Date: Tuesday, August 31, 2021 @ 23:13:02
Author: heftig
Revision: 1010234
import patches into git
Added:
sdl/trunk/0001-SDL-1.2.10-GrabNotViewable.patch
(from rev 1010233, sdl/trunk/SDL-1.2.10-GrabNotViewable.patch)
sdl/trunk/0002-SDL-1.2.15-SDL_EnableUNICODE_drops_keyboard_events.patch
(from rev 1010233,
sdl/trunk/SDL-1.2.15-SDL_EnableUNICODE_drops_keyboard_events.patch)
sdl/trunk/0003-SDL-1.2.15-const_XData32.patch
sdl/trunk/0004-SDL-1.2.15-ignore_insane_joystick_axis.patch
sdl/trunk/0005-SDL-1.2.15-no-default-backing-store.patch
(from rev 1010233, sdl/trunk/SDL-1.2.15-no-default-backing-store.patch)
sdl/trunk/0006-x11-Bypass-SetGammaRamp-when-changing-gamma.patch
(from rev 1010233,
sdl/trunk/SDL-1.2.15-x11-Bypass-SetGammaRamp-when-changing-gamma.patch)
sdl/trunk/0007-sdl-1.2.14-fix-mouse-clicking.patch
(from rev 1010233, sdl/trunk/sdl-1.2.14-fix-mouse-clicking.patch)
sdl/trunk/0008-sdl-1.2.14-disable-mmx.patch
sdl/trunk/0009-libsdl-1.2.15-resizing.patch
(from rev 1010233, sdl/trunk/libsdl-1.2.15-resizing.patch)
sdl/trunk/0010-X11_KeyToUnicode.patch
(from rev 1010233, sdl/trunk/X11_KeyToUnicode.patch)
sdl/trunk/0011-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch
(from rev 1010233,
sdl/trunk/SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch)
sdl/trunk/0012-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch
(from rev 1010233,
sdl/trunk/SDL-1.2.15-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch)
sdl/trunk/0013-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch
(from rev 1010233,
sdl/trunk/SDL-1.2.15-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch)
sdl/trunk/0014-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch
(from rev 1010233,
sdl/trunk/SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch)
sdl/trunk/0015-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch
(from rev 1010233,
sdl/trunk/SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch)
sdl/trunk/0016-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch
(from rev 1010233,
sdl/trunk/SDL-1.2.15-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch)
sdl/trunk/0017-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch
(from rev 1010233,
sdl/trunk/SDL-1.2.15-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch)
sdl/trunk/0018-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch
(from rev 1010233,
sdl/trunk/SDL-1.2.15-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch)
sdl/trunk/0019-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch
(from rev 1010233,
sdl/trunk/SDL-1.2.15-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch)
sdl/trunk/0020-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch
(from rev 1010233,
sdl/trunk/SDL-1.2.15-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch)
sdl/trunk/0021-SDL-1.2.15-CVE-2019-13616-validate_image_size_when_l.patch
sdl/trunk/0022-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch
(from rev 1010233,
sdl/trunk/SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch)
sdl/trunk/0023-Reject-2-3-5-6-7-bpp-BMP-images.patch
(from rev 1010233,
sdl/trunk/SDL-1.2.15-Reject-2-3-5-6-7-bpp-BMP-images.patch)
Modified:
sdl/trunk/PKGBUILD
Deleted:
sdl/trunk/SDL-1.2.10-GrabNotViewable.patch
sdl/trunk/SDL-1.2.15-CVE-2019-13616-validate_image_size_when_loading_BMP_files.patch
sdl/trunk/SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch
sdl/trunk/SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch
sdl/trunk/SDL-1.2.15-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch
sdl/trunk/SDL-1.2.15-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch
sdl/trunk/SDL-1.2.15-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch
sdl/trunk/SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch
sdl/trunk/SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch
sdl/trunk/SDL-1.2.15-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch
sdl/trunk/SDL-1.2.15-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch
sdl/trunk/SDL-1.2.15-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch
sdl/trunk/SDL-1.2.15-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch
sdl/trunk/SDL-1.2.15-Reject-2-3-5-6-7-bpp-BMP-images.patch
sdl/trunk/SDL-1.2.15-SDL_EnableUNICODE_drops_keyboard_events.patch
sdl/trunk/SDL-1.2.15-const_XData32.patch
sdl/trunk/SDL-1.2.15-ignore_insane_joystick_axis.patch
sdl/trunk/SDL-1.2.15-no-default-backing-store.patch
sdl/trunk/SDL-1.2.15-x11-Bypass-SetGammaRamp-when-changing-gamma.patch
sdl/trunk/X11_KeyToUnicode.patch
sdl/trunk/libsdl-1.2.15-resizing.patch
sdl/trunk/sdl-1.2.14-disable-mmx.patch
sdl/trunk/sdl-1.2.14-fix-mouse-clicking.patch
----------------------------------------------------------------------------+
0001-SDL-1.2.10-GrabNotViewable.patch |
32 +
0002-SDL-1.2.15-SDL_EnableUNICODE_drops_keyboard_events.patch |
86 ++++
0003-SDL-1.2.15-const_XData32.patch |
25 +
0004-SDL-1.2.15-ignore_insane_joystick_axis.patch |
29 +
0005-SDL-1.2.15-no-default-backing-store.patch |
33 +
0006-x11-Bypass-SetGammaRamp-when-changing-gamma.patch |
41 +
0007-sdl-1.2.14-fix-mouse-clicking.patch |
34 +
0008-sdl-1.2.14-disable-mmx.patch |
23 +
0009-libsdl-1.2.15-resizing.patch |
76 +++
0010-X11_KeyToUnicode.patch |
54 ++
0011-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch |
97 ++++
0012-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch |
141 ++++++
0013-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch |
103 ++++
0014-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch |
60 ++
0015-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch |
95 ++++
0016-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch |
83 +++
0017-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch |
65 +++
0018-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch |
53 ++
0019-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch |
206 +++++++++
0020-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch |
67 +++
0021-SDL-1.2.15-CVE-2019-13616-validate_image_size_when_l.patch |
32 +
0022-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch |
54 ++
0023-Reject-2-3-5-6-7-bpp-BMP-images.patch |
39 +
PKGBUILD |
138 +++---
SDL-1.2.10-GrabNotViewable.patch |
22 -
SDL-1.2.15-CVE-2019-13616-validate_image_size_when_loading_BMP_files.patch |
23 -
SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch |
59 --
SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch |
64 ---
SDL-1.2.15-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch |
83 ---
SDL-1.2.15-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch |
71 ---
SDL-1.2.15-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch |
84 ----
SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch |
75 ---
SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch |
57 --
SDL-1.2.15-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch |
67 ---
SDL-1.2.15-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch |
67 ---
SDL-1.2.15-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch |
209 ----------
SDL-1.2.15-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch |
56 --
SDL-1.2.15-Reject-2-3-5-6-7-bpp-BMP-images.patch |
42 --
SDL-1.2.15-SDL_EnableUNICODE_drops_keyboard_events.patch |
73 ---
SDL-1.2.15-const_XData32.patch |
16
SDL-1.2.15-ignore_insane_joystick_axis.patch |
20
SDL-1.2.15-no-default-backing-store.patch |
24 -
SDL-1.2.15-x11-Bypass-SetGammaRamp-when-changing-gamma.patch |
44 --
X11_KeyToUnicode.patch |
52 --
libsdl-1.2.15-resizing.patch |
63 ---
sdl-1.2.14-disable-mmx.patch |
13
sdl-1.2.14-fix-mouse-clicking.patch |
23 -
47 files changed, 1597 insertions(+), 1376 deletions(-)
Copied: sdl/trunk/0001-SDL-1.2.10-GrabNotViewable.patch (from rev 1010233,
sdl/trunk/SDL-1.2.10-GrabNotViewable.patch)
===================================================================
--- 0001-SDL-1.2.10-GrabNotViewable.patch (rev 0)
+++ 0001-SDL-1.2.10-GrabNotViewable.patch 2021-08-31 23:13:02 UTC (rev
1010234)
@@ -0,0 +1,32 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: "Jan Alexander Steffens (heftig)" <[email protected]>
+Date: Tue, 31 Aug 2021 22:37:34 +0000
+Subject: [PATCH] SDL-1.2.10-GrabNotViewable
+
+Makes SDL-1.2 SDL_WM_GrabInput() non-blocking in case of SDL window is not
+viewable. Patch provided by <[email protected]>.
+See <http://bugzilla.libsdl.org/show_bug.cgi?id=1155>.
+---
+ src/video/x11/SDL_x11wm.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/video/x11/SDL_x11wm.c b/src/video/x11/SDL_x11wm.c
+index 14c816b9..fe0f6a54 100644
+--- a/src/video/x11/SDL_x11wm.c
++++ b/src/video/x11/SDL_x11wm.c
+@@ -352,13 +352,14 @@ SDL_GrabMode X11_GrabInputNoLock(_THIS, SDL_GrabMode
mode)
+ result = XGrabPointer(SDL_Display, SDL_Window, True, 0,
+ GrabModeAsync, GrabModeAsync,
+ SDL_Window, None, CurrentTime);
+- if ( result == GrabSuccess ) {
++ if ( result == GrabSuccess || result == GrabNotViewable
) {
+ break;
+ }
+ SDL_Delay(100);
+ }
+ if ( result != GrabSuccess ) {
+ /* Uh, oh, what do we do here? */ ;
++ return(SDL_GRAB_OFF);
+ }
+ /* Now grab the keyboard */
+ XGrabKeyboard(SDL_Display, WMwindow, True,
Copied: sdl/trunk/0002-SDL-1.2.15-SDL_EnableUNICODE_drops_keyboard_events.patch
(from rev 1010233,
sdl/trunk/SDL-1.2.15-SDL_EnableUNICODE_drops_keyboard_events.patch)
===================================================================
--- 0002-SDL-1.2.15-SDL_EnableUNICODE_drops_keyboard_events.patch
(rev 0)
+++ 0002-SDL-1.2.15-SDL_EnableUNICODE_drops_keyboard_events.patch
2021-08-31 23:13:02 UTC (rev 1010234)
@@ -0,0 +1,86 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: "Jan Alexander Steffens (heftig)" <[email protected]>
+Date: Tue, 31 Aug 2021 22:38:24 +0000
+Subject: [PATCH] SDL-1.2.15-SDL_EnableUNICODE_drops_keyboard_events
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixed bug 2325 - SDL_EnableUNICODE sometimes drops keyboard events completely
+
+Rafał Mużyło
+
+The most annoying part of this bug is that though I've found it in two
separate apps, I don't have a trivial testcase for it.
+
+The problem seems to be a condition race, as it's triggered quite randomly
(therefore it will be hard to tell whether it really gets fixed, if a probable
fix is found).
+
+While it's specific to SDL 1.2, it seems quite similar to the problem
described and fixed in http://forums.libsdl.org/viewtopic.php?p=40503.
+
+Now, I should start describing the problem.
+
+A game uses Escape to open menu (the exact key might not be important). Upon
opening, it calls SDL_EnableUNICODE(1). Upon closing it calls
SDL_EnableUNICODE(0).
+
+I have an IME running.
+
+Game uses SDL_PollEvent to get the events.
+
+If Escape is pressed repeatedly, menu is opened and closed, till it eventually
freezes in open state.
+"freezes" in this context means "app itself still runs, but no keyboard events
are getting delivered (though - for example - mouse events still are)".
"getting delivered" should mean "SDL_PollEvent is not receiving any".
+If it matters, the last delivered keyboard event is a keypress, the release
never arrives.
+
+It seems (no guarantees, due to random nature of the freeze) that unsetting
XMODIFIERS (which - AFAIU - will disable IME as far as SDL is concerned)
prevents the freeze, therefore the reference to that SDL2 thread.
+---
+ src/video/x11/SDL_x11events.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/src/video/x11/SDL_x11events.c b/src/video/x11/SDL_x11events.c
+index 559a0014..22107577 100644
+--- a/src/video/x11/SDL_x11events.c
++++ b/src/video/x11/SDL_x11events.c
+@@ -395,24 +395,46 @@ static int X11_DispatchEvent(_THIS)
+ {
+ int posted;
+ XEvent xevent;
++ int orig_event_type;
++ KeyCode orig_keycode;
+
+ SDL_memset(&xevent, '\0', sizeof (XEvent)); /* valgrind fix. --ryan. */
+ XNextEvent(SDL_Display, &xevent);
+
+ /* Discard KeyRelease and KeyPress events generated by auto-repeat.
+ We need to do it before passing event to XFilterEvent. Otherwise,
+ KeyRelease aware IMs are confused... */
+ if ( xevent.type == KeyRelease
+ && X11_KeyRepeat(SDL_Display, &xevent) ) {
+ return 0;
+ }
+
+ #ifdef X_HAVE_UTF8_STRING
+ /* If we are translating with IM, we need to pass all events
+ to XFilterEvent, and discard those filtered events immediately. */
++ orig_event_type = xevent.type;
++ if (orig_event_type == KeyPress || orig_event_type == KeyRelease) {
++ orig_keycode = xevent.xkey.keycode;
++ } else {
++ orig_keycode = 0;
++ }
+ if ( SDL_TranslateUNICODE
+ && SDL_IM != NULL
+ && XFilterEvent(&xevent, None) ) {
++ if (orig_keycode) {
++ SDL_keysym keysym;
++ static XComposeStatus state;
++ char keybuf[32];
++
++ keysym.scancode = xevent.xkey.keycode;
++ keysym.sym = X11_TranslateKeycode(SDL_Display,
xevent.xkey.keycode);
++ keysym.mod = KMOD_NONE;
++ keysym.unicode = 0;
++ if (orig_event_type == KeyPress &&
XLookupString(&xevent.xkey, keybuf, sizeof(keybuf), NULL, &state))
++ keysym.unicode = (Uint8)keybuf[0];
++
++ SDL_PrivateKeyboard(orig_event_type == KeyPress ?
SDL_PRESSED : SDL_RELEASED, &keysym);
++ }
+ return 0;
+ }
+ #endif
Added: 0003-SDL-1.2.15-const_XData32.patch
===================================================================
--- 0003-SDL-1.2.15-const_XData32.patch (rev 0)
+++ 0003-SDL-1.2.15-const_XData32.patch 2021-08-31 23:13:02 UTC (rev 1010234)
@@ -0,0 +1,25 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: "Jan Alexander Steffens (heftig)" <[email protected]>
+Date: Tue, 31 Aug 2021 22:39:13 +0000
+Subject: [PATCH] SDL-1.2.15-const_XData32
+
+libX11-1.5.99.901 has changed prototype of _XData32
+
+<http://bugzilla.libsdl.org/show_bug.cgi?id=1769>
+---
+ src/video/x11/SDL_x11sym.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/video/x11/SDL_x11sym.h b/src/video/x11/SDL_x11sym.h
+index 4875b989..cc58bd43 100644
+--- a/src/video/x11/SDL_x11sym.h
++++ b/src/video/x11/SDL_x11sym.h
+@@ -165,7 +165,7 @@ SDL_X11_SYM(Bool,XShmQueryExtension,(Display*
a),(a),return)
+ */
+ #ifdef LONG64
+ SDL_X11_MODULE(IO_32BIT)
+-SDL_X11_SYM(int,_XData32,(Display *dpy,register long *data,unsigned
len),(dpy,data,len),return)
++SDL_X11_SYM(int,_XData32,(Display *dpy,register _Xconst long *data,unsigned
len),(dpy,data,len),return)
+ SDL_X11_SYM(void,_XRead32,(Display *dpy,register long *data,long
len),(dpy,data,len),)
+ #endif
+
Added: 0004-SDL-1.2.15-ignore_insane_joystick_axis.patch
===================================================================
--- 0004-SDL-1.2.15-ignore_insane_joystick_axis.patch
(rev 0)
+++ 0004-SDL-1.2.15-ignore_insane_joystick_axis.patch 2021-08-31 23:13:02 UTC
(rev 1010234)
@@ -0,0 +1,29 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: "Jan Alexander Steffens (heftig)" <[email protected]>
+Date: Tue, 31 Aug 2021 22:40:09 +0000
+Subject: [PATCH] SDL-1.2.15-ignore_insane_joystick_axis
+
+changeset: 6324:95abff7adcc2
+branch: SDL-1.2
+parent: 6306:2b923729fd01
+user: Ryan C. Gordon <[email protected]>
+date: Sun Jun 03 04:49:25 2012 -0400
+summary: Linux evdev: ignore joystick axis events if they aren't in a sane
range.
