rpms/SDL
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

merge into: rpms:c8
Branches Tags
rpms:c8
rpms:c8s
rpms:c9s
rpms:c10s
rpms:c9-beta
rpms:c8-beta
rpms:imports/c9-beta/SDL-1.2.15-48.el9
rpms:imports/c8-beta/SDL-1.2.15-39.el8
rpms:imports/c8-beta/SDL-1.2.15-38.el8
rpms:imports/c8-beta/SDL-1.2.15-37.el8
rpms:imports/c8-beta/SDL-1.2.15-35.el8
rpms:imports/c8s/SDL-1.2.15-39.el8
rpms:imports/c8s/SDL-1.2.15-38.el8
rpms:imports/c8s/SDL-1.2.15-37.el8
rpms:imports/c8/SDL-1.2.15-39.el8
rpms:imports/c8/SDL-1.2.15-38.el8
rpms:imports/c8/SDL-1.2.15-37.el8
rpms:imports/c8/SDL-1.2.15-36.el8_1
rpms:imports/c8/SDL-1.2.15-35.el8
...
pull from: rpms:c9-beta
Branches Tags
rpms:c8s
rpms:c9s
rpms:c10s
rpms:c9-beta
rpms:c8-beta
rpms:c8
rpms:imports/c9-beta/SDL-1.2.15-48.el9
rpms:imports/c8-beta/SDL-1.2.15-39.el8
rpms:imports/c8-beta/SDL-1.2.15-38.el8
rpms:imports/c8-beta/SDL-1.2.15-37.el8
rpms:imports/c8-beta/SDL-1.2.15-35.el8
rpms:imports/c8s/SDL-1.2.15-39.el8
rpms:imports/c8s/SDL-1.2.15-38.el8
rpms:imports/c8s/SDL-1.2.15-37.el8
rpms:imports/c8/SDL-1.2.15-39.el8
rpms:imports/c8/SDL-1.2.15-38.el8
rpms:imports/c8/SDL-1.2.15-37.el8
rpms:imports/c8/SDL-1.2.15-36.el8_1
rpms:imports/c8/SDL-1.2.15-35.el8

No commits in common. "c8" and "c9-beta" have entirely different histories.
c8 ... c9-beta

22 changed files with 392 additions and 206 deletions
Show Stats Expand all files Collapse all files

1
.SDL.metadata
View File

@ -1 +1,2 @@
61a0c4976ecc88d1101f1d03105089588d167a40 SOURCES/SDL-1.2.15_repackaged.tar.gz
5778b357370d88bfac9c34e5aba106e2375f8cc7 SOURCES/slouken-pubkey.asc

1
.gitignore vendored
View File

@ -1 +1,2 @@
SOURCES/SDL-1.2.15_repackaged.tar.gz
SOURCES/slouken-pubkey.asc

24
SOURCES/0001-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch → SOURCES/SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch
View File

@ -1,14 +1,15 @@
From 4b4cac39ba7988df9d8def32360dd842b707ba74 Mon Sep 17 00:00:00 2001
From bb11ffcff5ae2f25bead921c2a299e7e63d8a759 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Sat, 8 Jun 2019 17:57:43 -0700
Subject: [PATCH 01/11] CVE-2019-7572: Fix a buffer overread in
IMA_ADPCM_nibble If an IMA ADPCM block contained an initial index out of step
table range (loaded in IMA_ADPCM_decode()), IMA_ADPCM_nibble() blindly used
this bogus value and that lead to a buffer overread.
Date: Thu, 14 Feb 2019 16:51:54 +0100
Subject: [PATCH] CVE-2019-7572: Fix a buffer overread in IMA_ADPCM_nibble
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If an IMA ADPCM block contained an initial index out of step table
range (loaded in IMA_ADPCM_decode()), IMA_ADPCM_nibble() blindly used
this bogus value and that lead to a buffer overread.
This patch fixes it by moving clamping the index value at the
beginning of IMA_ADPCM_nibble() function instead of the end after
an update.
@ -17,18 +18,15 @@ CVE-2019-7572
https://bugzilla.libsdl.org/show_bug.cgi?id=4495
Signed-off-by: Petr Písař <ppisar@redhat.com>
--HG--
branch : SDL-1.2
---
src/audio/SDL_wave.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
index b4ad6c787..ba1fb5252 100644
index 2968b3d..69d62dc 100644
--- a/src/audio/SDL_wave.c
+++ b/src/audio/SDL_wave.c
@@ -264,6 +264,14 @@ static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble)
@@ -275,6 +275,14 @@ static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble)
};
Sint32 delta, step;
@ -43,7 +41,7 @@ index b4ad6c787..ba1fb5252 100644
/* Compute difference and new sample value */
step = step_table[state->index];
delta = step >> 3;
@@ -275,12 +283,6 @@ static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble)
@@ -286,12 +294,6 @@ static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble)
/* Update index value */
state->index += index_table[nybble];
@ -57,5 +55,5 @@ index b4ad6c787..ba1fb5252 100644
/* Clamp output sample */
if ( state->sample > max_audioval ) {
--
2.21.0
2.20.1

28
SOURCES/0006-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch → SOURCES/SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch
View File

@ -1,14 +1,15 @@
From b637e14f849130449544c8899aed716a2f049b75 Mon Sep 17 00:00:00 2001
From 6086741bda4d43cc227500bc7645a829380e6326 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Mon, 10 Jun 2019 08:57:11 -0700
Subject: [PATCH 06/11] CVE-2019-7572: Fix a buffer overwrite in
IMA_ADPCM_decode If data chunk was longer than expected based on a WAV format
definition, IMA_ADPCM_decode() tried to write past the output buffer. This
patch fixes it.
Date: Fri, 15 Feb 2019 09:21:45 +0100
Subject: [PATCH] CVE-2019-7572: Fix a buffer overwrite in IMA_ADPCM_decode
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If data chunk was longer than expected based on a WAV format
definition, IMA_ADPCM_decode() tried to write past the output
buffer. This patch fixes it.
Based on patch from
<https://bugzilla.libsdl.org/show_bug.cgi?id=4496>.
@ -16,18 +17,15 @@ CVE-2019-7572
https://bugzilla.libsdl.org/show_bug.cgi?id=4495
Signed-off-by: Petr Písař <ppisar@redhat.com>
--HG--
branch : SDL-1.2
---
src/audio/SDL_wave.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
index 3eedd20a1..4159eb710 100644
index 69d62dc..91e89e8 100644
--- a/src/audio/SDL_wave.c
+++ b/src/audio/SDL_wave.c
@@ -346,7 +346,7 @@ static void Fill_IMA_ADPCM_block(Uint8 *decoded, Uint8 *encoded,
@@ -336,7 +336,7 @@ static void Fill_IMA_ADPCM_block(Uint8 *decoded, Uint8 *encoded,
static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
{
struct IMA_ADPCM_decodestate *state;
@ -36,7 +34,7 @@ index 3eedd20a1..4159eb710 100644
Sint32 encoded_len, samplesleft;
unsigned int c, channels;
@@ -373,6 +373,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
@@ -363,6 +363,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
return(-1);
}
decoded = *audio_buf;
@ -44,7 +42,7 @@ index 3eedd20a1..4159eb710 100644
/* Get ready... Go! */
while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) {
@@ -392,6 +393,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
@@ -382,6 +383,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
}
/* Store the initial sample we start with */
@ -52,7 +50,7 @@ index 3eedd20a1..4159eb710 100644
decoded[0] = (Uint8)(state[c].sample&0xFF);
decoded[1] = (Uint8)(state[c].sample>>8);
decoded += 2;
@@ -402,6 +404,8 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
@@ -392,6 +394,8 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
while ( samplesleft > 0 ) {
for ( c=0; c<channels; ++c ) {
if (encoded + 4 > encoded_end) goto invalid_size;
@ -62,5 +60,5 @@ index 3eedd20a1..4159eb710 100644
c, channels, &state[c]);
encoded += 4;
--
2.21.0
2.20.1

