pkgsrc-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[pkgsrc/trunk]: pkgsrc/devel/SDL SDL: Backport fixes from upstream's hg for t...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/9f092b038160
branches:  trunk
changeset: 336722:9f092b038160
user:      nia <nia%pkgsrc.org@localhost>
date:      Sun Jul 21 11:14:37 2019 +0000

description:
SDL: Backport fixes from upstream's hg for the following CVEs:

CVE-2019-7572 - buffer-overflow
CVE-2019-7573 - heap-overflow
CVE-2019-7574 - heap-overflow
CVE-2019-7575 - heap-overflow
CVE-2019-7576 - heap-overflow
CVE-2019-7577 - buffer-overflow
CVE-2019-7578 - heap-overflow
CVE-2019-7635 - heap-overflow
CVE-2019-7636 - heap-overflow
CVE-2019-7637 - heap-overflow
CVE-2019-7638 - heap-overflow

Bump PKGREVISION.

diffstat:

 devel/SDL/Makefile                                     |    4 +-
 devel/SDL/distinfo                                     |    8 +-
 devel/SDL/patches/patch-src_audio_SDL__wave.c          |  279 +++++++++++++++++
 devel/SDL/patches/patch-src_video_SDL__bmp.c           |   69 ++++
 devel/SDL/patches/patch-src_video_SDL__pixels.c        |   68 ++++
 devel/SDL/patches/patch-src_video_nanox_SDL__nxvideo.c |   18 +
 devel/SDL/patches/patch-src_video_x11_SDL_x11video.c   |   18 +-
 7 files changed, 459 insertions(+), 5 deletions(-)

diffs (truncated from 523 to 300 lines):

diff -r 78966457e03c -r 9f092b038160 devel/SDL/Makefile
--- a/devel/SDL/Makefile        Sun Jul 21 10:34:51 2019 +0000
+++ b/devel/SDL/Makefile        Sun Jul 21 11:14:37 2019 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.132 2019/07/17 21:45:23 wiz Exp $
+# $NetBSD: Makefile,v 1.133 2019/07/21 11:14:37 nia Exp $
 
 DISTNAME=      SDL-1.2.15
-PKGREVISION=   26
+PKGREVISION=   27
 CATEGORIES=    devel games
 MASTER_SITES=  http://www.libsdl.org/release/
 
diff -r 78966457e03c -r 9f092b038160 devel/SDL/distinfo
--- a/devel/SDL/distinfo        Sun Jul 21 10:34:51 2019 +0000
+++ b/devel/SDL/distinfo        Sun Jul 21 11:14:37 2019 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.80 2017/12/25 00:18:39 ryoon Exp $
+$NetBSD: distinfo,v 1.81 2019/07/21 11:14:38 nia Exp $
 
