pkgsrc-Changes archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
CVS commit: pkgsrc/devel/SDL
Module Name: pkgsrc
Committed By: nia
Date: Sun Jul 21 11:14:38 UTC 2019
Modified Files:
pkgsrc/devel/SDL: Makefile distinfo
pkgsrc/devel/SDL/patches: patch-src_video_x11_SDL_x11video.c
Added Files:
pkgsrc/devel/SDL/patches: patch-src_audio_SDL__wave.c
patch-src_video_SDL__bmp.c patch-src_video_SDL__pixels.c
patch-src_video_nanox_SDL__nxvideo.c
Log Message:
SDL: Backport fixes from upstream's hg for the following CVEs:
CVE-2019-7572 - buffer-overflow
CVE-2019-7573 - heap-overflow
CVE-2019-7574 - heap-overflow
CVE-2019-7575 - heap-overflow
CVE-2019-7576 - heap-overflow
CVE-2019-7577 - buffer-overflow
CVE-2019-7578 - heap-overflow
CVE-2019-7635 - heap-overflow
CVE-2019-7636 - heap-overflow
CVE-2019-7637 - heap-overflow
CVE-2019-7638 - heap-overflow
Bump PKGREVISION.
To generate a diff of this commit:
cvs rdiff -u -r1.132 -r1.133 pkgsrc/devel/SDL/Makefile
cvs rdiff -u -r1.80 -r1.81 pkgsrc/devel/SDL/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/devel/SDL/patches/patch-src_audio_SDL__wave.c \
pkgsrc/devel/SDL/patches/patch-src_video_SDL__bmp.c \
pkgsrc/devel/SDL/patches/patch-src_video_SDL__pixels.c \
pkgsrc/devel/SDL/patches/patch-src_video_nanox_SDL__nxvideo.c
cvs rdiff -u -r1.1 -r1.2 \
pkgsrc/devel/SDL/patches/patch-src_video_x11_SDL_x11video.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/devel/SDL/Makefile
diff -u pkgsrc/devel/SDL/Makefile:1.132 pkgsrc/devel/SDL/Makefile:1.133
--- pkgsrc/devel/SDL/Makefile:1.132 Wed Jul 17 21:45:23 2019
+++ pkgsrc/devel/SDL/Makefile Sun Jul 21 11:14:37 2019
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.132 2019/07/17 21:45:23 wiz Exp $
+# $NetBSD: Makefile,v 1.133 2019/07/21 11:14:37 nia Exp $
DISTNAME= SDL-1.2.15
-PKGREVISION= 26
+PKGREVISION= 27
CATEGORIES= devel games
MASTER_SITES= http://www.libsdl.org/release/
Index: pkgsrc/devel/SDL/distinfo
diff -u pkgsrc/devel/SDL/distinfo:1.80 pkgsrc/devel/SDL/distinfo:1.81
--- pkgsrc/devel/SDL/distinfo:1.80 Mon Dec 25 00:18:39 2017
+++ pkgsrc/devel/SDL/distinfo Sun Jul 21 11:14:38 2019
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.80 2017/12/25 00:18:39 ryoon Exp $
+$NetBSD: distinfo,v 1.81 2019/07/21 11:14:38 nia Exp $