21
SOURCES/0007-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch → SOURCES/SDL-1.2.15-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch
View File

@ -1,28 +1,27 @@
From 45ef356d8c01a3941286b35b90eb319959f20f2c Mon Sep 17 00:00:00 2001
From 3e2c89e516701f3586dfeadec13932f665371d2a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Mon, 10 Jun 2019 09:06:23 -0700
Subject: [PATCH 07/11] CVE-2019-7573, CVE-2019-7576: Fix buffer overreads in
InitMS_ADPCM If MS ADPCM format chunk was too short, InitMS_ADPCM() parsing
it could read past the end of chunk data. This patch fixes it.
Date: Fri, 15 Feb 2019 10:36:13 +0100
Subject: [PATCH] CVE-2019-7573, CVE-2019-7576: Fix buffer overreads in
InitMS_ADPCM
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If MS ADPCM format chunk was too short, InitMS_ADPCM() parsing it
could read past the end of chunk data. This patch fixes it.
CVE-2019-7573
https://bugzilla.libsdl.org/show_bug.cgi?id=4491
CVE-2019-7576
https://bugzilla.libsdl.org/show_bug.cgi?id=4490
Signed-off-by: Petr Písař <ppisar@redhat.com>
--HG--
branch : SDL-1.2
---
src/audio/SDL_wave.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
index 4159eb710..88ac2cca6 100644
index 91e89e8..1d446ed 100644
--- a/src/audio/SDL_wave.c
+++ b/src/audio/SDL_wave.c
@@ -44,12 +44,13 @@ static struct MS_ADPCM_decoder {
@ -70,7 +69,7 @@ index 4159eb710..88ac2cca6 100644
}
static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state,
@@ -495,7 +502,7 @@ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc,
@@ -485,7 +492,7 @@ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc,
break;
case MS_ADPCM_CODE:
/* Try to understand this */
@ -80,5 +79,5 @@ index 4159eb710..88ac2cca6 100644
goto done;
}
--
2.21.0
2.20.1

30
SOURCES/0003-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch → SOURCES/SDL-1.2.15-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch
View File

@ -1,30 +1,28 @@
From db0282cbe00a64cc65ba445ea21928d72dc26d97 Mon Sep 17 00:00:00 2001
From 9b2eee24768889378032077423cb6a3221a8ad18 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Mon, 10 Jun 2019 08:50:59 -0700
Subject: [PATCH 03/11] CVE-2019-7574: Fix a buffer overread in
IMA_ADPCM_decode If data chunk was shorter than expected based on a WAV
format definition, IMA_ADPCM_decode() tried to read past the data chunk
buffer. This patch fixes it.
Date: Thu, 14 Feb 2019 15:41:47 +0100
Subject: [PATCH] CVE-2019-7574: Fix a buffer overread in IMA_ADPCM_decode
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If data chunk was shorter than expected based on a WAV format
definition, IMA_ADPCM_decode() tried to read past the data chunk
buffer. This patch fixes it.
CVE-2019-7574
https://bugzilla.libsdl.org/show_bug.cgi?id=4496
Signed-off-by: Petr Písař <ppisar@redhat.com>
--HG--
branch : SDL-1.2
---
src/audio/SDL_wave.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
index 21ee4dc3c..66f804421 100644
index b6c49de..2968b3d 100644
--- a/src/audio/SDL_wave.c
+++ b/src/audio/SDL_wave.c
@@ -331,7 +331,7 @@ static void Fill_IMA_ADPCM_block(Uint8 *decoded, Uint8 *encoded,
@@ -334,7 +334,7 @@ static void Fill_IMA_ADPCM_block(Uint8 *decoded, Uint8 *encoded,
static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
{
struct IMA_ADPCM_decodestate *state;
@ -33,7 +31,7 @@ index 21ee4dc3c..66f804421 100644
Sint32 encoded_len, samplesleft;
unsigned int c, channels;
@@ -347,6 +347,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
@@ -350,6 +350,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
/* Allocate the proper sized output buffer */
encoded_len = *audio_len;
encoded = *audio_buf;
@ -41,7 +39,7 @@ index 21ee4dc3c..66f804421 100644
freeable = *audio_buf;
*audio_len = (encoded_len/IMA_ADPCM_state.wavefmt.blockalign) *
IMA_ADPCM_state.wSamplesPerBlock*
@@ -362,6 +363,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
@@ -365,6 +366,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) {
/* Grab the initial information for this block */
for ( c=0; c<channels; ++c ) {
@ -49,7 +47,7 @@ index 21ee4dc3c..66f804421 100644
/* Fill the state information for this block */
state[c].sample = ((encoded[1]<<8)|encoded[0]);
encoded += 2;
@@ -384,6 +386,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
@@ -387,6 +389,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
samplesleft = (IMA_ADPCM_state.wSamplesPerBlock-1)*channels;
while ( samplesleft > 0 ) {
for ( c=0; c<channels; ++c ) {
@ -57,7 +55,7 @@ index 21ee4dc3c..66f804421 100644
Fill_IMA_ADPCM_block(decoded, encoded,
c, channels, &state[c]);
encoded += 4;
@@ -395,6 +398,10 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
@@ -398,6 +401,10 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
}
SDL_free(freeable);
return(0);
@ -69,5 +67,5 @@ index 21ee4dc3c..66f804421 100644
SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc,
--
2.21.0
2.20.1