+---
+ src/joystick/linux/SDL_sysjoystick.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/joystick/linux/SDL_sysjoystick.c
b/src/joystick/linux/SDL_sysjoystick.c
+index ee439747..2b763139 100644
+--- a/src/joystick/linux/SDL_sysjoystick.c
++++ b/src/joystick/linux/SDL_sysjoystick.c
+@@ -1106,6 +1106,9 @@ static __inline__ void EV_HandleEvents(SDL_Joystick
*joystick)
+ }
+ break;
+ case EV_ABS:
++ if (code > ABS_MISC) {
++ break;
++ }
+ switch (code) {
+ case ABS_HAT0X:
+ case ABS_HAT0Y:
Copied: sdl/trunk/0005-SDL-1.2.15-no-default-backing-store.patch (from rev
1010233, sdl/trunk/SDL-1.2.15-no-default-backing-store.patch)
===================================================================
--- 0005-SDL-1.2.15-no-default-backing-store.patch
(rev 0)
+++ 0005-SDL-1.2.15-no-default-backing-store.patch 2021-08-31 23:13:02 UTC
(rev 1010234)
@@ -0,0 +1,33 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: "Jan Alexander Steffens (heftig)" <[email protected]>
+Date: Tue, 31 Aug 2021 22:40:44 +0000
+Subject: [PATCH] SDL-1.2.15-no-default-backing-store
+
+Do not harness backing store by default
+
+xorg-server 1.15 enables backing store if composite extension is enabled
+(default settings). Harnessing backing store through compositor leads to
+tearing effect.
+
+This patch reverts default harnessing backing store to conditional use if
+SDL_VIDEO_X11_BACKINGSTORE environment variable exists.
+
+<https://bugzilla.libsdl.org/show_bug.cgi?id=2383>
+<https://bugzilla.redhat.com/show_bug.cgi?id=1073057>
+---
+ src/video/x11/SDL_x11video.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/video/x11/SDL_x11video.c b/src/video/x11/SDL_x11video.c
+index f7d80732..79e60f97 100644
+--- a/src/video/x11/SDL_x11video.c
++++ b/src/video/x11/SDL_x11video.c
+@@ -1088,7 +1088,7 @@ static int X11_CreateWindow(_THIS, SDL_Surface *screen,
+ }
+ }
+
+-#if 0 /* This is an experiment - are the graphics faster now? - nope. */
++#if 1 /* This is an experiment - are the graphics faster now? - nope. */
+ if ( SDL_getenv("SDL_VIDEO_X11_BACKINGSTORE") )
+ #endif
+ /* Cache the window in the server, when possible */
Copied: sdl/trunk/0006-x11-Bypass-SetGammaRamp-when-changing-gamma.patch (from
rev 1010233,
sdl/trunk/SDL-1.2.15-x11-Bypass-SetGammaRamp-when-changing-gamma.patch)
===================================================================
--- 0006-x11-Bypass-SetGammaRamp-when-changing-gamma.patch
(rev 0)
+++ 0006-x11-Bypass-SetGammaRamp-when-changing-gamma.patch 2021-08-31
23:13:02 UTC (rev 1010234)
@@ -0,0 +1,41 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <[email protected]>
+Date: Tue, 1 Jan 2013 21:25:15 +0100
+Subject: [PATCH] x11: Bypass SetGammaRamp when changing gamma
+
+Recent Xorg has broken dynamic colors setting, so calling SDL_SetGamme()
+does not have any effect here. Recent means xorg-server >= 1.7, since 2010.
+See <https://bugs.freedesktop.org/show_bug.cgi?id=27222>.
+---
+ src/video/SDL_gamma.c | 15 ++-------------
+ 1 file changed, 2 insertions(+), 13 deletions(-)
+
+diff --git a/src/video/SDL_gamma.c b/src/video/SDL_gamma.c
+index 4fd03701..464ab882 100644
+--- a/src/video/SDL_gamma.c
++++ b/src/video/SDL_gamma.c
+@@ -92,22 +92,11 @@ static void CalculateGammaFromRamp(float *gamma, Uint16
*ramp)
+
+ int SDL_SetGamma(float red, float green, float blue)
+ {
+- int succeeded;
++ int succeeded = -1;
+ SDL_VideoDevice *video = current_video;
+ SDL_VideoDevice *this = current_video;
+
+- succeeded = -1;
+- /* Prefer using SetGammaRamp(), as it's more flexible */
+- {
+- Uint16 ramp[3][256];
+-
+- CalculateGammaRamp(red, ramp[0]);
+- CalculateGammaRamp(green, ramp[1]);
+- CalculateGammaRamp(blue, ramp[2]);
+- succeeded = SDL_SetGammaRamp(ramp[0], ramp[1], ramp[2]);
+- }
+- if ( (succeeded < 0) && video->SetGamma ) {
+- SDL_ClearError();
++ if ( video->SetGamma ) {
+ succeeded = video->SetGamma(this, red, green, blue);
+ }
+ return succeeded;
Copied: sdl/trunk/0007-sdl-1.2.14-fix-mouse-clicking.patch (from rev 1010233,
sdl/trunk/sdl-1.2.14-fix-mouse-clicking.patch)
===================================================================
--- 0007-sdl-1.2.14-fix-mouse-clicking.patch (rev 0)
+++ 0007-sdl-1.2.14-fix-mouse-clicking.patch 2021-08-31 23:13:02 UTC (rev
1010234)
@@ -0,0 +1,34 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: "Jan Alexander Steffens (heftig)" <[email protected]>
+Date: Tue, 31 Aug 2021 22:41:53 +0000
+Subject: [PATCH] sdl-1.2.14-fix-mouse-clicking
+
+---
+ src/video/x11/SDL_x11events.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/src/video/x11/SDL_x11events.c b/src/video/x11/SDL_x11events.c
+index 22107577..be13cc57 100644
+--- a/src/video/x11/SDL_x11events.c
++++ b/src/video/x11/SDL_x11events.c
+@@ -451,12 +451,15 @@ printf("Mode: NotifyGrab\n");
+ if ( xevent.xcrossing.mode == NotifyUngrab )
+ printf("Mode: NotifyUngrab\n");
+ #endif
+- if ( this->input_grab == SDL_GRAB_OFF ) {
+- posted = SDL_PrivateAppActive(1, SDL_APPMOUSEFOCUS);
++ if ( (xevent.xcrossing.mode != NotifyGrab) &&
++ (xevent.xcrossing.mode != NotifyUngrab) ) {
++ if ( this->input_grab == SDL_GRAB_OFF ) {
++ posted = SDL_PrivateAppActive(1,
SDL_APPMOUSEFOCUS);
++ }
++ posted = SDL_PrivateMouseMotion(0, 0,
++ xevent.xcrossing.x,
++ xevent.xcrossing.y);
+ }
+- posted = SDL_PrivateMouseMotion(0, 0,
+- xevent.xcrossing.x,
+- xevent.xcrossing.y);
+ }
+ break;
+
Added: 0008-sdl-1.2.14-disable-mmx.patch
===================================================================
--- 0008-sdl-1.2.14-disable-mmx.patch (rev 0)
+++ 0008-sdl-1.2.14-disable-mmx.patch 2021-08-31 23:13:02 UTC (rev 1010234)
@@ -0,0 +1,23 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: "Jan Alexander Steffens (heftig)" <[email protected]>
+Date: Tue, 31 Aug 2021 22:42:24 +0000
+Subject: [PATCH] sdl-1.2.14-disable-mmx
+
+and another one from FS#26020
+---
+ src/video/SDL_yuv_sw.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/video/SDL_yuv_sw.c b/src/video/SDL_yuv_sw.c
+index c555ce06..86f436b1 100644
+--- a/src/video/SDL_yuv_sw.c
++++ b/src/video/SDL_yuv_sw.c
+@@ -89,6 +89,8 @@
+ #include "SDL_yuvfuncs.h"
+ #include "SDL_yuv_sw_c.h"
+
++#undef __OPTIMIZE__
++
+ /* The functions used to manipulate software video overlays */
+ static struct private_yuvhwfuncs sw_yuvfuncs = {
+ SDL_LockYUV_SW,
Copied: sdl/trunk/0009-libsdl-1.2.15-resizing.patch (from rev 1010233,
sdl/trunk/libsdl-1.2.15-resizing.patch)
===================================================================
--- 0009-libsdl-1.2.15-resizing.patch (rev 0)
+++ 0009-libsdl-1.2.15-resizing.patch 2021-08-31 23:13:02 UTC (rev 1010234)
@@ -0,0 +1,76 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: "Jan Alexander Steffens (heftig)" <[email protected]>
+Date: Tue, 31 Aug 2021 22:43:11 +0000
+Subject: [PATCH] libsdl-1.2.15-resizing
+
+Description: Revert change that breaks window corner resizing
+ http://bugzilla.libsdl.org/show_bug.cgi?id=1430
+Author: Andrew Caudwell <[email protected]>
+Last-Update: 2012-04-10
+Bug-Debian: http://bugs.debian.org/665779
+---
+ src/video/x11/SDL_x11events.c | 16 ----------------
+ src/video/x11/SDL_x11events_c.h | 5 -----
+ src/video/x11/SDL_x11video.c | 2 --
+ 3 files changed, 23 deletions(-)
+
+diff --git a/src/video/x11/SDL_x11events.c b/src/video/x11/SDL_x11events.c
+index be13cc57..85a71e7a 100644
+--- a/src/video/x11/SDL_x11events.c
++++ b/src/video/x11/SDL_x11events.c
+@@ -57,12 +57,6 @@ static SDLKey ODD_keymap[256];
+ static SDLKey MISC_keymap[256];
+ SDLKey X11_TranslateKeycode(Display *display, KeyCode kc);
+
+-/*
+- Pending resize target for ConfigureNotify (so outdated events don't
+- cause inappropriate resize events)
+-*/
+-int X11_PendingConfigureNotifyWidth = -1;
+-int X11_PendingConfigureNotifyHeight = -1;
+
+ #ifdef X_HAVE_UTF8_STRING
+ Uint32 Utf8ToUcs4(const Uint8 *utf8)
+@@ -850,16 +844,6 @@ printf("MapNotify!\n");
+ #ifdef DEBUG_XEVENTS
+ printf("ConfigureNotify! (resize: %dx%d)\n", xevent.xconfigure.width,
xevent.xconfigure.height);
+ #endif
+- if ((X11_PendingConfigureNotifyWidth != -1) &&
+- (X11_PendingConfigureNotifyHeight != -1)) {
+- if ((xevent.xconfigure.width !=
X11_PendingConfigureNotifyWidth) &&
+- (xevent.xconfigure.height !=
X11_PendingConfigureNotifyHeight)) {
+- /* Event is from before the resize, so ignore. */
+- break;
+- }
+- X11_PendingConfigureNotifyWidth = -1;
+- X11_PendingConfigureNotifyHeight = -1;
+- }
+ if ( SDL_VideoSurface ) {
+ if ((xevent.xconfigure.width != SDL_VideoSurface->w) ||
+ (xevent.xconfigure.height != SDL_VideoSurface->h)) {
+diff --git a/src/video/x11/SDL_x11events_c.h b/src/video/x11/SDL_x11events_c.h
+index fe26d9c2..1177137d 100644
+--- a/src/video/x11/SDL_x11events_c.h
++++ b/src/video/x11/SDL_x11events_c.h
+@@ -27,8 +27,3 @@
+ extern void X11_InitOSKeymap(_THIS);
+ extern void X11_PumpEvents(_THIS);
+ extern void X11_SetKeyboardState(Display *display, const char *key_vec);
+-
+-/* Variables to be exported */
+-extern int X11_PendingConfigureNotifyWidth;
+-extern int X11_PendingConfigureNotifyHeight;
+-
+diff --git a/src/video/x11/SDL_x11video.c b/src/video/x11/SDL_x11video.c
+index 79e60f97..670a2d84 100644
+--- a/src/video/x11/SDL_x11video.c
++++ b/src/video/x11/SDL_x11video.c
+@@ -1177,8 +1177,6 @@ SDL_Surface *X11_SetVideoMode(_THIS, SDL_Surface
*current,
+ current = NULL;
+ goto done;
+ }
+- X11_PendingConfigureNotifyWidth = width;
+- X11_PendingConfigureNotifyHeight = height;
+ } else {
+ if (X11_CreateWindow(this,current,width,height,bpp,flags) < 0) {
+ current = NULL;
Copied: sdl/trunk/0010-X11_KeyToUnicode.patch (from rev 1010233,
sdl/trunk/X11_KeyToUnicode.patch)
===================================================================
--- 0010-X11_KeyToUnicode.patch (rev 0)
+++ 0010-X11_KeyToUnicode.patch 2021-08-31 23:13:02 UTC (rev 1010234)
@@ -0,0 +1,54 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: "Jan Alexander Steffens (heftig)" <[email protected]>
+Date: Tue, 31 Aug 2021 22:43:41 +0000
+Subject: [PATCH] X11_KeyToUnicode
+
+Fixed bug 1390 - X11_KeyToUnicode
+
+manuel.montezelo 2012-01-22 08:56:18 PST
+
+We had the following bug report at Debian:
+http://bugs.debian.org/376560
+
+Same one in Ubuntu:
+https://bugs.launchpad.net/ubuntu/+source/libsdl1.2/+bug/66217
+
+We've been including a patch since then (attached) to actually export the
+symbol, since 2006. In the last release the function seems to be there, alive
+and kicking.
+
+It's affecting other people too:
+http://www.garagegames.com/community/forums/viewthread/52287
+---
+ src/video/x11/SDL_x11events.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/video/x11/SDL_x11events.c b/src/video/x11/SDL_x11events.c
+index 85a71e7a..cfdbb157 100644
+--- a/src/video/x11/SDL_x11events.c
++++ b/src/video/x11/SDL_x11events.c
+@@ -1255,15 +1255,24 @@ static void get_modifier_masks(Display *display)
+ * sequences (dead accents, compose key sequences) will not work since the
+ * state has been irrevocably lost.
+ */
++extern DECLSPEC Uint16 SDLCALL X11_KeyToUnicode(SDLKey, SDLMod);
++
+ Uint16 X11_KeyToUnicode(SDLKey keysym, SDLMod modifiers)
+ {
++ static int warning = 0;
+ struct SDL_VideoDevice *this = current_video;
+ char keybuf[32];
+ int i;
+ KeySym xsym = 0;
+ XKeyEvent xkey;
+ Uint16 unicode;
+
++ if ( warning ) {
++ warning = 0;
++ fprintf(stderr, "WARNING: Application is using
X11_KeyToUnicode().\n");
++ fprintf(stderr, "This is not an official SDL function, please
report this as a bug.\n");
++ }
++
+ if ( !this || !SDL_Display ) {
+ return 0;
+ }
Copied:
sdl/trunk/0011-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch (from
rev 1010233,
sdl/trunk/SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch)
===================================================================
--- 0011-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch
(rev 0)
+++ 0011-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch
2021-08-31 23:13:02 UTC (rev 1010234)
@@ -0,0 +1,97 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <[email protected]>
+Date: Thu, 14 Feb 2019 14:12:22 +0100
+Subject: [PATCH] CVE-2019-7577: Fix a buffer overread in MS_ADPCM_decode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If RIFF/WAV data chunk length is shorter then expected for an audio
+format defined in preceeding RIFF/WAV format headers, a buffer
+overread can happen.
+
+This patch fixes it by checking a MS ADPCM data to be decoded are not
+past the initialized buffer.
