From 665065a766ef28fe60102223e7d68c863cb9fa22 Mon Sep 17 00:00:00 2001
From: Igor Gnatenko
Date: Wed, 11 Oct 2017 15:11:05 +0200
Subject: [PATCH] Fix potential overflow in surface allocation
Signed-off-by: Igor Gnatenko
---
 SDL2-2.0.6-CVE-2017-2888.patch | 28 ++++++++++++++++++++++++++++
 SDL2.spec | 7 ++++++-
 2 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 SDL2-2.0.6-CVE-2017-2888.patch
diff --git a/SDL2-2.0.6-CVE-2017-2888.patch b/SDL2-2.0.6-CVE-2017-2888.patch
new file mode 100644
index 0000000..daa564c
--- /dev/null
+++ b/SDL2-2.0.6-CVE-2017-2888.patch
@@ -0,0 +1,28 @@
+# HG changeset patch
+# User Sam Lantinga
+# Date 1507331870 25200
+# Fri Oct 06 16:17:50 2017 -0700
+# Node ID 7e0f1498ddb549a338a220534875529ef0ba55ce
+# Parent dc7245e3d1f2ae032caa7776940af4aebe6afc05
+Fixed potential overflow in surface allocation (thanks Yves!)
+
+diff -r dc7245e3d1f2 -r 7e0f1498ddb5 src/video/SDL_surface.c
+--- a/src/video/SDL_surface.c Thu Oct 05 09:37:28 2017 -0700
++++ b/src/video/SDL_surface.c Fri Oct 06 16:17:50 2017 -0700
+@@ -80,7 +80,15 @@
+
+ /* Get the pixels */
+ if (surface->w && surface->h) {
+- surface->pixels = SDL_malloc(surface->h * surface->pitch);
++ int size = (surface->h * surface->pitch);
++ if (size < 0 || (size / surface->pitch) != surface->h) {
++ /* Overflow... */
++ SDL_FreeSurface(surface);
++ SDL_OutOfMemory();
++ return NULL;
++ }
++
++ surface->pixels = SDL_malloc(size);
+ if (!surface->pixels) {
+ SDL_FreeSurface(surface);
+ SDL_OutOfMemory();
diff --git a/SDL2.spec b/SDL2.spec
index 0f43570..8f72ae2 100644
--- a/SDL2.spec
+++ b/SDL2.spec
@@ -1,6 +1,6 @@
 Name: SDL2
 Version: 2.0.6
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: A cross-platform multimedia library
 License: zlib and MIT
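Review bot: The overflow test in the nested SDL_surface.c hunk runs after the multiplication it is meant to guard: `int size = (surface->h * surface->pitch);` is a signed `int` product, and signed overflow is undefined behaviour in C, so an optimising compiler may assume it cannot happen and drop the `size < 0 || (size / surface->pitch) != surface->h` test. Doing the product in a wider type keeps the check well-defined: `Sint64 size = (Sint64)surface->h * surface->pitch;`, then `if (size < 0 || size > SDL_MAX_SINT32) {` and `surface->pixels = SDL_malloc((size_t)size);`, provided `SDL_MAX_SINT32` is defined in this SDL tree. `surface->pitch` is computed outside the hunk, so it is worth confirming that it cannot itself overflow or end up zero before it is used as a divisor here. The enclosing function starts and ends outside the hunk.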
@@ -13,6 +13,8 @@ Patch0: multilib.patch
 # https://bugzilla.libsdl.org/show_bug.cgi?id=3854
 # https://hg.libsdl.org/SDL/rev/dc7245e3d1f2
 Patch1: SDL2-2.0.6-invalid-dbus-args.patch
+# https://hg.libsdl.org/SDL/rev/7e0f1498ddb5
+Patch2: SDL2-2.0.6-CVE-2017-2888.patch
 BuildRequires: alsa-lib-devel
 BuildRequires: audiofile-devel
@@ -129,6 +131,9 @@ rm -vf %{buildroot}%{_libdir}/*.la %{_libdir}/lib*.a
 %changelog
+* Wed Oct 11 2017 Igor Gnatenko - 2.0.6-3
+- Fix potential overflow in surface allocation
+
 * Thu Oct 05 2017 Igor Gnatenko - 2.0.6-2
 - Fix invalid dbus arguments
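Review bot: `Patch2:` is declared in the second SDL2.spec hunk, but no `%prep` change appears in this diff, so the fix is only applied at build time if `%prep` already uses `%autosetup` or `%autopatch`. `%prep` is outside the visible hunks, so confirm that, or add `%patch2 -p1` there. A declared-but-unapplied patch would ship a package whose changelog claims the fix while the built library still contains the unchecked allocation. The changelog entry would also be easier for auditors and scanners to match if it named the identifier already used in the patch filename, e.g. `- Fix potential overflow in surface allocation (CVE-2017-2888)`.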