32
SOURCES/0008-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch → SOURCES/SDL-1.2.15-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch
View File

@ -1,13 +1,14 @@
From 730c8b917e7deecc3cdf9ac9eb20e2b7e6450356 Mon Sep 17 00:00:00 2001
From e1f80cadb079e35103e6eebf160a818815c823df Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Mon, 10 Jun 2019 09:25:05 -0700
Subject: [PATCH 08/11] CVE-2019-7575: Fix a buffer overwrite in
MS_ADPCM_decode If a WAV format defines shorter audio stream and decoded MS
ADPCM data chunk is longer, decoding continued past the output audio buffer.
Date: Thu, 14 Feb 2019 14:51:52 +0100
Subject: [PATCH] CVE-2019-7575: Fix a buffer overwrite in MS_ADPCM_decode
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If a WAV format defines shorter audio stream and decoded MS ADPCM data chunk
is longer, decoding continued past the output audio buffer.
This fix is based on a patch from
<https://bugzilla.libsdl.org/show_bug.cgi?id=4492>.
@ -15,18 +16,15 @@ https://bugzilla.libsdl.org/show_bug.cgi?id=4493
CVE-2019-7575
Signed-off-by: Petr Písař <ppisar@redhat.com>
--HG--
branch : SDL-1.2
---
src/audio/SDL_wave.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
index 88ac2cca6..5f9365147 100644
index e42d01c..b6c49de 100644
--- a/src/audio/SDL_wave.c
+++ b/src/audio/SDL_wave.c
@@ -122,7 +122,7 @@ static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state,
@@ -115,7 +115,7 @@ static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state,
static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
{
struct MS_ADPCM_decodestate *state[2];
@ -35,7 +33,7 @@ index 88ac2cca6..5f9365147 100644
Sint32 encoded_len, samplesleft;
Sint8 nybble, stereo;
Sint16 *coeff[2];
@@ -142,6 +142,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
@@ -135,6 +135,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
return(-1);
}
decoded = *audio_buf;
@ -43,7 +41,7 @@ index 88ac2cca6..5f9365147 100644
/* Get ready... Go! */
stereo = (MS_ADPCM_state.wavefmt.channels == 2);
@@ -149,7 +150,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
@@ -142,7 +143,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
state[1] = &MS_ADPCM_state.state[stereo];
while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) {
/* Grab the initial information for this block */
@ -52,7 +50,7 @@ index 88ac2cca6..5f9365147 100644
state[0]->hPredictor = *encoded++;
if ( stereo ) {
state[1]->hPredictor = *encoded++;
@@ -179,6 +180,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
@@ -169,6 +170,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
coeff[1] = MS_ADPCM_state.aCoeff[state[1]->hPredictor];
/* Store the two initial samples we start with */
@ -60,7 +58,7 @@ index 88ac2cca6..5f9365147 100644
decoded[0] = state[0]->iSamp2&0xFF;
decoded[1] = state[0]->iSamp2>>8;
decoded += 2;
@@ -200,7 +202,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
@@ -190,7 +192,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)*
MS_ADPCM_state.wavefmt.channels;
while ( samplesleft > 0 ) {
@ -70,7 +68,7 @@ index 88ac2cca6..5f9365147 100644
nybble = (*encoded)>>4;
new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]);
@@ -223,8 +226,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
@@ -213,8 +216,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
}
SDL_free(freeable);
return(0);
@ -80,7 +78,7 @@ index 88ac2cca6..5f9365147 100644
+ SDL_SetError("Unexpected chunk length for a MS ADPCM decoder");
SDL_free(freeable);
return(-1);
invalid_predictor:
}
--
2.21.0
2.20.1

19
SOURCES/0004-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch → SOURCES/SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch
View File

@ -1,13 +1,15 @@
From d5ec943db7d51fccd7230c9df0c7a2e46d611f50 Mon Sep 17 00:00:00 2001
From ac3d0d365b1f01a6782565feda0c7432a5795671 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Mon, 10 Jun 2019 08:54:11 -0700
Subject: [PATCH 04/11] CVE-2019-7577: Fix a buffer overread in MS_ADPCM_decode
If RIFF/WAV data chunk length is shorter then expected for an audio format
defined in preceeding RIFF/WAV format headers, a buffer overread can happen.
Date: Thu, 14 Feb 2019 14:12:22 +0100
Subject: [PATCH] CVE-2019-7577: Fix a buffer overread in MS_ADPCM_decode
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If RIFF/WAV data chunk length is shorter then expected for an audio
format defined in preceeding RIFF/WAV format headers, a buffer
overread can happen.
This patch fixes it by checking a MS ADPCM data to be decoded are not
past the initialized buffer.
@ -15,15 +17,12 @@ CVE-2019-7577
Reproducer: https://bugzilla.libsdl.org/show_bug.cgi?id=4492
Signed-off-by: Petr Písař <ppisar@redhat.com>
--HG--
branch : SDL-1.2
---
src/audio/SDL_wave.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
index 66f804421..6c6eb14eb 100644
index b4ad6c7..e42d01c 100644
--- a/src/audio/SDL_wave.c
+++ b/src/audio/SDL_wave.c
@@ -115,7 +115,7 @@ static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state,
@ -72,5 +71,5 @@ index 66f804421..6c6eb14eb 100644
struct IMA_ADPCM_decodestate {
--
2.21.0
2.20.1

29
SOURCES/0005-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch → SOURCES/SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch
View File