SHA1 (SDL-1.2.15.tar.gz) = 0c5f193ced810b0d7ce3ab06d808cbb5eef03a2c
RMD160 (SDL-1.2.15.tar.gz) = d4802a090cb4a24eeb0c8ce5690802f596d394c3
@@ -6,13 +6,17 @@ SHA512 (SDL-1.2.15.tar.gz) = ac392d916e6
Size (SDL-1.2.15.tar.gz) = 3920622 bytes
SHA1 (patch-aa) = 00fb7a85caf8fc9f08298d0a07a4587757fdffb0
SHA1 (patch-ac) = 8b2dddff9ad449b19b35ef364e2d960e46284563
+SHA1 (patch-src_audio_SDL__wave.c) = ff42d973c9c5a7643ffa5acb248e15e821d2145f
SHA1 (patch-src_audio_bsd_SDL__bsdaudio.c) = 7f5fbf4d839e52fce028810dc807b404fcd51442
SHA1 (patch-src_audio_dma_SDL__dmaaudio.c) = cede64d04e8872b11851bfcacbc99059df973881
SHA1 (patch-src_audio_sun_SDL__sunaudio.c) = 4b492b40d39e6444037dfda55766e4a149cc6c30
SHA1 (patch-src_joystick_bsd_SDL__sysjoystick.c) = a20608d6a4cc8f2c8f5fb2d77a572f373178151b
+SHA1 (patch-src_video_SDL__bmp.c) = 87b14ee02315703479ce522299ffe8d9e83d7e06
+SHA1 (patch-src_video_SDL__pixels.c) = 4a6522ddfc370b2b7e216b79ea3b16a732ab9603
+SHA1 (patch-src_video_nanox_SDL__nxvideo.c) = 653ff4358d62f7093f646fba5ddae2921876144c
SHA1 (patch-src_video_quartz_SDL__QuartzVideo.h) = 19d952bade06dbd646e94f42139c38436969b1a8
SHA1 (patch-src_video_wscons_SDL__wsconsevents.c) = 1c874c46edb325907eda3bfa7580c788294f6d21
SHA1 (patch-src_video_wscons_SDL__wsconsevents__c.h) = 97206e2aca0b620005217d9d07ad1177516cac92
SHA1 (patch-src_video_wscons_SDL__wsconsvideo.c) = 741ac9570c4e6e554a191660011b7e3bbe30ce7c
SHA1 (patch-src_video_wscons_SDL__wsconsvideo.h) = efc75da910cfe370b7361a0b9d2b90837c6b9aa9
-SHA1 (patch-src_video_x11_SDL_x11video.c) = 624fbb7e701d6de6ec93096beea7c085125934aa
+SHA1 (patch-src_video_x11_SDL_x11video.c) = 249d2bcc6194be739e46a7ea2288da61d0c941e4
Index: pkgsrc/devel/SDL/patches/patch-src_video_x11_SDL_x11video.c
diff -u pkgsrc/devel/SDL/patches/patch-src_video_x11_SDL_x11video.c:1.1 pkgsrc/devel/SDL/patches/patch-src_video_x11_SDL_x11video.c:1.2
--- pkgsrc/devel/SDL/patches/patch-src_video_x11_SDL_x11video.c:1.1 Mon Feb 20 14:55:59 2012
+++ pkgsrc/devel/SDL/patches/patch-src_video_x11_SDL_x11video.c Sun Jul 21 11:14:38 2019
@@ -1,7 +1,12 @@
-$NetBSD: patch-src_video_x11_SDL_x11video.c,v 1.1 2012/02/20 14:55:59 jdc Exp $
+$NetBSD: patch-src_video_x11_SDL_x11video.c,v 1.2 2019/07/21 11:14:38 nia Exp $
+Hunk 1:
We need to call XChangeProperty(..., 32, ...) with an object aligned as long.
