pkgsrc-Changes archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

CVS commit: pkgsrc/devel/SDL



Module Name:    pkgsrc
Committed By:   nia
Date:           Sun Jul 21 11:14:38 UTC 2019

Modified Files:
        pkgsrc/devel/SDL: Makefile distinfo
        pkgsrc/devel/SDL/patches: patch-src_video_x11_SDL_x11video.c
Added Files:
        pkgsrc/devel/SDL/patches: patch-src_audio_SDL__wave.c
            patch-src_video_SDL__bmp.c patch-src_video_SDL__pixels.c
            patch-src_video_nanox_SDL__nxvideo.c

Log Message:
SDL: Backport fixes from upstream's hg for the following CVEs:

CVE-2019-7572 - buffer-overflow
CVE-2019-7573 - heap-overflow
CVE-2019-7574 - heap-overflow
CVE-2019-7575 - heap-overflow
CVE-2019-7576 - heap-overflow
CVE-2019-7577 - buffer-overflow
CVE-2019-7578 - heap-overflow
CVE-2019-7635 - heap-overflow
CVE-2019-7636 - heap-overflow
CVE-2019-7637 - heap-overflow
CVE-2019-7638 - heap-overflow

Bump PKGREVISION.


To generate a diff of this commit:
cvs rdiff -u -r1.132 -r1.133 pkgsrc/devel/SDL/Makefile
cvs rdiff -u -r1.80 -r1.81 pkgsrc/devel/SDL/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/devel/SDL/patches/patch-src_audio_SDL__wave.c \
    pkgsrc/devel/SDL/patches/patch-src_video_SDL__bmp.c \
    pkgsrc/devel/SDL/patches/patch-src_video_SDL__pixels.c \
    pkgsrc/devel/SDL/patches/patch-src_video_nanox_SDL__nxvideo.c
cvs rdiff -u -r1.1 -r1.2 \
    pkgsrc/devel/SDL/patches/patch-src_video_x11_SDL_x11video.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/devel/SDL/Makefile
diff -u pkgsrc/devel/SDL/Makefile:1.132 pkgsrc/devel/SDL/Makefile:1.133
--- pkgsrc/devel/SDL/Makefile:1.132     Wed Jul 17 21:45:23 2019
+++ pkgsrc/devel/SDL/Makefile   Sun Jul 21 11:14:37 2019
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.132 2019/07/17 21:45:23 wiz Exp $
+# $NetBSD: Makefile,v 1.133 2019/07/21 11:14:37 nia Exp $
 
 DISTNAME=      SDL-1.2.15
-PKGREVISION=   26
+PKGREVISION=   27
 CATEGORIES=    devel games
 MASTER_SITES=  http://www.libsdl.org/release/
 

Index: pkgsrc/devel/SDL/distinfo
diff -u pkgsrc/devel/SDL/distinfo:1.80 pkgsrc/devel/SDL/distinfo:1.81
--- pkgsrc/devel/SDL/distinfo:1.80      Mon Dec 25 00:18:39 2017
+++ pkgsrc/devel/SDL/distinfo   Sun Jul 21 11:14:38 2019
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.80 2017/12/25 00:18:39 ryoon Exp $
+$NetBSD: distinfo,v 1.81 2019/07/21 11:14:38 nia Exp $
 
 SHA1 (SDL-1.2.15.tar.gz) = 0c5f193ced810b0d7ce3ab06d808cbb5eef03a2c
 RMD160 (SDL-1.2.15.tar.gz) = d4802a090cb4a24eeb0c8ce5690802f596d394c3
@@ -6,13 +6,17 @@ SHA512 (SDL-1.2.15.tar.gz) = ac392d916e6
 Size (SDL-1.2.15.tar.gz) = 3920622 bytes
 SHA1 (patch-aa) = 00fb7a85caf8fc9f08298d0a07a4587757fdffb0
 SHA1 (patch-ac) = 8b2dddff9ad449b19b35ef364e2d960e46284563
+SHA1 (patch-src_audio_SDL__wave.c) = ff42d973c9c5a7643ffa5acb248e15e821d2145f
 SHA1 (patch-src_audio_bsd_SDL__bsdaudio.c) = 7f5fbf4d839e52fce028810dc807b404fcd51442
 SHA1 (patch-src_audio_dma_SDL__dmaaudio.c) = cede64d04e8872b11851bfcacbc99059df973881
 SHA1 (patch-src_audio_sun_SDL__sunaudio.c) = 4b492b40d39e6444037dfda55766e4a149cc6c30
 SHA1 (patch-src_joystick_bsd_SDL__sysjoystick.c) = a20608d6a4cc8f2c8f5fb2d77a572f373178151b
+SHA1 (patch-src_video_SDL__bmp.c) = 87b14ee02315703479ce522299ffe8d9e83d7e06
+SHA1 (patch-src_video_SDL__pixels.c) = 4a6522ddfc370b2b7e216b79ea3b16a732ab9603
+SHA1 (patch-src_video_nanox_SDL__nxvideo.c) = 653ff4358d62f7093f646fba5ddae2921876144c
 SHA1 (patch-src_video_quartz_SDL__QuartzVideo.h) = 19d952bade06dbd646e94f42139c38436969b1a8
 SHA1 (patch-src_video_wscons_SDL__wsconsevents.c) = 1c874c46edb325907eda3bfa7580c788294f6d21
 SHA1 (patch-src_video_wscons_SDL__wsconsevents__c.h) = 97206e2aca0b620005217d9d07ad1177516cac92
 SHA1 (patch-src_video_wscons_SDL__wsconsvideo.c) = 741ac9570c4e6e554a191660011b7e3bbe30ce7c
 SHA1 (patch-src_video_wscons_SDL__wsconsvideo.h) = efc75da910cfe370b7361a0b9d2b90837c6b9aa9
-SHA1 (patch-src_video_x11_SDL_x11video.c) = 624fbb7e701d6de6ec93096beea7c085125934aa
+SHA1 (patch-src_video_x11_SDL_x11video.c) = 249d2bcc6194be739e46a7ea2288da61d0c941e4

Index: pkgsrc/devel/SDL/patches/patch-src_video_x11_SDL_x11video.c
diff -u pkgsrc/devel/SDL/patches/patch-src_video_x11_SDL_x11video.c:1.1 pkgsrc/devel/SDL/patches/patch-src_video_x11_SDL_x11video.c:1.2
--- pkgsrc/devel/SDL/patches/patch-src_video_x11_SDL_x11video.c:1.1     Mon Feb 20 14:55:59 2012
+++ pkgsrc/devel/SDL/patches/patch-src_video_x11_SDL_x11video.c Sun Jul 21 11:14:38 2019
@@ -1,7 +1,12 @@
-$NetBSD: patch-src_video_x11_SDL_x11video.c,v 1.1 2012/02/20 14:55:59 jdc Exp $
+$NetBSD: patch-src_video_x11_SDL_x11video.c,v 1.2 2019/07/21 11:14:38 nia Exp $
 
+Hunk 1:
 We need to call XChangeProperty(..., 32, ...) with an object aligned as long.
 
+Hunk 2:
+CVE-2019-7637: Fix in integer overflow in SDL_CalculatePitch
+From https://hg.libsdl.org/SDL/rev/9b0e5c555c0f
+
 --- src/video/x11/SDL_x11video.c.orig  2012-02-14 22:26:01.000000000 +0000
 +++ src/video/x11/SDL_x11video.c       2012-02-14 22:53:45.000000000 +0000
 @@ -418,16 +418,21 @@
@@ -29,3 +34,14 @@ We need to call XChangeProperty(..., 32,
                        XChangeProperty(SDL_Display, WMwindow, WM_CLIENT_MACHINE, XA_STRING, 8,
                                        PropModeReplace, (unsigned char *)hostname, SDL_strlen(hostname));
                }
+@@ -1225,6 +1225,10 @@ SDL_Surface *X11_SetVideoMode(_THIS, SDL
+               current->w = width;
+               current->h = height;
+               current->pitch = SDL_CalculatePitch(current);
++              if (!current->pitch) {
++                      current = NULL;
++                      goto done;
++              }
+               if (X11_ResizeImage(this, current, flags) < 0) {
+                       current = NULL;
+                       goto done;

Added files:

Index: pkgsrc/devel/SDL/patches/patch-src_audio_SDL__wave.c
diff -u /dev/null pkgsrc/devel/SDL/patches/patch-src_audio_SDL__wave.c:1.1
--- /dev/null   Sun Jul 21 11:14:38 2019
+++ pkgsrc/devel/SDL/patches/patch-src_audio_SDL__wave.c        Sun Jul 21 11:14:38 2019
@@ -0,0 +1,279 @@
+$NetBSD: patch-src_audio_SDL__wave.c,v 1.1 2019/07/21 11:14:38 nia Exp $
+
+Various CVE fixes from upstream's hg:
+
+CVE-2019-7572: Fix a buffer overread in IMA_ADPCM_nibble
+12800:e52413f52586
+CVE-2019-7572: Fix a buffer overwrite in IMA_ADPCM_decode
+12818:a8afedbcaea0
+CVE-2019-7573, CVE-2019-7576: Fix buffer overreads in InitMS_ADPCM
+12819:fcbecae42795
+CVE-2019-7574: Fix a buffer overread in IMA_ADPCM_decode
+12815:a6e3d2f5183e
+CVE-2019-7575: Fix a buffer overwrite in MS_ADPCM_decode
+12821:a936f9bd3e38
+CVE-2019-7577: Fix a buffer overread in MS_ADPCM_nibble and MS_ADPCM_decode
+12817:faf9abbcfb5f
+CVE-2019-7577: Fix a buffer overread in MS_ADPCM_decode
+12816:416136310b88
+CVE-2019-7578: Fix a buffer overread in InitIMA_ADPCM
+12801:388987dff7bf
+
+--- src/audio/SDL_wave.c.orig  2012-01-19 06:30:06.000000000 +0000
++++ src/audio/SDL_wave.c
+@@ -44,12 +44,13 @@ static struct MS_ADPCM_decoder {
+       struct MS_ADPCM_decodestate state[2];
+ } MS_ADPCM_state;
+ 
+-static int InitMS_ADPCM(WaveFMT *format)
++static int InitMS_ADPCM(WaveFMT *format, int length)
+ {
+-      Uint8 *rogue_feel;
++      Uint8 *rogue_feel, *rogue_feel_end;
+       int i;
+ 
+       /* Set the rogue pointer to the MS_ADPCM specific data */
++      if (length < sizeof(*format)) goto too_short;
+       MS_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding);
+       MS_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels);
+       MS_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency);
+@@ -58,9 +59,11 @@ static int InitMS_ADPCM(WaveFMT *format)
+       MS_ADPCM_state.wavefmt.bitspersample =
+                                        SDL_SwapLE16(format->bitspersample);
+       rogue_feel = (Uint8 *)format+sizeof(*format);
++      rogue_feel_end = (Uint8 *)format + length;
+       if ( sizeof(*format) == 16 ) {
+               rogue_feel += sizeof(Uint16);
+       }
++      if (rogue_feel + 4 > rogue_feel_end) goto too_short;
+       MS_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1]<<8)|rogue_feel[0]);
+       rogue_feel += sizeof(Uint16);
+       MS_ADPCM_state.wNumCoef = ((rogue_feel[1]<<8)|rogue_feel[0]);
+@@ -70,12 +73,16 @@ static int InitMS_ADPCM(WaveFMT *format)
+               return(-1);
+       }
+       for ( i=0; i<MS_ADPCM_state.wNumCoef; ++i ) {
++              if (rogue_feel + 4 > rogue_feel_end) goto too_short;
+               MS_ADPCM_state.aCoeff[i][0] = ((rogue_feel[1]<<8)|rogue_feel[0]);
+               rogue_feel += sizeof(Uint16);
+               MS_ADPCM_state.aCoeff[i][1] = ((rogue_feel[1]<<8)|rogue_feel[0]);
+               rogue_feel += sizeof(Uint16);
+       }
+       return(0);
++too_short:
++      SDL_SetError("Unexpected length of a chunk with a MS ADPCM format");
++      return(-1);
+ }
+ 
+ static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state,
+@@ -115,7 +122,7 @@ static Sint32 MS_ADPCM_nibble(struct MS_
+ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ {
+       struct MS_ADPCM_decodestate *state[2];
+-      Uint8 *freeable, *encoded, *decoded;
++      Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end;
+       Sint32 encoded_len, samplesleft;
+       Sint8 nybble, stereo;
+       Sint16 *coeff[2];
+@@ -124,6 +131,7 @@ static int MS_ADPCM_decode(Uint8 **audio
+       /* Allocate the proper sized output buffer */
+       encoded_len = *audio_len;
+       encoded = *audio_buf;
++      encoded_end = encoded + encoded_len;
+       freeable = *audio_buf;
+       *audio_len = (encoded_len/MS_ADPCM_state.wavefmt.blockalign) * 
+                               MS_ADPCM_state.wSamplesPerBlock*
+@@ -134,6 +142,7 @@ static int MS_ADPCM_decode(Uint8 **audio
+               return(-1);
+       }
+       decoded = *audio_buf;
++      decoded_end = decoded + *audio_len;
+ 
+       /* Get ready... Go! */
+       stereo = (MS_ADPCM_state.wavefmt.channels == 2);
+@@ -141,10 +150,14 @@ static int MS_ADPCM_decode(Uint8 **audio
+       state[1] = &MS_ADPCM_state.state[stereo];
+       while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) {
+               /* Grab the initial information for this block */
++              if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto invalid_size;
+               state[0]->hPredictor = *encoded++;
+               if ( stereo ) {
+                       state[1]->hPredictor = *encoded++;
+               }
++              if (state[0]->hPredictor >= 7 || state[1]->hPredictor >= 7) {
++                      goto invalid_predictor;
++              }
+               state[0]->iDelta = ((encoded[1]<<8)|encoded[0]);
+               encoded += sizeof(Sint16);
+               if ( stereo ) {
+@@ -167,6 +180,7 @@ static int MS_ADPCM_decode(Uint8 **audio
+               coeff[1] = MS_ADPCM_state.aCoeff[state[1]->hPredictor];
+ 
+               /* Store the two initial samples we start with */
++              if (decoded + 4 + (stereo ? 4 : 0) > decoded_end) goto invalid_size;
+               decoded[0] = state[0]->iSamp2&0xFF;
+               decoded[1] = state[0]->iSamp2>>8;
+               decoded += 2;
+@@ -188,6 +202,9 @@ static int MS_ADPCM_decode(Uint8 **audio
+               samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)*
+                                       MS_ADPCM_state.wavefmt.channels;
+               while ( samplesleft > 0 ) {
++                      if (encoded + 1 > encoded_end) goto invalid_size;
++                      if (decoded + 4 > decoded_end) goto invalid_size;
++
+                       nybble = (*encoded)>>4;
+                       new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]);
+                       decoded[0] = new_sample&0xFF;
+@@ -209,6 +226,14 @@ static int MS_ADPCM_decode(Uint8 **audio
+       }
+       SDL_free(freeable);
+       return(0);
++invalid_size:
++      SDL_SetError("Unexpected chunk length for a MS ADPCM decoder");
++      SDL_free(freeable);
++      return(-1);
++invalid_predictor:
++      SDL_SetError("Invalid predictor value for a MS ADPCM decoder");
++      SDL_free(freeable);
++      return(-1);
+ }
+ 
+ struct IMA_ADPCM_decodestate {
+@@ -222,11 +247,12 @@ static struct IMA_ADPCM_decoder {
+       struct IMA_ADPCM_decodestate state[2];
+ } IMA_ADPCM_state;
+ 
+-static int InitIMA_ADPCM(WaveFMT *format)
++static int InitIMA_ADPCM(WaveFMT *format, int length)
+ {
+-      Uint8 *rogue_feel;
++      Uint8 *rogue_feel, *rogue_feel_end;
+ 
+       /* Set the rogue pointer to the IMA_ADPCM specific data */
++      if (length < sizeof(*format)) goto too_short;
+       IMA_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding);
+       IMA_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels);
+       IMA_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency);
+@@ -235,11 +261,16 @@ static int InitIMA_ADPCM(WaveFMT *format
+       IMA_ADPCM_state.wavefmt.bitspersample =
+                                        SDL_SwapLE16(format->bitspersample);
+       rogue_feel = (Uint8 *)format+sizeof(*format);
++      rogue_feel_end = (Uint8 *)format + length;
+       if ( sizeof(*format) == 16 ) {
+               rogue_feel += sizeof(Uint16);
+       }
++      if (rogue_feel + 2 > rogue_feel_end) goto too_short;
+       IMA_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1]<<8)|rogue_feel[0]);
+       return(0);
++too_short:
++      SDL_SetError("Unexpected length of a chunk with an IMA ADPCM format");
++      return(-1);
+ }
+ 
+ static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble)