+
+CVE-2019-7577
+Reproducer: https://bugzilla.libsdl.org/show_bug.cgi?id=4492
+
+Signed-off-by: Petr Písař <[email protected]>
+---
+ src/audio/SDL_wave.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
+index b4ad6c78..e42d01c9 100644
+--- a/src/audio/SDL_wave.c
++++ b/src/audio/SDL_wave.c
+@@ -115,32 +115,34 @@ static Sint32 MS_ADPCM_nibble(struct
MS_ADPCM_decodestate *state,
+ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ {
+ struct MS_ADPCM_decodestate *state[2];
+- Uint8 *freeable, *encoded, *decoded;
++ Uint8 *freeable, *encoded, *encoded_end, *decoded;
+ Sint32 encoded_len, samplesleft;
+ Sint8 nybble, stereo;
+ Sint16 *coeff[2];
+ Sint32 new_sample;
+
+ /* Allocate the proper sized output buffer */
+ encoded_len = *audio_len;
+ encoded = *audio_buf;
++ encoded_end = encoded + encoded_len;
+ freeable = *audio_buf;
+ *audio_len = (encoded_len/MS_ADPCM_state.wavefmt.blockalign) *
+ MS_ADPCM_state.wSamplesPerBlock*
+ MS_ADPCM_state.wavefmt.channels*sizeof(Sint16);
+ *audio_buf = (Uint8 *)SDL_malloc(*audio_len);
+ if ( *audio_buf == NULL ) {
+ SDL_Error(SDL_ENOMEM);
+ return(-1);
+ }
+ decoded = *audio_buf;
+
+ /* Get ready... Go! */
+ stereo = (MS_ADPCM_state.wavefmt.channels == 2);
+ state[0] = &MS_ADPCM_state.state[0];
+ state[1] = &MS_ADPCM_state.state[stereo];
+ while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) {
+ /* Grab the initial information for this block */
++ if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto
too_short;
+ state[0]->hPredictor = *encoded++;
+ if ( stereo ) {
+ state[1]->hPredictor = *encoded++;
+@@ -188,27 +190,33 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32
*audio_len)
+ samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)*
+ MS_ADPCM_state.wavefmt.channels;
+ while ( samplesleft > 0 ) {
++ if (encoded + 1 > encoded_end) goto too_short;
++
+ nybble = (*encoded)>>4;
+ new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]);
+ decoded[0] = new_sample&0xFF;
+ new_sample >>= 8;
+ decoded[1] = new_sample&0xFF;
+ decoded += 2;
+
+ nybble = (*encoded)&0x0F;
+ new_sample = MS_ADPCM_nibble(state[1],nybble,coeff[1]);
+ decoded[0] = new_sample&0xFF;
+ new_sample >>= 8;
+ decoded[1] = new_sample&0xFF;
+ decoded += 2;
+
+ ++encoded;
+ samplesleft -= 2;
+ }
+ encoded_len -= MS_ADPCM_state.wavefmt.blockalign;
+ }
+ SDL_free(freeable);
+ return(0);
++too_short:
++ SDL_SetError("Too short chunk for a MS ADPCM decoder");
++ SDL_free(freeable);
++ return(-1);
+ }
+
+ struct IMA_ADPCM_decodestate {
Copied:
sdl/trunk/0012-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch (from
rev 1010233,
sdl/trunk/SDL-1.2.15-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch)
===================================================================
--- 0012-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch
(rev 0)
+++ 0012-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch
2021-08-31 23:13:02 UTC (rev 1010234)
@@ -0,0 +1,141 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <[email protected]>
+Date: Thu, 14 Feb 2019 14:51:52 +0100
+Subject: [PATCH] CVE-2019-7575: Fix a buffer overwrite in MS_ADPCM_decode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If a WAV format defines shorter audio stream and decoded MS ADPCM data chunk
+is longer, decoding continued past the output audio buffer.
+
+This fix is based on a patch from
+<https://bugzilla.libsdl.org/show_bug.cgi?id=4492>.
+
+https://bugzilla.libsdl.org/show_bug.cgi?id=4493
+CVE-2019-7575
+
+Signed-off-by: Petr Písař <[email protected]>
+---
+ src/audio/SDL_wave.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
+index e42d01c9..b6c49dee 100644
+--- a/src/audio/SDL_wave.c
++++ b/src/audio/SDL_wave.c
+@@ -115,106 +115,109 @@ static Sint32 MS_ADPCM_nibble(struct
MS_ADPCM_decodestate *state,
+ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ {
+ struct MS_ADPCM_decodestate *state[2];
+- Uint8 *freeable, *encoded, *encoded_end, *decoded;
++ Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end;
+ Sint32 encoded_len, samplesleft;
+ Sint8 nybble, stereo;
+ Sint16 *coeff[2];
+ Sint32 new_sample;
+
+ /* Allocate the proper sized output buffer */
+ encoded_len = *audio_len;
+ encoded = *audio_buf;
+ encoded_end = encoded + encoded_len;
+ freeable = *audio_buf;
+ *audio_len = (encoded_len/MS_ADPCM_state.wavefmt.blockalign) *
+ MS_ADPCM_state.wSamplesPerBlock*
+ MS_ADPCM_state.wavefmt.channels*sizeof(Sint16);
+ *audio_buf = (Uint8 *)SDL_malloc(*audio_len);
+ if ( *audio_buf == NULL ) {
+ SDL_Error(SDL_ENOMEM);
+ return(-1);
+ }
+ decoded = *audio_buf;
++ decoded_end = decoded + *audio_len;
+
+ /* Get ready... Go! */
+ stereo = (MS_ADPCM_state.wavefmt.channels == 2);
+ state[0] = &MS_ADPCM_state.state[0];
+ state[1] = &MS_ADPCM_state.state[stereo];
+ while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) {
+ /* Grab the initial information for this block */
+- if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto
too_short;
++ if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto
invalid_size;
+ state[0]->hPredictor = *encoded++;
+ if ( stereo ) {
+ state[1]->hPredictor = *encoded++;
+ }
+ state[0]->iDelta = ((encoded[1]<<8)|encoded[0]);
+ encoded += sizeof(Sint16);
+ if ( stereo ) {
+ state[1]->iDelta = ((encoded[1]<<8)|encoded[0]);
+ encoded += sizeof(Sint16);
+ }
+ state[0]->iSamp1 = ((encoded[1]<<8)|encoded[0]);
+ encoded += sizeof(Sint16);
+ if ( stereo ) {
+ state[1]->iSamp1 = ((encoded[1]<<8)|encoded[0]);
+ encoded += sizeof(Sint16);
+ }
+ state[0]->iSamp2 = ((encoded[1]<<8)|encoded[0]);
+ encoded += sizeof(Sint16);
+ if ( stereo ) {
+ state[1]->iSamp2 = ((encoded[1]<<8)|encoded[0]);
+ encoded += sizeof(Sint16);
+ }
+ coeff[0] = MS_ADPCM_state.aCoeff[state[0]->hPredictor];
+ coeff[1] = MS_ADPCM_state.aCoeff[state[1]->hPredictor];
+
+ /* Store the two initial samples we start with */
++ if (decoded + 4 + (stereo ? 4 : 0) > decoded_end) goto
invalid_size;
+ decoded[0] = state[0]->iSamp2&0xFF;
+ decoded[1] = state[0]->iSamp2>>8;
+ decoded += 2;
+ if ( stereo ) {
+ decoded[0] = state[1]->iSamp2&0xFF;
+ decoded[1] = state[1]->iSamp2>>8;
+ decoded += 2;
+ }
+ decoded[0] = state[0]->iSamp1&0xFF;
+ decoded[1] = state[0]->iSamp1>>8;
+ decoded += 2;
+ if ( stereo ) {
+ decoded[0] = state[1]->iSamp1&0xFF;
+ decoded[1] = state[1]->iSamp1>>8;
+ decoded += 2;
+ }
+
+ /* Decode and store the other samples in this block */
+ samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)*
+ MS_ADPCM_state.wavefmt.channels;
+ while ( samplesleft > 0 ) {
+- if (encoded + 1 > encoded_end) goto too_short;
++ if (encoded + 1 > encoded_end) goto invalid_size;
++ if (decoded + 4 > decoded_end) goto invalid_size;
+
+ nybble = (*encoded)>>4;
+ new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]);
+ decoded[0] = new_sample&0xFF;
+ new_sample >>= 8;
+ decoded[1] = new_sample&0xFF;
+ decoded += 2;
+
+ nybble = (*encoded)&0x0F;
+ new_sample = MS_ADPCM_nibble(state[1],nybble,coeff[1]);
+ decoded[0] = new_sample&0xFF;
+ new_sample >>= 8;
+ decoded[1] = new_sample&0xFF;
+ decoded += 2;
+
+ ++encoded;
+ samplesleft -= 2;
+ }
+ encoded_len -= MS_ADPCM_state.wavefmt.blockalign;
+ }
+ SDL_free(freeable);
+ return(0);
+-too_short:
+- SDL_SetError("Too short chunk for a MS ADPCM decoder");
++invalid_size:
++ SDL_SetError("Unexpected chunk length for a MS ADPCM decoder");
+ SDL_free(freeable);
+ return(-1);
+ }
Copied:
sdl/trunk/0013-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch (from
rev 1010233,
sdl/trunk/SDL-1.2.15-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch)
===================================================================
--- 0013-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch
(rev 0)
+++ 0013-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch
2021-08-31 23:13:02 UTC (rev 1010234)
@@ -0,0 +1,103 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <[email protected]>
+Date: Thu, 14 Feb 2019 15:41:47 +0100
+Subject: [PATCH] CVE-2019-7574: Fix a buffer overread in IMA_ADPCM_decode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If data chunk was shorter than expected based on a WAV format
+definition, IMA_ADPCM_decode() tried to read past the data chunk
+buffer. This patch fixes it.
+
+CVE-2019-7574
+https://bugzilla.libsdl.org/show_bug.cgi?id=4496
+
+Signed-off-by: Petr Písař <[email protected]>
+---
+ src/audio/SDL_wave.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
+index b6c49dee..2968b3d1 100644
+--- a/src/audio/SDL_wave.c
++++ b/src/audio/SDL_wave.c
+@@ -334,70 +334,77 @@ static void Fill_IMA_ADPCM_block(Uint8 *decoded, Uint8
*encoded,
+ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ {
+ struct IMA_ADPCM_decodestate *state;
+- Uint8 *freeable, *encoded, *decoded;
++ Uint8 *freeable, *encoded, *encoded_end, *decoded;
+ Sint32 encoded_len, samplesleft;
+ unsigned int c, channels;
+
+ /* Check to make sure we have enough variables in the state array */
+ channels = IMA_ADPCM_state.wavefmt.channels;
+ if ( channels > SDL_arraysize(IMA_ADPCM_state.state) ) {
+ SDL_SetError("IMA ADPCM decoder can only handle %d channels",
+ SDL_arraysize(IMA_ADPCM_state.state));
+ return(-1);
+ }
+ state = IMA_ADPCM_state.state;
+
+ /* Allocate the proper sized output buffer */
+ encoded_len = *audio_len;
+ encoded = *audio_buf;
++ encoded_end = encoded + encoded_len;
+ freeable = *audio_buf;
+ *audio_len = (encoded_len/IMA_ADPCM_state.wavefmt.blockalign) *
+ IMA_ADPCM_state.wSamplesPerBlock*
+ IMA_ADPCM_state.wavefmt.channels*sizeof(Sint16);
+ *audio_buf = (Uint8 *)SDL_malloc(*audio_len);
+ if ( *audio_buf == NULL ) {
+ SDL_Error(SDL_ENOMEM);
+ return(-1);
+ }
+ decoded = *audio_buf;
+
+ /* Get ready... Go! */
+ while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) {
+ /* Grab the initial information for this block */
+ for ( c=0; c<channels; ++c ) {
++ if (encoded + 4 > encoded_end) goto invalid_size;
+ /* Fill the state information for this block */
+ state[c].sample = ((encoded[1]<<8)|encoded[0]);
+ encoded += 2;
+ if ( state[c].sample & 0x8000 ) {
+ state[c].sample -= 0x10000;
+ }
+ state[c].index = *encoded++;
+ /* Reserved byte in buffer header, should be 0 */
+ if ( *encoded++ != 0 ) {
+ /* Uh oh, corrupt data? Buggy code? */;
+ }
+
+ /* Store the initial sample we start with */
+ decoded[0] = (Uint8)(state[c].sample&0xFF);
+ decoded[1] = (Uint8)(state[c].sample>>8);
+ decoded += 2;
+ }
+
+ /* Decode and store the other samples in this block */
+ samplesleft = (IMA_ADPCM_state.wSamplesPerBlock-1)*channels;
+ while ( samplesleft > 0 ) {
+ for ( c=0; c<channels; ++c ) {
++ if (encoded + 4 > encoded_end) goto
invalid_size;
+ Fill_IMA_ADPCM_block(decoded, encoded,
+ c, channels, &state[c]);
+ encoded += 4;
+ samplesleft -= 8;
+ }
+ decoded += (channels * 8 * 2);
+ }
+ encoded_len -= IMA_ADPCM_state.wavefmt.blockalign;
+ }
+ SDL_free(freeable);
+ return(0);
++invalid_size:
++ SDL_SetError("Unexpected chunk length for an IMA ADPCM decoder");
++ SDL_free(freeable);
++ return(-1);
+ }
+
+ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc,
Copied:
sdl/trunk/0014-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch (from
rev 1010233,
sdl/trunk/SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch)
===================================================================
--- 0014-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch
(rev 0)
+++ 0014-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch
2021-08-31 23:13:02 UTC (rev 1010234)
@@ -0,0 +1,60 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <[email protected]>
+Date: Thu, 14 Feb 2019 16:51:54 +0100
+Subject: [PATCH] CVE-2019-7572: Fix a buffer overread in IMA_ADPCM_nibble
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If an IMA ADPCM block contained an initial index out of step table
+range (loaded in IMA_ADPCM_decode()), IMA_ADPCM_nibble() blindly used
+this bogus value and that lead to a buffer overread.
+
+This patch fixes it by moving clamping the index value at the
+beginning of IMA_ADPCM_nibble() function instead of the end after
+an update.
+
+CVE-2019-7572
+https://bugzilla.libsdl.org/show_bug.cgi?id=4495
+
+Signed-off-by: Petr Písař <[email protected]>
+---
+ src/audio/SDL_wave.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
+index 2968b3d1..69d62dc6 100644
+--- a/src/audio/SDL_wave.c
++++ b/src/audio/SDL_wave.c
+@@ -275,23 +275,25 @@ static Sint32 IMA_ADPCM_nibble(struct
IMA_ADPCM_decodestate *state,Uint8 nybble)
+ };
+ Sint32 delta, step;
+
++ /* Clamp index value. The inital value can be invalid. */
++ if ( state->index > 88 ) {
++ state->index = 88;
++ } else
++ if ( state->index < 0 ) {
++ state->index = 0;
++ }
++
+ /* Compute difference and new sample value */
+ step = step_table[state->index];
+ delta = step >> 3;
+ if ( nybble & 0x04 ) delta += step;
+ if ( nybble & 0x02 ) delta += (step >> 1);
+ if ( nybble & 0x01 ) delta += (step >> 2);
+ if ( nybble & 0x08 ) delta = -delta;
+ state->sample += delta;
+
+ /* Update index value */
+ state->index += index_table[nybble];
+- if ( state->index > 88 ) {
+- state->index = 88;
+- } else
+- if ( state->index < 0 ) {
+- state->index = 0;
+- }
+
+ /* Clamp output sample */
+ if ( state->sample > max_audioval ) {
Copied:
sdl/trunk/0015-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch (from
rev 1010233,
sdl/trunk/SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch)
===================================================================
--- 0015-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch
(rev 0)
+++ 0015-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch
2021-08-31 23:13:02 UTC (rev 1010234)
@@ -0,0 +1,95 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <[email protected]>
+Date: Fri, 15 Feb 2019 09:21:45 +0100
+Subject: [PATCH] CVE-2019-7572: Fix a buffer overwrite in IMA_ADPCM_decode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If data chunk was longer than expected based on a WAV format
+definition, IMA_ADPCM_decode() tried to write past the output
+buffer. This patch fixes it.
+
+Based on patch from
+<https://bugzilla.libsdl.org/show_bug.cgi?id=4496>.