@ -1,15 +1,17 @@
From 06d20617d0d5bb89a6caf5f2201c93baf03c43c2 Mon Sep 17 00:00:00 2001
From 69cd6157644cb0a5c9edd7b5920232c2ca31c151 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Mon, 10 Jun 2019 08:54:29 -0700
Subject: [PATCH 05/11] CVE-2019-7577: Fix a buffer overread in MS_ADPCM_nibble
and MS_ADPCM_decode If a chunk of RIFF/WAV file with MS ADPCM encoding
contains an invalid predictor (a valid predictor's value is between 0 and 6
inclusive), a buffer overread can happen when the predictor is used as an
index into an array of MS ADPCM coefficients.
Date: Tue, 12 Mar 2019 16:21:41 +0100
Subject: [PATCH] CVE-2019-7577: Fix a buffer overread in MS_ADPCM_nibble and
MS_ADPCM_decode
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If a chunk of RIFF/WAV file with MS ADPCM encoding contains an invalid
predictor (a valid predictor's value is between 0 and 6 inclusive),
a buffer overread can happen when the predictor is used as an index
into an array of MS ADPCM coefficients.
The overead happens when indexing MS_ADPCM_state.aCoeff[] array in
MS_ADPCM_decode() and later when dereferencing a coef pointer in
MS_ADPCM_nibble().
@ -21,18 +23,15 @@ CVE-2019-7577
Reproducer: https://bugzilla.libsdl.org/show_bug.cgi?id=4492
Signed-off-by: Petr Písař <ppisar@redhat.com>
--HG--
branch : SDL-1.2
---
src/audio/SDL_wave.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
index 6c6eb14eb..3eedd20a1 100644
index 08f65cb..5f93651 100644
--- a/src/audio/SDL_wave.c
+++ b/src/audio/SDL_wave.c
@@ -147,6 +147,9 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
@@ -155,6 +155,9 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
if ( stereo ) {
state[1]->hPredictor = *encoded++;
}
@ -42,8 +41,8 @@ index 6c6eb14eb..3eedd20a1 100644
state[0]->iDelta = ((encoded[1]<<8)|encoded[0]);
encoded += sizeof(Sint16);
if ( stereo ) {
@@ -217,6 +220,10 @@ too_short:
SDL_SetError("Too short chunk for a MS ADPCM decoder");
@@ -227,6 +230,10 @@ invalid_size:
SDL_SetError("Unexpected chunk length for a MS ADPCM decoder");
SDL_free(freeable);
return(-1);
+invalid_predictor:
@ -54,5 +53,5 @@ index 6c6eb14eb..3eedd20a1 100644
struct IMA_ADPCM_decodestate {
--
2.21.0
2.20.1

24
SOURCES/0002-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch → SOURCES/SDL-1.2.15-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch
View File

@ -1,29 +1,27 @@
From 210e68f70a5a007b0664239aa557e6b9d1b3e830 Mon Sep 17 00:00:00 2001
From 0eb76f6cabcffa2104e34c26e0f41e6de95356ff Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Sat, 8 Jun 2019 18:02:09 -0700
Subject: [PATCH 02/11] CVE-2019-7578: Fix a buffer overread in InitIMA_ADPCM
If IMA ADPCM format chunk was too short, InitIMA_ADPCM() parsing it could
read past the end of chunk data. This patch fixes it.
Date: Fri, 15 Feb 2019 10:56:59 +0100
Subject: [PATCH] CVE-2019-7578: Fix a buffer overread in InitIMA_ADPCM
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If IMA ADPCM format chunk was too short, InitIMA_ADPCM() parsing it
could read past the end of chunk data. This patch fixes it.
CVE-2019-7578
https://bugzilla.libsdl.org/show_bug.cgi?id=4494
Signed-off-by: Petr Písař <ppisar@redhat.com>
--HG--
branch : SDL-1.2
---
src/audio/SDL_wave.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
index ba1fb5252..21ee4dc3c 100644
index 1d446ed..08f65cb 100644
--- a/src/audio/SDL_wave.c
+++ b/src/audio/SDL_wave.c
@@ -222,11 +222,12 @@ static struct IMA_ADPCM_decoder {
@@ -240,11 +240,12 @@ static struct IMA_ADPCM_decoder {
struct IMA_ADPCM_decodestate state[2];
} IMA_ADPCM_state;
@ -38,7 +36,7 @@ index ba1fb5252..21ee4dc3c 100644
IMA_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding);
IMA_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels);
IMA_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency);
@@ -235,11 +236,16 @@ static int InitIMA_ADPCM(WaveFMT *format)
@@ -253,11 +254,16 @@ static int InitIMA_ADPCM(WaveFMT *format)
IMA_ADPCM_state.wavefmt.bitspersample =
SDL_SwapLE16(format->bitspersample);
rogue_feel = (Uint8 *)format+sizeof(*format);
@ -55,7 +53,7 @@ index ba1fb5252..21ee4dc3c 100644
}
static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble)
@@ -471,7 +477,7 @@ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc,
@@ -500,7 +506,7 @@ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc,
break;
case IMA_ADPCM_CODE:
/* Try to understand this */
@ -65,5 +63,5 @@ index ba1fb5252..21ee4dc3c 100644
goto done;
}
--
2.21.0
2.20.1

35
SOURCES/0009-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch → SOURCES/SDL-1.2.15-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch
View File

@ -1,19 +1,21 @@
From 974b6b063b652317f1a2df12834c829415529bc5 Mon Sep 17 00:00:00 2001
From beef32b0e510371f3c968d22a1e3d48abbf366c6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Tue, 11 Jun 2019 06:28:12 -0700
Subject: [PATCH 09/11] CVE-2019-7635: Reject BMP images with pixel colors out
the palette If a 1-, 4-, or 8-bit per pixel BMP image declares less used
colors than the palette offers an SDL_Surface with a palette of the indicated
number of used colors is created. If some of the image's pixel refer to a
color number higher then the maximal used colors, a subsequent bliting
operation on the surface will look up a color past a blit map (that is based
on the palette) memory. I.e. passing such SDL_Surface to e.g. an
SDL_DisplayFormat() function will result in a buffer overread in a blit
function.
Date: Tue, 19 Feb 2019 14:52:52 +0100
Subject: [PATCH] CVE-2019-7635: Reject BMP images with pixel colors out the
palette
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If a 1-, 4-, or 8-bit per pixel BMP image declares less used colors
than the palette offers an SDL_Surface with a palette of the indicated
number of used colors is created. If some of the image's pixel
refer to a color number higher then the maximal used colors, a subsequent
bliting operation on the surface will look up a color past a blit map
(that is based on the palette) memory. I.e. passing such SDL_Surface
to e.g. an SDL_DisplayFormat() function will result in a buffer overread in
a blit function.
This patch fixes it by validing each pixel's color to be less than the
maximal color number in the palette. A validation failure raises an
error from a SDL_LoadBMP_RW() function.
@ -22,18 +24,15 @@ CVE-2019-7635
https://bugzilla.libsdl.org/show_bug.cgi?id=4498
Signed-off-by: Petr Písař <ppisar@redhat.com>
--HG--
branch : SDL-1.2
---
src/video/SDL_bmp.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c
index d56cfd83a..8acae3bcb 100644
index 3accded..8eadc5f 100644
--- a/src/video/SDL_bmp.c
+++ b/src/video/SDL_bmp.c
@@ -296,6 +296,12 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc)
@@ -300,6 +300,12 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc)
}
*(bits+i) = (pixel>>shift);
pixel <<= ExpandBMP;
@ -46,7 +45,7 @@ index d56cfd83a..8acae3bcb 100644
} }
break;
@@ -306,6 +312,16 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc)
@@ -310,6 +316,16 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc)
was_error = SDL_TRUE;
goto done;
}
@ -64,5 +63,5 @@ index d56cfd83a..8acae3bcb 100644
/* Byte-swap the pixels if needed. Note that the 24bpp
case has already been taken care of above. */
--
2.21.0
2.20.1