+Hunk 2:
+CVE-2019-7637: Fix in integer overflow in SDL_CalculatePitch
+From https://hg.libsdl.org/SDL/rev/9b0e5c555c0f
+
--- src/video/x11/SDL_x11video.c.orig 2012-02-14 22:26:01.000000000 +0000
+++ src/video/x11/SDL_x11video.c 2012-02-14 22:53:45.000000000 +0000
@@ -418,16 +418,21 @@
@@ -29,3 +34,14 @@ We need to call XChangeProperty(..., 32,
XChangeProperty(SDL_Display, WMwindow, WM_CLIENT_MACHINE, XA_STRING, 8,
PropModeReplace, (unsigned char *)hostname, SDL_strlen(hostname));
}
+@@ -1225,6 +1225,10 @@ SDL_Surface *X11_SetVideoMode(_THIS, SDL
+ current->w = width;
+ current->h = height;
+ current->pitch = SDL_CalculatePitch(current);
++ if (!current->pitch) {
++ current = NULL;
++ goto done;
++ }
+ if (X11_ResizeImage(this, current, flags) < 0) {
+ current = NULL;
+ goto done;
Added files:
Index: pkgsrc/devel/SDL/patches/patch-src_audio_SDL__wave.c
diff -u /dev/null pkgsrc/devel/SDL/patches/patch-src_audio_SDL__wave.c:1.1
--- /dev/null Sun Jul 21 11:14:38 2019
+++ pkgsrc/devel/SDL/patches/patch-src_audio_SDL__wave.c Sun Jul 21 11:14:38 2019
@@ -0,0 +1,279 @@
+$NetBSD: patch-src_audio_SDL__wave.c,v 1.1 2019/07/21 11:14:38 nia Exp $
+
+Various CVE fixes from upstream's hg:
+
+CVE-2019-7572: Fix a buffer overread in IMA_ADPCM_nibble
+12800:e52413f52586
+CVE-2019-7572: Fix a buffer overwrite in IMA_ADPCM_decode
+12818:a8afedbcaea0
+CVE-2019-7573, CVE-2019-7576: Fix buffer overreads in InitMS_ADPCM
+12819:fcbecae42795
+CVE-2019-7574: Fix a buffer overread in IMA_ADPCM_decode
+12815:a6e3d2f5183e
+CVE-2019-7575: Fix a buffer overwrite in MS_ADPCM_decode
+12821:a936f9bd3e38
+CVE-2019-7577: Fix a buffer overread in MS_ADPCM_nibble and MS_ADPCM_decode
+12817:faf9abbcfb5f
+CVE-2019-7577: Fix a buffer overread in MS_ADPCM_decode
+12816:416136310b88
+CVE-2019-7578: Fix a buffer overread in InitIMA_ADPCM
+12801:388987dff7bf
+
+--- src/audio/SDL_wave.c.orig 2012-01-19 06:30:06.000000000 +0000
++++ src/audio/SDL_wave.c
+@@ -44,12 +44,13 @@ static struct MS_ADPCM_decoder {
+ struct MS_ADPCM_decodestate state[2];
+ } MS_ADPCM_state;
+
+-static int InitMS_ADPCM(WaveFMT *format)
++static int InitMS_ADPCM(WaveFMT *format, int length)
+ {
+- Uint8 *rogue_feel;
++ Uint8 *rogue_feel, *rogue_feel_end;
+ int i;
+
+ /* Set the rogue pointer to the MS_ADPCM specific data */
++ if (length < sizeof(*format)) goto too_short;
+ MS_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding);
+ MS_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels);
+ MS_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency);
+@@ -58,9 +59,11 @@ static int InitMS_ADPCM(WaveFMT *format)
+ MS_ADPCM_state.wavefmt.bitspersample =
+ SDL_SwapLE16(format->bitspersample);
+ rogue_feel = (Uint8 *)format+sizeof(*format);
++ rogue_feel_end = (Uint8 *)format + length;
+ if ( sizeof(*format) == 16 ) {
+ rogue_feel += sizeof(Uint16);
+ }
++ if (rogue_feel + 4 > rogue_feel_end) goto too_short;
+ MS_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1]<<8)|rogue_feel[0]);
+ rogue_feel += sizeof(Uint16);
+ MS_ADPCM_state.wNumCoef = ((rogue_feel[1]<<8)|rogue_feel[0]);
+@@ -70,12 +73,16 @@ static int InitMS_ADPCM(WaveFMT *format)
+ return(-1);
+ }
+ for ( i=0; i<MS_ADPCM_state.wNumCoef; ++i ) {
++ if (rogue_feel + 4 > rogue_feel_end) goto too_short;
+ MS_ADPCM_state.aCoeff[i][0] = ((rogue_feel[1]<<8)|rogue_feel[0]);
+ rogue_feel += sizeof(Uint16);
+ MS_ADPCM_state.aCoeff[i][1] = ((rogue_feel[1]<<8)|rogue_feel[0]);
+ rogue_feel += sizeof(Uint16);
+ }