 SHA1 (SDL-1.2.15.tar.gz) = 0c5f193ced810b0d7ce3ab06d808cbb5eef03a2c
 RMD160 (SDL-1.2.15.tar.gz) = d4802a090cb4a24eeb0c8ce5690802f596d394c3
@@ -6,13 +6,17 @@
 Size (SDL-1.2.15.tar.gz) = 3920622 bytes
 SHA1 (patch-aa) = 00fb7a85caf8fc9f08298d0a07a4587757fdffb0
 SHA1 (patch-ac) = 8b2dddff9ad449b19b35ef364e2d960e46284563
+SHA1 (patch-src_audio_SDL__wave.c) = ff42d973c9c5a7643ffa5acb248e15e821d2145f
 SHA1 (patch-src_audio_bsd_SDL__bsdaudio.c) = 7f5fbf4d839e52fce028810dc807b404fcd51442
 SHA1 (patch-src_audio_dma_SDL__dmaaudio.c) = cede64d04e8872b11851bfcacbc99059df973881
 SHA1 (patch-src_audio_sun_SDL__sunaudio.c) = 4b492b40d39e6444037dfda55766e4a149cc6c30
 SHA1 (patch-src_joystick_bsd_SDL__sysjoystick.c) = a20608d6a4cc8f2c8f5fb2d77a572f373178151b
+SHA1 (patch-src_video_SDL__bmp.c) = 87b14ee02315703479ce522299ffe8d9e83d7e06
+SHA1 (patch-src_video_SDL__pixels.c) = 4a6522ddfc370b2b7e216b79ea3b16a732ab9603
+SHA1 (patch-src_video_nanox_SDL__nxvideo.c) = 653ff4358d62f7093f646fba5ddae2921876144c
 SHA1 (patch-src_video_quartz_SDL__QuartzVideo.h) = 19d952bade06dbd646e94f42139c38436969b1a8
 SHA1 (patch-src_video_wscons_SDL__wsconsevents.c) = 1c874c46edb325907eda3bfa7580c788294f6d21
 SHA1 (patch-src_video_wscons_SDL__wsconsevents__c.h) = 97206e2aca0b620005217d9d07ad1177516cac92
 SHA1 (patch-src_video_wscons_SDL__wsconsvideo.c) = 741ac9570c4e6e554a191660011b7e3bbe30ce7c
 SHA1 (patch-src_video_wscons_SDL__wsconsvideo.h) = efc75da910cfe370b7361a0b9d2b90837c6b9aa9
-SHA1 (patch-src_video_x11_SDL_x11video.c) = 624fbb7e701d6de6ec93096beea7c085125934aa
+SHA1 (patch-src_video_x11_SDL_x11video.c) = 249d2bcc6194be739e46a7ea2288da61d0c941e4
diff -r 78966457e03c -r 9f092b038160 devel/SDL/patches/patch-src_audio_SDL__wave.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/devel/SDL/patches/patch-src_audio_SDL__wave.c     Sun Jul 21 11:14:37 2019 +0000
@@ -0,0 +1,279 @@
+$NetBSD: patch-src_audio_SDL__wave.c,v 1.1 2019/07/21 11:14:38 nia Exp $
+
+Various CVE fixes from upstream's hg:
+
+CVE-2019-7572: Fix a buffer overread in IMA_ADPCM_nibble
+12800:e52413f52586
+CVE-2019-7572: Fix a buffer overwrite in IMA_ADPCM_decode
+12818:a8afedbcaea0
+CVE-2019-7573, CVE-2019-7576: Fix buffer overreads in InitMS_ADPCM
+12819:fcbecae42795
+CVE-2019-7574: Fix a buffer overread in IMA_ADPCM_decode
+12815:a6e3d2f5183e
+CVE-2019-7575: Fix a buffer overwrite in MS_ADPCM_decode
+12821:a936f9bd3e38
+CVE-2019-7577: Fix a buffer overread in MS_ADPCM_nibble and MS_ADPCM_decode
+12817:faf9abbcfb5f
+CVE-2019-7577: Fix a buffer overread in MS_ADPCM_decode
+12816:416136310b88
+CVE-2019-7578: Fix a buffer overread in InitIMA_ADPCM
+12801:388987dff7bf
+
+--- src/audio/SDL_wave.c.orig  2012-01-19 06:30:06.000000000 +0000
++++ src/audio/SDL_wave.c
+@@ -44,12 +44,13 @@ static struct MS_ADPCM_decoder {
+       struct MS_ADPCM_decodestate state[2];
+ } MS_ADPCM_state;
+ 
+-static int InitMS_ADPCM(WaveFMT *format)
++static int InitMS_ADPCM(WaveFMT *format, int length)
+ {
+-      Uint8 *rogue_feel;
++      Uint8 *rogue_feel, *rogue_feel_end;
+       int i;
+ 
+       /* Set the rogue pointer to the MS_ADPCM specific data */
++      if (length < sizeof(*format)) goto too_short;
+       MS_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding);
+       MS_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels);
+       MS_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency);
+@@ -58,9 +59,11 @@ static int InitMS_ADPCM(WaveFMT *format)
+       MS_ADPCM_state.wavefmt.bitspersample =
+                                        SDL_SwapLE16(format->bitspersample);
+       rogue_feel = (Uint8 *)format+sizeof(*format);
++      rogue_feel_end = (Uint8 *)format + length;
+       if ( sizeof(*format) == 16 ) {
+               rogue_feel += sizeof(Uint16);
+       }
++      if (rogue_feel + 4 > rogue_feel_end) goto too_short;
+       MS_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1]<<8)|rogue_feel[0]);
+       rogue_feel += sizeof(Uint16);
+       MS_ADPCM_state.wNumCoef = ((rogue_feel[1]<<8)|rogue_feel[0]);
+@@ -70,12 +73,16 @@ static int InitMS_ADPCM(WaveFMT *format)
+               return(-1);
+       }
+       for ( i=0; i<MS_ADPCM_state.wNumCoef; ++i ) {
++              if (rogue_feel + 4 > rogue_feel_end) goto too_short;