23
SOURCES/0011-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch → SOURCES/SDL-1.2.15-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch
View File

@ -1,8 +1,7 @@
From 7cafd3e820489f17f86d0d897ad9719ef54599f1 Mon Sep 17 00:00:00 2001
From cc50d843089c8cf386c3e0f9cb2fae0b258a9b7b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Mon, 18 Feb 2019 13:53:16 +0100
Subject: [PATCH 11/11] CVE-2019-7637: Fix in integer overflow in
SDL_CalculatePitch
Subject: [PATCH] CVE-2019-7637: Fix in integer overflow in SDL_CalculatePitch
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -41,7 +40,7 @@ Signed-off-by: Petr Písař <ppisar@redhat.com>
8 files changed, 57 insertions(+), 7 deletions(-)
diff --git a/src/video/SDL_pixels.c b/src/video/SDL_pixels.c
index 1a7fd518f..44626b749 100644
index 1a7fd51..44626b7 100644
--- a/src/video/SDL_pixels.c
+++ b/src/video/SDL_pixels.c
@@ -286,26 +286,53 @@ void SDL_DitherColors(SDL_Color *colors, int bpp)
@ -106,7 +105,7 @@ index 1a7fd518f..44626b749 100644
/*
* Match an RGB value to a particular palette index
diff --git a/src/video/gapi/SDL_gapivideo.c b/src/video/gapi/SDL_gapivideo.c
index 86deadc75..8a0648536 100644
index 86deadc..8a06485 100644
--- a/src/video/gapi/SDL_gapivideo.c
+++ b/src/video/gapi/SDL_gapivideo.c
@@ -733,6 +733,9 @@ SDL_Surface *GAPI_SetVideoMode(_THIS, SDL_Surface *current,
@ -120,7 +119,7 @@ index 86deadc75..8a0648536 100644
/* Small fix for WinCE/Win32 - when activating window
SDL_VideoSurface is equal to zero, so activating code
diff --git a/src/video/nanox/SDL_nxvideo.c b/src/video/nanox/SDL_nxvideo.c
index b188e0958..cbdd09a08 100644
index b188e09..cbdd09a 100644
--- a/src/video/nanox/SDL_nxvideo.c
+++ b/src/video/nanox/SDL_nxvideo.c
@@ -378,6 +378,10 @@ SDL_Surface * NX_SetVideoMode (_THIS, SDL_Surface * current,
@ -135,7 +134,7 @@ index b188e0958..cbdd09a08 100644
}
diff --git a/src/video/ps2gs/SDL_gsvideo.c b/src/video/ps2gs/SDL_gsvideo.c
index e172c60dc..329086680 100644
index e172c60..3290866 100644
--- a/src/video/ps2gs/SDL_gsvideo.c
+++ b/src/video/ps2gs/SDL_gsvideo.c
@@ -479,6 +479,9 @@ static SDL_Surface *GS_SetVideoMode(_THIS, SDL_Surface *current,
@ -149,7 +148,7 @@ index e172c60dc..329086680 100644
/* Memory map the DMA area for block memory transfer */
if ( ! mapped_mem ) {
diff --git a/src/video/ps3/SDL_ps3video.c b/src/video/ps3/SDL_ps3video.c
index d5519e051..17848e33a 100644
index d5519e0..17848e3 100644
--- a/src/video/ps3/SDL_ps3video.c
+++ b/src/video/ps3/SDL_ps3video.c
@@ -339,6 +339,9 @@ static SDL_Surface *PS3_SetVideoMode(_THIS, SDL_Surface * current, int width, in
@ -163,7 +162,7 @@ index d5519e051..17848e33a 100644
/* Alloc aligned mem for current->pixels */
s_pixels = memalign(16, current->h * current->pitch);
diff --git a/src/video/windib/SDL_dibvideo.c b/src/video/windib/SDL_dibvideo.c
index 6187bfcf7..86ebb12a3 100644
index 6187bfc..86ebb12 100644
--- a/src/video/windib/SDL_dibvideo.c
+++ b/src/video/windib/SDL_dibvideo.c
@@ -675,6 +675,9 @@ SDL_Surface *DIB_SetVideoMode(_THIS, SDL_Surface *current,
@ -177,7 +176,7 @@ index 6187bfcf7..86ebb12a3 100644
/* Small fix for WinCE/Win32 - when activating window
SDL_VideoSurface is equal to zero, so activating code
diff --git a/src/video/windx5/SDL_dx5video.c b/src/video/windx5/SDL_dx5video.c
index f80ca97b0..39fc4fc37 100644
index f80ca97..39fc4fc 100644
--- a/src/video/windx5/SDL_dx5video.c
+++ b/src/video/windx5/SDL_dx5video.c
@@ -1127,6 +1127,9 @@ SDL_Surface *DX5_SetVideoMode(_THIS, SDL_Surface *current,
@ -191,7 +190,7 @@ index f80ca97b0..39fc4fc37 100644
#ifndef NO_CHANGEDISPLAYSETTINGS
/* Set fullscreen mode if appropriate.
diff --git a/src/video/x11/SDL_x11video.c b/src/video/x11/SDL_x11video.c
index 79e60f971..45d1f79be 100644
index 79e60f9..45d1f79 100644
--- a/src/video/x11/SDL_x11video.c
+++ b/src/video/x11/SDL_x11video.c
@@ -1220,6 +1220,10 @@ SDL_Surface *X11_SetVideoMode(_THIS, SDL_Surface *current,
@ -206,5 +205,5 @@ index 79e60f971..45d1f79be 100644
current = NULL;
goto done;
--
2.21.0
2.20.1

10
SOURCES/0010-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch → SOURCES/SDL-1.2.15-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch
View File

@ -1,8 +1,8 @@
From 73161afdf77e2cf90f47c9be0bc970dadedb5d7c Mon Sep 17 00:00:00 2001
From 28b1433b4bd7982524f2418420e8cc01786df5c4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Fri, 15 Feb 2019 16:52:27 +0100
Subject: [PATCH 10/11] CVE-2019-7638, CVE-2019-7636: Refuse loading BMP images
with too high number of colors
Subject: [PATCH] CVE-2019-7638, CVE-2019-7636: Refuse loading BMP images with
too high number of colors
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -37,7 +37,7 @@ Signed-off-by: Petr Písař <ppisar@redhat.com>
1 file changed, 4 insertions(+)
diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c
index 8acae3bcb..8eadc5f66 100644
index d56cfd8..3accded 100644
--- a/src/video/SDL_bmp.c
+++ b/src/video/SDL_bmp.c
@@ -233,6 +233,10 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc)
@ -52,5 +52,5 @@ index 8acae3bcb..8eadc5f66 100644
if ( biSize == 12 ) {
for ( i = 0; i < (int)biClrUsed; ++i ) {
--
2.21.0
2.20.1