+ return(0);
++too_short:
++ SDL_SetError("Unexpected length of a chunk with a MS ADPCM format");
++ return(-1);
+ }
+
+ static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state,
+@@ -115,7 +122,7 @@ static Sint32 MS_ADPCM_nibble(struct MS_
+ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ {
+ struct MS_ADPCM_decodestate *state[2];
+- Uint8 *freeable, *encoded, *decoded;
++ Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end;
+ Sint32 encoded_len, samplesleft;
+ Sint8 nybble, stereo;
+ Sint16 *coeff[2];
+@@ -124,6 +131,7 @@ static int MS_ADPCM_decode(Uint8 **audio
+ /* Allocate the proper sized output buffer */
+ encoded_len = *audio_len;
+ encoded = *audio_buf;
++ encoded_end = encoded + encoded_len;
+ freeable = *audio_buf;
+ *audio_len = (encoded_len/MS_ADPCM_state.wavefmt.blockalign) *
+ MS_ADPCM_state.wSamplesPerBlock*
+@@ -134,6 +142,7 @@ static int MS_ADPCM_decode(Uint8 **audio
+ return(-1);
+ }
+ decoded = *audio_buf;
++ decoded_end = decoded + *audio_len;
+
+ /* Get ready... Go! */
+ stereo = (MS_ADPCM_state.wavefmt.channels == 2);
+@@ -141,10 +150,14 @@ static int MS_ADPCM_decode(Uint8 **audio
+ state[1] = &MS_ADPCM_state.state[stereo];
+ while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) {
+ /* Grab the initial information for this block */
++ if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto invalid_size;
+ state[0]->hPredictor = *encoded++;
+ if ( stereo ) {
+ state[1]->hPredictor = *encoded++;
+ }
++ if (state[0]->hPredictor >= 7 || state[1]->hPredictor >= 7) {
++ goto invalid_predictor;
++ }
+ state[0]->iDelta = ((encoded[1]<<8)|encoded[0]);
+ encoded += sizeof(Sint16);
+ if ( stereo ) {
+@@ -167,6 +180,7 @@ static int MS_ADPCM_decode(Uint8 **audio
+ coeff[1] = MS_ADPCM_state.aCoeff[state[1]->hPredictor];
+
+ /* Store the two initial samples we start with */
++ if (decoded + 4 + (stereo ? 4 : 0) > decoded_end) goto invalid_size;
+ decoded[0] = state[0]->iSamp2&0xFF;
+ decoded[1] = state[0]->iSamp2>>8;
+ decoded += 2;
+@@ -188,6 +202,9 @@ static int MS_ADPCM_decode(Uint8 **audio
+ samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)*
+ MS_ADPCM_state.wavefmt.channels;
+ while ( samplesleft > 0 ) {
++ if (encoded + 1 > encoded_end) goto invalid_size;
++ if (decoded + 4 > decoded_end) goto invalid_size;
++
+ nybble = (*encoded)>>4;
+ new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]);
+ decoded[0] = new_sample&0xFF;
+@@ -209,6 +226,14 @@ static int MS_ADPCM_decode(Uint8 **audio
+ }
+ SDL_free(freeable);
+ return(0);
++invalid_size:
++ SDL_SetError("Unexpected chunk length for a MS ADPCM decoder");
++ SDL_free(freeable);
++ return(-1);
++invalid_predictor:
++ SDL_SetError("Invalid predictor value for a MS ADPCM decoder");
++ SDL_free(freeable);
++ return(-1);
+ }
+
+ struct IMA_ADPCM_decodestate {
+@@ -222,11 +247,12 @@ static struct IMA_ADPCM_decoder {
+ struct IMA_ADPCM_decodestate state[2];
+ } IMA_ADPCM_state;
+
+-static int InitIMA_ADPCM(WaveFMT *format)
++static int InitIMA_ADPCM(WaveFMT *format, int length)
+ {
+- Uint8 *rogue_feel;
++ Uint8 *rogue_feel, *rogue_feel_end;
+
+ /* Set the rogue pointer to the IMA_ADPCM specific data */
++ if (length < sizeof(*format)) goto too_short;
+ IMA_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding);
+ IMA_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels);
+ IMA_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency);
+@@ -235,11 +261,16 @@ static int InitIMA_ADPCM(WaveFMT *format
