pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/trunk]: pkgsrc/devel/SDL SDL: Backport fixes from upstream's hg for t...
details: https://anonhg.NetBSD.org/pkgsrc/rev/9f092b038160
branches: trunk
changeset: 336722:9f092b038160
user: nia <nia%pkgsrc.org@localhost>
date: Sun Jul 21 11:14:37 2019 +0000
description:
SDL: Backport fixes from upstream's hg for the following CVEs:
CVE-2019-7572 - buffer-overflow
CVE-2019-7573 - heap-overflow
CVE-2019-7574 - heap-overflow
CVE-2019-7575 - heap-overflow
CVE-2019-7576 - heap-overflow
CVE-2019-7577 - buffer-overflow
CVE-2019-7578 - heap-overflow
CVE-2019-7635 - heap-overflow
CVE-2019-7636 - heap-overflow
CVE-2019-7637 - heap-overflow
CVE-2019-7638 - heap-overflow
Bump PKGREVISION.
diffstat:
devel/SDL/Makefile | 4 +-
devel/SDL/distinfo | 8 +-
devel/SDL/patches/patch-src_audio_SDL__wave.c | 279 +++++++++++++++++
devel/SDL/patches/patch-src_video_SDL__bmp.c | 69 ++++
devel/SDL/patches/patch-src_video_SDL__pixels.c | 68 ++++
devel/SDL/patches/patch-src_video_nanox_SDL__nxvideo.c | 18 +
devel/SDL/patches/patch-src_video_x11_SDL_x11video.c | 18 +-
7 files changed, 459 insertions(+), 5 deletions(-)
diffs (truncated from 523 to 300 lines):
diff -r 78966457e03c -r 9f092b038160 devel/SDL/Makefile
--- a/devel/SDL/Makefile Sun Jul 21 10:34:51 2019 +0000
+++ b/devel/SDL/Makefile Sun Jul 21 11:14:37 2019 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.132 2019/07/17 21:45:23 wiz Exp $
+# $NetBSD: Makefile,v 1.133 2019/07/21 11:14:37 nia Exp $
DISTNAME= SDL-1.2.15
-PKGREVISION= 26
+PKGREVISION= 27
CATEGORIES= devel games
MASTER_SITES= http://www.libsdl.org/release/
diff -r 78966457e03c -r 9f092b038160 devel/SDL/distinfo
--- a/devel/SDL/distinfo Sun Jul 21 10:34:51 2019 +0000
+++ b/devel/SDL/distinfo Sun Jul 21 11:14:37 2019 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.80 2017/12/25 00:18:39 ryoon Exp $
+$NetBSD: distinfo,v 1.81 2019/07/21 11:14:38 nia Exp $
SHA1 (SDL-1.2.15.tar.gz) = 0c5f193ced810b0d7ce3ab06d808cbb5eef03a2c
RMD160 (SDL-1.2.15.tar.gz) = d4802a090cb4a24eeb0c8ce5690802f596d394c3
@@ -6,13 +6,17 @@
Size (SDL-1.2.15.tar.gz) = 3920622 bytes
SHA1 (patch-aa) = 00fb7a85caf8fc9f08298d0a07a4587757fdffb0
SHA1 (patch-ac) = 8b2dddff9ad449b19b35ef364e2d960e46284563
+SHA1 (patch-src_audio_SDL__wave.c) = ff42d973c9c5a7643ffa5acb248e15e821d2145f
SHA1 (patch-src_audio_bsd_SDL__bsdaudio.c) = 7f5fbf4d839e52fce028810dc807b404fcd51442
SHA1 (patch-src_audio_dma_SDL__dmaaudio.c) = cede64d04e8872b11851bfcacbc99059df973881
SHA1 (patch-src_audio_sun_SDL__sunaudio.c) = 4b492b40d39e6444037dfda55766e4a149cc6c30
SHA1 (patch-src_joystick_bsd_SDL__sysjoystick.c) = a20608d6a4cc8f2c8f5fb2d77a572f373178151b
+SHA1 (patch-src_video_SDL__bmp.c) = 87b14ee02315703479ce522299ffe8d9e83d7e06
+SHA1 (patch-src_video_SDL__pixels.c) = 4a6522ddfc370b2b7e216b79ea3b16a732ab9603
+SHA1 (patch-src_video_nanox_SDL__nxvideo.c) = 653ff4358d62f7093f646fba5ddae2921876144c
SHA1 (patch-src_video_quartz_SDL__QuartzVideo.h) = 19d952bade06dbd646e94f42139c38436969b1a8
SHA1 (patch-src_video_wscons_SDL__wsconsevents.c) = 1c874c46edb325907eda3bfa7580c788294f6d21
SHA1 (patch-src_video_wscons_SDL__wsconsevents__c.h) = 97206e2aca0b620005217d9d07ad1177516cac92