+@@ -264,6 +295,14 @@ static Sint32 IMA_ADPCM_nibble(struct IM
+       };
+       Sint32 delta, step;
+ 
++      /* Clamp index value. The inital value can be invalid. */
++      if ( state->index > 88 ) {
++              state->index = 88;
++      } else
++      if ( state->index < 0 ) {
++              state->index = 0;
++      }
++
+       /* Compute difference and new sample value */
+       step = step_table[state->index];
+       delta = step >> 3;
+@@ -275,12 +314,6 @@ static Sint32 IMA_ADPCM_nibble(struct IM
+ 
+       /* Update index value */
+       state->index += index_table[nybble];
+-      if ( state->index > 88 ) {
+-              state->index = 88;
+-      } else
+-      if ( state->index < 0 ) {
+-              state->index = 0;
+-      }
+ 
+       /* Clamp output sample */
+       if ( state->sample > max_audioval ) {
+@@ -323,7 +356,7 @@ static void Fill_IMA_ADPCM_block(Uint8 *
+ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ {
+       struct IMA_ADPCM_decodestate *state;
+-      Uint8 *freeable, *encoded, *decoded;
++      Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end;
+       Sint32 encoded_len, samplesleft;
+       unsigned int c, channels;
+ 
+@@ -339,6 +372,7 @@ static int IMA_ADPCM_decode(Uint8 **audi
+       /* Allocate the proper sized output buffer */
+       encoded_len = *audio_len;
+       encoded = *audio_buf;
++      encoded_end = encoded + encoded_len;
+       freeable = *audio_buf;
+       *audio_len = (encoded_len/IMA_ADPCM_state.wavefmt.blockalign) * 
+                               IMA_ADPCM_state.wSamplesPerBlock*
+@@ -349,11 +383,13 @@ static int IMA_ADPCM_decode(Uint8 **audi
+               return(-1);
+       }
+       decoded = *audio_buf;
++      decoded_end = decoded + *audio_len;
+ 
+       /* Get ready... Go! */
+       while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) {
+               /* Grab the initial information for this block */
+               for ( c=0; c<channels; ++c ) {
++                      if (encoded + 4 > encoded_end) goto invalid_size;
+                       /* Fill the state information for this block */
+                       state[c].sample = ((encoded[1]<<8)|encoded[0]);
+                       encoded += 2;
+@@ -367,6 +403,7 @@ static int IMA_ADPCM_decode(Uint8 **audi
+                       }
+ 
+                       /* Store the initial sample we start with */
++                      if (decoded + 2 > decoded_end) goto invalid_size;
+                       decoded[0] = (Uint8)(state[c].sample&0xFF);
+                       decoded[1] = (Uint8)(state[c].sample>>8);
+                       decoded += 2;
+@@ -376,6 +413,9 @@ static int IMA_ADPCM_decode(Uint8 **audi
+               samplesleft = (IMA_ADPCM_state.wSamplesPerBlock-1)*channels;
+               while ( samplesleft > 0 ) {
+                       for ( c=0; c<channels; ++c ) {
++                              if (encoded + 4 > encoded_end) goto invalid_size;
++                              if (decoded + 4 * 4 * channels > decoded_end)
++                                      goto invalid_size;
+                               Fill_IMA_ADPCM_block(decoded, encoded,
+                                               c, channels, &state[c]);
+                               encoded += 4;
+@@ -387,6 +427,10 @@ static int IMA_ADPCM_decode(Uint8 **audi
+       }
+       SDL_free(freeable);
+       return(0);
++invalid_size:
++      SDL_SetError("Unexpected chunk length for an IMA ADPCM decoder");
++      SDL_free(freeable);
++      return(-1);
+ }
+ 
+ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc,
+@@ -461,7 +505,7 @@ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWop
+                       break;
+               case MS_ADPCM_CODE:
+                       /* Try to understand this */
+-                      if ( InitMS_ADPCM(format) < 0 ) {
++                      if ( InitMS_ADPCM(format, lenread) < 0 ) {
+                               was_error = 1;
+                               goto done;
+                       }
+@@ -469,7 +513,7 @@ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWop
+                       break;
+               case IMA_ADPCM_CODE:
+                       /* Try to understand this */
+-                      if ( InitIMA_ADPCM(format) < 0 ) {
++                      if ( InitIMA_ADPCM(format, lenread) < 0 ) {
+                               was_error = 1;
+                               goto done;
+                       }
Index: pkgsrc/devel/SDL/patches/patch-src_video_SDL__bmp.c
diff -u /dev/null pkgsrc/devel/SDL/patches/patch-src_video_SDL__bmp.c:1.1
--- /dev/null   Sun Jul 21 11:14:38 2019
+++ pkgsrc/devel/SDL/patches/patch-src_video_SDL__bmp.c Sun Jul 21 11:14:38 2019
@@ -0,0 +1,69 @@
+$NetBSD: patch-src_video_SDL__bmp.c,v 1.1 2019/07/21 11:14:38 nia Exp $
+
+CVE-2019-7635: Reject BMP images with pixel colors out the palette
+From upstream hg 12831:f1f5878be5db
+
+CVE-2019-7636, CVE-2019-7638
+From upstream hg 12612:07c39cbbeacf
+
+Reject 2, 3, 5, 6, 7-bpp BMP images
+From upstreah hg 12646:4646533663ae
+
+--- src/video/SDL_bmp.c.orig   2012-01-19 06:30:06.000000000 +0000
++++ src/video/SDL_bmp.c
+@@ -163,6 +163,14 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops 
+                       ExpandBMP = biBitCount;
+                       biBitCount = 8;
+                       break;
++              case 2:
++              case 3:
++              case 5:
++              case 6:
++              case 7:
++                      SDL_SetError("%d-bpp BMP images are not supported", biBitCount);
++                      was_error = SDL_TRUE;
++                      goto done;
+               default:
+                       ExpandBMP = 0;
+                       break;
+@@ -233,6 +241,10 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops 
+       if ( palette ) {
+               if ( biClrUsed == 0 ) {
+                       biClrUsed = 1 << biBitCount;
++              } else if (biClrUsed > (1 << biBitCount)) {
++                      SDL_SetError("BMP file has an invalid number of colors");
++                      was_error = SDL_TRUE;
++                      goto done;
+               }
+               if ( biSize == 12 ) {
+                       for ( i = 0; i < (int)biClrUsed; ++i ) {
+@@ -296,6 +308,12 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops 
+                               }
+                               *(bits+i) = (pixel>>shift);
+                               pixel <<= ExpandBMP;
++                              if ( bits[i] >= biClrUsed ) {
++                                      SDL_SetError(
++                                              "A BMP image contains a pixel with a color out of the palette");
++                                      was_error = SDL_TRUE;
++                                      goto done;
++                              }
+                       } }
+                       break;
+ 
+@@ -306,6 +324,16 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops 
+                               was_error = SDL_TRUE;
+                               goto done;
+                       }
++                      if ( 8 == biBitCount && palette && biClrUsed < (1 << biBitCount ) ) {
++                              for ( i=0; i<surface->w; ++i ) {
++                                      if ( bits[i] >= biClrUsed ) {
++                                              SDL_SetError(
++                                                      "A BMP image contains a pixel with a color out of the palette");
++                                              was_error = SDL_TRUE;
++                                              goto done;
++                                      }
++                              }
++                      }
+ #if SDL_BYTEORDER == SDL_BIG_ENDIAN
+                       /* Byte-swap the pixels if needed. Note that the 24bpp
+                          case has already been taken care of above. */
Index: pkgsrc/devel/SDL/patches/patch-src_video_SDL__pixels.c
diff -u /dev/null pkgsrc/devel/SDL/patches/patch-src_video_SDL__pixels.c:1.1
--- /dev/null   Sun Jul 21 11:14:38 2019
+++ pkgsrc/devel/SDL/patches/patch-src_video_SDL__pixels.c      Sun Jul 21 11:14:38 2019
@@ -0,0 +1,68 @@
+$NetBSD: patch-src_video_SDL__pixels.c,v 1.1 2019/07/21 11:14:38 nia Exp $
+
+CVE-2019-7637: Fix in integer overflow in SDL_CalculatePitch
+From https://hg.libsdl.org/SDL/rev/9b0e5c555c0f
+
+--- src/video/SDL_pixels.c.orig        2012-01-19 06:30:06.000000000 +0000
++++ src/video/SDL_pixels.c
+@@ -286,26 +286,53 @@ void SDL_DitherColors(SDL_Color *colors,
+       }
+ }
+ /* 
+- * Calculate the pad-aligned scanline width of a surface
++ * Calculate the pad-aligned scanline width of a surface. Return 0 in case of
++ * an error.
+  */
+ Uint16 SDL_CalculatePitch(SDL_Surface *surface)
+ {
+-      Uint16 pitch;
++      unsigned int pitch = 0;
+ 
+       /* Surface should be 4-byte aligned for speed */
+-      pitch = surface->w*surface->format->BytesPerPixel;
++      /* The code tries to prevent from an Uint16 overflow. */;
++      for (Uint8 byte = surface->format->BytesPerPixel; byte; byte--) {
++              pitch += (unsigned int)surface->w;
++              if (pitch < surface->w) {
++                      SDL_SetError("A scanline is too wide");
++                      return(0);
++              }
++      }
+       switch (surface->format->BitsPerPixel) {
+               case 1:
+-                      pitch = (pitch+7)/8;
++                      if (pitch % 8) {
++                              pitch = pitch / 8 + 1;
++                      } else {
++                              pitch = pitch / 8;
++                      }
+                       break;
+               case 4:
+-                      pitch = (pitch+1)/2;
++                      if (pitch % 2) {
++                              pitch = pitch / 2 + 1;
++                      } else {
++                              pitch = pitch / 2;
++                      }
+                       break;
+               default:
+                       break;
+       }
+-      pitch = (pitch + 3) & ~3;       /* 4-byte aligning */
+-      return(pitch);
++      /* 4-byte aligning */
++      if (pitch & 3) {
++              if (pitch + 3 < pitch) {
++                      SDL_SetError("A scanline is too wide");
++                      return(0);
++              }
++              pitch = (pitch + 3) & ~3;
++      }
++      if (pitch > 0xFFFF) {
++              SDL_SetError("A scanline is too wide");
++              return(0);
++      }
++      return((Uint16)pitch);
+ }
+ /*
+  * Match an RGB value to a particular palette index
Index: pkgsrc/devel/SDL/patches/patch-src_video_nanox_SDL__nxvideo.c
diff -u /dev/null pkgsrc/devel/SDL/patches/patch-src_video_nanox_SDL__nxvideo.c:1.1
--- /dev/null   Sun Jul 21 11:14:38 2019
+++ pkgsrc/devel/SDL/patches/patch-src_video_nanox_SDL__nxvideo.c       Sun Jul 21 11:14:38 2019
@@ -0,0 +1,18 @@
+$NetBSD: patch-src_video_nanox_SDL__nxvideo.c,v 1.1 2019/07/21 11:14:38 nia Exp $
+
+CVE-2019-7637: Fix in integer overflow in SDL_CalculatePitch
+From https://hg.libsdl.org/SDL/rev/9b0e5c555c0f
+
+--- src/video/nanox/SDL_nxvideo.c.orig 2012-01-19 06:30:06.000000000 +0000
++++ src/video/nanox/SDL_nxvideo.c
+@@ -378,6 +378,10 @@ SDL_Surface * NX_SetVideoMode (_THIS, SD
+         current -> w = width ;
+         current -> h = height ;
+         current -> pitch = SDL_CalculatePitch (current) ;
++        if (!current->pitch) {
++            current = NULL;
++            goto done;
++        }
+         NX_ResizeImage (this, current, flags) ;
+     }
+ 



Home | Main Index | Thread Index | Old Index