+ IMA_ADPCM_state.wavefmt.bitspersample =
+ SDL_SwapLE16(format->bitspersample);
+ rogue_feel = (Uint8 *)format+sizeof(*format);
++ rogue_feel_end = (Uint8 *)format + length;
+ if ( sizeof(*format) == 16 ) {
+ rogue_feel += sizeof(Uint16);
+ }
++ if (rogue_feel + 2 > rogue_feel_end) goto too_short;
+ IMA_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1]<<8)|rogue_feel[0]);
+ return(0);
++too_short:
++ SDL_SetError("Unexpected length of a chunk with an IMA ADPCM format");
++ return(-1);
+ }
+
+ static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble)
+@@ -264,6 +295,14 @@ static Sint32 IMA_ADPCM_nibble(struct IM
+ };
+ Sint32 delta, step;
+
++ /* Clamp index value. The inital value can be invalid. */
++ if ( state->index > 88 ) {
++ state->index = 88;
++ } else
++ if ( state->index < 0 ) {
++ state->index = 0;
++ }
++
+ /* Compute difference and new sample value */
+ step = step_table[state->index];
+ delta = step >> 3;
+@@ -275,12 +314,6 @@ static Sint32 IMA_ADPCM_nibble(struct IM
+
+ /* Update index value */
+ state->index += index_table[nybble];
+- if ( state->index > 88 ) {
+- state->index = 88;
+- } else
+- if ( state->index < 0 ) {
+- state->index = 0;
+- }
+
+ /* Clamp output sample */
+ if ( state->sample > max_audioval ) {
+@@ -323,7 +356,7 @@ static void Fill_IMA_ADPCM_block(Uint8 *
+ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ {
+ struct IMA_ADPCM_decodestate *state;
+- Uint8 *freeable, *encoded, *decoded;
++ Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end;
+ Sint32 encoded_len, samplesleft;
+ unsigned int c, channels;
+
+@@ -339,6 +372,7 @@ static int IMA_ADPCM_decode(Uint8 **audi
+ /* Allocate the proper sized output buffer */
+ encoded_len = *audio_len;
+ encoded = *audio_buf;
++ encoded_end = encoded + encoded_len;
+ freeable = *audio_buf;
+ *audio_len = (encoded_len/IMA_ADPCM_state.wavefmt.blockalign) *
+ IMA_ADPCM_state.wSamplesPerBlock*
+@@ -349,11 +383,13 @@ static int IMA_ADPCM_decode(Uint8 **audi
+ return(-1);
+ }
+ decoded = *audio_buf;
++ decoded_end = decoded + *audio_len;
+
+ /* Get ready... Go! */
+ while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) {
+ /* Grab the initial information for this block */
+ for ( c=0; c<channels; ++c ) {
++ if (encoded + 4 > encoded_end) goto invalid_size;
+ /* Fill the state information for this block */
+ state[c].sample = ((encoded[1]<<8)|encoded[0]);
+ encoded += 2;
+@@ -367,6 +403,7 @@ static int IMA_ADPCM_decode(Uint8 **audi
+ }
+
+ /* Store the initial sample we start with */
++ if (decoded + 2 > decoded_end) goto invalid_size;
+ decoded[0] = (Uint8)(state[c].sample&0xFF);
+ decoded[1] = (Uint8)(state[c].sample>>8);
+ decoded += 2;
+@@ -376,6 +413,9 @@ static int IMA_ADPCM_decode(Uint8 **audi
+ samplesleft = (IMA_ADPCM_state.wSamplesPerBlock-1)*channels;
+ while ( samplesleft > 0 ) {
+ for ( c=0; c<channels; ++c ) {
++ if (encoded + 4 > encoded_end) goto invalid_size;
++ if (decoded + 4 * 4 * channels > decoded_end)
++ goto invalid_size;
+ Fill_IMA_ADPCM_block(decoded, encoded,
+ c, channels, &state[c]);
+ encoded += 4;
+@@ -387,6 +427,10 @@ static int IMA_ADPCM_decode(Uint8 **audi
+ }
+ SDL_free(freeable);
+ return(0);
++invalid_size:
++ SDL_SetError("Unexpected chunk length for an IMA ADPCM decoder");
++ SDL_free(freeable);
++ return(-1);
+ }
+
+ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc,
+@@ -461,7 +505,7 @@ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWop
+ break;