SHA1 (patch-src_video_wscons_SDL__wsconsvideo.c) = 741ac9570c4e6e554a191660011b7e3bbe30ce7c
SHA1 (patch-src_video_wscons_SDL__wsconsvideo.h) = efc75da910cfe370b7361a0b9d2b90837c6b9aa9
-SHA1 (patch-src_video_x11_SDL_x11video.c) = 624fbb7e701d6de6ec93096beea7c085125934aa
+SHA1 (patch-src_video_x11_SDL_x11video.c) = 249d2bcc6194be739e46a7ea2288da61d0c941e4
diff -r 78966457e03c -r 9f092b038160 devel/SDL/patches/patch-src_audio_SDL__wave.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/devel/SDL/patches/patch-src_audio_SDL__wave.c Sun Jul 21 11:14:37 2019 +0000
@@ -0,0 +1,279 @@
+$NetBSD: patch-src_audio_SDL__wave.c,v 1.1 2019/07/21 11:14:38 nia Exp $
+
+Various CVE fixes from upstream's hg:
+
+CVE-2019-7572: Fix a buffer overread in IMA_ADPCM_nibble
+12800:e52413f52586
+CVE-2019-7572: Fix a buffer overwrite in IMA_ADPCM_decode
+12818:a8afedbcaea0
+CVE-2019-7573, CVE-2019-7576: Fix buffer overreads in InitMS_ADPCM
+12819:fcbecae42795
+CVE-2019-7574: Fix a buffer overread in IMA_ADPCM_decode
+12815:a6e3d2f5183e
+CVE-2019-7575: Fix a buffer overwrite in MS_ADPCM_decode
+12821:a936f9bd3e38
+CVE-2019-7577: Fix a buffer overread in MS_ADPCM_nibble and MS_ADPCM_decode
+12817:faf9abbcfb5f
+CVE-2019-7577: Fix a buffer overread in MS_ADPCM_decode
+12816:416136310b88
+CVE-2019-7578: Fix a buffer overread in InitIMA_ADPCM
+12801:388987dff7bf
+
+--- src/audio/SDL_wave.c.orig 2012-01-19 06:30:06.000000000 +0000
++++ src/audio/SDL_wave.c
+@@ -44,12 +44,13 @@ static struct MS_ADPCM_decoder {
+ struct MS_ADPCM_decodestate state[2];
+ } MS_ADPCM_state;
+
+-static int InitMS_ADPCM(WaveFMT *format)
++static int InitMS_ADPCM(WaveFMT *format, int length)
+ {
+- Uint8 *rogue_feel;
++ Uint8 *rogue_feel, *rogue_feel_end;
+ int i;
+
+ /* Set the rogue pointer to the MS_ADPCM specific data */
++ if (length < sizeof(*format)) goto too_short;
+ MS_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding);
+ MS_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels);
+ MS_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency);
+@@ -58,9 +59,11 @@ static int InitMS_ADPCM(WaveFMT *format)
+ MS_ADPCM_state.wavefmt.bitspersample =
+ SDL_SwapLE16(format->bitspersample);
+ rogue_feel = (Uint8 *)format+sizeof(*format);
++ rogue_feel_end = (Uint8 *)format + length;
+ if ( sizeof(*format) == 16 ) {
+ rogue_feel += sizeof(Uint16);
+ }
++ if (rogue_feel + 4 > rogue_feel_end) goto too_short;
+ MS_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1]<<8)|rogue_feel[0]);
+ rogue_feel += sizeof(Uint16);
+ MS_ADPCM_state.wNumCoef = ((rogue_feel[1]<<8)|rogue_feel[0]);
+@@ -70,12 +73,16 @@ static int InitMS_ADPCM(WaveFMT *format)
+ return(-1);
+ }
+ for ( i=0; i<MS_ADPCM_state.wNumCoef; ++i ) {
++ if (rogue_feel + 4 > rogue_feel_end) goto too_short;
+ MS_ADPCM_state.aCoeff[i][0] = ((rogue_feel[1]<<8)|rogue_feel[0]);
+ rogue_feel += sizeof(Uint16);
+ MS_ADPCM_state.aCoeff[i][1] = ((rogue_feel[1]<<8)|rogue_feel[0]);
+ rogue_feel += sizeof(Uint16);
+ }
+ return(0);
++too_short:
++ SDL_SetError("Unexpected length of a chunk with a MS ADPCM format");
++ return(-1);
+ }
+
+ static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state,
+@@ -115,7 +122,7 @@ static Sint32 MS_ADPCM_nibble(struct MS_
+ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ {
+ struct MS_ADPCM_decodestate *state[2];
+- Uint8 *freeable, *encoded, *decoded;
++ Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end;
+ Sint32 encoded_len, samplesleft;
+ Sint8 nybble, stereo;
+ Sint16 *coeff[2];
+@@ -124,6 +131,7 @@ static int MS_ADPCM_decode(Uint8 **audio
+ /* Allocate the proper sized output buffer */
+ encoded_len = *audio_len;
+ encoded = *audio_buf;
++ encoded_end = encoded + encoded_len;
+ freeable = *audio_buf;
+ *audio_len = (encoded_len/MS_ADPCM_state.wavefmt.blockalign) *
+ MS_ADPCM_state.wSamplesPerBlock*
+@@ -134,6 +142,7 @@ static int MS_ADPCM_decode(Uint8 **audio
+ return(-1);
+ }
+ decoded = *audio_buf;
++ decoded_end = decoded + *audio_len;
+
+ /* Get ready... Go! */
+ stereo = (MS_ADPCM_state.wavefmt.channels == 2);
+@@ -141,10 +150,14 @@ static int MS_ADPCM_decode(Uint8 **audio
+ state[1] = &MS_ADPCM_state.state[stereo];
+ while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) {
+ /* Grab the initial information for this block */
++ if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto invalid_size;
+ state[0]->hPredictor = *encoded++;
+ if ( stereo ) {
+ state[1]->hPredictor = *encoded++;
+ }
++ if (state[0]->hPredictor >= 7 || state[1]->hPredictor >= 7) {
++ goto invalid_predictor;
++ }
+ state[0]->iDelta = ((encoded[1]<<8)|encoded[0]);
+ encoded += sizeof(Sint16);
+ if ( stereo ) {
+@@ -167,6 +180,7 @@ static int MS_ADPCM_decode(Uint8 **audio
+ coeff[1] = MS_ADPCM_state.aCoeff[state[1]->hPredictor];
+
+ /* Store the two initial samples we start with */
++ if (decoded + 4 + (stereo ? 4 : 0) > decoded_end) goto invalid_size;
+ decoded[0] = state[0]->iSamp2&0xFF;
+ decoded[1] = state[0]->iSamp2>>8;
+ decoded += 2;
+@@ -188,6 +202,9 @@ static int MS_ADPCM_decode(Uint8 **audio
+ samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)*
+ MS_ADPCM_state.wavefmt.channels;
+ while ( samplesleft > 0 ) {
++ if (encoded + 1 > encoded_end) goto invalid_size;
++ if (decoded + 4 > decoded_end) goto invalid_size;
++
+ nybble = (*encoded)>>4;
+ new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]);
+ decoded[0] = new_sample&0xFF;
+@@ -209,6 +226,14 @@ static int MS_ADPCM_decode(Uint8 **audio
+ }
+ SDL_free(freeable);
+ return(0);
++invalid_size:
++ SDL_SetError("Unexpected chunk length for a MS ADPCM decoder");
++ SDL_free(freeable);
++ return(-1);
++invalid_predictor:
++ SDL_SetError("Invalid predictor value for a MS ADPCM decoder");
++ SDL_free(freeable);
++ return(-1);
+ }
+
+ struct IMA_ADPCM_decodestate {
+@@ -222,11 +247,12 @@ static struct IMA_ADPCM_decoder {
+ struct IMA_ADPCM_decodestate state[2];
+ } IMA_ADPCM_state;
+
+-static int InitIMA_ADPCM(WaveFMT *format)
++static int InitIMA_ADPCM(WaveFMT *format, int length)
+ {
+- Uint8 *rogue_feel;
++ Uint8 *rogue_feel, *rogue_feel_end;
+
+ /* Set the rogue pointer to the IMA_ADPCM specific data */
++ if (length < sizeof(*format)) goto too_short;
+ IMA_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding);
+ IMA_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels);
+ IMA_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency);
+@@ -235,11 +261,16 @@ static int InitIMA_ADPCM(WaveFMT *format