0
SOURCES/0001-Fixed-bug-4108-Missing-break-statements-in-SDL_CDRes.patch → SOURCES/SDL-1.2.15-Fixed-bug-4108-Missing-break-statements-in-SDL_CDRes.patch
View File

42
SOURCES/SDL-1.2.15-Reject-2-3-5-6-7-bpp-BMP-images.patch Normal file
View File

@ -0,0 +1,42 @@
From 70c3d0e97755e1b208ceba2ae012877797f15627 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Thu, 21 Feb 2019 10:57:41 +0100
Subject: [PATCH] Reject 2, 3, 5, 6, 7-bpp BMP images
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BMP decoder assumes less than 8 bit depth images have 1 or 4 bits
per pixel. No other depths are correctly translated to an 8bpp
surface.
This patch rejects loading these images.
https://bugzilla.libsdl.org/show_bug.cgi?id=4498
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
src/video/SDL_bmp.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c
index 8eadc5f..758d4bb 100644
--- a/src/video/SDL_bmp.c
+++ b/src/video/SDL_bmp.c
@@ -163,6 +163,14 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc)
ExpandBMP = biBitCount;
biBitCount = 8;
break;
+ case 2:
+ case 3:
+ case 5:
+ case 6:
+ case 7:
+ SDL_SetError("%d-bpp BMP images are not supported", biBitCount);
+ was_error = SDL_TRUE;
+ goto done;
default:
ExpandBMP = 0;
break;
--
2.20.1

32
SOURCES/SDL-1.2.15-Use-system-glext.h.patch Normal file
View File

@ -0,0 +1,32 @@
From cf8a0c3d75005436d3ed3ea0ae258cdef5b10ebe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Mon, 14 Jan 2019 12:10:21 +0100
Subject: [PATCH] Use system glext.h
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
mesa-18.2.6 changed GL_GLEXT_VERSION and that conflicts with the bundled
glext.h definitions. Use system glext.h instead via GL/gl.h.
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
include/SDL_opengl.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/include/SDL_opengl.h b/include/SDL_opengl.h
index 3d791d6..3a77b11 100644
--- a/include/SDL_opengl.h
+++ b/include/SDL_opengl.h
@@ -33,6 +33,8 @@
#endif
#include <windows.h>
#endif
+/* mesa changes GL_GLEXT_VERSION, use system glext.h instead via GL/gl.h */
+#define NO_SDL_GLEXT
#ifndef NO_SDL_GLEXT
#define __glext_h_ /* Don't let gl.h include glext.h */
#endif
--
2.17.2

0
SOURCES/0001-fix-small-errors-detected-by-coverity.patch → SOURCES/SDL-1.2.15-fix-small-errors-detected-by-coverity.patch
View File

45
SOURCES/SDL-1.2.15-fix_copy_paste_mistakes_in_commit_9b0e5c555c0f.patch Normal file
View File

@ -0,0 +1,45 @@
changeset: 12980:32075e9e2135
branch: SDL-1.2
tag: tip
parent: 12977:37d0eba8fa17
user: Ozkan Sezer <sezeroz@gmail.com>
date: Fri Aug 02 00:35:05 2019 +0300
summary: fix copy+paste mistakes in commit 9b0e5c555c0f (CVE-2019-7637 fix):
diff -r 37d0eba8fa17 -r 32075e9e2135 src/video/gapi/SDL_gapivideo.c
--- a/src/video/gapi/SDL_gapivideo.c Wed Jul 31 23:50:10 2019 +0300
+++ b/src/video/gapi/SDL_gapivideo.c Fri Aug 02 00:35:05 2019 +0300
@@ -733,7 +733,7 @@
video->w = gapi->w = width;
video->h = gapi->h = height;
video->pitch = SDL_CalculatePitch(video);
- if (!current->pitch) {
+ if (!video->pitch) {
return(NULL);
}
diff -r 37d0eba8fa17 -r 32075e9e2135 src/video/windib/SDL_dibvideo.c
--- a/src/video/windib/SDL_dibvideo.c Wed Jul 31 23:50:10 2019 +0300
+++ b/src/video/windib/SDL_dibvideo.c Fri Aug 02 00:35:05 2019 +0300
@@ -675,7 +675,7 @@
video->w = width;
video->h = height;
video->pitch = SDL_CalculatePitch(video);
- if (!current->pitch) {
+ if (!video->pitch) {
return(NULL);
}
diff -r 37d0eba8fa17 -r 32075e9e2135 src/video/windx5/SDL_dx5video.c
--- a/src/video/windx5/SDL_dx5video.c Wed Jul 31 23:50:10 2019 +0300
+++ b/src/video/windx5/SDL_dx5video.c Fri Aug 02 00:35:05 2019 +0300
@@ -1127,7 +1127,7 @@
video->w = width;
video->h = height;
video->pitch = SDL_CalculatePitch(video);
- if (!current->pitch) {
+ if (!video->pitch) {
return(NULL);
}

BIN
SOURCES/SDL-1.2.15.tar.gz.sig Normal file
View File

Binary file not shown.

2
SOURCES/SDL_config.h
View File

@ -71,6 +71,8 @@
#include "SDL_config-mipsel.h"
#elif defined(__mips)
#include "SDL_config-mips.h"
#elif defined(__riscv) && defined(__riscv_xlen) && __riscv_xlen == 64
#include "SDL_config-riscv64.h"
#else
#error "The SDL-devel package is not usable with the architecture."
#endif

2
SOURCES/repackage.sh
View File

@ -35,6 +35,8 @@ repackaged_tgz="${repackaged_tar}.gz"
# pre checks
[ ! -f "${orig_tgz}" ] && { echo "ERROR: ${orig_tgz} does not exist"; exit 1; }
/usr/lib/rpm/redhat/gpgverify --keyring=slouken-pubkey.asc \
--signature="${orig_tgz}.sig" --data="${orig_tgz}" || exit 1;
[ -f "${repackaged_tgz}" ] && { echo "ERROR: ${repackaged_tgz} already exist"; exit 1; }
# repackage

