invalid_size;
@ -62,5 +60,5 @@ index 3eedd20a1..4159eb710 100644
 						c, channels, &state[c]);
 				encoded += 4;
 -- 
-2.21.0
+2.20.1
--- a/SOURCES/SDL-1.2.15-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch
+++ b/SOURCES/SDL-1.2.15-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch
@ -1,28 +1,27 @@
-From 45ef356d8c01a3941286b35b90eb319959f20f2c Mon Sep 17 00:00:00 2001
+From 3e2c89e516701f3586dfeadec13932f665371d2a Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
-Date: Mon, 10 Jun 2019 09:06:23 -0700
+Date: Fri, 15 Feb 2019 10:36:13 +0100
-Subject: [PATCH 07/11] CVE-2019-7573, CVE-2019-7576: Fix buffer overreads in
+Subject: [PATCH] CVE-2019-7573, CVE-2019-7576: Fix buffer overreads in
- InitMS_ADPCM If MS ADPCM format chunk was too short, InitMS_ADPCM() parsing
+ InitMS_ADPCM
 it could read past the end of chunk data. This patch fixes it.
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 If MS ADPCM format chunk was too short, InitMS_ADPCM() parsing it
 could read past the end of chunk data. This patch fixes it.
 CVE-2019-7573
 https://bugzilla.libsdl.org/show_bug.cgi?id=4491
 CVE-2019-7576
 https://bugzilla.libsdl.org/show_bug.cgi?id=4490
 Signed-off-by: Petr Písař <ppisar@redhat.com>
 --HG--
 branch : SDL-1.2
 ---
 src/audio/SDL_wave.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
 diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
-index 4159eb710..88ac2cca6 100644
+index 91e89e8..1d446ed 100644
 --- a/src/audio/SDL_wave.c
 +++ b/src/audio/SDL_wave.c
@@ -44,12 +44,13 @@ static struct MS_ADPCM_decoder {
@ -70,7 +69,7 @@ index 4159eb710..88ac2cca6 100644
 }
 static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state,
-@@ -495,7 +502,7 @@ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc,
+@@ -485,7 +492,7 @@ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc,
 			break;
 		case MS_ADPCM_CODE:
 			/* Try to understand this */
@ -80,5 +79,5 @@ index 4159eb710..88ac2cca6 100644
 				goto done;
 			}
 -- 
-2.21.0
+2.20.1
--- a/SOURCES/SDL-1.2.15-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch
+++ b/SOURCES/SDL-1.2.15-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch
@ -1,30 +1,28 @@
-From db0282cbe00a64cc65ba445ea21928d72dc26d97 Mon Sep 17 00:00:00 2001
+From 9b2eee24768889378032077423cb6a3221a8ad18 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
-Date: Mon, 10 Jun 2019 08:50:59 -0700
+Date: Thu, 14 Feb 2019 15:41:47 +0100
-Subject: [PATCH 03/11] CVE-2019-7574: Fix a buffer overread in
+Subject: [PATCH] CVE-2019-7574: Fix a buffer overread in IMA_ADPCM_decode
 IMA_ADPCM_decode If data chunk was shorter than expected based on a WAV
 format definition, IMA_ADPCM_decode() tried to read past the data chunk
 buffer. This patch fixes it.
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 If data chunk was shorter than expected based on a WAV format
 definition, IMA_ADPCM_decode() tried to read past the data chunk
 buffer. This patch fixes it.
 CVE-2019-7574
 https://bugzilla.libsdl.org/show_bug.cgi?id=4496
 Signed-off-by: Petr Písař <ppisar@redhat.com>
 --HG--
 branch : SDL-1.2
 ---
 src/audio/SDL_wave.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
 diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
-index 21ee4dc3c..66f804421 100644
+index b6c49de..2968b3d 100644
 --- a/src/audio/SDL_wave.c
 +++ b/src/audio/SDL_wave.c
-@@ -331,7 +331,7 @@ static void Fill_IMA_ADPCM_block(Uint8 *decoded, Uint8 *encoded,
+@@ -334,7 +334,7 @@ static void Fill_IMA_ADPCM_block(Uint8 *decoded, Uint8 *encoded,
 static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
 {
 	struct IMA_ADPCM_decodestate *state;
@ -33,7 +31,7 @@ index 21ee4dc3c..66f804421 100644
 	Sint32 encoded_len, samplesleft;
 	unsigned int c, channels;
-@@ -347,6 +347,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+@@ -350,6 +350,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
 	/* Allocate the proper sized output buffer */
 	encoded_len = *audio_len;
 	encoded = *audio_buf;
@ -41,7 +39,7 @@ index 21ee4dc3c..66f804421 100644
 	freeable = *audio_buf;
 	*audio_len = (encoded_len/IMA_ADPCM_state.wavefmt.blockalign) * 
 				IMA_ADPCM_state.wSamplesPerBlock*
-@@ -362,6 +363,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+@@ -365,6 +366,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
 	while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) {
 		/* Grab the initial information for this block */
 		for ( c=0; c<channels; ++c ) {
@ -49,7 +47,7 @@ index 21ee4dc3c..66f804421 100644
 			/* Fill the state information for this block */
 			state[c].sample = ((encoded[1]<<8)|encoded[0]);
 			encoded += 2;
-@@ -384,6 +386,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+@@ -387,6 +389,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
 		samplesleft = (IMA_ADPCM_state.wSamplesPerBlock-1)*channels;
 		while ( samplesleft > 0 ) {
 			for ( c=0; c<channels; ++c ) {
@ -57,7 +55,7 @@ index 21ee4dc3c..66f804421 100644
 				Fill_IMA_ADPCM_block(decoded, encoded,
 						c, channels, &state[c]);
 				encoded += 4;
-@@ -395,6 +398,10 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+@@ -398,6 +401,10 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
 	}
 	SDL_free(freeable);
 	return(0);
@ -69,5 +67,5 @@ index 21ee4dc3c..66f804421 100644
 SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc,
 -- 
-2.21.0
+2.20.1
--- a/SOURCES/SDL-1.2.15-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch
+++ b/SOURCES/SDL-1.2.15-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch
@ -1,13 +1,14 @@
-From 730c8b917e7deecc3cdf9ac9eb20e2b7e6450356 Mon Sep 17 00:00:00 2001
+From e1f80cadb079e35103e6eebf160a818815c823df Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
-Date: Mon, 10 Jun 2019 09:25:05 -0700
+Date: Thu, 14 Feb 2019 14:51:52 +0100
-Subject: [PATCH 08/11] CVE-2019-7575: Fix a buffer overwrite in
+Subject: [PATCH] CVE-2019-7575: Fix a buffer overwrite in MS_ADPCM_decode
 MS_ADPCM_decode If a WAV format defines shorter audio stream and decoded MS
 ADPCM data chunk is longer, decoding continued past the output audio buffer.