+ case MS_ADPCM_CODE:
+ /* Try to understand this */
+- if ( InitMS_ADPCM(format) < 0 ) {
++ if ( InitMS_ADPCM(format, lenread) < 0 ) {
+ was_error = 1;
+ goto done;
+ }
+@@ -469,7 +513,7 @@ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWop
+ break;
+ case IMA_ADPCM_CODE:
+ /* Try to understand this */
+- if ( InitIMA_ADPCM(format) < 0 ) {
++ if ( InitIMA_ADPCM(format, lenread) < 0 ) {
+ was_error = 1;
+ goto done;
+ }
Index: pkgsrc/devel/SDL/patches/patch-src_video_SDL__bmp.c
diff -u /dev/null pkgsrc/devel/SDL/patches/patch-src_video_SDL__bmp.c:1.1
--- /dev/null Sun Jul 21 11:14:38 2019
+++ pkgsrc/devel/SDL/patches/patch-src_video_SDL__bmp.c Sun Jul 21 11:14:38 2019
@@ -0,0 +1,69 @@
+$NetBSD: patch-src_video_SDL__bmp.c,v 1.1 2019/07/21 11:14:38 nia Exp $
+
+CVE-2019-7635: Reject BMP images with pixel colors out the palette
+From upstream hg 12831:f1f5878be5db
+
+CVE-2019-7636, CVE-2019-7638
+From upstream hg 12612:07c39cbbeacf
+
+Reject 2, 3, 5, 6, 7-bpp BMP images
+From upstreah hg 12646:4646533663ae
+
+--- src/video/SDL_bmp.c.orig 2012-01-19 06:30:06.000000000 +0000
++++ src/video/SDL_bmp.c
+@@ -163,6 +163,14 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops
+ ExpandBMP = biBitCount;
+ biBitCount = 8;
+ break;
++ case 2:
++ case 3:
++ case 5:
++ case 6:
++ case 7:
++ SDL_SetError("%d-bpp BMP images are not supported", biBitCount);
++ was_error = SDL_TRUE;
++ goto done;
+ default:
+ ExpandBMP = 0;
+ break;
+@@ -233,6 +241,10 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops
+ if ( palette ) {
+ if ( biClrUsed == 0 ) {
+ biClrUsed = 1 << biBitCount;
++ } else if (biClrUsed > (1 << biBitCount)) {
++ SDL_SetError("BMP file has an invalid number of colors");
++ was_error = SDL_TRUE;
++ goto done;
+ }
+ if ( biSize == 12 ) {
+ for ( i = 0; i < (int)biClrUsed; ++i ) {
+@@ -296,6 +308,12 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops
+ }
+ *(bits+i) = (pixel>>shift);
+ pixel <<= ExpandBMP;
++ if ( bits[i] >= biClrUsed ) {
++ SDL_SetError(
++ "A BMP image contains a pixel with a color out of the palette");
++ was_error = SDL_TRUE;
++ goto done;
++ }
+ } }
+ break;
+
+@@ -306,6 +324,16 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops
+ was_error = SDL_TRUE;
+ goto done;
+ }
++ if ( 8 == biBitCount && palette && biClrUsed < (1 << biBitCount ) ) {
++ for ( i=0; i<surface->w; ++i ) {
++ if ( bits[i] >= biClrUsed ) {
++ SDL_SetError(
++ "A BMP image contains a pixel with a color out of the palette");
++ was_error = SDL_TRUE;
++ goto done;
++ }
++ }
++ }
+ #if SDL_BYTEORDER == SDL_BIG_ENDIAN
+ /* Byte-swap the pixels if needed. Note that the 24bpp
+ case has already been taken care of above. */
Index: pkgsrc/devel/SDL/patches/patch-src_video_SDL__pixels.c
diff -u /dev/null pkgsrc/devel/SDL/patches/patch-src_video_SDL__pixels.c:1.1
--- /dev/null Sun Jul 21 11:14:38 2019
+++ pkgsrc/devel/SDL/patches/patch-src_video_SDL__pixels.c Sun Jul 21 11:14:38 2019
@@ -0,0 +1,68 @@
+$NetBSD: patch-src_video_SDL__pixels.c,v 1.1 2019/07/21 11:14:38 nia Exp $
+
+CVE-2019-7637: Fix in integer overflow in SDL_CalculatePitch
+From https://hg.libsdl.org/SDL/rev/9b0e5c555c0f
+
+--- src/video/SDL_pixels.c.orig 2012-01-19 06:30:06.000000000 +0000
++++ src/video/SDL_pixels.c
+@@ -286,26 +286,53 @@ void SDL_DitherColors(SDL_Color *colors,
+ }
+ }
+ /*
+- * Calculate the pad-aligned scanline width of a surface
++ * Calculate the pad-aligned scanline width of a surface. Return 0 in case of
++ * an error.