198
SPECS/SDL.spec
View File

@ -10,9 +10,9 @@
Name: SDL
Version: 1.2.15
Release: 39%{?dist}
Release: 48%{?dist}
Summary: A cross-platform multimedia library
URL: http://www.libsdl.org/
URL: https://www.libsdl.org/
# The license of the file src/video/fbcon/riva_mmio.h is bad, but the contents
# of the file has been relicensed to MIT in 2008 by Nvidia for the
# xf86_video-nv driver, therefore it can be considered ok.
@ -20,11 +20,13 @@ URL: http://www.libsdl.org/
# it to zlib on 2016-02-21,
# <https://www.mccaughan.org.uk/software/qsort.c-1.14>, bug #1381888.
License: LGPLv2+
# Source: http://www.libsdl.org/release/%%{name}-%%{version}.tar.gz
# Source: %%{url}/release/%%{name}-%%{version}.tar.gz
# To create the repackaged archive use ./repackage.sh %%{version}
Source0: %{name}-%{version}_repackaged.tar.gz
Source1: SDL_config.h
Source2: repackage.sh
Source1: %{url}/release/%{name}-%{version}.tar.gz.sig
Source2: https://slouken.libsdl.org/slouken-pubkey.asc
Source3: SDL_config.h
Source4: repackage.sh
Patch0: SDL-1.2.12-multilib.patch
# Rejected by upstream as sdl1155, rh480065
Patch1: SDL-1.2.10-GrabNotViewable.patch
@ -42,24 +44,61 @@ Patch5: SDL-1.2.15-no-default-backing-store.patch
Patch6: SDL-1.2.15-SDL_EnableUNICODE_drops_keyboard_events.patch
# Fix vec_perm() usage on little-endian 64-bit PowerPC, bug #1392465
Patch7: SDL-1.2.15-vec_perm-ppc64le.patch
#fixed upstream
Patch8: 0001-Fixed-bug-4108-Missing-break-statements-in-SDL_CDRes.patch
#fixes for small errors
Patch9: 0001-fix-small-errors-detected-by-coverity.patch
# Use system glext.h to prevent from clashing on a GL_GLEXT_VERSION definition,
# rh1662778
Patch8: SDL-1.2.15-Use-system-glext.h.patch
# Fix CVE-2019-7577 (a buffer overread in MS_ADPCM_decode), bug #1676510,
# upstream bug #4492, in upstream after 1.2.15
Patch9: SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch
# Fix CVE-2019-7575 (a buffer overwrite in MS_ADPCM_decode), bug #1676744,
# upstream bug #4493, in upstream after 1.2.15
Patch10: SDL-1.2.15-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch
# Fix CVE-2019-7574 (a buffer overread in IMA_ADPCM_decode), bug #1676750,
# upstream bug #4496, in upstream after 1.2.15
Patch11: SDL-1.2.15-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch
# Fix CVE-2019-7572 (a buffer overread in IMA_ADPCM_nibble), bug #1676754,
# upstream bug #4495, in upstream after 1.2.15
Patch12: SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch
# Fix CVE-2019-7572 (a buffer overwrite in IMA_ADPCM_nibble), bug #1676754,
# upstream bug #4495, in upstream after 1.2.15
Patch13: SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch
# Fix CVE-2019-7573, CVE-2019-7576 (buffer overreads in InitMS_ADPCM),
# bugs #1676752, #1676756, upstream bugs #4491, #4490,
# in upstream after 1.2.15
Patch14: SDL-1.2.15-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch
# Fix CVE-2019-7578, (a buffer overread in InitIMA_ADPCM), bug #1676782,
# upstream bug #4491, in upstream after 1.2.15
Patch15: SDL-1.2.15-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch
# Fix CVE-2019-7638, CVE-2019-7636 (buffer overflows when processing BMP
# images with too high number of colors), bugs #1677144, #1677157,
# upstream bugs #4500, #4499, in upstream after 1.2.15
Patch16: SDL-1.2.15-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch
# Fix CVE-2019-7637 (an integer overflow in SDL_CalculatePitch), bug #1677152,
# upstream bug #4497, in upstream after 1.2.15
Patch17: SDL-1.2.15-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch
# Fix CVE-2019-7635 (a buffer overread when blitting a BMP image with pixel
# colors out the palette), bug #1677159, upstream bug #4498,
# in upstream after 1.2.15
Patch18: SDL-1.2.15-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch
# Reject 2, 3, 5, 6, 7-bpp BMP images (related to CVE-2019-7635),
# bug #1677159, upstream bug #4498, in upstream after 1.2.15
Patch19: SDL-1.2.15-Reject-2-3-5-6-7-bpp-BMP-images.patch
# Fix CVE-2019-7577 (Fix a buffer overread in MS_ADPCM_nibble and
# MS_ADPCM_decode on an invalid predictor), bug #1676510, upstream bug #4492,
# in upstream after 1.2.15
Patch20: SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch
# Fix retrieving an error code after stopping and resuming a CD-ROM playback,
# upstream bug #4108, in upstream after 1.2.15
Patch21: SDL-1.2.15-Fixed-bug-4108-Missing-break-statements-in-SDL_CDRes.patch
# Fix SDL_Surface reference counter initialization and a possible crash when
# opening a mouse device when using a framebuffer video output, bug #1602687
Patch22: SDL-1.2.15-fix-small-errors-detected-by-coverity.patch
# Fix Windows drivers broken with a patch for CVE-2019-7637, bug #1677152,
# upstream bug #4497, in upstream after 1.2.15
Patch23: SDL-1.2.15-fix_copy_paste_mistakes_in_commit_9b0e5c555c0f.patch
# Fix CVE-2019-13616 (a heap buffer over-read in BlitNtoN), bug #1747237,
# upstream bug #4538, in upstream after 1.2.15
Patch10: SDL-1.2.15-CVE-2019-13616-validate_image_size_when_loading_BMP_files.patch
Patch11: 0001-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch
Patch12: 0002-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch
Patch13: 0003-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch
Patch14: 0004-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch
Patch15: 0005-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch
Patch16: 0006-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch
Patch17: 0007-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch
Patch18: 0008-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch
Patch19: 0009-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch
Patch20: 0010-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch
Patch21: 0011-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch
Patch24: SDL-1.2.15-CVE-2019-13616-validate_image_size_when_loading_BMP_files.patch
BuildRequires: alsa-lib-devel
%if %{with arts}
@ -148,7 +187,9 @@ applications.
%patch19 -p1
%patch20 -p1
%patch21 -p1
%patch22 -p1
%patch23 -p1
%patch24 -p1
for F in CREDITS; do