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 If a WAV format defines shorter audio stream and decoded MS ADPCM data chunk
 is longer, decoding continued past the output audio buffer.
 This fix is based on a patch from
 <https://bugzilla.libsdl.org/show_bug.cgi?id=4492>.
@ -15,18 +16,15 @@ https://bugzilla.libsdl.org/show_bug.cgi?id=4493
 CVE-2019-7575
 Signed-off-by: Petr Písař <ppisar@redhat.com>
 --HG--
 branch : SDL-1.2
 ---
 src/audio/SDL_wave.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
 diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
-index 88ac2cca6..5f9365147 100644
+index e42d01c..b6c49de 100644
 --- a/src/audio/SDL_wave.c
 +++ b/src/audio/SDL_wave.c
-@@ -122,7 +122,7 @@ static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state,
+@@ -115,7 +115,7 @@ static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state,
 static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
 {
 	struct MS_ADPCM_decodestate *state[2];
@ -35,7 +33,7 @@ index 88ac2cca6..5f9365147 100644
 	Sint32 encoded_len, samplesleft;
 	Sint8 nybble, stereo;
 	Sint16 *coeff[2];
-@@ -142,6 +142,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+@@ -135,6 +135,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
 		return(-1);
 	}
 	decoded = *audio_buf;
@ -43,7 +41,7 @@ index 88ac2cca6..5f9365147 100644
 	/* Get ready... Go! */
 	stereo = (MS_ADPCM_state.wavefmt.channels == 2);
-@@ -149,7 +150,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+@@ -142,7 +143,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
 	state[1] = &MS_ADPCM_state.state[stereo];
 	while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) {
 		/* Grab the initial information for this block */
@ -52,7 +50,7 @@ index 88ac2cca6..5f9365147 100644
 		state[0]->hPredictor = *encoded++;
 		if ( stereo ) {
 			state[1]->hPredictor = *encoded++;
-@@ -179,6 +180,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+@@ -169,6 +170,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
 		coeff[1] = MS_ADPCM_state.aCoeff[state[1]->hPredictor];
 		/* Store the two initial samples we start with */
@ -60,7 +58,7 @@ index 88ac2cca6..5f9365147 100644
 		decoded[0] = state[0]->iSamp2&0xFF;
 		decoded[1] = state[0]->iSamp2>>8;
 		decoded += 2;
-@@ -200,7 +202,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+@@ -190,7 +192,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
 		samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)*
 					MS_ADPCM_state.wavefmt.channels;
 		while ( samplesleft > 0 ) {
@ -70,7 +68,7 @@ index 88ac2cca6..5f9365147 100644
 			nybble = (*encoded)>>4;
 			new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]);
-@@ -223,8 +226,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+@@ -213,8 +216,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
 	}
 	SDL_free(freeable);
 	return(0);
@ -80,7 +78,7 @@ index 88ac2cca6..5f9365147 100644
 +	SDL_SetError("Unexpected chunk length for a MS ADPCM decoder");
 	SDL_free(freeable);
 	return(-1);
- invalid_predictor:
+ }
 -- 
-2.21.0
+2.20.1
--- a/SOURCES/SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch
+++ b/SOURCES/SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch
@ -1,13 +1,15 @@
-From d5ec943db7d51fccd7230c9df0c7a2e46d611f50 Mon Sep 17 00:00:00 2001
+From ac3d0d365b1f01a6782565feda0c7432a5795671 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
-Date: Mon, 10 Jun 2019 08:54:11 -0700
+Date: Thu, 14 Feb 2019 14:12:22 +0100
-Subject: [PATCH 04/11] CVE-2019-7577: Fix a buffer overread in MS_ADPCM_decode
+Subject: [PATCH] CVE-2019-7577: Fix a buffer overread in MS_ADPCM_decode
 If RIFF/WAV data chunk length is shorter then expected for an audio format
 defined in preceeding RIFF/WAV format headers, a buffer overread can happen.
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 If RIFF/WAV data chunk length is shorter then expected for an audio
 format defined in preceeding RIFF/WAV format headers, a buffer
 overread can happen.
 This patch fixes it by checking a MS ADPCM data to be decoded are not
 past the initialized buffer.
@ -15,15 +17,12 @@ CVE-2019-7577
 Reproducer: https://bugzilla.libsdl.org/show_bug.cgi?id=4492
 Signed-off-by: Petr Písař <ppisar@redhat.com>
 --HG--
 branch : SDL-1.2
 ---
 src/audio/SDL_wave.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
 diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
-index 66f804421..6c6eb14eb 100644
+index b4ad6c7..e42d01c 100644
 --- a/src/audio/SDL_wave.c
 +++ b/src/audio/SDL_wave.c
@@ -115,7 +115,7 @@ static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state,
@ -72,5 +71,5 @@ index 66f804421..6c6eb14eb 100644
 struct IMA_ADPCM_decodestate {
 -- 
-2.21.0
+2.20.1
--- a/SOURCES/SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch
+++ b/SOURCES/SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch
@ -1,15 +1,17 @@
-From 06d20617d0d5bb89a6caf5f2201c93baf03c43c2 Mon Sep 17 00:00:00 2001
+From 69cd6157644cb0a5c9edd7b5920232c2ca31c151 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
-Date: Mon, 10 Jun 2019 08:54:29 -0700
+Date: Tue, 12 Mar 2019 16:21:41 +0100
-Subject: [PATCH 05/11] CVE-2019-7577: Fix a buffer overread in MS_ADPCM_nibble
+Subject: [PATCH] CVE-2019-7577: Fix a buffer overread in MS_ADPCM_nibble and
- and MS_ADPCM_decode If a chunk of RIFF/WAV file with MS ADPCM encoding
+ MS_ADPCM_decode
 contains an invalid predictor (a valid predictor's value is between 0 and 6
 inclusive), a buffer overread can happen when the predictor is used as an
 index into an array of MS ADPCM coefficients.