+
+CVE-2019-7572
+https://bugzilla.libsdl.org/show_bug.cgi?id=4495
+
+Signed-off-by: Petr Písař <[email protected]>
+---
+ src/audio/SDL_wave.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
+index 69d62dc6..91e89e84 100644
+--- a/src/audio/SDL_wave.c
++++ b/src/audio/SDL_wave.c
+@@ -336,62 +336,66 @@ static void Fill_IMA_ADPCM_block(Uint8 *decoded, Uint8
*encoded,
+ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ {
+ struct IMA_ADPCM_decodestate *state;
+- Uint8 *freeable, *encoded, *encoded_end, *decoded;
++ Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end;
+ Sint32 encoded_len, samplesleft;
+ unsigned int c, channels;
+
+ /* Check to make sure we have enough variables in the state array */
+ channels = IMA_ADPCM_state.wavefmt.channels;
+ if ( channels > SDL_arraysize(IMA_ADPCM_state.state) ) {
+ SDL_SetError("IMA ADPCM decoder can only handle %d channels",
+ SDL_arraysize(IMA_ADPCM_state.state));
+ return(-1);
+ }
+ state = IMA_ADPCM_state.state;
+
+ /* Allocate the proper sized output buffer */
+ encoded_len = *audio_len;
+ encoded = *audio_buf;
+ encoded_end = encoded + encoded_len;
+ freeable = *audio_buf;
+ *audio_len = (encoded_len/IMA_ADPCM_state.wavefmt.blockalign) *
+ IMA_ADPCM_state.wSamplesPerBlock*
+ IMA_ADPCM_state.wavefmt.channels*sizeof(Sint16);
+ *audio_buf = (Uint8 *)SDL_malloc(*audio_len);
+ if ( *audio_buf == NULL ) {
+ SDL_Error(SDL_ENOMEM);
+ return(-1);
+ }
+ decoded = *audio_buf;
++ decoded_end = decoded + *audio_len;
+
+ /* Get ready... Go! */
+ while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) {
+ /* Grab the initial information for this block */
+ for ( c=0; c<channels; ++c ) {
+ if (encoded + 4 > encoded_end) goto invalid_size;
+ /* Fill the state information for this block */
+ state[c].sample = ((encoded[1]<<8)|encoded[0]);
+ encoded += 2;
+ if ( state[c].sample & 0x8000 ) {
+ state[c].sample -= 0x10000;
+ }
+ state[c].index = *encoded++;
+ /* Reserved byte in buffer header, should be 0 */
+ if ( *encoded++ != 0 ) {
+ /* Uh oh, corrupt data? Buggy code? */;
+ }
+
+ /* Store the initial sample we start with */
++ if (decoded + 2 > decoded_end) goto invalid_size;
+ decoded[0] = (Uint8)(state[c].sample&0xFF);
+ decoded[1] = (Uint8)(state[c].sample>>8);
+ decoded += 2;
+ }
+
+ /* Decode and store the other samples in this block */
+ samplesleft = (IMA_ADPCM_state.wSamplesPerBlock-1)*channels;
+ while ( samplesleft > 0 ) {
+ for ( c=0; c<channels; ++c ) {
+ if (encoded + 4 > encoded_end) goto
invalid_size;
++ if (decoded + 4 * 4 * channels > decoded_end)
++ goto invalid_size;
+ Fill_IMA_ADPCM_block(decoded, encoded,
+ c, channels, &state[c]);
+ encoded += 4;
Copied:
sdl/trunk/0016-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch (from
rev 1010233,
sdl/trunk/SDL-1.2.15-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch)
===================================================================
--- 0016-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch
(rev 0)
+++ 0016-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch
2021-08-31 23:13:02 UTC (rev 1010234)
@@ -0,0 +1,83 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <[email protected]>
+Date: Fri, 15 Feb 2019 10:36:13 +0100
+Subject: [PATCH] CVE-2019-7573, CVE-2019-7576: Fix buffer overreads in
+ InitMS_ADPCM
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If MS ADPCM format chunk was too short, InitMS_ADPCM() parsing it
+could read past the end of chunk data. This patch fixes it.
+
+CVE-2019-7573
+https://bugzilla.libsdl.org/show_bug.cgi?id=4491
+CVE-2019-7576
+https://bugzilla.libsdl.org/show_bug.cgi?id=4490
+
+Signed-off-by: Petr Písař <[email protected]>
+---
+ src/audio/SDL_wave.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
+index 91e89e84..1d446edb 100644
+--- a/src/audio/SDL_wave.c
++++ b/src/audio/SDL_wave.c
+@@ -44,38 +44,45 @@ static struct MS_ADPCM_decoder {
+ struct MS_ADPCM_decodestate state[2];
+ } MS_ADPCM_state;
+
+-static int InitMS_ADPCM(WaveFMT *format)
++static int InitMS_ADPCM(WaveFMT *format, int length)
+ {
+- Uint8 *rogue_feel;
++ Uint8 *rogue_feel, *rogue_feel_end;
+ int i;
+
+ /* Set the rogue pointer to the MS_ADPCM specific data */
++ if (length < sizeof(*format)) goto too_short;
+ MS_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding);
+ MS_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels);
+ MS_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency);
+ MS_ADPCM_state.wavefmt.byterate = SDL_SwapLE32(format->byterate);
+ MS_ADPCM_state.wavefmt.blockalign = SDL_SwapLE16(format->blockalign);
+ MS_ADPCM_state.wavefmt.bitspersample =
+ SDL_SwapLE16(format->bitspersample);
+ rogue_feel = (Uint8 *)format+sizeof(*format);
++ rogue_feel_end = (Uint8 *)format + length;
+ if ( sizeof(*format) == 16 ) {
+ rogue_feel += sizeof(Uint16);
+ }
++ if (rogue_feel + 4 > rogue_feel_end) goto too_short;
+ MS_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1]<<8)|rogue_feel[0]);
+ rogue_feel += sizeof(Uint16);
+ MS_ADPCM_state.wNumCoef = ((rogue_feel[1]<<8)|rogue_feel[0]);
+ rogue_feel += sizeof(Uint16);
+ if ( MS_ADPCM_state.wNumCoef != 7 ) {
+ SDL_SetError("Unknown set of MS_ADPCM coefficients");
+ return(-1);
+ }
+ for ( i=0; i<MS_ADPCM_state.wNumCoef; ++i ) {
++ if (rogue_feel + 4 > rogue_feel_end) goto too_short;
+ MS_ADPCM_state.aCoeff[i][0] =
((rogue_feel[1]<<8)|rogue_feel[0]);
+ rogue_feel += sizeof(Uint16);
+ MS_ADPCM_state.aCoeff[i][1] =
((rogue_feel[1]<<8)|rogue_feel[0]);
+ rogue_feel += sizeof(Uint16);
+ }
+ return(0);
++too_short:
++ SDL_SetError("Unexpected length of a chunk with a MS ADPCM format");
++ return(-1);
+ }
+
+ static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state,
+@@ -485,7 +492,7 @@ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int
freesrc,
+ break;
+ case MS_ADPCM_CODE:
+ /* Try to understand this */
+- if ( InitMS_ADPCM(format) < 0 ) {
++ if ( InitMS_ADPCM(format, lenread) < 0 ) {
+ was_error = 1;
+ goto done;
+ }
Copied:
sdl/trunk/0017-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch (from
rev 1010233,
sdl/trunk/SDL-1.2.15-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch)
===================================================================
--- 0017-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch
(rev 0)
+++ 0017-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch
2021-08-31 23:13:02 UTC (rev 1010234)
@@ -0,0 +1,65 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <[email protected]>
+Date: Fri, 15 Feb 2019 10:56:59 +0100
+Subject: [PATCH] CVE-2019-7578: Fix a buffer overread in InitIMA_ADPCM
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If IMA ADPCM format chunk was too short, InitIMA_ADPCM() parsing it
+could read past the end of chunk data. This patch fixes it.
+
+CVE-2019-7578
+https://bugzilla.libsdl.org/show_bug.cgi?id=4494
+
+Signed-off-by: Petr Písař <[email protected]>
+---
+ src/audio/SDL_wave.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
+index 1d446edb..08f65cbc 100644
+--- a/src/audio/SDL_wave.c
++++ b/src/audio/SDL_wave.c
+@@ -240,24 +240,30 @@ static struct IMA_ADPCM_decoder {
+ struct IMA_ADPCM_decodestate state[2];
+ } IMA_ADPCM_state;
+
+-static int InitIMA_ADPCM(WaveFMT *format)
++static int InitIMA_ADPCM(WaveFMT *format, int length)
+ {
+- Uint8 *rogue_feel;
++ Uint8 *rogue_feel, *rogue_feel_end;
+
+ /* Set the rogue pointer to the IMA_ADPCM specific data */
++ if (length < sizeof(*format)) goto too_short;
+ IMA_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding);
+ IMA_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels);
+ IMA_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency);
+ IMA_ADPCM_state.wavefmt.byterate = SDL_SwapLE32(format->byterate);
+ IMA_ADPCM_state.wavefmt.blockalign = SDL_SwapLE16(format->blockalign);
+ IMA_ADPCM_state.wavefmt.bitspersample =
+ SDL_SwapLE16(format->bitspersample);
+ rogue_feel = (Uint8 *)format+sizeof(*format);
++ rogue_feel_end = (Uint8 *)format + length;
+ if ( sizeof(*format) == 16 ) {
+ rogue_feel += sizeof(Uint16);
+ }
++ if (rogue_feel + 2 > rogue_feel_end) goto too_short;
+ IMA_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1]<<8)|rogue_feel[0]);
+ return(0);
++too_short:
++ SDL_SetError("Unexpected length of a chunk with an IMA ADPCM format");
++ return(-1);
+ }
+
+ static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8
nybble)
+@@ -500,7 +506,7 @@ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int
freesrc,
+ break;
+ case IMA_ADPCM_CODE:
+ /* Try to understand this */
+- if ( InitIMA_ADPCM(format) < 0 ) {
++ if ( InitIMA_ADPCM(format, lenread) < 0 ) {
+ was_error = 1;
+ goto done;
+ }
Copied:
sdl/trunk/0018-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch (from
rev 1010233,
sdl/trunk/SDL-1.2.15-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch)
===================================================================
--- 0018-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch
(rev 0)
+++ 0018-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch
2021-08-31 23:13:02 UTC (rev 1010234)
@@ -0,0 +1,53 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <[email protected]>
+Date: Fri, 15 Feb 2019 16:52:27 +0100
+Subject: [PATCH] CVE-2019-7638, CVE-2019-7636: Refuse loading BMP images with
+ too high number of colors
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If a BMP file that defines more colors than can fit into
+a palette of color depth defined in the same BMP file is loaded by
+SDL_LoadBMP_RW() function, invalid number of colors is set into
+resulting SDL surface.
+
+Then if the SDL surface is passed to SDL_DisplayFormat() function to
+convert the surface format into a native video format, a buffer
+overread will happen in Map1to1() or Map1toN() function
+(CVE-2019-7638). (The choice of the mapping function depends on
+a actual video hardware.)
+
+In addition SDL_GetRGB() called indirectly from SDL_DisplayFormat()
+performs the same buffer overread (CVE-2019-7636).
+
+There is also probably a buffer overwrite when the SDL_LoadBMP_RW()
+loads colors from a file.
+
+This patch fixes it by refusing loading such badly damaged BMP files.
+
+CVE-2019-7638
+https://bugzilla.libsdl.org/show_bug.cgi?id=4500
+CVE-2019-7636
+https://bugzilla.libsdl.org/show_bug.cgi?id=4499
+
+Signed-off-by: Petr Písař <[email protected]>
+---
+ src/video/SDL_bmp.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c
+index d56cfd83..3accded2 100644
+--- a/src/video/SDL_bmp.c
++++ b/src/video/SDL_bmp.c
+@@ -233,6 +233,10 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc)
+ if ( palette ) {
+ if ( biClrUsed == 0 ) {
+ biClrUsed = 1 << biBitCount;
++ } else if ( biClrUsed > (1 << biBitCount) ) {
++ SDL_SetError("BMP file has an invalid number of
colors");
++ was_error = SDL_TRUE;
++ goto done;
+ }
+ if ( biSize == 12 ) {
+ for ( i = 0; i < (int)biClrUsed; ++i ) {
Copied:
sdl/trunk/0019-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch (from
rev 1010233,
sdl/trunk/SDL-1.2.15-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch)
===================================================================
--- 0019-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch
(rev 0)
+++ 0019-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch
2021-08-31 23:13:02 UTC (rev 1010234)
@@ -0,0 +1,206 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <[email protected]>
+Date: Mon, 18 Feb 2019 13:53:16 +0100
+Subject: [PATCH] CVE-2019-7637: Fix in integer overflow in SDL_CalculatePitch
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If a too large width is passed to SDL_SetVideoMode() the width travels
+to SDL_CalculatePitch() where the width (e.g. 65535) is multiplied by
+BytesPerPixel (e.g. 4) and the result is stored into Uint16 pitch
+variable. During this arithmetics an integer overflow can happen (e.g.
+the value is clamped as 65532). As a result SDL_Surface with a pitch
+smaller than width * BytesPerPixel is created, too small pixel buffer
+is allocated and when the SDL_Surface is processed in SDL_FillRect()
+a buffer overflow occurs.
+
+This can be reproduced with "./graywin -width 21312312313123213213213"
+command.
+
+This patch fixes is by using a very careful arithmetics in
+SDL_CalculatePitch(). If an overflow is detected, an error is reported
+back as a special 0 value. We assume that 0-width surfaces do not
+occur in the wild. Since SDL_CalculatePitch() is a private function,
+we can change the semantics.
+
+CVE-2019-7637
+https://bugzilla.libsdl.org/show_bug.cgi?id=4497
+
+Signed-off-by: Petr Písař <[email protected]>
+---
+ src/video/SDL_pixels.c | 41 +++++++++++++++++++++++++++------
+ src/video/gapi/SDL_gapivideo.c | 3 +++
+ src/video/nanox/SDL_nxvideo.c | 4 ++++
+ src/video/ps2gs/SDL_gsvideo.c | 3 +++
+ src/video/ps3/SDL_ps3video.c | 3 +++
+ src/video/windib/SDL_dibvideo.c | 3 +++
+ src/video/windx5/SDL_dx5video.c | 3 +++
+ src/video/x11/SDL_x11video.c | 4 ++++
+ 8 files changed, 57 insertions(+), 7 deletions(-)
+
+diff --git a/src/video/SDL_pixels.c b/src/video/SDL_pixels.c
+index 1a7fd518..44626b74 100644
+--- a/src/video/SDL_pixels.c
++++ b/src/video/SDL_pixels.c
+@@ -286,26 +286,53 @@ void SDL_DitherColors(SDL_Color *colors, int bpp)
+ }
+ }
+ /*
+- * Calculate the pad-aligned scanline width of a surface
++ * Calculate the pad-aligned scanline width of a surface. Return 0 in case of
++ * an error.
+ */
+ Uint16 SDL_CalculatePitch(SDL_Surface *surface)
+ {
+- Uint16 pitch;
++ unsigned int pitch = 0;
+
+ /* Surface should be 4-byte aligned for speed */
+- pitch = surface->w*surface->format->BytesPerPixel;
++ /* The code tries to prevent from an Uint16 overflow. */;
++ for (Uint8 byte = surface->format->BytesPerPixel; byte; byte--) {
++ pitch += (unsigned int)surface->w;
++ if (pitch < surface->w) {
++ SDL_SetError("A scanline is too wide");
++ return(0);
++ }
++ }
+ switch (surface->format->BitsPerPixel) {
+ case 1:
+- pitch = (pitch+7)/8;
++ if (pitch % 8) {
++ pitch = pitch / 8 + 1;
++ } else {
++ pitch = pitch / 8;
++ }
+ break;
+ case 4:
+- pitch = (pitch+1)/2;
++ if (pitch % 2) {
++ pitch = pitch / 2 + 1;
++ } else {
++ pitch = pitch / 2;
++ }
+ break;
+ default:
+ break;
+ }
+- pitch = (pitch + 3) & ~3; /* 4-byte aligning */
+- return(pitch);
++ /* 4-byte aligning */
++ if (pitch & 3) {
++ if (pitch + 3 < pitch) {
++ SDL_SetError("A scanline is too wide");
++ return(0);
++ }
++ pitch = (pitch + 3) & ~3;
++ }
++ if (pitch > 0xFFFF) {
++ SDL_SetError("A scanline is too wide");
++ return(0);
++ }
++ return((Uint16)pitch);
+ }
+ /*
+ * Match an RGB value to a particular palette index
+diff --git a/src/video/gapi/SDL_gapivideo.c b/src/video/gapi/SDL_gapivideo.c
+index 86deadc7..8a064853 100644
+--- a/src/video/gapi/SDL_gapivideo.c
++++ b/src/video/gapi/SDL_gapivideo.c
+@@ -733,6 +733,9 @@ SDL_Surface *GAPI_SetVideoMode(_THIS, SDL_Surface *current,
+ video->w = gapi->w = width;
+ video->h = gapi->h = height;
+ video->pitch = SDL_CalculatePitch(video);
++ if (!current->pitch) {
++ return(NULL);
++ }
+
+ /* Small fix for WinCE/Win32 - when activating window
+ SDL_VideoSurface is equal to zero, so activating code
+diff --git a/src/video/nanox/SDL_nxvideo.c b/src/video/nanox/SDL_nxvideo.c
+index b188e095..cbdd09a0 100644
+--- a/src/video/nanox/SDL_nxvideo.c
++++ b/src/video/nanox/SDL_nxvideo.c
+@@ -378,6 +378,10 @@ SDL_Surface * NX_SetVideoMode (_THIS, SDL_Surface *
current,
+ current -> w = width ;
+ current -> h = height ;
+ current -> pitch = SDL_CalculatePitch (current) ;
++ if (!current->pitch) {
++ current = NULL;
++ goto done;
++ }
+ NX_ResizeImage (this, current, flags) ;
+ }
+
+diff --git a/src/video/ps2gs/SDL_gsvideo.c b/src/video/ps2gs/SDL_gsvideo.c
+index e172c60d..32908668 100644
+--- a/src/video/ps2gs/SDL_gsvideo.c
++++ b/src/video/ps2gs/SDL_gsvideo.c
+@@ -479,6 +479,9 @@ static SDL_Surface *GS_SetVideoMode(_THIS, SDL_Surface
*current,
+ current->w = width;
+ current->h = height;
+ current->pitch = SDL_CalculatePitch(current);
++ if (!current->pitch) {
++ return(NULL);
++ }
+
+ /* Memory map the DMA area for block memory transfer */
+ if ( ! mapped_mem ) {
+diff --git a/src/video/ps3/SDL_ps3video.c b/src/video/ps3/SDL_ps3video.c
+index d5519e05..17848e33 100644
+--- a/src/video/ps3/SDL_ps3video.c
++++ b/src/video/ps3/SDL_ps3video.c
+@@ -339,6 +339,9 @@ static SDL_Surface *PS3_SetVideoMode(_THIS, SDL_Surface *
current, int width, in
+ current->w = width;
+ current->h = height;
+ current->pitch = SDL_CalculatePitch(current);
++ if (!current->pitch) {
++ return(NULL);
++ }
+
+ /* Alloc aligned mem for current->pixels */
+ s_pixels = memalign(16, current->h * current->pitch);
+diff --git a/src/video/windib/SDL_dibvideo.c b/src/video/windib/SDL_dibvideo.c
+index 6187bfcf..86ebb12a 100644
+--- a/src/video/windib/SDL_dibvideo.c
++++ b/src/video/windib/SDL_dibvideo.c
+@@ -675,6 +675,9 @@ SDL_Surface *DIB_SetVideoMode(_THIS, SDL_Surface *current,
+ video->w = width;
+ video->h = height;
+ video->pitch = SDL_CalculatePitch(video);
++ if (!current->pitch) {
++ return(NULL);
++ }
+
+ /* Small fix for WinCE/Win32 - when activating window
+ SDL_VideoSurface is equal to zero, so activating code
+diff --git a/src/video/windx5/SDL_dx5video.c b/src/video/windx5/SDL_dx5video.c
+index f80ca97b..39fc4fc3 100644
+--- a/src/video/windx5/SDL_dx5video.c
++++ b/src/video/windx5/SDL_dx5video.c
+@@ -1127,6 +1127,9 @@ SDL_Surface *DX5_SetVideoMode(_THIS, SDL_Surface
*current,
+ video->w = width;
+ video->h = height;
+ video->pitch = SDL_CalculatePitch(video);
++ if (!current->pitch) {
++ return(NULL);
++ }
+
+ #ifndef NO_CHANGEDISPLAYSETTINGS
+ /* Set fullscreen mode if appropriate.
+diff --git a/src/video/x11/SDL_x11video.c b/src/video/x11/SDL_x11video.c
+index 670a2d84..9521b497 100644
+--- a/src/video/x11/SDL_x11video.c
++++ b/src/video/x11/SDL_x11video.c
+@@ -1218,6 +1218,10 @@ SDL_Surface *X11_SetVideoMode(_THIS, SDL_Surface
*current,
+ current->w = width;
+ current->h = height;
+ current->pitch = SDL_CalculatePitch(current);
++ if (!current->pitch) {
++ current = NULL;
++ goto done;
++ }
+ if (X11_ResizeImage(this, current, flags) < 0) {
+ current = NULL;
+ goto done;
Copied:
sdl/trunk/0020-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch (from
rev 1010233,
sdl/trunk/SDL-1.2.15-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch)
===================================================================
--- 0020-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch
(rev 0)
+++ 0020-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch
2021-08-31 23:13:02 UTC (rev 1010234)
@@ -0,0 +1,67 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <[email protected]>
+Date: Tue, 19 Feb 2019 14:52:52 +0100
+Subject: [PATCH] CVE-2019-7635: Reject BMP images with pixel colors out the
+ palette
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If a 1-, 4-, or 8-bit per pixel BMP image declares less used colors
+than the palette offers an SDL_Surface with a palette of the indicated
+number of used colors is created. If some of the image's pixel
+refer to a color number higher then the maximal used colors, a subsequent
+bliting operation on the surface will look up a color past a blit map
+(that is based on the palette) memory. I.e. passing such SDL_Surface
+to e.g. an SDL_DisplayFormat() function will result in a buffer overread in
+a blit function.
+
+This patch fixes it by validing each pixel's color to be less than the
+maximal color number in the palette. A validation failure raises an
+error from a SDL_LoadBMP_RW() function.
+
+CVE-2019-7635
+https://bugzilla.libsdl.org/show_bug.cgi?id=4498
+
+Signed-off-by: Petr Písař <[email protected]>
+---
+ src/video/SDL_bmp.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c
+index 3accded2..8eadc5f6 100644
+--- a/src/video/SDL_bmp.c
++++ b/src/video/SDL_bmp.c
+@@ -300,16 +300,32 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int
freesrc)
+ }
+ *(bits+i) = (pixel>>shift);
+ pixel <<= ExpandBMP;
++ if ( bits[i] >= biClrUsed ) {
++ SDL_SetError(
++ "A BMP image contains a pixel
with a color out of the palette");
++ was_error = SDL_TRUE;
++ goto done;
++ }
+ } }
+ break;
+
+ default:
+ if ( SDL_RWread(src, bits, 1, surface->pitch)
+ != surface->pitch ) {
+ SDL_Error(SDL_EFREAD);
+ was_error = SDL_TRUE;
+ goto done;
+ }
++ if ( 8 == biBitCount && palette && biClrUsed < (1 <<
biBitCount ) ) {
++ for ( i=0; i<surface->w; ++i ) {
++ if ( bits[i] >= biClrUsed ) {
++ SDL_SetError(
++ "A BMP image contains a
pixel with a color out of the palette");
++ was_error = SDL_TRUE;
++ goto done;
++ }
++ }
++ }
+ #if SDL_BYTEORDER == SDL_BIG_ENDIAN
+ /* Byte-swap the pixels if needed. Note that the 24bpp
+ case has already been taken care of above. */
Added: 0021-SDL-1.2.15-CVE-2019-13616-validate_image_size_when_l.patch
===================================================================
--- 0021-SDL-1.2.15-CVE-2019-13616-validate_image_size_when_l.patch
(rev 0)
+++ 0021-SDL-1.2.15-CVE-2019-13616-validate_image_size_when_l.patch
2021-08-31 23:13:02 UTC (rev 1010234)
@@ -0,0 +1,32 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: "Jan Alexander Steffens (heftig)" <[email protected]>
+Date: Tue, 31 Aug 2021 22:46:23 +0000
+Subject: [PATCH]
+ SDL-1.2.15-CVE-2019-13616-validate_image_size_when_loading_BMP_files
+
+changeset: 12960:ad1bbfbca760
+branch: SDL-1.2
+parent: 12914:87d60cae0273
+user: Ozkan Sezer <[email protected]>
+date: Tue Jul 30 21:30:24 2019 +0300
+summary: Fixed bug 4538 - validate image size when loading BMP files
+---
+ src/video/SDL_bmp.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c
+index 8eadc5f6..118181b5 100644
+--- a/src/video/SDL_bmp.c
++++ b/src/video/SDL_bmp.c
+@@ -143,6 +143,11 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc)
+ (void) biYPelsPerMeter;
+ (void) biClrImportant;
+
++ if (biWidth <= 0 || biHeight == 0) {
++ SDL_SetError("BMP file with bad dimensions (%dx%d)", biWidth,
biHeight);
++ was_error = SDL_TRUE;
++ goto done;
++ }
+ if (biHeight < 0) {
+ topDown = SDL_TRUE;
+ biHeight = -biHeight;
Copied:
sdl/trunk/0022-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch (from
rev 1010233,
sdl/trunk/SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch)
===================================================================
--- 0022-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch
(rev 0)
+++ 0022-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch
2021-08-31 23:13:02 UTC (rev 1010234)
@@ -0,0 +1,54 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <[email protected]>
+Date: Tue, 12 Mar 2019 16:21:41 +0100
+Subject: [PATCH] CVE-2019-7577: Fix a buffer overread in MS_ADPCM_nibble and
+ MS_ADPCM_decode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If a chunk of RIFF/WAV file with MS ADPCM encoding contains an invalid
+predictor (a valid predictor's value is between 0 and 6 inclusive),
+a buffer overread can happen when the predictor is used as an index
+into an array of MS ADPCM coefficients.
+
+The overead happens when indexing MS_ADPCM_state.aCoeff[] array in
+MS_ADPCM_decode() and later when dereferencing a coef pointer in
+MS_ADPCM_nibble().
+
+This patch fixes it by checking the MS ADPCM predictor values fit
+into the valid range.
+
+CVE-2019-7577
+Reproducer: https://bugzilla.libsdl.org/show_bug.cgi?id=4492
+
+Signed-off-by: Petr Písař <[email protected]>
+---
+ src/audio/SDL_wave.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
+index 08f65cbc..5f936514 100644
+--- a/src/audio/SDL_wave.c
++++ b/src/audio/SDL_wave.c
+@@ -155,6 +155,9 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32
*audio_len)
+ if ( stereo ) {
+ state[1]->hPredictor = *encoded++;
+ }
++ if (state[0]->hPredictor >= 7 || state[1]->hPredictor >= 7) {
++ goto invalid_predictor;
++ }
+ state[0]->iDelta = ((encoded[1]<<8)|encoded[0]);
+ encoded += sizeof(Sint16);
+ if ( stereo ) {
+@@ -227,6 +230,10 @@ invalid_size:
+ SDL_SetError("Unexpected chunk length for a MS ADPCM decoder");
+ SDL_free(freeable);
+ return(-1);
++invalid_predictor:
++ SDL_SetError("Invalid predictor value for a MS ADPCM decoder");
++ SDL_free(freeable);
++ return(-1);
+ }
+
+ struct IMA_ADPCM_decodestate {
Copied: sdl/trunk/0023-Reject-2-3-5-6-7-bpp-BMP-images.patch (from rev 1010233,
sdl/trunk/SDL-1.2.15-Reject-2-3-5-6-7-bpp-BMP-images.patch)
===================================================================
--- 0023-Reject-2-3-5-6-7-bpp-BMP-images.patch (rev 0)
+++ 0023-Reject-2-3-5-6-7-bpp-BMP-images.patch 2021-08-31 23:13:02 UTC (rev
1010234)
@@ -0,0 +1,39 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <[email protected]>
+Date: Thu, 21 Feb 2019 10:57:41 +0100
+Subject: [PATCH] Reject 2, 3, 5, 6, 7-bpp BMP images
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+BMP decoder assumes less than 8 bit depth images have 1 or 4 bits
+per pixel. No other depths are correctly translated to an 8bpp
+surface.
+
+This patch rejects loading these images.