+               MS_ADPCM_state.aCoeff[i][0] = ((rogue_feel[1]<<8)|rogue_feel[0]);
+               rogue_feel += sizeof(Uint16);
+               MS_ADPCM_state.aCoeff[i][1] = ((rogue_feel[1]<<8)|rogue_feel[0]);
+               rogue_feel += sizeof(Uint16);
+       }
+       return(0);
++too_short:
++      SDL_SetError("Unexpected length of a chunk with a MS ADPCM format");
++      return(-1);
+ }
+ 
+ static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state,
+@@ -115,7 +122,7 @@ static Sint32 MS_ADPCM_nibble(struct MS_
+ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ {
+       struct MS_ADPCM_decodestate *state[2];
+-      Uint8 *freeable, *encoded, *decoded;
++      Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end;
+       Sint32 encoded_len, samplesleft;
+       Sint8 nybble, stereo;
+       Sint16 *coeff[2];
+@@ -124,6 +131,7 @@ static int MS_ADPCM_decode(Uint8 **audio
+       /* Allocate the proper sized output buffer */
+       encoded_len = *audio_len;
+       encoded = *audio_buf;
++      encoded_end = encoded + encoded_len;
+       freeable = *audio_buf;
+       *audio_len = (encoded_len/MS_ADPCM_state.wavefmt.blockalign) * 
+                               MS_ADPCM_state.wSamplesPerBlock*
+@@ -134,6 +142,7 @@ static int MS_ADPCM_decode(Uint8 **audio
+               return(-1);
+       }
+       decoded = *audio_buf;
++      decoded_end = decoded + *audio_len;
+ 
+       /* Get ready... Go! */
+       stereo = (MS_ADPCM_state.wavefmt.channels == 2);
+@@ -141,10 +150,14 @@ static int MS_ADPCM_decode(Uint8 **audio
+       state[1] = &MS_ADPCM_state.state[stereo];
+       while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) {
+               /* Grab the initial information for this block */
++              if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto invalid_size;
+               state[0]->hPredictor = *encoded++;
+               if ( stereo ) {
+                       state[1]->hPredictor = *encoded++;
+               }
++              if (state[0]->hPredictor >= 7 || state[1]->hPredictor >= 7) {
++                      goto invalid_predictor;
++              }
+               state[0]->iDelta = ((encoded[1]<<8)|encoded[0]);
+               encoded += sizeof(Sint16);
+               if ( stereo ) {
+@@ -167,6 +180,7 @@ static int MS_ADPCM_decode(Uint8 **audio
+               coeff[1] = MS_ADPCM_state.aCoeff[state[1]->hPredictor];
+ 
+               /* Store the two initial samples we start with */
++              if (decoded + 4 + (stereo ? 4 : 0) > decoded_end) goto invalid_size;
+               decoded[0] = state[0]->iSamp2&0xFF;
+               decoded[1] = state[0]->iSamp2>>8;
+               decoded += 2;
+@@ -188,6 +202,9 @@ static int MS_ADPCM_decode(Uint8 **audio
+               samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)*
+                                       MS_ADPCM_state.wavefmt.channels;
+               while ( samplesleft > 0 ) {
++                      if (encoded + 1 > encoded_end) goto invalid_size;
++                      if (decoded + 4 > decoded_end) goto invalid_size;
++
+                       nybble = (*encoded)>>4;
+                       new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]);
+                       decoded[0] = new_sample&0xFF;
+@@ -209,6 +226,14 @@ static int MS_ADPCM_decode(Uint8 **audio
+       }
+       SDL_free(freeable);
+       return(0);
++invalid_size:
++      SDL_SetError("Unexpected chunk length for a MS ADPCM decoder");
++      SDL_free(freeable);
++      return(-1);
++invalid_predictor:
++      SDL_SetError("Invalid predictor value for a MS ADPCM decoder");
++      SDL_free(freeable);
++      return(-1);
+ }
+ 
+ struct IMA_ADPCM_decodestate {
+@@ -222,11 +247,12 @@ static struct IMA_ADPCM_decoder {
+       struct IMA_ADPCM_decodestate state[2];
+ } IMA_ADPCM_state;
+ 
+-static int InitIMA_ADPCM(WaveFMT *format)
++static int InitIMA_ADPCM(WaveFMT *format, int length)
+ {
+-      Uint8 *rogue_feel;
++      Uint8 *rogue_feel, *rogue_feel_end;
+ 
+       /* Set the rogue pointer to the IMA_ADPCM specific data */
++      if (length < sizeof(*format)) goto too_short;
+       IMA_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding);
+       IMA_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels);