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 If a chunk of RIFF/WAV file with MS ADPCM encoding contains an invalid
 predictor (a valid predictor's value is between 0 and 6 inclusive),
 a buffer overread can happen when the predictor is used as an index
 into an array of MS ADPCM coefficients.
 The overead happens when indexing MS_ADPCM_state.aCoeff[] array in
 MS_ADPCM_decode() and later when dereferencing a coef pointer in
 MS_ADPCM_nibble().
@ -21,18 +23,15 @@ CVE-2019-7577
 Reproducer: https://bugzilla.libsdl.org/show_bug.cgi?id=4492
 Signed-off-by: Petr Písař <ppisar@redhat.com>
 --HG--
 branch : SDL-1.2
 ---
 src/audio/SDL_wave.c | 7 +++++++
 1 file changed, 7 insertions(+)
 diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
-index 6c6eb14eb..3eedd20a1 100644
+index 08f65cb..5f93651 100644
 --- a/src/audio/SDL_wave.c
 +++ b/src/audio/SDL_wave.c
-@@ -147,6 +147,9 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+@@ -155,6 +155,9 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
 		if ( stereo ) {
 			state[1]->hPredictor = *encoded++;
 		}
@ -42,8 +41,8 @@ index 6c6eb14eb..3eedd20a1 100644
 		state[0]->iDelta = ((encoded[1]<<8)|encoded[0]);
 		encoded += sizeof(Sint16);
 		if ( stereo ) {
-@@ -217,6 +220,10 @@ too_short:
+@@ -227,6 +230,10 @@ invalid_size:
- 	SDL_SetError("Too short chunk for a MS ADPCM decoder");
+ 	SDL_SetError("Unexpected chunk length for a MS ADPCM decoder");
 	SDL_free(freeable);
 	return(-1);
 +invalid_predictor:
@ -54,5 +53,5 @@ index 6c6eb14eb..3eedd20a1 100644
 struct IMA_ADPCM_decodestate {
 -- 
-2.21.0
+2.20.1
--- a/SOURCES/SDL-1.2.15-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch
+++ b/SOURCES/SDL-1.2.15-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch
@ -1,29 +1,27 @@
-From 210e68f70a5a007b0664239aa557e6b9d1b3e830 Mon Sep 17 00:00:00 2001
+From 0eb76f6cabcffa2104e34c26e0f41e6de95356ff Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
-Date: Sat, 8 Jun 2019 18:02:09 -0700
+Date: Fri, 15 Feb 2019 10:56:59 +0100
-Subject: [PATCH 02/11] CVE-2019-7578: Fix a buffer overread in InitIMA_ADPCM
+Subject: [PATCH] CVE-2019-7578: Fix a buffer overread in InitIMA_ADPCM
 If IMA ADPCM format chunk was too short, InitIMA_ADPCM() parsing it could
 read past the end of chunk data. This patch fixes it.
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 If IMA ADPCM format chunk was too short, InitIMA_ADPCM() parsing it
 could read past the end of chunk data. This patch fixes it.
 CVE-2019-7578
 https://bugzilla.libsdl.org/show_bug.cgi?id=4494
 Signed-off-by: Petr Písař <ppisar@redhat.com>
 --HG--
 branch : SDL-1.2
 ---
 src/audio/SDL_wave.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
 diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
-index ba1fb5252..21ee4dc3c 100644
+index 1d446ed..08f65cb 100644
 --- a/src/audio/SDL_wave.c
 +++ b/src/audio/SDL_wave.c
-@@ -222,11 +222,12 @@ static struct IMA_ADPCM_decoder {
+@@ -240,11 +240,12 @@ static struct IMA_ADPCM_decoder {
 	struct IMA_ADPCM_decodestate state[2];
 } IMA_ADPCM_state;
@ -38,7 +36,7 @@ index ba1fb5252..21ee4dc3c 100644
 	IMA_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding);
 	IMA_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels);
 	IMA_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency);
-@@ -235,11 +236,16 @@ static int InitIMA_ADPCM(WaveFMT *format)
+@@ -253,11 +254,16 @@ static int InitIMA_ADPCM(WaveFMT *format)
 	IMA_ADPCM_state.wavefmt.bitspersample =
 					 SDL_SwapLE16(format->bitspersample);
 	rogue_feel = (Uint8 *)format+sizeof(*format);
@ -55,7 +53,7 @@ index ba1fb5252..21ee4dc3c 100644
 }
 static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble)
-@@ -471,7 +477,7 @@ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc,
+@@ -500,7 +506,7 @@ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc,
 			break;
 		case IMA_ADPCM_CODE:
 			/* Try to understand this */
@ -65,5 +63,5 @@ index ba1fb5252..21ee4dc3c 100644
 				goto done;
 			}
 -- 
-2.21.0
+2.20.1
--- a/SOURCES/SDL-1.2.15-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch
+++ b/SOURCES/SDL-1.2.15-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch
@ -1,19 +1,21 @@
-From 974b6b063b652317f1a2df12834c829415529bc5 Mon Sep 17 00:00:00 2001
+From beef32b0e510371f3c968d22a1e3d48abbf366c6 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
-Date: Tue, 11 Jun 2019 06:28:12 -0700
+Date: Tue, 19 Feb 2019 14:52:52 +0100
-Subject: [PATCH 09/11] CVE-2019-7635: Reject BMP images with pixel colors out
+Subject: [PATCH] CVE-2019-7635: Reject BMP images with pixel colors out the
- the palette If a 1-, 4-, or 8-bit per pixel BMP image declares less used
+ palette
 colors than the palette offers an SDL_Surface with a palette of the indicated
 number of used colors is created. If some of the image's pixel refer to a
 color number higher then the maximal used colors, a subsequent bliting
 operation on the surface will look up a color past a blit map (that is based
 on the palette) memory. I.e. passing such SDL_Surface to e.g. an
 SDL_DisplayFormat() function will result in a buffer overread in a blit
 function.