+ IMA_ADPCM_state.wavefmt.bitspersample =
+ SDL_SwapLE16(format->bitspersample);
+ rogue_feel = (Uint8 *)format+sizeof(*format);
++ rogue_feel_end = (Uint8 *)format + length;
+ if ( sizeof(*format) == 16 ) {
+ rogue_feel += sizeof(Uint16);
+ }
++ if (rogue_feel + 2 > rogue_feel_end) goto too_short;
+ IMA_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1]<<8)|rogue_feel[0]);
+ return(0);
++too_short:
++ SDL_SetError("Unexpected length of a chunk with an IMA ADPCM format");
++ return(-1);
+ }
+
+ static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble)
+@@ -264,6 +295,14 @@ static Sint32 IMA_ADPCM_nibble(struct IM
+ };
+ Sint32 delta, step;
+
++ /* Clamp index value. The inital value can be invalid. */
++ if ( state->index > 88 ) {
++ state->index = 88;
++ } else
++ if ( state->index < 0 ) {
++ state->index = 0;
++ }
++
+ /* Compute difference and new sample value */
+ step = step_table[state->index];
+ delta = step >> 3;
+@@ -275,12 +314,6 @@ static Sint32 IMA_ADPCM_nibble(struct IM
+
+ /* Update index value */
+ state->index += index_table[nybble];
+- if ( state->index > 88 ) {
+- state->index = 88;
+- } else
+- if ( state->index < 0 ) {
+- state->index = 0;
+- }
+
+ /* Clamp output sample */
+ if ( state->sample > max_audioval ) {
+@@ -323,7 +356,7 @@ static void Fill_IMA_ADPCM_block(Uint8 *
+ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ {
+ struct IMA_ADPCM_decodestate *state;
+- Uint8 *freeable, *encoded, *decoded;
++ Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end;
+ Sint32 encoded_len, samplesleft;
+ unsigned int c, channels;
+
+@@ -339,6 +372,7 @@ static int IMA_ADPCM_decode(Uint8 **audi
+ /* Allocate the proper sized output buffer */
+ encoded_len = *audio_len;
+ encoded = *audio_buf;
++ encoded_end = encoded + encoded_len;
+ freeable = *audio_buf;
+ *audio_len = (encoded_len/IMA_ADPCM_state.wavefmt.blockalign) *
+ IMA_ADPCM_state.wSamplesPerBlock*
+@@ -349,11 +383,13 @@ static int IMA_ADPCM_decode(Uint8 **audi
+ return(-1);
+ }
+ decoded = *audio_buf;
++ decoded_end = decoded + *audio_len;
+
+ /* Get ready... Go! */
+ while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) {
+ /* Grab the initial information for this block */
+ for ( c=0; c<channels; ++c ) {
++ if (encoded + 4 > encoded_end) goto invalid_size;
+ /* Fill the state information for this block */
+ state[c].sample = ((encoded[1]<<8)|encoded[0]);
+ encoded += 2;
+@@ -367,6 +403,7 @@ static int IMA_ADPCM_decode(Uint8 **audi
+ }
+
+ /* Store the initial sample we start with */
++ if (decoded + 2 > decoded_end) goto invalid_size;
+ decoded[0] = (Uint8)(state[c].sample&0xFF);
+ decoded[1] = (Uint8)(state[c].sample>>8);
+ decoded += 2;
+@@ -376,6 +413,9 @@ static int IMA_ADPCM_decode(Uint8 **audi
+ samplesleft = (IMA_ADPCM_state.wSamplesPerBlock-1)*channels;
+ while ( samplesleft > 0 ) {
+ for ( c=0; c<channels; ++c ) {
++ if (encoded + 4 > encoded_end) goto invalid_size;
++ if (decoded + 4 * 4 * channels > decoded_end)
++ goto invalid_size;
+ Fill_IMA_ADPCM_block(decoded, encoded,
+ c, channels, &state[c]);
+ encoded += 4;
+@@ -387,6 +427,10 @@ static int IMA_ADPCM_decode(Uint8 **audi
+ }
+ SDL_free(freeable);
+ return(0);
++invalid_size:
Home |
Main Index |
Thread Index |
Old Index