+ */
+ Uint16 SDL_CalculatePitch(SDL_Surface *surface)
+ {
+- Uint16 pitch;
++ unsigned int pitch = 0;
+
+ /* Surface should be 4-byte aligned for speed */
+- pitch = surface->w*surface->format->BytesPerPixel;
++ /* The code tries to prevent from an Uint16 overflow. */;
++ for (Uint8 byte = surface->format->BytesPerPixel; byte; byte--) {
++ pitch += (unsigned int)surface->w;
++ if (pitch < surface->w) {
++ SDL_SetError("A scanline is too wide");
++ return(0);
++ }
++ }
+ switch (surface->format->BitsPerPixel) {
+ case 1:
+- pitch = (pitch+7)/8;
++ if (pitch % 8) {
++ pitch = pitch / 8 + 1;
++ } else {
++ pitch = pitch / 8;
++ }
+ break;
+ case 4:
+- pitch = (pitch+1)/2;
++ if (pitch % 2) {
++ pitch = pitch / 2 + 1;
++ } else {
++ pitch = pitch / 2;
++ }
+ break;
+ default:
+ break;
+ }
+- pitch = (pitch + 3) & ~3; /* 4-byte aligning */
+- return(pitch);
++ /* 4-byte aligning */
++ if (pitch & 3) {
++ if (pitch + 3 < pitch) {
++ SDL_SetError("A scanline is too wide");
++ return(0);
++ }
++ pitch = (pitch + 3) & ~3;
++ }
++ if (pitch > 0xFFFF) {
++ SDL_SetError("A scanline is too wide");
++ return(0);
++ }
++ return((Uint16)pitch);
+ }
+ /*
+ * Match an RGB value to a particular palette index
Index: pkgsrc/devel/SDL/patches/patch-src_video_nanox_SDL__nxvideo.c
diff -u /dev/null pkgsrc/devel/SDL/patches/patch-src_video_nanox_SDL__nxvideo.c:1.1
--- /dev/null Sun Jul 21 11:14:38 2019
+++ pkgsrc/devel/SDL/patches/patch-src_video_nanox_SDL__nxvideo.c Sun Jul 21 11:14:38 2019
@@ -0,0 +1,18 @@
+$NetBSD: patch-src_video_nanox_SDL__nxvideo.c,v 1.1 2019/07/21 11:14:38 nia Exp $
+
+CVE-2019-7637: Fix in integer overflow in SDL_CalculatePitch
+From https://hg.libsdl.org/SDL/rev/9b0e5c555c0f
+
+--- src/video/nanox/SDL_nxvideo.c.orig 2012-01-19 06:30:06.000000000 +0000
++++ src/video/nanox/SDL_nxvideo.c
+@@ -378,6 +378,10 @@ SDL_Surface * NX_SetVideoMode (_THIS, SD
+ current -> w = width ;
+ current -> h = height ;
+ current -> pitch = SDL_CalculatePitch (current) ;
++ if (!current->pitch) {
++ current = NULL;
++ goto done;
++ }
+ NX_ResizeImage (this, current, flags) ;
+ }
+
Home |
Main Index |
Thread Index |
Old Index