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 If a 1-, 4-, or 8-bit per pixel BMP image declares less used colors
 than the palette offers an SDL_Surface with a palette of the indicated
 number of used colors is created. If some of the image's pixel
 refer to a color number higher then the maximal used colors, a subsequent
 bliting operation on the surface will look up a color past a blit map
 (that is based on the palette) memory. I.e. passing such SDL_Surface
 to e.g. an SDL_DisplayFormat() function will result in a buffer overread in
 a blit function.
 This patch fixes it by validing each pixel's color to be less than the
 maximal color number in the palette. A validation failure raises an
 error from a SDL_LoadBMP_RW() function.
@ -22,18 +24,15 @@ CVE-2019-7635
 https://bugzilla.libsdl.org/show_bug.cgi?id=4498
 Signed-off-by: Petr Písař <ppisar@redhat.com>
 --HG--
 branch : SDL-1.2
 ---
 src/video/SDL_bmp.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c
-index d56cfd83a..8acae3bcb 100644
+index 3accded..8eadc5f 100644
 --- a/src/video/SDL_bmp.c
 +++ b/src/video/SDL_bmp.c
-@@ -296,6 +296,12 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc)
+@@ -300,6 +300,12 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc)
 				}
 				*(bits+i) = (pixel>>shift);
 				pixel <<= ExpandBMP;
@ -46,7 +45,7 @@ index d56cfd83a..8acae3bcb 100644
 			} }
 			break;
-@@ -306,6 +312,16 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc)
+@@ -310,6 +316,16 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc)
 				was_error = SDL_TRUE;
 				goto done;
 			}
@ -64,5 +63,5 @@ index d56cfd83a..8acae3bcb 100644
 			/* Byte-swap the pixels if needed. Note that the 24bpp
 			   case has already been taken care of above. */
 -- 
-2.21.0
+2.20.1
--- a/SOURCES/SDL-1.2.15-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch
+++ b/SOURCES/SDL-1.2.15-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch
@ -1,8 +1,7 @@
-From 7cafd3e820489f17f86d0d897ad9719ef54599f1 Mon Sep 17 00:00:00 2001
+From cc50d843089c8cf386c3e0f9cb2fae0b258a9b7b Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
 Date: Mon, 18 Feb 2019 13:53:16 +0100
-Subject: [PATCH 11/11] CVE-2019-7637: Fix in integer overflow in
+Subject: [PATCH] CVE-2019-7637: Fix in integer overflow in SDL_CalculatePitch
 SDL_CalculatePitch
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@ -41,7 +40,7 @@ Signed-off-by: Petr Písař <ppisar@redhat.com>
 8 files changed, 57 insertions(+), 7 deletions(-)
 diff --git a/src/video/SDL_pixels.c b/src/video/SDL_pixels.c
-index 1a7fd518f..44626b749 100644
+index 1a7fd51..44626b7 100644
 --- a/src/video/SDL_pixels.c
 +++ b/src/video/SDL_pixels.c
@@ -286,26 +286,53 @@ void SDL_DitherColors(SDL_Color *colors, int bpp)
@ -106,7 +105,7 @@ index 1a7fd518f..44626b749 100644
 /*
  * Match an RGB value to a particular palette index
 diff --git a/src/video/gapi/SDL_gapivideo.c b/src/video/gapi/SDL_gapivideo.c
-index 86deadc75..8a0648536 100644
+index 86deadc..8a06485 100644
 --- a/src/video/gapi/SDL_gapivideo.c
 +++ b/src/video/gapi/SDL_gapivideo.c
@@ -733,6 +733,9 @@ SDL_Surface *GAPI_SetVideoMode(_THIS, SDL_Surface *current,
@ -120,7 +119,7 @@ index 86deadc75..8a0648536 100644
 	/* Small fix for WinCE/Win32 - when activating window
 	   SDL_VideoSurface is equal to zero, so activating code
 diff --git a/src/video/nanox/SDL_nxvideo.c b/src/video/nanox/SDL_nxvideo.c
-index b188e0958..cbdd09a08 100644
+index b188e09..cbdd09a 100644
 --- a/src/video/nanox/SDL_nxvideo.c
 +++ b/src/video/nanox/SDL_nxvideo.c
@@ -378,6 +378,10 @@ SDL_Surface * NX_SetVideoMode (_THIS, SDL_Surface * current,
@ -135,7 +134,7 @@ index b188e0958..cbdd09a08 100644
     }
 diff --git a/src/video/ps2gs/SDL_gsvideo.c b/src/video/ps2gs/SDL_gsvideo.c
-index e172c60dc..329086680 100644
+index e172c60..3290866 100644
 --- a/src/video/ps2gs/SDL_gsvideo.c
 +++ b/src/video/ps2gs/SDL_gsvideo.c
@@ -479,6 +479,9 @@ static SDL_Surface *GS_SetVideoMode(_THIS, SDL_Surface *current,
@ -149,7 +148,7 @@ index e172c60dc..329086680 100644
 	/* Memory map the DMA area for block memory transfer */
 	if ( ! mapped_mem ) {
 diff --git a/src/video/ps3/SDL_ps3video.c b/src/video/ps3/SDL_ps3video.c
-index d5519e051..17848e33a 100644
+index d5519e0..17848e3 100644
 --- a/src/video/ps3/SDL_ps3video.c
 +++ b/src/video/ps3/SDL_ps3video.c
@@ -339,6 +339,9 @@ static SDL_Surface *PS3_SetVideoMode(_THIS, SDL_Surface * current, int width, in
@ -163,7 +162,7 @@ index d5519e051..17848e33a 100644
 	/* Alloc aligned mem for current->pixels */
 	s_pixels = memalign(16, current->h * current->pitch);
 diff --git a/src/video/windib/SDL_dibvideo.c b/src/video/windib/SDL_dibvideo.c
-index 6187bfcf7..86ebb12a3 100644
+index 6187bfc..86ebb12 100644
 --- a/src/video/windib/SDL_dibvideo.c
 +++ b/src/video/windib/SDL_dibvideo.c
@@ -675,6 +675,9 @@ SDL_Surface *DIB_SetVideoMode(_THIS, SDL_Surface *current,
@ -177,7 +176,7 @@ index 6187bfcf7..86ebb12a3 100644
 	/* Small fix for WinCE/Win32 - when activating window
 	   SDL_VideoSurface is equal to zero, so activating code
 diff --git a/src/video/windx5/SDL_dx5video.c b/src/video/windx5/SDL_dx5video.c
-index f80ca97b0..39fc4fc37 100644
+index f80ca97..39fc4fc 100644
 --- a/src/video/windx5/SDL_dx5video.c
 +++ b/src/video/windx5/SDL_dx5video.c
@@ -1127,6 +1127,9 @@ SDL_Surface *DX5_SetVideoMode(_THIS, SDL_Surface *current,
@ -191,7 +190,7 @@ index f80ca97b0..39fc4fc37 100644
 #ifndef NO_CHANGEDISPLAYSETTINGS
 		/* Set fullscreen mode if appropriate.