iconv -f iso8859-1 -t utf-8 < "$F" > "${F}.utf"
touch --reference "$F" "${F}.utf"
@ -158,14 +199,13 @@ done
# Compilation without ESD
sed -i -e 's/.*AM_PATH_ESD.*//' configure.in
%endif
# Update config.sub to support aarch64, bug #926510
cp -p /usr/share/automake-*/config.{sub,guess} build-scripts
%build
aclocal
libtoolize
autoconf
%configure \
--enable-video-opengl \
--disable-video-svga \
--disable-video-ggi \
--disable-video-aalib \
@ -189,32 +229,28 @@ autoconf
--enable-alsa \
--disable-video-ps3 \
--disable-rpath
make %{?_smp_mflags}
%{make_build}
%install
make install DESTDIR=%{buildroot}
%{make_install}
# Rename SDL_config.h to SDL_config-<arch>.h to avoid file conflicts on
# multilib systems and install SDL_config.h wrapper
mv %{buildroot}/%{_includedir}/SDL/SDL_config.h %{buildroot}/%{_includedir}/SDL/SDL_config-%{_arch}.h
install -m644 %{SOURCE1} %{buildroot}/%{_includedir}/SDL/SDL_config.h
install -m644 %{SOURCE3} %{buildroot}/%{_includedir}/SDL/SDL_config.h
# remove libtool .la file
rm -f %{buildroot}%{_libdir}/*.la
%post -p /sbin/ldconfig
%postun -p /sbin/ldconfig
%files
%license COPYING
%doc BUGS CREDITS README-SDL.txt
%{_libdir}/lib*.so.*
%{_libdir}/libSDL-1.2.so.*
%files devel
%doc README docs.html docs/html docs/index.html TODO WhatsNew
%{_bindir}/*-config
%{_libdir}/lib*.so
%{_libdir}/libSDL.so
%{_libdir}/pkgconfig/sdl.pc
%{_includedir}/SDL
%{_datadir}/aclocal/*
@ -225,42 +261,82 @@ rm -f %{buildroot}%{_libdir}/*.la
%{_libdir}/lib*.a
%changelog
* Tue Dec 15 2020 Wim Taymans <wtaymans@redhat.com> - 1.2.15-39
- copy config.{sub,guess} from /usr/share/automake
- Resolves: rhbz#1907503
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 1.2.15-48
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Mon Mar 23 2020 Wim Taymans <wtaymans@redhat.com> - 1.2.15-38
- fix CVEs
- Resolves: rhbz#1716209, rhbz#1716210, rhbz#1716211, rhbz#1716212,
rhbz#1716213, rhbz#1716214, rhbz#1716215, rhbz#1716216,
rhbz#1716217, rhbz#1716218, rhbz#1716219
* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 1.2.15-47
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Thu Nov 21 2019 Wim Taymans <wtaymans@redhat.com> - 1.2.15-37
- Rebuild
- Resolves: rhbz#1756279
* Mon Jan 25 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.15-46
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Fri Aug 30 2019 Petr Pisar <ppisar@redhat.com> - 1.2.15-36
* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.15-45
- Second attempt - Rebuilt for
https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.15-44
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.15-43
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Fri Aug 30 2019 Petr Pisar <ppisar@redhat.com> - 1.2.15-42
- Fix CVE-2019-13616 (a heap buffer over-read in BlitNtoN) (bug #1747237)
- Resolves: rhbz#1756279
* Mon May 27 2019 Wim Taymans <wtaymans@redhat.com> - 1.2.15-35
- Rebuild after gating
- Resolves: rhbz#1602687
* Fri Aug 02 2019 Petr Pisar <ppisar@redhat.com> - 1.2.15-41
- Fix Windows drivers broken with a patch for CVE-2019-7637 (bug #1677152)
- Update URL to use secured HTTP protocol
* Tue Apr 30 2019 Wim Taymans <wtaymans@redhat.com> - 1.2.15-34
- Rebuild
- Resolves: rhbz#1602687
* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.15-40
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Mon Apr 29 2019 Wim Taymans <wtaymans@redhat.com> - 1.2.15-33
- Small fixes for problems found by coverity
- Resolves: rhbz#1602687
* Mon Jun 03 2019 Petr Pisar <ppisar@redhat.com> - 1.2.15-39
- Fix retrieving an error code after stopping and resuming a CD-ROM playback
(upstream bug #4108)
- Fix SDL_Surface reference counter initialization and a possible crash when
opening a mouse device when using a framebuffer video output (bug #1602687)
* Thu Aug 16 2018 Wim Taymans <wtaymans@redhat.com> - 1.2.15-32
- Fix wrong fall throughs in cdrom
- Resolves: rhbz#1602687
* Tue Mar 12 2019 Petr Pisar <ppisar@redhat.com> - 1.2.15-38
- Fix CVE-2019-7577 completely (a buffer overread in MS_ADPCM_nibble and
MS_ADPCM_decode on an invalid predictor) (bug #1676510)
* Tue Jul 17 2018 Wim Taymans <wtaymans@redhat.com> - 1.2.15-31
- Remove obsolete audiofile-devel BR
* Fri Feb 15 2019 Petr Pisar <ppisar@redhat.com> - 1.2.15-37
- Fix CVE-2019-7577 (a buffer overread in MS_ADPCM_decode) (bug #1676510)
- Fix CVE-2019-7575 (a buffer overwrite in MS_ADPCM_decode) (bug #1676744)
- Fix CVE-2019-7574 (a buffer overread in IMA_ADPCM_decode) (bug #1676750)
- Fix CVE-2019-7572 (a buffer overread in IMA_ADPCM_nibble) (bug #1676754)
- Fix CVE-2019-7572 (a buffer overwrite in IMA_ADPCM_nibble) (bug #1676754)
- Fix CVE-2019-7573, CVE-2019-7576 (buffer overreads in InitMS_ADPCM)
(bugs #1676752, #1676756)
- Fix CVE-2019-7578 (a buffer overread in InitIMA_ADPCM) (bug #1676782)
- Fix CVE-2019-7638, CVE-2019-7636 (buffer overflows when processing BMP
images with too high number of colors) (bugs #1677144, #1677157)
- Fix CVE-2019-7637 (an integer overflow in SDL_CalculatePitch) (bug #1677152)
- Fix CVE-2019-7635 (a buffer overread when blitting a BMP image with pixel
colors out the palette) (bug #1677159)
- Reject 2, 3, 5, 6, 7-bpp BMP images (bug #1677159)
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.15-36
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Mon Jan 14 2019 Petr Pisar <ppisar@redhat.com> - 1.2.15-35
- Remove manual updating of config.{guess,sub} - this has been part of
%%configure since 2013
- Use system glext.h to prevent from clashing on a GL_GLEXT_VERSION definition
(bug #1662778)
* Tue Aug 28 2018 Petr Pisar <ppisar@redhat.com> - 1.2.15-34
- Remove useless build-time dependency on audiofile-devel
* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.15-33
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Tue Mar 27 2018 David Abdurachmanov <david.abdurachmanov@gmail.com> - 1.2.15-32
- Add riscv64 to SDL_config.h
* Thu Mar 22 2018 Petr Pisar <ppisar@redhat.com> - 1.2.15-31
- Remove post scriptlets with ldconfig
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.15-30
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild