Fully fix last overflow

Signed-off-by: Igor Gnatenko <ignatenkobrain@fedoraproject.org>
This commit is contained in:
Igor Gnatenko 2017-10-19 09:53:32 +02:00
parent 665065a766
commit b2e91f39dc
2 changed files with 55 additions and 1 deletions

View File

@ -0,0 +1,49 @@
# HG changeset patch
# User Sam Lantinga <slouken@libsdl.org>
# Date 1508191062 25200
# Mon Oct 16 14:57:42 2017 -0700
# Node ID 81a4950907a01359f2f9390875291eb3951e6c6b
# Parent 97bc026b46ded1ef28709d246130e66e81f1b513
Fixed bug 3890 - Incomplete fix for CVE-2017-2888
Felix Geyer
http://hg.libsdl.org/SDL/rev/7e0f1498ddb5 tries to fix CVE-2017-2888.
Unfortunately compilers may optimize the second condition "(size / surface->pitch) != surface->h" away.
See https://bugzilla.redhat.com/show_bug.cgi?id=1500623#c2
I've verified that this is also the case on Debian unstable (gcc 7.2).
diff -r 97bc026b46de -r 81a4950907a0 src/video/SDL_surface.c
--- a/src/video/SDL_surface.c Mon Oct 16 14:39:56 2017 -0700
+++ b/src/video/SDL_surface.c Mon Oct 16 14:57:42 2017 -0700
@@ -37,6 +37,10 @@
const void *src, int src_pitch,
Uint32 dst_format, void *dst);
+/* Check to make sure we can safely check multiplication of surface w and pitch and it won't overflow size_t */
+SDL_COMPILE_TIME_ASSERT(surface_size_assumptions,
+ sizeof(int) == sizeof(Sint32) && sizeof(size_t) >= sizeof(Sint32));
+
/* Public routines */
/*
@@ -91,15 +95,16 @@
/* Get the pixels */
if (surface->w && surface->h) {
- int size = (surface->h * surface->pitch);
- if (size < 0 || (size / surface->pitch) != surface->h) {
+ /* Assumptions checked in surface_size_assumptions assert above */
+ Sint64 size = ((Sint64)surface->h * surface->pitch);
+ if (size < 0 || size > SDL_MAX_SINT32) {
/* Overflow... */
SDL_FreeSurface(surface);
SDL_OutOfMemory();
return NULL;
}
- surface->pixels = SDL_malloc(size);
+ surface->pixels = SDL_malloc((size_t)size);
if (!surface->pixels) {
SDL_FreeSurface(surface);
SDL_OutOfMemory();

View File

@ -1,6 +1,6 @@
Name: SDL2
Version: 2.0.6
Release: 3%{?dist}
Release: 4%{?dist}
Summary: A cross-platform multimedia library
License: zlib and MIT
@ -15,6 +15,8 @@ Patch0: multilib.patch
Patch1: SDL2-2.0.6-invalid-dbus-args.patch
# https://hg.libsdl.org/SDL/rev/7e0f1498ddb5
Patch2: SDL2-2.0.6-CVE-2017-2888.patch
# https://hg.libsdl.org/SDL/rev/81a4950907a0
Patch3: SDL2-2.0.6-CVE-2017-2888-2.patch
BuildRequires: alsa-lib-devel
BuildRequires: audiofile-devel
@ -131,6 +133,9 @@ rm -vf %{buildroot}%{_libdir}/*.la
%{_libdir}/lib*.a
%changelog
* Thu Oct 19 2017 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 2.0.6-4
- Fully fix last overflow
* Wed Oct 11 2017 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 2.0.6-3
- Fix potential overflow in surface allocation