 diff --git a/src/video/x11/SDL_x11video.c b/src/video/x11/SDL_x11video.c
-index 79e60f971..45d1f79be 100644
+index 79e60f9..45d1f79 100644
 --- a/src/video/x11/SDL_x11video.c
 +++ b/src/video/x11/SDL_x11video.c
@@ -1220,6 +1220,10 @@ SDL_Surface *X11_SetVideoMode(_THIS, SDL_Surface *current,
@ -206,5 +205,5 @@ index 79e60f971..45d1f79be 100644
 			current = NULL;
 			goto done;
 -- 
-2.21.0
+2.20.1
--- a/SOURCES/SDL-1.2.15-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch
+++ b/SOURCES/SDL-1.2.15-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch
@ -1,8 +1,8 @@
-From 73161afdf77e2cf90f47c9be0bc970dadedb5d7c Mon Sep 17 00:00:00 2001
+From 28b1433b4bd7982524f2418420e8cc01786df5c4 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
 Date: Fri, 15 Feb 2019 16:52:27 +0100
-Subject: [PATCH 10/11] CVE-2019-7638, CVE-2019-7636: Refuse loading BMP images
+Subject: [PATCH] CVE-2019-7638, CVE-2019-7636: Refuse loading BMP images with
- with too high number of colors
+ too high number of colors
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@ -37,7 +37,7 @@ Signed-off-by: Petr Písař <ppisar@redhat.com>
 1 file changed, 4 insertions(+)
 diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c
-index 8acae3bcb..8eadc5f66 100644
+index d56cfd8..3accded 100644
 --- a/src/video/SDL_bmp.c
 +++ b/src/video/SDL_bmp.c
@@ -233,6 +233,10 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc)
@ -52,5 +52,5 @@ index 8acae3bcb..8eadc5f66 100644
 		if ( biSize == 12 ) {
 			for ( i = 0; i < (int)biClrUsed; ++i ) {
 -- 
-2.21.0
+2.20.1
--- a/SOURCES/SDL-1.2.15-Fixed-bug-4108-Missing-break-statements-in-SDL_CDRes.patch
+++ b/SOURCES/SDL-1.2.15-Fixed-bug-4108-Missing-break-statements-in-SDL_CDRes.patch
--- a/SOURCES/SDL-1.2.15-Reject-2-3-5-6-7-bpp-BMP-images.patch
+++ b/SOURCES/SDL-1.2.15-Reject-2-3-5-6-7-bpp-BMP-images.patch
@ -0,0 +1,42 @@
 From 70c3d0e97755e1b208ceba2ae012877797f15627 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
 Date: Thu, 21 Feb 2019 10:57:41 +0100
 Subject: [PATCH] Reject 2, 3, 5, 6, 7-bpp BMP images
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 BMP decoder assumes less than 8 bit depth images have 1 or 4 bits
 per pixel. No other depths are correctly translated to an 8bpp
 surface.
 This patch rejects loading these images.
 https://bugzilla.libsdl.org/show_bug.cgi?id=4498
 Signed-off-by: Petr Písař <ppisar@redhat.com>
 ---
 src/video/SDL_bmp.c | 8 ++++++++
 1 file changed, 8 insertions(+)
 diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c
 index 8eadc5f..758d4bb 100644
 --- a/src/video/SDL_bmp.c
 +++ b/src/video/SDL_bmp.c
@@ -163,6 +163,14 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc)
 			ExpandBMP = biBitCount;
 			biBitCount = 8;
 			break;
 +		case 2:
 +		case 3:
 +		case 5:
 +		case 6:
 +		case 7:
 +			SDL_SetError("%d-bpp BMP images are not supported", biBitCount);
 +			was_error = SDL_TRUE;
 +			goto done;
 		default:
 			ExpandBMP = 0;
 			break;
 -- 
 2.20.1
--- a/SOURCES/SDL-1.2.15-Use-system-glext.h.patch
+++ b/SOURCES/SDL-1.2.15-Use-system-glext.h.patch
@ -0,0 +1,32 @@
 From cf8a0c3d75005436d3ed3ea0ae258cdef5b10ebe Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
 Date: Mon, 14 Jan 2019 12:10:21 +0100
 Subject: [PATCH] Use system glext.h
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 mesa-18.2.6 changed GL_GLEXT_VERSION and that conflicts with the bundled
 glext.h definitions. Use system glext.h instead via GL/gl.h.
 Signed-off-by: Petr Písař <ppisar@redhat.com>
 ---
 include/SDL_opengl.h | 2 ++
 1 file changed, 2 insertions(+)
 diff --git a/include/SDL_opengl.h b/include/SDL_opengl.h
 index 3d791d6..3a77b11 100644
 --- a/include/SDL_opengl.h
 +++ b/include/SDL_opengl.h
@@ -33,6 +33,8 @@
 #endif
 #include <windows.h>
 #endif
 +/* mesa changes GL_GLEXT_VERSION, use system glext.h instead via GL/gl.h */
 +#define NO_SDL_GLEXT
 #ifndef NO_SDL_GLEXT
 #define __glext_h_  /* Don't let gl.h include glext.h */
 #endif
 -- 
 2.17.2
--- a/SOURCES/SDL-1.2.15-fix-small-errors-detected-by-coverity.patch
+++ b/SOURCES/SDL-1.2.15-fix-small-errors-detected-by-coverity.patch
--- a/SOURCES/SDL-1.2.15-fix_copy_paste_mistakes_in_commit_9b0e5c555c0f.patch
+++ b/SOURCES/SDL-1.2.15-fix_copy_paste_mistakes_in_commit_9b0e5c555c0f.patch
@ -0,0 +1,45 @@
 changeset:   12980:32075e9e2135
 branch:      SDL-1.2
 tag:         tip
 parent:      12977:37d0eba8fa17
 user:        Ozkan Sezer <sezeroz@gmail.com>
 date:        Fri Aug 02 00:35:05 2019 +0300
 summary:     fix copy+paste mistakes in commit 9b0e5c555c0f (CVE-2019-7637 fix):
 diff -r 37d0eba8fa17 -r 32075e9e2135 src/video/gapi/SDL_gapivideo.c
 --- a/src/video/gapi/SDL_gapivideo.c	Wed Jul 31 23:50:10 2019 +0300
 +++ b/src/video/gapi/SDL_gapivideo.c	Fri Aug 02 00:35:05 2019 +0300
@@ -733,7 +733,7 @@
 	video->w = gapi->w = width;
 	video->h = gapi->h = height;
 	video->pitch = SDL_CalculatePitch(video); 
 -	if (!current->pitch) {
 +	if (!video->pitch) {
 		return(NULL);
 	}
 diff -r 37d0eba8fa17 -r 32075e9e2135 src/video/windib/SDL_dibvideo.c
 --- a/src/video/windib/SDL_dibvideo.c	Wed Jul 31 23:50:10 2019 +0300
 +++ b/src/video/windib/SDL_dibvideo.c	Fri Aug 02 00:35:05 2019 +0300
@@ -675,7 +675,7 @@
 	video->w = width;
 	video->h = height;
 	video->pitch = SDL_CalculatePitch(video);
 -	if (!current->pitch) {
 +	if (!video->pitch) {
 		return(NULL);
 	}
 diff -r 37d0eba8fa17 -r 32075e9e2135 src/video/windx5/SDL_dx5video.c
 --- a/src/video/windx5/SDL_dx5video.c	Wed Jul 31 23:50:10 2019 +0300
 +++ b/src/video/windx5/SDL_dx5video.c	Fri Aug 02 00:35:05 2019 +0300
@@ -1127,7 +1127,7 @@
 		video->w = width;
 		video->h = height;
 		video->pitch = SDL_CalculatePitch(video);
 -		if (!current->pitch) {
 +		if (!video->pitch) {
 			return(NULL);
 		}
--- a/SOURCES/SDL-1.2.15.tar.gz.sig
+++ b/SOURCES/SDL-1.2.15.tar.gz.sig
--- a/SOURCES/SDL_config.h
+++ b/SOURCES/SDL_config.h
@ -71,6 +71,8 @@
 #include "SDL_config-mipsel.h"
 #elif defined(__mips)
 #include "SDL_config-mips.h"
 #elif defined(__riscv) && defined(__riscv_xlen) && __riscv_xlen == 64
 #include "SDL_config-riscv64.h"
 #else
 #error "The SDL-devel package is not usable with the architecture."
 #endif
--- a/SOURCES/repackage.sh
+++ b/SOURCES/repackage.sh
@ -35,6 +35,8 @@ repackaged_tgz="${repackaged_tar}.gz"
 # pre checks
 [ ! -f "${orig_tgz}" ] && { echo "ERROR: ${orig_tgz} does not exist"; exit 1; }
 /usr/lib/rpm/redhat/gpgverify --keyring=slouken-pubkey.asc \
    --signature="${orig_tgz}.sig" --data="${orig_tgz}" || exit 1;
 [ -f "${repackaged_tgz}" ] && { echo "ERROR: ${repackaged_tgz} already exist"; exit 1; }
 # repackage
--- a/SPECS/SDL.spec
+++ b/SPECS/SDL.spec
@ -10,9 +10,9 @@
 Name:       SDL
 Version:    1.2.15
-Release:    39%{?dist}
+Release:    48%{?dist}
 Summary:    A cross-platform multimedia library
-URL:        http://www.libsdl.org/
+URL:        https://www.libsdl.org/
 # The license of the file src/video/fbcon/riva_mmio.h is bad, but the contents
 # of the file has been relicensed to MIT in 2008 by Nvidia for the 
 # xf86_video-nv driver, therefore it can be considered ok.
@ -20,11 +20,13 @@ URL:        http://www.libsdl.org/
 # it to zlib on 2016-02-21,
 # <https://www.mccaughan.org.uk/software/qsort.c-1.14>, bug #1381888.
 License:    LGPLv2+
-# Source: http://www.libsdl.org/release/%%{name}-%%{version}.tar.gz
+# Source: %%{url}/release/%%{name}-%%{version}.tar.gz
 # To create the repackaged archive use ./repackage.sh %%{version}
 Source0:    %{name}-%{version}_repackaged.tar.gz
-Source1:    SDL_config.h
+Source1:    %{url}/release/%{name}-%{version}.tar.gz.sig
-Source2:    repackage.sh
+Source2:    https://slouken.libsdl.org/slouken-pubkey.asc
 Source3:    SDL_config.h
 Source4:    repackage.sh
 Patch0:     SDL-1.2.12-multilib.patch
 # Rejected by upstream as sdl1155, rh480065
 Patch1:     SDL-1.2.10-GrabNotViewable.patch
@ -42,24 +44,61 @@ Patch5:     SDL-1.2.15-no-default-backing-store.patch
 Patch6:     SDL-1.2.15-SDL_EnableUNICODE_drops_keyboard_events.patch
 # Fix vec_perm() usage on little-endian 64-bit PowerPC, bug #1392465
 Patch7:     SDL-1.2.15-vec_perm-ppc64le.patch
-#fixed upstream
+# Use system glext.h to prevent from clashing on a GL_GLEXT_VERSION definition,
-Patch8:	    0001-Fixed-bug-4108-Missing-break-statements-in-SDL_CDRes.patch
+# rh1662778
-#fixes for small errors
+Patch8:     SDL-1.2.15-Use-system-glext.h.patch
-Patch9:	    0001-fix-small-errors-detected-by-coverity.patch
+# Fix CVE-2019-7577 (a buffer overread in MS_ADPCM_decode), bug #1676510,
 # upstream bug #4492, in upstream after 1.2.15
 Patch9:     SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch
 # Fix CVE-2019-7575 (a buffer overwrite in MS_ADPCM_decode), bug #1676744,
 # upstream bug #4493, in upstream after 1.2.15
 Patch10:    SDL-1.2.15-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch
 # Fix CVE-2019-7574 (a buffer overread in IMA_ADPCM_decode), bug #1676750,
 # upstream bug #4496, in upstream after 1.2.15
 Patch11:    SDL-1.2.15-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch
 # Fix CVE-2019-7572 (a buffer overread in IMA_ADPCM_nibble), bug #1676754,
 # upstream bug #4495, in upstream after 1.2.15
 Patch12:    SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch
 # Fix CVE-2019-7572 (a buffer overwrite in IMA_ADPCM_nibble), bug #1676754,
 # upstream bug #4495, in upstream after 1.2.15
 Patch13:    SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch
 # Fix CVE-2019-7573, CVE-2019-7576 (buffer overreads in InitMS_ADPCM),
 # bugs #1676752, #1676756, upstream bugs #4491, #4490,
 # in upstream after 1.2.15
 Patch14:    SDL-1.2.15-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch
 # Fix CVE-2019-7578, (a buffer overread in InitIMA_ADPCM), bug #1676782,
 # upstream bug #4491, in upstream after 1.2.15
 Patch15:    SDL-1.2.15-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch
 # Fix CVE-2019-7638, CVE-2019-7636 (buffer overflows when processing BMP
 # images with too high number of colors), bugs #1677144, #1677157,
 # upstream bugs #4500, #4499, in upstream after 1.2.15
 Patch16:    SDL-1.2.15-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch
 # Fix CVE-2019-7637 (an integer overflow in SDL_CalculatePitch), bug #1677152,
 # upstream bug #4497, in upstream after 1.2.15
 Patch17:    SDL-1.2.15-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch
 # Fix CVE-2019-7635 (a buffer overread when blitting a BMP image with pixel
 # colors out the palette), bug #1677159, upstream bug #4498,
 # in upstream after 1.2.15
 Patch18:    SDL-1.2.15-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch
 # Reject 2, 3, 5, 6, 7-bpp BMP images (related to CVE-2019-7635),
 # bug #1677159, upstream bug #4498, in upstream after 1.2.15
 Patch19:    SDL-1.2.15-Reject-2-3-5-6-7-bpp-BMP-images.patch
 # Fix CVE-2019-7577 (Fix a buffer overread in MS_ADPCM_nibble and
 # MS_ADPCM_decode on an invalid predictor), bug #1676510, upstream bug #4492,
 # in upstream after 1.2.15
 Patch20:    SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch
 # Fix retrieving an error code after stopping and resuming a CD-ROM playback,
 # upstream bug #4108, in upstream after 1.2.15
 Patch21:    SDL-1.2.15-Fixed-bug-4108-Missing-break-statements-in-SDL_CDRes.patch
 # Fix SDL_Surface reference counter initialization and a possible crash when
 # opening a mouse device when using a framebuffer video output, bug #1602687
 Patch22:    SDL-1.2.15-fix-small-errors-detected-by-coverity.patch
 # Fix Windows drivers broken with a patch for CVE-2019-7637, bug #1677152,
 # upstream bug #4497, in upstream after 1.2.15
 Patch23:    SDL-1.2.15-fix_copy_paste_mistakes_in_commit_9b0e5c555c0f.patch
 # Fix CVE-2019-13616 (a heap buffer over-read in BlitNtoN), bug #1747237,
 # upstream bug #4538, in upstream after 1.2.15
-Patch10:    SDL-1.2.15-CVE-2019-13616-validate_image_size_when_loading_BMP_files.patch
+Patch24:    SDL-1.2.15-CVE-2019-13616-validate_image_size_when_loading_BMP_files.patch
 Patch11:	0001-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch
 Patch12:	0002-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch
 Patch13:	0003-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch
 Patch14:	0004-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch
 Patch15:	0005-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch
 Patch16:	0006-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch
 Patch17:	0007-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch
 Patch18:	0008-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch
 Patch19:	0009-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch
 Patch20:	0010-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch
 Patch21:	0011-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch
 BuildRequires:  alsa-lib-devel
 %if %{with arts}
@ -148,7 +187,9 @@ applications.
 %patch19 -p1
 %patch20 -p1
 %patch21 -p1
-
+%patch22 -p1
 %patch23 -p1
 %patch24 -p1
 for F in CREDITS; do 
    iconv -f iso8859-1 -t utf-8 < "$F" > "${F}.utf"
    touch --reference "$F" "${F}.utf"
@ -158,14 +199,13 @@ done
 # Compilation without ESD
 sed -i -e 's/.*AM_PATH_ESD.*//' configure.in
 %endif
 # Update config.sub to support aarch64, bug #926510
 cp -p /usr/share/automake-*/config.{sub,guess} build-scripts
 %build
 aclocal
 libtoolize
 autoconf
 %configure \
    --enable-video-opengl \
    --disable-video-svga \
    --disable-video-ggi \
    --disable-video-aalib \
@ -189,32 +229,28 @@ autoconf
    --enable-alsa \
    --disable-video-ps3 \
    --disable-rpath
-make %{?_smp_mflags}
+%{make_build}
 %install
-make install DESTDIR=%{buildroot}
+%{make_install}
 # Rename SDL_config.h to SDL_config-<arch>.h to avoid file conflicts on
 # multilib systems and install SDL_config.h wrapper
 mv %{buildroot}/%{_includedir}/SDL/SDL_config.h %{buildroot}/%{_includedir}/SDL/SDL_config-%{_arch}.h
-install -m644 %{SOURCE1} %{buildroot}/%{_includedir}/SDL/SDL_config.h
+install -m644 %{SOURCE3} %{buildroot}/%{_includedir}/SDL/SDL_config.h
 # remove libtool .la file
 rm -f %{buildroot}%{_libdir}/*.la
 %post -p /sbin/ldconfig
 %postun -p /sbin/ldconfig
 %files
 %license COPYING
 %doc BUGS CREDITS README-SDL.txt
-%{_libdir}/lib*.so.*
+%{_libdir}/libSDL-1.2.so.*
 %files devel
 %doc README docs.html docs/html docs/index.html TODO WhatsNew
 %{_bindir}/*-config
-%{_libdir}/lib*.so
+%{_libdir}/libSDL.so
 %{_libdir}/pkgconfig/sdl.pc
 %{_includedir}/SDL
 %{_datadir}/aclocal/*
@ -225,42 +261,82 @@ rm -f %{buildroot}%{_libdir}/*.la
 %{_libdir}/lib*.a
 %changelog
-* Tue Dec 15 2020 Wim Taymans <wtaymans@redhat.com> - 1.2.15-39
+* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 1.2.15-48
- copy config.{sub,guess} from /usr/share/automake
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
- Resolves: rhbz#1907503
+  Related: rhbz#1991688
-* Mon Mar 23 2020 Wim Taymans <wtaymans@redhat.com> - 1.2.15-38
+* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 1.2.15-47
- fix CVEs
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
 - Resolves: rhbz#1716209, rhbz#1716210, rhbz#1716211, rhbz#1716212,
            rhbz#1716213, rhbz#1716214, rhbz#1716215, rhbz#1716216,
 	    rhbz#1716217, rhbz#1716218, rhbz#1716219
-* Thu Nov 21 2019 Wim Taymans <wtaymans@redhat.com> - 1.2.15-37
+* Mon Jan 25 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.15-46
- Rebuild
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
 - Resolves: rhbz#1756279
-* Fri Aug 30 2019 Petr Pisar <ppisar@redhat.com> - 1.2.15-36
+* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.15-45
 - Second attempt - Rebuilt for
  https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
 * Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.15-44
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
 * Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.15-43
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
 * Fri Aug 30 2019 Petr Pisar <ppisar@redhat.com> - 1.2.15-42
 - Fix CVE-2019-13616 (a heap buffer over-read in BlitNtoN) (bug #1747237)
 - Resolves: rhbz#1756279
-* Mon May 27 2019 Wim Taymans <wtaymans@redhat.com> - 1.2.15-35
+* Fri Aug 02 2019 Petr Pisar <ppisar@redhat.com> - 1.2.15-41
- Rebuild after gating
+- Fix Windows drivers broken with a patch for CVE-2019-7637 (bug #1677152)
- Resolves: rhbz#1602687
+- Update URL to use secured HTTP protocol
-* Tue Apr 30 2019 Wim Taymans <wtaymans@redhat.com> - 1.2.15-34
+* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.15-40
- Rebuild
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
 - Resolves: rhbz#1602687
-* Mon Apr 29 2019 Wim Taymans <wtaymans@redhat.com> - 1.2.15-33
+* Mon Jun 03 2019 Petr Pisar <ppisar@redhat.com> - 1.2.15-39
- Small fixes for problems found by coverity
+- Fix retrieving an error code after stopping and resuming a CD-ROM playback
- Resolves: rhbz#1602687
+  (upstream bug #4108)
 - Fix SDL_Surface reference counter initialization and a possible crash when
  opening a mouse device when using a framebuffer video output (bug #1602687)
-* Thu Aug 16 2018 Wim Taymans <wtaymans@redhat.com> - 1.2.15-32
+* Tue Mar 12 2019 Petr Pisar <ppisar@redhat.com> - 1.2.15-38
- Fix wrong fall throughs in cdrom
+- Fix CVE-2019-7577 completely (a buffer overread in MS_ADPCM_nibble and
- Resolves: rhbz#1602687
+  MS_ADPCM_decode on an invalid predictor) (bug #1676510)
-* Tue Jul 17 2018 Wim Taymans <wtaymans@redhat.com> - 1.2.15-31
+* Fri Feb 15 2019 Petr Pisar <ppisar@redhat.com> - 1.2.15-37
- Remove obsolete audiofile-devel BR
+- Fix CVE-2019-7577 (a buffer overread in MS_ADPCM_decode) (bug #1676510)
 - Fix CVE-2019-7575 (a buffer overwrite in MS_ADPCM_decode) (bug #1676744)
 - Fix CVE-2019-7574 (a buffer overread in IMA_ADPCM_decode) (bug #1676750)
 - Fix CVE-2019-7572 (a buffer overread in IMA_ADPCM_nibble) (bug #1676754)
 - Fix CVE-2019-7572 (a buffer overwrite in IMA_ADPCM_nibble) (bug #1676754)
 - Fix CVE-2019-7573, CVE-2019-7576 (buffer overreads in InitMS_ADPCM)
  (bugs #1676752, #1676756)
 - Fix CVE-2019-7578 (a buffer overread in InitIMA_ADPCM) (bug #1676782)
 - Fix CVE-2019-7638, CVE-2019-7636 (buffer overflows when processing BMP
  images with too high number of colors) (bugs #1677144, #1677157)
 - Fix CVE-2019-7637 (an integer overflow in SDL_CalculatePitch) (bug #1677152)
 - Fix CVE-2019-7635 (a buffer overread when blitting a BMP image with pixel
  colors out the palette) (bug #1677159)
 - Reject 2, 3, 5, 6, 7-bpp BMP images (bug #1677159)
 * Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.15-36
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
 * Mon Jan 14 2019 Petr Pisar <ppisar@redhat.com> - 1.2.15-35
 - Remove manual updating of config.{guess,sub} - this has been part of
  %%configure since 2013
 - Use system glext.h to prevent from clashing on a GL_GLEXT_VERSION definition
  (bug #1662778)
 * Tue Aug 28 2018 Petr Pisar <ppisar@redhat.com> - 1.2.15-34
 - Remove useless build-time dependency on audiofile-devel
 * Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.15-33
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
 * Tue Mar 27 2018 David Abdurachmanov <david.abdurachmanov@gmail.com> - 1.2.15-32
 - Add riscv64 to SDL_config.h
 * Thu Mar 22 2018 Petr Pisar <ppisar@redhat.com> - 1.2.15-31
 - Remove post scriptlets with ldconfig
 * Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.15-30
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
`@ -1 +1,2 @@`
	`61a0c4976ecc88d1101f1d03105089588d167a40 SOURCES/SDL-1.2.15_repackaged.tar.gz`	`61a0c4976ecc88d1101f1d03105089588d167a40 SOURCES/SDL-1.2.15_repackaged.tar.gz`
		`5778b357370d88bfac9c34e5aba106e2375f8cc7 SOURCES/slouken-pubkey.asc`
`@ -1 +1,2 @@`
	`SOURCES/SDL-1.2.15_repackaged.tar.gz`	`SOURCES/SDL-1.2.15_repackaged.tar.gz`
		`SOURCES/slouken-pubkey.asc`