+
+https://bugzilla.libsdl.org/show_bug.cgi?id=4498
+Signed-off-by: Petr Písař <[email protected]>
+---
+ src/video/SDL_bmp.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c
+index 118181b5..6cadc8a5 100644
+--- a/src/video/SDL_bmp.c
++++ b/src/video/SDL_bmp.c
+@@ -168,6 +168,14 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc)
+ ExpandBMP = biBitCount;
+ biBitCount = 8;
+ break;
++ case 2:
++ case 3:
++ case 5:
++ case 6:
++ case 7:
++ SDL_SetError("%d-bpp BMP images are not supported",
biBitCount);
++ was_error = SDL_TRUE;
++ goto done;
+ default:
+ ExpandBMP = 0;
+ break;
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2021-08-31 23:07:38 UTC (rev 1010233)
+++ PKGBUILD 2021-08-31 23:13:02 UTC (rev 1010234)
@@ -16,53 +16,53 @@
options=('staticlibs')
_commit=457d4e55ffe1b6ad4c4fa4559dbda8360bf8253d # tags/release-1.2.15
source=("git+https://github.com/libsdl-org/SDL-1.2#commit=$_commit";
- SDL-1.2.10-GrabNotViewable.patch
- SDL-1.2.15-SDL_EnableUNICODE_drops_keyboard_events.patch
- SDL-1.2.15-const_XData32.patch
- SDL-1.2.15-ignore_insane_joystick_axis.patch
- SDL-1.2.15-no-default-backing-store.patch
- SDL-1.2.15-x11-Bypass-SetGammaRamp-when-changing-gamma.patch
- sdl-1.2.14-fix-mouse-clicking.patch
- sdl-1.2.14-disable-mmx.patch
- libsdl-1.2.15-resizing.patch
- X11_KeyToUnicode.patch
-
SDL-1.2.15-CVE-2019-13616-validate_image_size_when_loading_BMP_files.patch
- SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch
- SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch
- SDL-1.2.15-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch
- SDL-1.2.15-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch
- SDL-1.2.15-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch
- SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch
- SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch
- SDL-1.2.15-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch
- SDL-1.2.15-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch
- SDL-1.2.15-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch
- SDL-1.2.15-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch
- SDL-1.2.15-Reject-2-3-5-6-7-bpp-BMP-images.patch)
+ 0001-SDL-1.2.10-GrabNotViewable.patch
+ 0002-SDL-1.2.15-SDL_EnableUNICODE_drops_keyboard_events.patch
+ 0003-SDL-1.2.15-const_XData32.patch
+ 0004-SDL-1.2.15-ignore_insane_joystick_axis.patch
+ 0005-SDL-1.2.15-no-default-backing-store.patch
+ 0006-x11-Bypass-SetGammaRamp-when-changing-gamma.patch
+ 0007-sdl-1.2.14-fix-mouse-clicking.patch
+ 0008-sdl-1.2.14-disable-mmx.patch
+ 0009-libsdl-1.2.15-resizing.patch
+ 0010-X11_KeyToUnicode.patch
+ 0011-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch
+ 0012-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch
+ 0013-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch
+ 0014-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch
+ 0015-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch
+ 0016-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch
+ 0017-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch
+ 0018-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch
+ 0019-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch
+ 0020-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch
+ 0021-SDL-1.2.15-CVE-2019-13616-validate_image_size_when_l.patch
+ 0022-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch
+ 0023-Reject-2-3-5-6-7-bpp-BMP-images.patch)
sha256sums=('SKIP'
- 'ea2042b8a45a083b1447d5c56e52b23b79f2ddb0d717ec7b287b34ef71bd2d1a'
- '292046466d52a2ebe995a0121404864e4ee0de2b6024203acb95bbd600844da0'
- 'bab60b515a74b71650ee71d5a0075c77046a7bad48b061673c3798dbdd35446d'
- '7586d6124d5452ad721ca6aa10eae09946d94854748e22f9c9c6fdca3d0aeb12'
- '3941c44a5580df95c6868936cfc57ba3e7b6952fb8a3eb14f963d54d9d8ca8a4'
- 'd296af5bb0d9856d049b4e5adb9dd995d2a1e51d76a6adf63457e65101a50620'
- '8d178f13eb707e81f5f9d86bf7b609ae8f0bac937fb4a37ebcbf4bbc9b89e21b'
- '17bb880dd2cb4922d4e3771d146660b9da8be8f1629a5cdaae7523d4a9d2bd7c'
- '5160fb1c07b04480d98d45b89a0aa6e577f2ac4c3bace0c80b251e6aca1fb4a1'
- 'b1ad9c60829b166e6b647006d6549ea657155e755cf574fcfc4b91b658654769'
- '95ddeff25c9f5ea4f828c90073852218a3c8ecfcd4da4f3a7f6ea54e3e5c2086'
- '3f05fcccfa7f3474572955d0cbcfc931da57e3da450fc5c5803c837c38fd6e17'
- 'a9bd66c75e443f7875d044518b5960386c549aa1c0592364aee1240a6e0867a5'
- 'f4cd391a5df211a5d3558f5ec03b9f413533398f44feca86a30a8acc90e63402'
- '0293e56873929d817950e272ebfd6735c8d5b896d0a59b2d7be09107dac7e85b'
- 'be4cadd1b028e8b14ee4e4413aeffd98ff2ad1e66a7c75c8bdb04bfd08b9372a'
- '335b5b1c44229ac90318dae36a98731332f417c2d71d449385e6ab013f25efdb'
- '0371bcdba4e89055be62a76421052d7bd5fbf40c0f0e3d9c29fc5d21686f5afd'
- '0f3691d6fc7381a4dd23216041b341102aa858b105534541dfa2843b0eccace6'
- '358028a9d6523377c1757a58faed741e10a0a9863f9df33f21cd32668d257fed'
- '3624f0dbe8d9bd3d553a25806237edcae5fafe714e5c4da3c5e3b281a3fbc8ae'
- '7db8112826318de5705b54cf493060cec34e2822df2b1cd9f55891672beed64d'
- 'da87eb71c7af042bc8379f9f7cd63e57d99429774bb43524dde103718b99c533')
+ 'f53a87ecd52913be7b1e2699d9d609725f6f857e98a68f55ed249e371673e7be'
+ '1e76d0c064a50b67f8f4406b995fd2f583be9959f1242fc01449be953e53f18d'
+ '42f53733e919b91e4f9b299732b5ef8a68cc23ee5c0cdd77c70f904461fb54a2'
+ '35c07231ff40b11f07cb022bd86b5dc31f322d66ba51c518b068890ab099eb27'
+ '5dbe8cbf81a021a01e2ec587330fd322ed4fdcdbf11f457bdda69fe56620d85a'
+ '0a5d00c1f75158b1838706a0733a51c8c1014983528bafb4a477327f7595e135'
+ '06761b7eb56d199477c25502d53504878580f15c30bd56726d46d8337ffad35a'
+ 'a99bb91981e091bb01bbedf5138008ef16155c9a6b24349a771555c9bb57fdcd'
+ 'd3be01d55f5d5dd7e9993ce1490831b0b2eea83833d0164a7242f59290514bb7'
+ '22f723f3db3de9e02727f0976c3a402e1a7d3656b6bba1e1909bbfc7a24f35c2'
+ '06fe75c9b15f3132019822f4670d93263fa2a0399b5f09afb4e11e2a7e0d30cb'
+ 'df0cac62bc99385cc595602368baa31c7a5616dbddc749ab8bebbc8e190ea52e'
+ '8ed73a71eee6c73e4839fe8030159a34d90f41b2b5d568beb8befb23226787ba'
+ '547fa0c3cdeae373c664d17ac1501392d6bdc2982edcebb4934cd7a73a2f8e53'
+ 'db325da88544fa6841dfec2d53fe629100786ba0fadac3b34538859d6ab82dbd'
+ '9b020883d15ab65b7645c1c0f87af68cb6b9b85ee4450dbcd94f7b9049d976c7'
+ '4c30311656c32c1a0655e22457a214d9900efe64a9241da835dc25488a355914'
+ 'c2c92fc40c55fcf628f943eb9509199f8c3968f6be13bf71ab1e12524c16cabf'
+ 'de2fce5f6803a08a2c55f3ce2ddf92394ad7366f5eff3cead4d7ec0035cee254'
+ 'd14dc355da691c41bf938c04e0111063a755719f41bbd047f4dbfaa8f2ff25bb'
+ 'd1f8f699d5e7ee933875380951fe0a756c1ad327fc376dd60511bd462e0781b0'
+ 'e4159c35b6814cfe2df23811179670ecd58f0276ebb23fa8251dcf3611cd9f2f'
+ '3439ba01895df428ad0fd00e49a131db35e6841ca41f5d30c455f583ec18075e')
validpgpkeys=('1528635D8053A57F77D1E08630A59377A7763BE6') # Sam Lantinga
<[email protected]>
pkgver() {
@@ -73,34 +73,34 @@
prepare() {
cd SDL-1.2
- patch -Np1 -i ../SDL-1.2.10-GrabNotViewable.patch
- patch -Np1 -i ../SDL-1.2.15-SDL_EnableUNICODE_drops_keyboard_events.patch
- patch -Np1 -i ../SDL-1.2.15-const_XData32.patch
- patch -Np1 -i ../SDL-1.2.15-ignore_insane_joystick_axis.patch
- patch -Np1 -i ../SDL-1.2.15-no-default-backing-store.patch
+ git apply -3 ../0001-SDL-1.2.10-GrabNotViewable.patch
+ git apply -3 ../0002-SDL-1.2.15-SDL_EnableUNICODE_drops_keyboard_events.patch
+ git apply -3 ../0003-SDL-1.2.15-const_XData32.patch
+ git apply -3 ../0004-SDL-1.2.15-ignore_insane_joystick_axis.patch
+ git apply -3 ../0005-SDL-1.2.15-no-default-backing-store.patch
# https://bugs.freedesktop.org/show_bug.cgi?id=27222
- patch -Np1 -i ../SDL-1.2.15-x11-Bypass-SetGammaRamp-when-changing-gamma.patch
+ git apply -3 ../0006-x11-Bypass-SetGammaRamp-when-changing-gamma.patch
- patch -Np1 -i ../sdl-1.2.14-fix-mouse-clicking.patch
- patch -Np1 -i ../sdl-1.2.14-disable-mmx.patch
- patch -Np1 -i ../libsdl-1.2.15-resizing.patch
- patch -Np1 -i ../X11_KeyToUnicode.patch
+ git apply -3 ../0007-sdl-1.2.14-fix-mouse-clicking.patch
+ git apply -3 ../0008-sdl-1.2.14-disable-mmx.patch
+ git apply -3 ../0009-libsdl-1.2.15-resizing.patch
+ git apply -3 ../0010-X11_KeyToUnicode.patch
# bunch of CVE fixes from Fedora - Thanks!
- patch -Np1 -i
../SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch
- patch -Np1 -i
../SDL-1.2.15-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch
- patch -Np1 -i
../SDL-1.2.15-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch
- patch -Np1 -i
../SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch
- patch -Np1 -i
../SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch
- patch -Np1 -i
../SDL-1.2.15-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch
- patch -Np1 -i
../SDL-1.2.15-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch
- patch -Np1 -i
../SDL-1.2.15-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch
- patch -Np1 -i
../SDL-1.2.15-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch
- patch -Np1 -i
../SDL-1.2.15-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch
- patch -Np1 -i
../SDL-1.2.15-CVE-2019-13616-validate_image_size_when_loading_BMP_files.patch
- patch -Np1 -i
../SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch
- patch -Np1 -i ../SDL-1.2.15-Reject-2-3-5-6-7-bpp-BMP-images.patch
+ git apply -3
../0011-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch
+ git apply -3
../0012-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch
+ git apply -3
../0013-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch
+ git apply -3
../0014-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch
+ git apply -3
../0015-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch
+ git apply -3
../0016-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch
+ git apply -3
../0017-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch
+ git apply -3
../0018-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch
+ git apply -3
../0019-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch
+ git apply -3
../0020-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch
+ git apply -3
../0021-SDL-1.2.15-CVE-2019-13616-validate_image_size_when_l.patch
+ git apply -3
../0022-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch
+ git apply -3 ../0023-Reject-2-3-5-6-7-bpp-BMP-images.patch
./autogen.sh
}
Deleted: SDL-1.2.10-GrabNotViewable.patch
===================================================================
--- SDL-1.2.10-GrabNotViewable.patch 2021-08-31 23:07:38 UTC (rev 1010233)
+++ SDL-1.2.10-GrabNotViewable.patch 2021-08-31 23:13:02 UTC (rev 1010234)
@@ -1,22 +0,0 @@
-Makes SDL-1.2 SDL_WM_GrabInput() non-blocking in case of SDL window is not
-viewable. Patch provided by <[email protected]>.
-See <http://bugzilla.libsdl.org/show_bug.cgi?id=1155>.
-
---- ./src/video/x11/SDL_x11wm.c 2007-12-31 04:48:13.000000000 +0000
-+++ ./src/video/x11/SDL_x11wm.c 2009-01-15 10:27:14.000000000 +0000
-@@ -351,13 +351,14 @@ SDL_GrabMode X11_GrabInputNoLock(_THIS,
- result = XGrabPointer(SDL_Display, SDL_Window, True, 0,
- GrabModeAsync, GrabModeAsync,
- SDL_Window, None, CurrentTime);
-- if ( result == GrabSuccess ) {
-+ if ( result == GrabSuccess || result == GrabNotViewable
) {
- break;
- }
- SDL_Delay(100);
- }
- if ( result != GrabSuccess ) {
- /* Uh, oh, what do we do here? */ ;
-+ return(SDL_GRAB_OFF);
- }
- /* Now grab the keyboard */
- XGrabKeyboard(SDL_Display, WMwindow, True,
Deleted:
SDL-1.2.15-CVE-2019-13616-validate_image_size_when_loading_BMP_files.patch
===================================================================
--- SDL-1.2.15-CVE-2019-13616-validate_image_size_when_loading_BMP_files.patch
2021-08-31 23:07:38 UTC (rev 1010233)
+++ SDL-1.2.15-CVE-2019-13616-validate_image_size_when_loading_BMP_files.patch
2021-08-31 23:13:02 UTC (rev 1010234)
@@ -1,23 +0,0 @@
-changeset: 12960:ad1bbfbca760
-branch: SDL-1.2
-parent: 12914:87d60cae0273
-user: Ozkan Sezer <[email protected]>
-date: Tue Jul 30 21:30:24 2019 +0300
-summary: Fixed bug 4538 - validate image size when loading BMP files
-
-diff -r 87d60cae0273 -r ad1bbfbca760 src/video/SDL_bmp.c
---- a/src/video/SDL_bmp.c Tue Jun 18 23:31:40 2019 +0100
-+++ b/src/video/SDL_bmp.c Tue Jul 30 21:30:24 2019 +0300
-@@ -143,6 +143,11 @@
- (void) biYPelsPerMeter;
- (void) biClrImportant;
-
-+ if (biWidth <= 0 || biHeight == 0) {
-+ SDL_SetError("BMP file with bad dimensions (%dx%d)", biWidth,
biHeight);
-+ was_error = SDL_TRUE;
-+ goto done;
-+ }
- if (biHeight < 0) {
- topDown = SDL_TRUE;
- biHeight = -biHeight;
-
Deleted: SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch
===================================================================
--- SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch
2021-08-31 23:07:38 UTC (rev 1010233)
+++ SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch
2021-08-31 23:13:02 UTC (rev 1010234)
@@ -1,59 +0,0 @@
-From bb11ffcff5ae2f25bead921c2a299e7e63d8a759 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <[email protected]>
-Date: Thu, 14 Feb 2019 16:51:54 +0100
-Subject: [PATCH] CVE-2019-7572: Fix a buffer overread in IMA_ADPCM_nibble
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-If an IMA ADPCM block contained an initial index out of step table
-range (loaded in IMA_ADPCM_decode()), IMA_ADPCM_nibble() blindly used
-this bogus value and that lead to a buffer overread.
-
-This patch fixes it by moving clamping the index value at the
-beginning of IMA_ADPCM_nibble() function instead of the end after
-an update.
-
-CVE-2019-7572
-https://bugzilla.libsdl.org/show_bug.cgi?id=4495
-
-Signed-off-by: Petr Písař <[email protected]>
----
- src/audio/SDL_wave.c | 14 ++++++++------
- 1 file changed, 8 insertions(+), 6 deletions(-)
-
-diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
-index 2968b3d..69d62dc 100644
---- a/src/audio/SDL_wave.c
-+++ b/src/audio/SDL_wave.c
-@@ -275,6 +275,14 @@ static Sint32 IMA_ADPCM_nibble(struct
IMA_ADPCM_decodestate *state,Uint8 nybble)
- };
- Sint32 delta, step;
-
-+ /* Clamp index value. The inital value can be invalid. */
-+ if ( state->index > 88 ) {
-+ state->index = 88;
-+ } else
-+ if ( state->index < 0 ) {
-+ state->index = 0;
-+ }
-+
- /* Compute difference and new sample value */
- step = step_table[state->index];
- delta = step >> 3;
-@@ -286,12 +294,6 @@ static Sint32 IMA_ADPCM_nibble(struct
IMA_ADPCM_decodestate *state,Uint8 nybble)
-
- /* Update index value */
- state->index += index_table[nybble];
-- if ( state->index > 88 ) {
-- state->index = 88;
-- } else
-- if ( state->index < 0 ) {
-- state->index = 0;
-- }
-
- /* Clamp output sample */
- if ( state->sample > max_audioval ) {
---
-2.20.1
-
Deleted: SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch
===================================================================
--- SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch
2021-08-31 23:07:38 UTC (rev 1010233)
+++ SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch
2021-08-31 23:13:02 UTC (rev 1010234)
@@ -1,64 +0,0 @@
-From 6086741bda4d43cc227500bc7645a829380e6326 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <[email protected]>
-Date: Fri, 15 Feb 2019 09:21:45 +0100
-Subject: [PATCH] CVE-2019-7572: Fix a buffer overwrite in IMA_ADPCM_decode
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-If data chunk was longer than expected based on a WAV format
-definition, IMA_ADPCM_decode() tried to write past the output
-buffer. This patch fixes it.
-
-Based on patch from
-<https://bugzilla.libsdl.org/show_bug.cgi?id=4496>.
-
-CVE-2019-7572
-https://bugzilla.libsdl.org/show_bug.cgi?id=4495
-
-Signed-off-by: Petr Písař <[email protected]>
----
- src/audio/SDL_wave.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
-index 69d62dc..91e89e8 100644
---- a/src/audio/SDL_wave.c
-+++ b/src/audio/SDL_wave.c
-@@ -336,7 +336,7 @@ static void Fill_IMA_ADPCM_block(Uint8 *decoded, Uint8
*encoded,
- static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
- {
- struct IMA_ADPCM_decodestate *state;
-- Uint8 *freeable, *encoded, *encoded_end, *decoded;
-+ Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end;
- Sint32 encoded_len, samplesleft;
- unsigned int c, channels;
-
-@@ -363,6 +363,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32
*audio_len)
- return(-1);
- }
- decoded = *audio_buf;
-+ decoded_end = decoded + *audio_len;
-
- /* Get ready... Go! */
- while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) {
-@@ -382,6 +383,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32
*audio_len)
- }
-
- /* Store the initial sample we start with */
-+ if (decoded + 2 > decoded_end) goto invalid_size;
- decoded[0] = (Uint8)(state[c].sample&0xFF);
- decoded[1] = (Uint8)(state[c].sample>>8);
- decoded += 2;
-@@ -392,6 +394,8 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32
*audio_len)
- while ( samplesleft > 0 ) {
- for ( c=0; c<channels; ++c ) {
- if (encoded + 4 > encoded_end) goto
invalid_size;
-+ if (decoded + 4 * 4 * channels > decoded_end)
-+ goto invalid_size;
- Fill_IMA_ADPCM_block(decoded, encoded,
- c, channels, &state[c]);
- encoded += 4;
---
-2.20.1
-
Deleted: SDL-1.2.15-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch
===================================================================
--- SDL-1.2.15-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch
2021-08-31 23:07:38 UTC (rev 1010233)
+++ SDL-1.2.15-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch
2021-08-31 23:13:02 UTC (rev 1010234)
@@ -1,83 +0,0 @@
-From 3e2c89e516701f3586dfeadec13932f665371d2a Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <[email protected]>
-Date: Fri, 15 Feb 2019 10:36:13 +0100
-Subject: [PATCH] CVE-2019-7573, CVE-2019-7576: Fix buffer overreads in
- InitMS_ADPCM
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-If MS ADPCM format chunk was too short, InitMS_ADPCM() parsing it
-could read past the end of chunk data. This patch fixes it.
-
-CVE-2019-7573
-https://bugzilla.libsdl.org/show_bug.cgi?id=4491
-CVE-2019-7576
-https://bugzilla.libsdl.org/show_bug.cgi?id=4490
-
-Signed-off-by: Petr Písař <[email protected]>
----
- src/audio/SDL_wave.c | 13 ++++++++++---
- 1 file changed, 10 insertions(+), 3 deletions(-)
-
-diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
-index 91e89e8..1d446ed 100644
---- a/src/audio/SDL_wave.c
-+++ b/src/audio/SDL_wave.c
-@@ -44,12 +44,13 @@ static struct MS_ADPCM_decoder {
- struct MS_ADPCM_decodestate state[2];
- } MS_ADPCM_state;
-
--static int InitMS_ADPCM(WaveFMT *format)
-+static int InitMS_ADPCM(WaveFMT *format, int length)
- {
-- Uint8 *rogue_feel;
-+ Uint8 *rogue_feel, *rogue_feel_end;
- int i;
-
- /* Set the rogue pointer to the MS_ADPCM specific data */
-+ if (length < sizeof(*format)) goto too_short;
- MS_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding);
- MS_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels);
- MS_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency);
-@@ -58,9 +59,11 @@ static int InitMS_ADPCM(WaveFMT *format)
- MS_ADPCM_state.wavefmt.bitspersample =
- SDL_SwapLE16(format->bitspersample);
- rogue_feel = (Uint8 *)format+sizeof(*format);
-+ rogue_feel_end = (Uint8 *)format + length;
- if ( sizeof(*format) == 16 ) {
- rogue_feel += sizeof(Uint16);
- }
-+ if (rogue_feel + 4 > rogue_feel_end) goto too_short;
- MS_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1]<<8)|rogue_feel[0]);
- rogue_feel += sizeof(Uint16);
- MS_ADPCM_state.wNumCoef = ((rogue_feel[1]<<8)|rogue_feel[0]);
-@@ -70,12 +73,16 @@ static int InitMS_ADPCM(WaveFMT *format)
- return(-1);
- }
- for ( i=0; i<MS_ADPCM_state.wNumCoef; ++i ) {
-+ if (rogue_feel + 4 > rogue_feel_end) goto too_short;
- MS_ADPCM_state.aCoeff[i][0] =
((rogue_feel[1]<<8)|rogue_feel[0]);
- rogue_feel += sizeof(Uint16);
- MS_ADPCM_state.aCoeff[i][1] =
((rogue_feel[1]<<8)|rogue_feel[0]);
- rogue_feel += sizeof(Uint16);
- }
- return(0);
-+too_short:
-+ SDL_SetError("Unexpected length of a chunk with a MS ADPCM format");
-+ return(-1);
- }
-
- static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state,
-@@ -485,7 +492,7 @@ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int
freesrc,
- break;
- case MS_ADPCM_CODE:
- /* Try to understand this */
-- if ( InitMS_ADPCM(format) < 0 ) {
-+ if ( InitMS_ADPCM(format, lenread) < 0 ) {
- was_error = 1;
- goto done;
- }
---
-2.20.1
-
Deleted: SDL-1.2.15-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch
===================================================================
--- SDL-1.2.15-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch
2021-08-31 23:07:38 UTC (rev 1010233)
+++ SDL-1.2.15-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch
2021-08-31 23:13:02 UTC (rev 1010234)
@@ -1,71 +0,0 @@
-From 9b2eee24768889378032077423cb6a3221a8ad18 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <[email protected]>
-Date: Thu, 14 Feb 2019 15:41:47 +0100
-Subject: [PATCH] CVE-2019-7574: Fix a buffer overread in IMA_ADPCM_decode
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-If data chunk was shorter than expected based on a WAV format
-definition, IMA_ADPCM_decode() tried to read past the data chunk
-buffer. This patch fixes it.
-
-CVE-2019-7574
-https://bugzilla.libsdl.org/show_bug.cgi?id=4496
-
-Signed-off-by: Petr Písař <[email protected]>
----
- src/audio/SDL_wave.c | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
-index b6c49de..2968b3d 100644
---- a/src/audio/SDL_wave.c
-+++ b/src/audio/SDL_wave.c
-@@ -334,7 +334,7 @@ static void Fill_IMA_ADPCM_block(Uint8 *decoded, Uint8
*encoded,
- static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
- {
- struct IMA_ADPCM_decodestate *state;
-- Uint8 *freeable, *encoded, *decoded;
-+ Uint8 *freeable, *encoded, *encoded_end, *decoded;
- Sint32 encoded_len, samplesleft;
- unsigned int c, channels;
-
-@@ -350,6 +350,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32
*audio_len)
- /* Allocate the proper sized output buffer */
- encoded_len = *audio_len;
- encoded = *audio_buf;
-+ encoded_end = encoded + encoded_len;
- freeable = *audio_buf;
- *audio_len = (encoded_len/IMA_ADPCM_state.wavefmt.blockalign) *
- IMA_ADPCM_state.wSamplesPerBlock*
-@@ -365,6 +366,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32
*audio_len)
- while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) {
- /* Grab the initial information for this block */
- for ( c=0; c<channels; ++c ) {
-+ if (encoded + 4 > encoded_end) goto invalid_size;
- /* Fill the state information for this block */
- state[c].sample = ((encoded[1]<<8)|encoded[0]);
- encoded += 2;
-@@ -387,6 +389,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32
*audio_len)
- samplesleft = (IMA_ADPCM_state.wSamplesPerBlock-1)*channels;
- while ( samplesleft > 0 ) {
- for ( c=0; c<channels; ++c ) {
-+ if (encoded + 4 > encoded_end) goto
invalid_size;
- Fill_IMA_ADPCM_block(decoded, encoded,
- c, channels, &state[c]);
- encoded += 4;
-@@ -398,6 +401,10 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32
*audio_len)
- }
- SDL_free(freeable);
- return(0);
-+invalid_size:
-+ SDL_SetError("Unexpected chunk length for an IMA ADPCM decoder");
-+ SDL_free(freeable);
-+ return(-1);
- }
-
- SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc,
---
-2.20.1
-
Deleted: SDL-1.2.15-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch
===================================================================
--- SDL-1.2.15-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch
2021-08-31 23:07:38 UTC (rev 1010233)
+++ SDL-1.2.15-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch
2021-08-31 23:13:02 UTC (rev 1010234)
@@ -1,84 +0,0 @@
-From e1f80cadb079e35103e6eebf160a818815c823df Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <[email protected]>
-Date: Thu, 14 Feb 2019 14:51:52 +0100
-Subject: [PATCH] CVE-2019-7575: Fix a buffer overwrite in MS_ADPCM_decode
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-If a WAV format defines shorter audio stream and decoded MS ADPCM data chunk
-is longer, decoding continued past the output audio buffer.
-
-This fix is based on a patch from
-<https://bugzilla.libsdl.org/show_bug.cgi?id=4492>.
-
-https://bugzilla.libsdl.org/show_bug.cgi?id=4493
-CVE-2019-7575
-
-Signed-off-by: Petr Písař <[email protected]>
----
- src/audio/SDL_wave.c | 13 ++++++++-----
- 1 file changed, 8 insertions(+), 5 deletions(-)
-
-diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
-index e42d01c..b6c49de 100644
---- a/src/audio/SDL_wave.c
-+++ b/src/audio/SDL_wave.c
-@@ -115,7 +115,7 @@ static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate
*state,
- static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
- {
- struct MS_ADPCM_decodestate *state[2];
-- Uint8 *freeable, *encoded, *encoded_end, *decoded;
-+ Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end;
- Sint32 encoded_len, samplesleft;
- Sint8 nybble, stereo;
- Sint16 *coeff[2];
-@@ -135,6 +135,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32
*audio_len)
- return(-1);
- }
- decoded = *audio_buf;
-+ decoded_end = decoded + *audio_len;
-
- /* Get ready... Go! */
- stereo = (MS_ADPCM_state.wavefmt.channels == 2);
-@@ -142,7 +143,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32
*audio_len)
- state[1] = &MS_ADPCM_state.state[stereo];
- while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) {
- /* Grab the initial information for this block */
-- if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto
too_short;
-+ if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto
invalid_size;
- state[0]->hPredictor = *encoded++;
- if ( stereo ) {
- state[1]->hPredictor = *encoded++;
-@@ -169,6 +170,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32
*audio_len)
- coeff[1] = MS_ADPCM_state.aCoeff[state[1]->hPredictor];
-
- /* Store the two initial samples we start with */
-+ if (decoded + 4 + (stereo ? 4 : 0) > decoded_end) goto
invalid_size;
- decoded[0] = state[0]->iSamp2&0xFF;
- decoded[1] = state[0]->iSamp2>>8;
- decoded += 2;
-@@ -190,7 +192,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32
*audio_len)
- samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)*
- MS_ADPCM_state.wavefmt.channels;
- while ( samplesleft > 0 ) {
-- if (encoded + 1 > encoded_end) goto too_short;
-+ if (encoded + 1 > encoded_end) goto invalid_size;
-+ if (decoded + 4 > decoded_end) goto invalid_size;
-
- nybble = (*encoded)>>4;
- new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]);
-@@ -213,8 +216,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32
*audio_len)
- }
- SDL_free(freeable);
- return(0);
--too_short:
-- SDL_SetError("Too short chunk for a MS ADPCM decoder");
-+invalid_size:
-+ SDL_SetError("Unexpected chunk length for a MS ADPCM decoder");
- SDL_free(freeable);
- return(-1);
- }
---
-2.20.1
-
Deleted: SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch
===================================================================
--- SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch
2021-08-31 23:07:38 UTC (rev 1010233)
+++ SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch
2021-08-31 23:13:02 UTC (rev 1010234)
@@ -1,75 +0,0 @@
-From ac3d0d365b1f01a6782565feda0c7432a5795671 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <[email protected]>
-Date: Thu, 14 Feb 2019 14:12:22 +0100
-Subject: [PATCH] CVE-2019-7577: Fix a buffer overread in MS_ADPCM_decode
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-If RIFF/WAV data chunk length is shorter then expected for an audio
-format defined in preceeding RIFF/WAV format headers, a buffer
-overread can happen.
-
-This patch fixes it by checking a MS ADPCM data to be decoded are not
-past the initialized buffer.
-
-CVE-2019-7577
-Reproducer: https://bugzilla.libsdl.org/show_bug.cgi?id=4492
-
-Signed-off-by: Petr Písař <[email protected]>
----
- src/audio/SDL_wave.c | 10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
-index b4ad6c7..e42d01c 100644
---- a/src/audio/SDL_wave.c
-+++ b/src/audio/SDL_wave.c
-@@ -115,7 +115,7 @@ static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate
*state,
- static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
- {
- struct MS_ADPCM_decodestate *state[2];
-- Uint8 *freeable, *encoded, *decoded;
-+ Uint8 *freeable, *encoded, *encoded_end, *decoded;
- Sint32 encoded_len, samplesleft;
- Sint8 nybble, stereo;
- Sint16 *coeff[2];
-@@ -124,6 +124,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32
*audio_len)
- /* Allocate the proper sized output buffer */
- encoded_len = *audio_len;
- encoded = *audio_buf;
-+ encoded_end = encoded + encoded_len;
- freeable = *audio_buf;
- *audio_len = (encoded_len/MS_ADPCM_state.wavefmt.blockalign) *
- MS_ADPCM_state.wSamplesPerBlock*
-@@ -141,6 +142,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32
*audio_len)
- state[1] = &MS_ADPCM_state.state[stereo];
- while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) {
- /* Grab the initial information for this block */
-+ if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto
too_short;
- state[0]->hPredictor = *encoded++;
- if ( stereo ) {
- state[1]->hPredictor = *encoded++;
-@@ -188,6 +190,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32
*audio_len)
- samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)*
- MS_ADPCM_state.wavefmt.channels;
- while ( samplesleft > 0 ) {
-+ if (encoded + 1 > encoded_end) goto too_short;
-+
- nybble = (*encoded)>>4;
- new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]);
- decoded[0] = new_sample&0xFF;
-@@ -209,6 +213,10 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32
*audio_len)
- }
- SDL_free(freeable);
- return(0);
-+too_short:
-+ SDL_SetError("Too short chunk for a MS ADPCM decoder");
-+ SDL_free(freeable);
-+ return(-1);
- }
-
- struct IMA_ADPCM_decodestate {
---
-2.20.1
-
Deleted: SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch
===================================================================
--- SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch
2021-08-31 23:07:38 UTC (rev 1010233)
+++ SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch
2021-08-31 23:13:02 UTC (rev 1010234)
@@ -1,57 +0,0 @@
-From 69cd6157644cb0a5c9edd7b5920232c2ca31c151 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <[email protected]>
-Date: Tue, 12 Mar 2019 16:21:41 +0100
-Subject: [PATCH] CVE-2019-7577: Fix a buffer overread in MS_ADPCM_nibble and
- MS_ADPCM_decode
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-If a chunk of RIFF/WAV file with MS ADPCM encoding contains an invalid
-predictor (a valid predictor's value is between 0 and 6 inclusive),
-a buffer overread can happen when the predictor is used as an index
-into an array of MS ADPCM coefficients.
-
-The overead happens when indexing MS_ADPCM_state.aCoeff[] array in
-MS_ADPCM_decode() and later when dereferencing a coef pointer in
-MS_ADPCM_nibble().
-
-This patch fixes it by checking the MS ADPCM predictor values fit
-into the valid range.
-
-CVE-2019-7577
-Reproducer: https://bugzilla.libsdl.org/show_bug.cgi?id=4492
-
-Signed-off-by: Petr Písař <[email protected]>
----
- src/audio/SDL_wave.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
-index 08f65cb..5f93651 100644
---- a/src/audio/SDL_wave.c
-+++ b/src/audio/SDL_wave.c
-@@ -155,6 +155,9 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32
*audio_len)
- if ( stereo ) {
- state[1]->hPredictor = *encoded++;
- }
-+ if (state[0]->hPredictor >= 7 || state[1]->hPredictor >= 7) {
-+ goto invalid_predictor;
-+ }
- state[0]->iDelta = ((encoded[1]<<8)|encoded[0]);
- encoded += sizeof(Sint16);
- if ( stereo ) {
-@@ -227,6 +230,10 @@ invalid_size:
- SDL_SetError("Unexpected chunk length for a MS ADPCM decoder");
- SDL_free(freeable);
- return(-1);
-+invalid_predictor:
-+ SDL_SetError("Invalid predictor value for a MS ADPCM decoder");
-+ SDL_free(freeable);
-+ return(-1);
- }
-
- struct IMA_ADPCM_decodestate {
---
-2.20.1
-
Deleted: SDL-1.2.15-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch
===================================================================
--- SDL-1.2.15-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch
2021-08-31 23:07:38 UTC (rev 1010233)
+++ SDL-1.2.15-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch
2021-08-31 23:13:02 UTC (rev 1010234)
@@ -1,67 +0,0 @@
-From 0eb76f6cabcffa2104e34c26e0f41e6de95356ff Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <[email protected]>
-Date: Fri, 15 Feb 2019 10:56:59 +0100
-Subject: [PATCH] CVE-2019-7578: Fix a buffer overread in InitIMA_ADPCM
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-If IMA ADPCM format chunk was too short, InitIMA_ADPCM() parsing it
-could read past the end of chunk data. This patch fixes it.