+       IMA_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency);
+@@ -235,11 +261,16 @@ static int InitIMA_ADPCM(WaveFMT *format
+       IMA_ADPCM_state.wavefmt.bitspersample =
+                                        SDL_SwapLE16(format->bitspersample);
+       rogue_feel = (Uint8 *)format+sizeof(*format);
++      rogue_feel_end = (Uint8 *)format + length;
+       if ( sizeof(*format) == 16 ) {
+               rogue_feel += sizeof(Uint16);
+       }
++      if (rogue_feel + 2 > rogue_feel_end) goto too_short;
+       IMA_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1]<<8)|rogue_feel[0]);
+       return(0);
++too_short:
++      SDL_SetError("Unexpected length of a chunk with an IMA ADPCM format");
++      return(-1);
+ }
+ 
+ static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble)
+@@ -264,6 +295,14 @@ static Sint32 IMA_ADPCM_nibble(struct IM
+       };
+       Sint32 delta, step;
+ 
++      /* Clamp index value. The inital value can be invalid. */
++      if ( state->index > 88 ) {
++              state->index = 88;
++      } else
++      if ( state->index < 0 ) {
++              state->index = 0;
++      }
++
+       /* Compute difference and new sample value */
+       step = step_table[state->index];
+       delta = step >> 3;
+@@ -275,12 +314,6 @@ static Sint32 IMA_ADPCM_nibble(struct IM
+ 
+       /* Update index value */
+       state->index += index_table[nybble];
+-      if ( state->index > 88 ) {
+-              state->index = 88;
+-      } else
+-      if ( state->index < 0 ) {
+-              state->index = 0;
+-      }
+ 
+       /* Clamp output sample */
+       if ( state->sample > max_audioval ) {
+@@ -323,7 +356,7 @@ static void Fill_IMA_ADPCM_block(Uint8 *
+ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ {
+       struct IMA_ADPCM_decodestate *state;
+-      Uint8 *freeable, *encoded, *decoded;
++      Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end;
+       Sint32 encoded_len, samplesleft;
+       unsigned int c, channels;
+ 
+@@ -339,6 +372,7 @@ static int IMA_ADPCM_decode(Uint8 **audi
+       /* Allocate the proper sized output buffer */
+       encoded_len = *audio_len;
+       encoded = *audio_buf;
++      encoded_end = encoded + encoded_len;
+       freeable = *audio_buf;
+       *audio_len = (encoded_len/IMA_ADPCM_state.wavefmt.blockalign) * 
+                               IMA_ADPCM_state.wSamplesPerBlock*
+@@ -349,11 +383,13 @@ static int IMA_ADPCM_decode(Uint8 **audi
+               return(-1);
+       }
+       decoded = *audio_buf;
++      decoded_end = decoded + *audio_len;
+ 
+       /* Get ready... Go! */
+       while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) {
+               /* Grab the initial information for this block */
+               for ( c=0; c<channels; ++c ) {
++                      if (encoded + 4 > encoded_end) goto invalid_size;
+                       /* Fill the state information for this block */
+                       state[c].sample = ((encoded[1]<<8)|encoded[0]);
+                       encoded += 2;
+@@ -367,6 +403,7 @@ static int IMA_ADPCM_decode(Uint8 **audi
+                       }
+ 
+                       /* Store the initial sample we start with */
++                      if (decoded + 2 > decoded_end) goto invalid_size;
+                       decoded[0] = (Uint8)(state[c].sample&0xFF);
+                       decoded[1] = (Uint8)(state[c].sample>>8);
+                       decoded += 2;
+@@ -376,6 +413,9 @@ static int IMA_ADPCM_decode(Uint8 **audi
+               samplesleft = (IMA_ADPCM_state.wSamplesPerBlock-1)*channels;
+               while ( samplesleft > 0 ) {
+                       for ( c=0; c<channels; ++c ) {
++                              if (encoded + 4 > encoded_end) goto invalid_size;
++                              if (decoded + 4 * 4 * channels > decoded_end)
++                                      goto invalid_size;
+                               Fill_IMA_ADPCM_block(decoded, encoded,
+                                               c, channels, &state[c]);
+                               encoded += 4;
+@@ -387,6 +427,10 @@ static int IMA_ADPCM_decode(Uint8 **audi
+       }
+       SDL_free(freeable);
+       return(0);
++invalid_size:



Home | Main Index | Thread Index | Old Index