


openeuler-ci-bot
d202afe746
!28 [sync] PR-27: add loongarch64 and sw_64 support
From: @openeuler-sync-bot 
Reviewed-by: @Charlie_li 
Signed-off-by: @Charlie_li
2023-09-21 12:14:37 +00:00
panchenbo
b8f50c7aa9 add support for loongarch64 sw_64
(cherry picked from commit 8527a262655d07778d655a0a22871f484c190e81)
2023-09-06 14:52:52 +08:00
openeuler-ci-bot
8530a0b2a5 !16 【openEuler-21.09】Fix CVE-2019-7572 CVE-2019-7574 CVE-2019-7575
From: @yixiangzhike
Reviewed-by: @orange-snn
Signed-off-by: @orange-snn
2021-11-05 07:39:07 +00:00
yixiangzhike
fca8797cec Fix CVE-2019-7572 CVE-2019-7574 CVE-2019-7575 2021-11-05 11:17:43 +08:00
openeuler-ci-bot
9ed5560c1e !9 Fix source0
From: @kkkl12
Reviewed-by: @small_leek
Signed-off-by: @small_leek
2020-09-11 15:34:35 +08:00
kkkl12
83c86b2549 Fix Source0
fix changelog
2020-09-11 14:36:08 +08:00
openeuler-ci-bot
2cb059de7d !7 add yaml file
Merge pull request !7 from ultra_planet/master
2020-05-09 16:57:50 +08:00
ultra_planet
4c8e875186 add yaml file 2020-05-09 09:31:51 +08:00
openeuler-ci-bot
c6cba134c2 !6 修复CVE-2019-13616等问题
Merge pull request !6 from syyhao/next
2020-03-18 18:13:21 +08:00
lubing6
49b7939ea7 fix CVE-2019-13616 2020-03-18 18:06:22 +08:00
14 changed files with 577 additions and 10 deletions

CVE-2019-13616.patch Normal file

@ -0,0 +1,30 @@
From 636be06fa7f0cd2ee4d79c8e891b3bcbce331d7b Mon Sep 17 00:00:00 2001
From: Ozkan Sezer <sezeroz@gmail.com>
Date: Tue, 30 Jul 2019 21:30:24 +0300
Subject: [PATCH] Fixed bug 4538 - validate image size when loading BMP files
--HG--
branch : SDL-1.2
---
src/video/SDL_bmp.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c
index 758d4bb..6cadc8a 100644
--- a/src/video/SDL_bmp.c
+++ b/src/video/SDL_bmp.c
@@ -143,6 +143,11 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc)
(void) biYPelsPerMeter;
(void) biClrImportant;
+ if (biWidth <= 0 || biHeight == 0) {
+ SDL_SetError("BMP file with bad dimensions (%dx%d)", biWidth, biHeight);
+ was_error = SDL_TRUE;
+ goto done;
+ }
if (biHeight < 0) {
topDown = SDL_TRUE;
biHeight = -biHeight;
--
1.8.3.1
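Review bot: The new guard at the top of the hunk rejects `biHeight == 0` but not the most negative value, so the `biHeight = -biHeight;` two lines below it is still reached with a value whose negation overflows if biHeight is a signed 32-bit int as the BMP header layout suggests, and signed overflow is undefined behaviour. Extending the guard to `if (biWidth <= 0 || biHeight == 0 || biHeight == INT_MIN) {` closes that case (`<limits.h>` if it is not already in scope). Large positive dimensions are still accepted here, so any width*height or pitch arithmetic later in SDL_LoadBMP_RW, which continues outside the hunk, needs its own overflow check rather than relying on this one.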


@ -0,0 +1,22 @@
Makes SDL-1.2 SDL_WM_GrabInput() non-blocking in case of SDL window is not
viewable. Patch provided by <pbonzini@redhat.com>.
See <http://bugzilla.libsdl.org/show_bug.cgi?id=1155>.
--- ./src/video/x11/SDL_x11wm.c 2007-12-31 04:48:13.000000000 +0000
+++ ./src/video/x11/SDL_x11wm.c 2009-01-15 10:27:14.000000000 +0000
@@ -351,13 +351,14 @@ SDL_GrabMode X11_GrabInputNoLock(_THIS,
result = XGrabPointer(SDL_Display, SDL_Window, True, 0,
GrabModeAsync, GrabModeAsync,
SDL_Window, None, CurrentTime);
- if ( result == GrabSuccess ) {
+ if ( result == GrabSuccess || result == GrabNotViewable ) {
break;
}
SDL_Delay(100);
}
if ( result != GrabSuccess ) {
/* Uh, oh, what do we do here? */ ;
+ return(SDL_GRAB_OFF);
}
/* Now grab the keyboard */
XGrabKeyboard(SDL_Display, WMwindow, True,
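Review bot: The comment `/* Uh, oh, what do we do here? */ ;` directly above the new `return(SDL_GRAB_OFF);` is now stale and the empty statement after it is dead, since the question it poses has been answered. Replace both with the return and a comment recording the decision, e.g. `/* Pointer grab failed or the window is not viewable yet: report the grab as off and let the caller retry later */`. It is also worth saying in that comment that the loop now exits on GrabNotViewable while the test below still checks only GrabSuccess on purpose, as that asymmetry is what routes the non-viewable case to the early return. X11_GrabInputNoLock begins and ends outside the hunk.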


@ -0,0 +1,73 @@
# HG changeset patch
# User Sam Lantinga <slouken@libsdl.org>
# Date 1397799374 25200
# Thu Apr 17 22:36:14 2014 -0700
# Branch SDL-1.2
# Node ID 0aade9c0203f717fe4b823a176c3c040f1a709f8
# Parent 22a7f096bb9d4d596f35a93e33608825693462b0
Fixed bug 2325 - SDL_EnableUNICODE sometimes drops keyboard events completely
Rafał Mużyło
The most annoying part of this bug is that though I've found it in two separate apps, I don't have a trivial testcase for it.
The problem seems to be a condition race, as it's triggered quite randomly (therefore it will be hard to tell whether it really gets fixed, if a probable fix is found).
While it's specific to SDL 1.2, it seems quite similar to the problem described and fixed in http://forums.libsdl.org/viewtopic.php?p=40503.
Now, I should start describing the problem.
A game uses Escape to open menu (the exact key might not be important). Upon opening, it calls SDL_EnableUNICODE(1). Upon closing it calls SDL_EnableUNICODE(0).
I have an IME running.
Game uses SDL_PollEvent to get the events.
If Escape is pressed repeatedly, menu is opened and closed, till it eventually freezes in open state.
"freezes" in this context means "app itself still runs, but no keyboard events are getting delivered (though - for example - mouse events still are)". "getting delivered" should mean "SDL_PollEvent is not receiving any".
If it matters, the last delivered keyboard event is a keypress, the release never arrives.
It seems (no guarantees, due to random nature of the freeze) that unsetting XMODIFIERS (which - AFAIU - will disable IME as far as SDL is concerned) prevents the freeze, therefore the reference to that SDL2 thread.
diff -r 22a7f096bb9d -r 0aade9c0203f src/video/x11/SDL_x11events.c
--- a/src/video/x11/SDL_x11events.c Sun Dec 01 00:00:17 2013 -0500
+++ b/src/video/x11/SDL_x11events.c Thu Apr 17 22:36:14 2014 -0700
@@ -395,6 +395,8 @@
{
int posted;
XEvent xevent;
+ int orig_event_type;
+ KeyCode orig_keycode;
SDL_memset(&xevent, '\0', sizeof (XEvent)); /* valgrind fix. --ryan. */
XNextEvent(SDL_Display, &xevent);
@@ -410,9 +412,29 @@
#ifdef X_HAVE_UTF8_STRING
/* If we are translating with IM, we need to pass all events
to XFilterEvent, and discard those filtered events immediately. */
+ orig_event_type = xevent.type;
+ if (orig_event_type == KeyPress || orig_event_type == KeyRelease) {
+ orig_keycode = xevent.xkey.keycode;
+ } else {
+ orig_keycode = 0;
+ }
if ( SDL_TranslateUNICODE
&& SDL_IM != NULL
&& XFilterEvent(&xevent, None) ) {
+ if (orig_keycode) {
+ SDL_keysym keysym;
+ static XComposeStatus state;
+ char keybuf[32];
+
+ keysym.scancode = xevent.xkey.keycode;
+ keysym.sym = X11_TranslateKeycode(SDL_Display, xevent.xkey.keycode);
+ keysym.mod = KMOD_NONE;
+ keysym.unicode = 0;
+ if (orig_event_type == KeyPress && XLookupString(&xevent.xkey, keybuf, sizeof(keybuf), NULL, &state))
+ keysym.unicode = (Uint8)keybuf[0];
+
+ SDL_PrivateKeyboard(orig_event_type == KeyPress ? SDL_PRESSED : SDL_RELEASED, &keysym);
+ }
return 0;
}
#endif
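Review bot: The saved `orig_event_type`/`orig_keycode` exist because XFilterEvent may rewrite `xevent` (which is why `orig_event_type` rather than `xevent.type` is tested afterwards), yet the synthesized keysym still reads `xevent.xkey.keycode` for both `keysym.scancode` and the X11_TranslateKeycode call. If the IM changed the event those two reads go through the wrong union member, so use the saved value in both: `keysym.scancode = orig_keycode;` and `keysym.sym = X11_TranslateKeycode(SDL_Display, orig_keycode);`. The XLookupString call necessarily still passes `&xevent.xkey`, and a comment should note it is only consulted for a KeyPress and that only the first byte of `keybuf` is kept. `static XComposeStatus state` is shared across calls, which is fine only if this function is never entered concurrently; worth a one-line comment. The enclosing function starts before and ends after the hunk.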


@ -0,0 +1,16 @@
libX11-1.5.99.901 has changed prototype of _XData32
<http://bugzilla.libsdl.org/show_bug.cgi?id=1769>
diff -r b6b2829cd7ef src/video/x11/SDL_x11sym.h
--- a/src/video/x11/SDL_x11sym.h Wed Feb 27 15:20:31 2013 -0800
+++ b/src/video/x11/SDL_x11sym.h Wed Mar 27 16:07:23 2013 +0100
@@ -165,7 +165,7 @@
*/
#ifdef LONG64
SDL_X11_MODULE(IO_32BIT)
-SDL_X11_SYM(int,_XData32,(Display *dpy,register long *data,unsigned len),(dpy,data,len),return)
+SDL_X11_SYM(int,_XData32,(Display *dpy,register _Xconst long *data,unsigned len),(dpy,data,len),return)
SDL_X11_SYM(void,_XRead32,(Display *dpy,register long *data,long len),(dpy,data,len),)
#endif


@ -0,0 +1,20 @@
changeset: 6324:95abff7adcc2
branch: SDL-1.2
parent: 6306:2b923729fd01
user: Ryan C. Gordon <icculus@icculus.org>
date: Sun Jun 03 04:49:25 2012 -0400
summary: Linux evdev: ignore joystick axis events if they aren't in a sane range.
diff -r 2b923729fd01 -r 95abff7adcc2 src/joystick/linux/SDL_sysjoystick.c
--- a/src/joystick/linux/SDL_sysjoystick.c Sat May 12 23:32:51 2012 -0700
+++ b/src/joystick/linux/SDL_sysjoystick.c Sun Jun 03 04:49:25 2012 -0400
@@ -1106,6 +1106,9 @@
}
break;
case EV_ABS:
+ if (code > ABS_MISC) {
+ break;
+ }
switch (code) {
case ABS_HAT0X:
case ABS_HAT0Y:
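Review bot: The new `if (code > ABS_MISC) { break; }` carries no comment, and the reason for that threshold lives only in the changeset summary, so add `/* Ignore axis codes above ABS_MISC: outside the range this driver maps (SDL-1.2 changeset 95abff7adcc2) */`. Only the upper bound is tested, which is sufficient if `code` is the unsigned `__u16` from `struct input_event`, but its declaration is outside the hunk and should be confirmed. The enclosing switch continues outside the hunk.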


@ -0,0 +1,24 @@
Do not harness backing store by default
xorg-server 1.15 enables backing store if composite extension is enabled
(default settings). Harnessing backing store through compositor leads to
tearing effect.
This patch reverts default harnessing backing store to conditional use if
SDL_VIDEO_X11_BACKINGSTORE environment variable exists.
<https://bugzilla.libsdl.org/show_bug.cgi?id=2383>
<https://bugzilla.redhat.com/show_bug.cgi?id=1073057>
diff -up SDL-1.2.15/src/video/x11/SDL_x11video.c.jx SDL-1.2.15/src/video/x11/SDL_x11video.c
--- SDL-1.2.15/src/video/x11/SDL_x11video.c.jx 2012-01-19 01:30:06.000000000 -0500
+++ SDL-1.2.15/src/video/x11/SDL_x11video.c 2014-03-04 14:39:34.691545549 -0500
@@ -1088,7 +1088,7 @@ static int X11_CreateWindow(_THIS, SDL_S
}
}
-#if 0 /* This is an experiment - are the graphics faster now? - nope. */
+#if 1 /* This is an experiment - are the graphics faster now? - nope. */
if ( SDL_getenv("SDL_VIDEO_X11_BACKINGSTORE") )
#endif
/* Cache the window in the server, when possible */
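Review bot: Flipping `#if 0` to `#if 1` leaves a dead preprocessor conditional around a live `if`, and the retained comment ("This is an experiment ... nope.") now describes the opposite of what the code does. Drop the `#if 1` and `#endif` lines and document the environment check instead: `/* Backing store tears under a compositing xorg-server (libsdl bug 2383), so only request it when SDL_VIDEO_X11_BACKINGSTORE is set */`. Note that only the variable's presence is tested, not its value, which the comment should state. X11_CreateWindow continues outside the hunk.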


@ -0,0 +1,87 @@
Correct vec_perm() application on little-endian 64-bit PowerPC
The LE transformation for vec_perm has an implicit assumption that the
permutation is being used to reorder vector elements (in this case 4-byte
integer word elements), not to reorder bytes within those elements. Although
this is legal behavior, it is not anticipated by the transformation performed
by the compilers.
This causes pygame-1.9.1 test failure on PPC64LE because blitted pixmaps are
corrupted there due to how SDL uses vec_perm().
<https://bugzilla.redhat.com/show_bug.cgi?id=1392465>
--- SDL-1.2.15/src/video/SDL_blit_N.c.ori 2017-09-04 05:56:17.759347525 -0400
+++ SDL-1.2.15/src/video/SDL_blit_N.c 2017-09-06 05:36:20.570789610 -0400
@@ -146,6 +146,32 @@ static vector unsigned char calc_swizzle
return(vswiz);
}
+/* reorder bytes for PowerPC little endian */
+static vector unsigned char reorder_ppc64le_vec(vector unsigned char vpermute)
+{
+ /* The result vector of calc_swizzle32 reorder bytes using vec_perm.
+ The LE transformation for vec_perm has an implicit assumption
+ that the permutation is being used to reorder vector elements,
+ not to reorder bytes within those elements.
+ Unfortunatly the result order is not the expected one for powerpc
+ little endian when the two first vector parameters of vec_perm are
+ not of type 'vector char'. This is because the numbering from the
+ left for BE, and numbering from the right for LE, produces a
+ different interpretation of what the odd and even lanes are.
+ Refer to fedora bug 1392465
+ */
+
+ const vector unsigned char ppc64le_reorder = VECUINT8_LITERAL(
+ 0x01, 0x00, 0x03, 0x02,
+ 0x05, 0x04, 0x07, 0x06,
+ 0x09, 0x08, 0x0B, 0x0A,
+ 0x0D, 0x0C, 0x0F, 0x0E );
+
+ vector unsigned char vswiz_ppc64le;
+ vswiz_ppc64le = vec_perm(vpermute, vpermute, ppc64le_reorder);
+ return(vswiz_ppc64le);
+}
+
static void Blit_RGB888_RGB565(SDL_BlitInfo *info);
static void Blit_RGB888_RGB565Altivec(SDL_BlitInfo *info) {
int height = info->d_height;
@@ -631,6 +657,12 @@ static void Blit32to32KeyAltivec(SDL_Bli
vsel = (vector unsigned char)vec_and(vs, vrgbmask);
vsel = (vector unsigned char)vec_cmpeq(vs, vckey);
/* permute the src vec to the dest format */
+
+#if defined(__powerpc__) && (SDL_BYTEORDER == SDL_LIL_ENDIAN)
+ /* reorder bytes for PowerPC little endian */
+ vpermute = reorder_ppc64le_vec(vpermute);
+#endif
+
vs = vec_perm(vs, valpha, vpermute);
/* load the destination vec */
vd = vec_ld(0, dstp);
@@ -704,6 +736,12 @@ static void ConvertAltivec32to32_noprefe
src += 4;
width -= 4;
vbits = vec_perm(vbits, voverflow, valigner); /* src is ready. */
+
+#if defined(__powerpc__) && (SDL_BYTEORDER == SDL_LIL_ENDIAN)
+ /* reorder bytes for PowerPC little endian */
+ vpermute = reorder_ppc64le_vec(vpermute);
+#endif
+
vbits = vec_perm(vbits, vzero, vpermute); /* swizzle it. */
vec_st(vbits, 0, dst); /* store it back out. */
dst += 4;
@@ -786,6 +824,12 @@ static void ConvertAltivec32to32_prefetc
src += 4;
width -= 4;
vbits = vec_perm(vbits, voverflow, valigner); /* src is ready. */
+
+#if defined(__powerpc__) && (SDL_BYTEORDER == SDL_LIL_ENDIAN)
+ /* reorder bytes for PowerPC little endian */
+ vpermute = reorder_ppc64le_vec(vpermute);
+#endif
+
vbits = vec_perm(vbits, vzero, vpermute); /* swizzle it. */
vec_st(vbits, 0, dst); /* store it back out. */
dst += 4;
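Review bot: In both ConvertAltivec32to32 hunks the `vpermute = reorder_ppc64le_vec(vpermute);` line sits inside the per-vector loop (`src += 4; width -= 4;` is directly above it), and `reorder_ppc64le_vec` swaps adjacent byte pairs, which is its own inverse; if `vpermute` is computed once before the loop, as nothing in these hunks suggests otherwise, the swap is undone on every second iteration and alternate 4-pixel groups are converted with the unreordered mask. The same concern applies to the Blit32to32KeyAltivec hunk, where the reorder follows per-iteration `vsel` computations. Apply the reorder once where `vpermute` is produced, e.g. under the same `#if` just before `return(vswiz);` in calc_swizzle32, and drop the three in-loop copies. `reorder_ppc64le_vec` is also defined unconditionally while all its callers are under `#if defined(__powerpc__) && (SDL_BYTEORDER == SDL_LIL_ENDIAN)`, so big-endian builds get an unused static function warning; put the definition under the same condition. The affected loops begin and end outside the hunks.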


@ -1,21 +1,31 @@
Name: SDL
Summary: A cross-platform multimedia library
Version: 1.2.15
Release: 35
Release: 39
License: LGPLv2+
URL: http://www.libsdl.org/
Source0: %{name}-%{version}.tar.gz
Source0: http://www.libsdl.org/release/%{name}-%{version}.tar.gz
Source1: SDL_config.h
Patch0: SDL-1.2.15-add_sdl_config_man.patch
Patch9000: CVE-2019-7637.patch
Patch9001: CVE-2019-7636.patch
Patch9002: CVE-2019-7635_1.patch
Patch9003: CVE-2019-7635_2.patch
Patch9004: CVE-2019-7573_CVE-2019-7576.patch
Patch9005: CVE-2019-7578.patch
Patch9006: CVE-2019-7577.patch
Patch1: CVE-2019-7637.patch
Patch2: CVE-2019-7636.patch
Patch3: CVE-2019-7635_1.patch
Patch4: CVE-2019-7635_2.patch
Patch5: CVE-2019-7573_CVE-2019-7576.patch
Patch6: CVE-2019-7578.patch
Patch7: CVE-2019-7577.patch
Patch8: SDL-1.2.10-GrabNotViewable.patch
Patch9: SDL-1.2.15-const_XData32.patch
Patch10: SDL-1.2.15-ignore_insane_joystick_axis.patch
Patch11: SDL-1.2.15-no-default-backing-store.patch
Patch12: SDL-1.2.15-SDL_EnableUNICODE_drops_keyboard_events.patch
Patch13: SDL-1.2.15-vec_perm-ppc64le.patch
Patch14: CVE-2019-13616.patch
Patch15: backport-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nibble.patch
Patch16: backport-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_decode.patch
Patch17: backport-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_decode.patch
Patch18: backport-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_decode.patch
BuildRequires: git alsa-lib-devel gdb-headless libtool
@ -97,6 +107,21 @@ rm -f %{buildroot}%{_libdir}/*.la
%{_mandir}/man3/SDL*.3*
%changelog
* Mon Aug 7 2023 panchenbo <panchenbo@kylinsec.com.cn> - 1.2.15-39
- add support for loongarch64 sw_64
* Fri Nov 5 2021 yixiangzhike <yixiangzhike007@163.com> - 1.2.15-38
- DESC: fix CVE-2019-7572 CVE-2019-7574 CVE-2019-7575
* Fri Sep 11 2020 liuweibo <liuweibo10@huawei.com> - 1.2.15-37
- Fix Source0
* Wed Mar 18 2020 openEuler Buildteam <buildteam@openeuler.org> - 1.2.15-36
- Type:CVE
- ID:NA
- SUG:NA
- DESC:Fix CVE-2019-13616
* Thu Jan 16 2020 shijian <shijian16@huawei.com> - 1.2.15-35
- Modify Spec
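Review bot: The 1.2.15-36 changelog entry says only `DESC:Fix CVE-2019-13616`, but judging from the first hunk the same revision also introduced Patch8 through Patch13 (GrabNotViewable, const_XData32, joystick axis, backing store, EnableUNICODE, vec_perm), none of which is a CVE fix and none of which is mentioned; add a line such as `- Backport six non-CVE SDL-1.2.15 fixes (Patch8-Patch13)`. The Patch15-Patch18 series is order-dependent: Patch17's context already contains `encoded_end`, which Patch16 introduces, so a comment above Patch15 (`# Patch15-18 must apply in this order`) would protect the numbering. The new Source0 URL is plain http; the tarball in the repository is what gets built, but since the URL documents provenance it is worth switching to `https://` if libsdl.org serves it. The %prep section that applies these patches is outside the diff.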

SDL.yaml Normal file

@ -0,0 +1,4 @@
version_control: hg
src_repo: http://hg.libsdl.org/SDL
tag_prefix: "release-"
seperator: "."


@ -73,6 +73,10 @@
#include "SDL_config-mips.h"
#elif defined(__riscv) && defined(__riscv_xlen) && __riscv_xlen == 64
#include "SDL_config-riscv64.h"
#elif defined(__loongarch64)
#include "SDL_config-loongarch64.h"
#elif defined(__sw_64)
#include "SDL_config-sw_64.h"
#else
#error "The SDL-devel package is not usable with the architecture."
#endif
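Review bot: The two new includes depend on `SDL_config-loongarch64.h` and `SDL_config-sw_64.h` existing at build time, yet neither is among the 14 changed files, so presumably the spec's %install renames the configured header to `SDL_config-%{_arch}.h` (outside this diff). That makes the include name a contract with rpm's `%{_arch}` value, which nothing here records; add `/* file names must match SDL_config-%{_arch}.h as installed by the spec */` above the chain. The `__sw_64` predefined macro spelling is also worth confirming against the toolchain, since a wrong name falls through to the `#error` on that architecture.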


@ -0,0 +1,55 @@
From 1ead4913fc2314a0ce5de06f29a20a8b0b0a5557 Mon Sep 17 00:00:00 2001
From: Petr P?sa? <ppisar@redhat.com>
Date: Sat, 8 Jun 2019 17:57:43 -0700
Subject: [PATCH] CVE-2019-7572: Fix a buffer overread in IMA_ADPCM_nibble If
an IMA ADPCM block contained an initial index out of step table range (loaded
in IMA_ADPCM_decode()), IMA_ADPCM_nibble() blindly used this bogus value and
that lead to a buffer overread.
This patch fixes it by moving clamping the index value at the
beginning of IMA_ADPCM_nibble() function instead of the end after
an update.
CVE-2019-7572
https://bugzilla.libsdl.org/show_bug.cgi?id=4495
Signed-off-by: Petr P?sa? <ppisar@redhat.com>
---
src/audio/SDL_wave.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
index b4ad6c7..ba1fb52 100644
--- a/src/audio/SDL_wave.c
+++ b/src/audio/SDL_wave.c
@@ -264,6 +264,14 @@ static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble)
};
Sint32 delta, step;
+ /* Clamp index value. The inital value can be invalid. */
+ if ( state->index > 88 ) {
+ state->index = 88;
+ } else
+ if ( state->index < 0 ) {
+ state->index = 0;
+ }
+
/* Compute difference and new sample value */
step = step_table[state->index];
delta = step >> 3;
@@ -275,12 +283,6 @@ static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble)
/* Update index value */
state->index += index_table[nybble];
- if ( state->index > 88 ) {
- state->index = 88;
- } else
- if ( state->index < 0 ) {
- state->index = 0;
- }
/* Clamp output sample */
if ( state->sample > max_audioval ) {
--
1.8.3.1
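Review bot: The clamp bound `88` in the new block is a bare literal for the last valid index of `step_table` (its closing `};` is the hunk's first context line), so a change to the table silently desynchronizes the clamp; if step_table is a local or file-scope array, tie the bound to it, `if ( state->index > (int)(sizeof(step_table)/sizeof(step_table[0])) - 1 ) {`. The new comment's `inital` should read `initial`, and it should also state the invariant the move creates: the index stored after `state->index += index_table[nybble];` is intentionally left unclamped and is clamped on the next entry. `nybble` is a `Uint8` used to index `index_table`, so the callers' masking to four bits is what keeps that read in bounds; worth a comment since those callers are outside the hunk. IMA_ADPCM_nibble continues outside the hunks.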


@ -0,0 +1,60 @@
From f22cbe4a3a2cd87392eec69bdcf2b4bd68b4507b Mon Sep 17 00:00:00 2001
From: Petr P?sa? <ppisar@redhat.com>
Date: Mon, 10 Jun 2019 08:57:11 -0700
Subject: [PATCH] CVE-2019-7572: Fix a buffer overwrite in IMA_ADPCM_decode If
data chunk was longer than expected based on a WAV format definition,
IMA_ADPCM_decode() tried to write past the output buffer. This patch fixes
it.
Based on patch from
<https://bugzilla.libsdl.org/show_bug.cgi?id=4496>.
CVE-2019-7572
https://bugzilla.libsdl.org/show_bug.cgi?id=4495
Signed-off-by: Petr P?sa? <ppisar@redhat.com>
---
src/audio/SDL_wave.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
index 3eedd20..4159eb7 100644
--- a/src/audio/SDL_wave.c
+++ b/src/audio/SDL_wave.c
@@ -346,7 +346,7 @@ static void Fill_IMA_ADPCM_block(Uint8 *decoded, Uint8 *encoded,
static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
{
struct IMA_ADPCM_decodestate *state;
- Uint8 *freeable, *encoded, *encoded_end, *decoded;
+ Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end;
Sint32 encoded_len, samplesleft;
unsigned int c, channels;
@@ -373,6 +373,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
return(-1);
}
decoded = *audio_buf;
+ decoded_end = decoded + *audio_len;
/* Get ready... Go! */
while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) {
@@ -392,6 +393,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
}
/* Store the initial sample we start with */
+ if (decoded + 2 > decoded_end) goto invalid_size;
decoded[0] = (Uint8)(state[c].sample&0xFF);
decoded[1] = (Uint8)(state[c].sample>>8);
decoded += 2;
@@ -402,6 +404,8 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
while ( samplesleft > 0 ) {
for ( c=0; c<channels; ++c ) {
if (encoded + 4 > encoded_end) goto invalid_size;
+ if (decoded + 4 * 4 * channels > decoded_end)
+ goto invalid_size;
Fill_IMA_ADPCM_block(decoded, encoded,
c, channels, &state[c]);
encoded += 4;
--
1.8.3.1
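Review bot: The new bound `if (decoded + 4 * 4 * channels > decoded_end)` is evaluated inside `for ( c=0; c<channels; ++c )` although neither `decoded` nor `channels` changes within that loop (only `encoded` advances), so it can sit once above the `for`. More importantly the constant deserves a comment, e.g. `/* bytes Fill_IMA_ADPCM_block writes for this block: presumably 8 samples x 2 bytes x channels */`, since the callee's body is outside the diff and that is the only way a reader can check the bound. Forming `decoded + N` past the end of the allocation before comparing is technically undefined; `(size_t)(decoded_end - decoded) < 4 * 4 * channels` expresses the same test without it (likewise for the `decoded + 2` check in the previous hunk). IMA_ADPCM_decode continues outside the hunks.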


@ -0,0 +1,67 @@
From 76871a1c52dc74b8ba2357b9d68c34d765ea9db3 Mon Sep 17 00:00:00 2001
From: Petr P?sa? <ppisar@redhat.com>
Date: Mon, 10 Jun 2019 08:50:59 -0700
Subject: [PATCH] CVE-2019-7574: Fix a buffer overread in IMA_ADPCM_decode If
data chunk was shorter than expected based on a WAV format definition,
IMA_ADPCM_decode() tried to read past the data chunk buffer. This patch fixes
it.
CVE-2019-7574
https://bugzilla.libsdl.org/show_bug.cgi?id=4496
Signed-off-by: Petr P?sa? <ppisar@redhat.com>
---
src/audio/SDL_wave.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
index 21ee4dc..66f8044 100644
--- a/src/audio/SDL_wave.c
+++ b/src/audio/SDL_wave.c
@@ -331,7 +331,7 @@ static void Fill_IMA_ADPCM_block(Uint8 *decoded, Uint8 *encoded,
static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
{
struct IMA_ADPCM_decodestate *state;
- Uint8 *freeable, *encoded, *decoded;
+ Uint8 *freeable, *encoded, *encoded_end, *decoded;
Sint32 encoded_len, samplesleft;
unsigned int c, channels;
@@ -347,6 +347,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
/* Allocate the proper sized output buffer */
encoded_len = *audio_len;
encoded = *audio_buf;
+ encoded_end = encoded + encoded_len;
freeable = *audio_buf;
*audio_len = (encoded_len/IMA_ADPCM_state.wavefmt.blockalign) *
IMA_ADPCM_state.wSamplesPerBlock*
@@ -362,6 +363,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) {
/* Grab the initial information for this block */
for ( c=0; c<channels; ++c ) {
+ if (encoded + 4 > encoded_end) goto invalid_size;
/* Fill the state information for this block */
state[c].sample = ((encoded[1]<<8)|encoded[0]);
encoded += 2;
@@ -384,6 +386,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
samplesleft = (IMA_ADPCM_state.wSamplesPerBlock-1)*channels;
while ( samplesleft > 0 ) {
for ( c=0; c<channels; ++c ) {
+ if (encoded + 4 > encoded_end) goto invalid_size;
Fill_IMA_ADPCM_block(decoded, encoded,
c, channels, &state[c]);
encoded += 4;
@@ -395,6 +398,10 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
}
SDL_free(freeable);
return(0);
+invalid_size:
+ SDL_SetError("Unexpected chunk length for an IMA ADPCM decoder");
+ SDL_free(freeable);
+ return(-1);
}
SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc,
--
1.8.3.1
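Review bot: The new `invalid_size` path frees `freeable` (the input buffer) but not the output buffer that the function allocates into `*audio_buf` (the `/* Allocate the proper sized output buffer */` comment and the reassignment of `*audio_len` imply a fresh allocation, though the malloc itself is outside the hunk), and it leaves `*audio_buf` pointing at a partially filled buffer. Unless the caller frees `*audio_buf` on a negative return, which this diff does not show, add `SDL_free(*audio_buf); *audio_buf = NULL; *audio_len = 0;` before `return(-1);`. `encoded_len` is a `Sint32` assigned from the `Uint32 *audio_len`; a chunk length of 2^31 or more makes `encoded_end` precede `encoded`, which the new checks reject (fail-closed) but a comment should say so. The same cleanup question applies to the `invalid_size` label in the MS_ADPCM_decode patch.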


@ -0,0 +1,80 @@
From c68e0003d2f2b4e50bb1c4412af40c32f0b6396e Mon Sep 17 00:00:00 2001
From: Petr P?sa? <ppisar@redhat.com>
Date: Mon, 10 Jun 2019 09:25:05 -0700
Subject: [PATCH] CVE-2019-7575: Fix a buffer overwrite in MS_ADPCM_decode If a
WAV format defines shorter audio stream and decoded MS ADPCM data chunk is
longer, decoding continued past the output audio buffer.
This fix is based on a patch from
<https://bugzilla.libsdl.org/show_bug.cgi?id=4492>.
https://bugzilla.libsdl.org/show_bug.cgi?id=4493
CVE-2019-7575
Signed-off-by: Petr P?sa? <ppisar@redhat.com>
---
src/audio/SDL_wave.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
index 88ac2cc..5f93651 100644
--- a/src/audio/SDL_wave.c
+++ b/src/audio/SDL_wave.c
@@ -122,7 +122,7 @@ static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state,
static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
{
struct MS_ADPCM_decodestate *state[2];
- Uint8 *freeable, *encoded, *encoded_end, *decoded;
+ Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end;
Sint32 encoded_len, samplesleft;
Sint8 nybble, stereo;
Sint16 *coeff[2];
@@ -142,6 +142,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
return(-1);
}
decoded = *audio_buf;
+ decoded_end = decoded + *audio_len;
/* Get ready... Go! */
stereo = (MS_ADPCM_state.wavefmt.channels == 2);
@@ -149,7 +150,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
state[1] = &MS_ADPCM_state.state[stereo];
while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) {
/* Grab the initial information for this block */
- if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto too_short;
+ if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto invalid_size;
state[0]->hPredictor = *encoded++;
if ( stereo ) {
state[1]->hPredictor = *encoded++;
@@ -179,6 +180,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
coeff[1] = MS_ADPCM_state.aCoeff[state[1]->hPredictor];
/* Store the two initial samples we start with */
+ if (decoded + 4 + (stereo ? 4 : 0) > decoded_end) goto invalid_size;
decoded[0] = state[0]->iSamp2&0xFF;
decoded[1] = state[0]->iSamp2>>8;
decoded += 2;
@@ -200,7 +202,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)*
MS_ADPCM_state.wavefmt.channels;
while ( samplesleft > 0 ) {
- if (encoded + 1 > encoded_end) goto too_short;
+ if (encoded + 1 > encoded_end) goto invalid_size;
+ if (decoded + 4 > decoded_end) goto invalid_size;
nybble = (*encoded)>>4;
new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]);
@@ -223,8 +226,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
}
SDL_free(freeable);
return(0);
-too_short:
- SDL_SetError("Too short chunk for a MS ADPCM decoder");
+invalid_size:
+ SDL_SetError("Unexpected chunk length for a MS ADPCM decoder");
SDL_free(freeable);
return(-1);
invalid_predictor:
--
1.8.3.1