-
-CVE-2019-7578
-https://bugzilla.libsdl.org/show_bug.cgi?id=4494
-
-Signed-off-by: Petr Písař <[email protected]>
----
- src/audio/SDL_wave.c | 12 +++++++++---
- 1 file changed, 9 insertions(+), 3 deletions(-)
-
-diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
-index 1d446ed..08f65cb 100644
---- a/src/audio/SDL_wave.c
-+++ b/src/audio/SDL_wave.c
-@@ -240,11 +240,12 @@ static struct IMA_ADPCM_decoder {
- struct IMA_ADPCM_decodestate state[2];
- } IMA_ADPCM_state;
-
--static int InitIMA_ADPCM(WaveFMT *format)
-+static int InitIMA_ADPCM(WaveFMT *format, int length)
- {
-- Uint8 *rogue_feel;
-+ Uint8 *rogue_feel, *rogue_feel_end;
-
- /* Set the rogue pointer to the IMA_ADPCM specific data */
-+ if (length < sizeof(*format)) goto too_short;
- IMA_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding);
- IMA_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels);
- IMA_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency);
-@@ -253,11 +254,16 @@ static int InitIMA_ADPCM(WaveFMT *format)
- IMA_ADPCM_state.wavefmt.bitspersample =
- SDL_SwapLE16(format->bitspersample);
- rogue_feel = (Uint8 *)format+sizeof(*format);
-+ rogue_feel_end = (Uint8 *)format + length;
- if ( sizeof(*format) == 16 ) {
- rogue_feel += sizeof(Uint16);
- }
-+ if (rogue_feel + 2 > rogue_feel_end) goto too_short;
- IMA_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1]<<8)|rogue_feel[0]);
- return(0);
-+too_short:
-+ SDL_SetError("Unexpected length of a chunk with an IMA ADPCM format");
-+ return(-1);
- }
-
- static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8
nybble)
-@@ -500,7 +506,7 @@ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int
freesrc,
- break;
- case IMA_ADPCM_CODE:
- /* Try to understand this */
-- if ( InitIMA_ADPCM(format) < 0 ) {
-+ if ( InitIMA_ADPCM(format, lenread) < 0 ) {
- was_error = 1;
- goto done;
- }
---
-2.20.1
-
Deleted: SDL-1.2.15-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch
===================================================================
--- SDL-1.2.15-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch
2021-08-31 23:07:38 UTC (rev 1010233)
+++ SDL-1.2.15-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch
2021-08-31 23:13:02 UTC (rev 1010234)
@@ -1,67 +0,0 @@
-From beef32b0e510371f3c968d22a1e3d48abbf366c6 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <[email protected]>
-Date: Tue, 19 Feb 2019 14:52:52 +0100
-Subject: [PATCH] CVE-2019-7635: Reject BMP images with pixel colors out the
- palette
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-If a 1-, 4-, or 8-bit per pixel BMP image declares less used colors
-than the palette offers an SDL_Surface with a palette of the indicated
-number of used colors is created. If some of the image's pixel
-refer to a color number higher then the maximal used colors, a subsequent
-bliting operation on the surface will look up a color past a blit map
-(that is based on the palette) memory. I.e. passing such SDL_Surface
-to e.g. an SDL_DisplayFormat() function will result in a buffer overread in
-a blit function.
-
-This patch fixes it by validing each pixel's color to be less than the
-maximal color number in the palette. A validation failure raises an
-error from a SDL_LoadBMP_RW() function.
-
-CVE-2019-7635
-https://bugzilla.libsdl.org/show_bug.cgi?id=4498
-
-Signed-off-by: Petr Písař <[email protected]>
----
- src/video/SDL_bmp.c | 16 ++++++++++++++++
- 1 file changed, 16 insertions(+)
-
-diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c
-index 3accded..8eadc5f 100644
---- a/src/video/SDL_bmp.c
-+++ b/src/video/SDL_bmp.c
-@@ -300,6 +300,12 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc)
- }
- *(bits+i) = (pixel>>shift);
- pixel <<= ExpandBMP;
-+ if ( bits[i] >= biClrUsed ) {
-+ SDL_SetError(
-+ "A BMP image contains a pixel
with a color out of the palette");
-+ was_error = SDL_TRUE;
-+ goto done;
-+ }
- } }
- break;
-
-@@ -310,6 +316,16 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc)
- was_error = SDL_TRUE;
- goto done;
- }
-+ if ( 8 == biBitCount && palette && biClrUsed < (1 <<
biBitCount ) ) {
-+ for ( i=0; i<surface->w; ++i ) {
-+ if ( bits[i] >= biClrUsed ) {
-+ SDL_SetError(
-+ "A BMP image contains a
pixel with a color out of the palette");
-+ was_error = SDL_TRUE;
-+ goto done;
-+ }
-+ }
-+ }
- #if SDL_BYTEORDER == SDL_BIG_ENDIAN
- /* Byte-swap the pixels if needed. Note that the 24bpp
- case has already been taken care of above. */
---
-2.20.1
-
Deleted: SDL-1.2.15-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch
===================================================================
--- SDL-1.2.15-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch
2021-08-31 23:07:38 UTC (rev 1010233)
+++ SDL-1.2.15-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch
2021-08-31 23:13:02 UTC (rev 1010234)
@@ -1,209 +0,0 @@
-From cc50d843089c8cf386c3e0f9cb2fae0b258a9b7b Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <[email protected]>
-Date: Mon, 18 Feb 2019 13:53:16 +0100
-Subject: [PATCH] CVE-2019-7637: Fix in integer overflow in SDL_CalculatePitch
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-If a too large width is passed to SDL_SetVideoMode() the width travels
-to SDL_CalculatePitch() where the width (e.g. 65535) is multiplied by
-BytesPerPixel (e.g. 4) and the result is stored into Uint16 pitch
-variable. During this arithmetics an integer overflow can happen (e.g.
-the value is clamped as 65532). As a result SDL_Surface with a pitch
-smaller than width * BytesPerPixel is created, too small pixel buffer
-is allocated and when the SDL_Surface is processed in SDL_FillRect()
-a buffer overflow occurs.
-
-This can be reproduced with "./graywin -width 21312312313123213213213"
-command.
-
-This patch fixes is by using a very careful arithmetics in
-SDL_CalculatePitch(). If an overflow is detected, an error is reported
-back as a special 0 value. We assume that 0-width surfaces do not
-occur in the wild. Since SDL_CalculatePitch() is a private function,
-we can change the semantics.
-
-CVE-2019-7637
-https://bugzilla.libsdl.org/show_bug.cgi?id=4497
-
-Signed-off-by: Petr Písař <[email protected]>
----
- src/video/SDL_pixels.c | 41 +++++++++++++++++++++++++++------
- src/video/gapi/SDL_gapivideo.c | 3 +++
- src/video/nanox/SDL_nxvideo.c | 4 ++++
- src/video/ps2gs/SDL_gsvideo.c | 3 +++
- src/video/ps3/SDL_ps3video.c | 3 +++
- src/video/windib/SDL_dibvideo.c | 3 +++
- src/video/windx5/SDL_dx5video.c | 3 +++
- src/video/x11/SDL_x11video.c | 4 ++++
- 8 files changed, 57 insertions(+), 7 deletions(-)
-
-diff --git a/src/video/SDL_pixels.c b/src/video/SDL_pixels.c
-index 1a7fd51..44626b7 100644
---- a/src/video/SDL_pixels.c
-+++ b/src/video/SDL_pixels.c
-@@ -286,26 +286,53 @@ void SDL_DitherColors(SDL_Color *colors, int bpp)
- }
- }
- /*
-- * Calculate the pad-aligned scanline width of a surface
-+ * Calculate the pad-aligned scanline width of a surface. Return 0 in case of
-+ * an error.
- */
- Uint16 SDL_CalculatePitch(SDL_Surface *surface)
- {
-- Uint16 pitch;
-+ unsigned int pitch = 0;
-
- /* Surface should be 4-byte aligned for speed */
-- pitch = surface->w*surface->format->BytesPerPixel;
-+ /* The code tries to prevent from an Uint16 overflow. */;
-+ for (Uint8 byte = surface->format->BytesPerPixel; byte; byte--) {
-+ pitch += (unsigned int)surface->w;
-+ if (pitch < surface->w) {
-+ SDL_SetError("A scanline is too wide");
-+ return(0);
-+ }
-+ }
- switch (surface->format->BitsPerPixel) {
- case 1:
-- pitch = (pitch+7)/8;
-+ if (pitch % 8) {
-+ pitch = pitch / 8 + 1;
-+ } else {
-+ pitch = pitch / 8;
-+ }
- break;
- case 4:
-- pitch = (pitch+1)/2;
-+ if (pitch % 2) {
-+ pitch = pitch / 2 + 1;
-+ } else {
-+ pitch = pitch / 2;
-+ }
- break;
- default:
- break;
- }
-- pitch = (pitch + 3) & ~3; /* 4-byte aligning */
-- return(pitch);
-+ /* 4-byte aligning */
-+ if (pitch & 3) {
-+ if (pitch + 3 < pitch) {
-+ SDL_SetError("A scanline is too wide");
-+ return(0);
-+ }
-+ pitch = (pitch + 3) & ~3;
-+ }
-+ if (pitch > 0xFFFF) {
-+ SDL_SetError("A scanline is too wide");
-+ return(0);
-+ }
-+ return((Uint16)pitch);
- }
- /*
- * Match an RGB value to a particular palette index
-diff --git a/src/video/gapi/SDL_gapivideo.c b/src/video/gapi/SDL_gapivideo.c
-index 86deadc..8a06485 100644
---- a/src/video/gapi/SDL_gapivideo.c
-+++ b/src/video/gapi/SDL_gapivideo.c
-@@ -733,6 +733,9 @@ SDL_Surface *GAPI_SetVideoMode(_THIS, SDL_Surface *current,
- video->w = gapi->w = width;
- video->h = gapi->h = height;
- video->pitch = SDL_CalculatePitch(video);
-+ if (!current->pitch) {
-+ return(NULL);
-+ }
-
- /* Small fix for WinCE/Win32 - when activating window
- SDL_VideoSurface is equal to zero, so activating code
-diff --git a/src/video/nanox/SDL_nxvideo.c b/src/video/nanox/SDL_nxvideo.c
-index b188e09..cbdd09a 100644
---- a/src/video/nanox/SDL_nxvideo.c
-+++ b/src/video/nanox/SDL_nxvideo.c
-@@ -378,6 +378,10 @@ SDL_Surface * NX_SetVideoMode (_THIS, SDL_Surface *
current,
- current -> w = width ;
- current -> h = height ;
- current -> pitch = SDL_CalculatePitch (current) ;
-+ if (!current->pitch) {
-+ current = NULL;
-+ goto done;
-+ }
- NX_ResizeImage (this, current, flags) ;
- }
-
-diff --git a/src/video/ps2gs/SDL_gsvideo.c b/src/video/ps2gs/SDL_gsvideo.c
-index e172c60..3290866 100644
---- a/src/video/ps2gs/SDL_gsvideo.c
-+++ b/src/video/ps2gs/SDL_gsvideo.c
-@@ -479,6 +479,9 @@ static SDL_Surface *GS_SetVideoMode(_THIS, SDL_Surface
*current,
- current->w = width;
- current->h = height;
- current->pitch = SDL_CalculatePitch(current);
-+ if (!current->pitch) {
-+ return(NULL);
-+ }
-
- /* Memory map the DMA area for block memory transfer */
- if ( ! mapped_mem ) {
-diff --git a/src/video/ps3/SDL_ps3video.c b/src/video/ps3/SDL_ps3video.c
-index d5519e0..17848e3 100644
---- a/src/video/ps3/SDL_ps3video.c
-+++ b/src/video/ps3/SDL_ps3video.c
-@@ -339,6 +339,9 @@ static SDL_Surface *PS3_SetVideoMode(_THIS, SDL_Surface *
current, int width, in
- current->w = width;
- current->h = height;
- current->pitch = SDL_CalculatePitch(current);
-+ if (!current->pitch) {
-+ return(NULL);
-+ }
-
- /* Alloc aligned mem for current->pixels */
- s_pixels = memalign(16, current->h * current->pitch);
-diff --git a/src/video/windib/SDL_dibvideo.c b/src/video/windib/SDL_dibvideo.c
-index 6187bfc..86ebb12 100644
---- a/src/video/windib/SDL_dibvideo.c
-+++ b/src/video/windib/SDL_dibvideo.c
-@@ -675,6 +675,9 @@ SDL_Surface *DIB_SetVideoMode(_THIS, SDL_Surface *current,
- video->w = width;
- video->h = height;
- video->pitch = SDL_CalculatePitch(video);
-+ if (!current->pitch) {
-+ return(NULL);
-+ }
-
- /* Small fix for WinCE/Win32 - when activating window
- SDL_VideoSurface is equal to zero, so activating code
-diff --git a/src/video/windx5/SDL_dx5video.c b/src/video/windx5/SDL_dx5video.c
-index f80ca97..39fc4fc 100644
---- a/src/video/windx5/SDL_dx5video.c
-+++ b/src/video/windx5/SDL_dx5video.c
-@@ -1127,6 +1127,9 @@ SDL_Surface *DX5_SetVideoMode(_THIS, SDL_Surface
*current,
- video->w = width;
- video->h = height;
- video->pitch = SDL_CalculatePitch(video);
-+ if (!current->pitch) {
-+ return(NULL);
-+ }
-
- #ifndef NO_CHANGEDISPLAYSETTINGS
- /* Set fullscreen mode if appropriate.
-diff --git a/src/video/x11/SDL_x11video.c b/src/video/x11/SDL_x11video.c
-index 79e60f9..45d1f79 100644
---- a/src/video/x11/SDL_x11video.c
-+++ b/src/video/x11/SDL_x11video.c
-@@ -1220,6 +1220,10 @@ SDL_Surface *X11_SetVideoMode(_THIS, SDL_Surface
*current,
- current->w = width;
- current->h = height;
- current->pitch = SDL_CalculatePitch(current);
-+ if (!current->pitch) {
-+ current = NULL;
-+ goto done;
-+ }
- if (X11_ResizeImage(this, current, flags) < 0) {
- current = NULL;
- goto done;
---
-2.20.1
-
Deleted: SDL-1.2.15-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch
===================================================================
--- SDL-1.2.15-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch
2021-08-31 23:07:38 UTC (rev 1010233)
+++ SDL-1.2.15-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch
2021-08-31 23:13:02 UTC (rev 1010234)
@@ -1,56 +0,0 @@
-From 28b1433b4bd7982524f2418420e8cc01786df5c4 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <[email protected]>
-Date: Fri, 15 Feb 2019 16:52:27 +0100
-Subject: [PATCH] CVE-2019-7638, CVE-2019-7636: Refuse loading BMP images with
- too high number of colors
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-If a BMP file that defines more colors than can fit into
-a palette of color depth defined in the same BMP file is loaded by
-SDL_LoadBMP_RW() function, invalid number of colors is set into
-resulting SDL surface.
-
-Then if the SDL surface is passed to SDL_DisplayFormat() function to
-convert the surface format into a native video format, a buffer
-overread will happen in Map1to1() or Map1toN() function
-(CVE-2019-7638). (The choice of the mapping function depends on
-a actual video hardware.)
-
-In addition SDL_GetRGB() called indirectly from SDL_DisplayFormat()
-performs the same buffer overread (CVE-2019-7636).
-
-There is also probably a buffer overwrite when the SDL_LoadBMP_RW()
-loads colors from a file.
-
-This patch fixes it by refusing loading such badly damaged BMP files.
-
-CVE-2019-7638
-https://bugzilla.libsdl.org/show_bug.cgi?id=4500
-CVE-2019-7636
-https://bugzilla.libsdl.org/show_bug.cgi?id=4499
-
-Signed-off-by: Petr Písař <[email protected]>
----
- src/video/SDL_bmp.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c
-index d56cfd8..3accded 100644
---- a/src/video/SDL_bmp.c
-+++ b/src/video/SDL_bmp.c
-@@ -233,6 +233,10 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc)
- if ( palette ) {
- if ( biClrUsed == 0 ) {
- biClrUsed = 1 << biBitCount;
-+ } else if ( biClrUsed > (1 << biBitCount) ) {
-+ SDL_SetError("BMP file has an invalid number of
colors");
-+ was_error = SDL_TRUE;
-+ goto done;
- }
- if ( biSize == 12 ) {
- for ( i = 0; i < (int)biClrUsed; ++i ) {
---
-2.20.1
-
Deleted: SDL-1.2.15-Reject-2-3-5-6-7-bpp-BMP-images.patch
===================================================================
--- SDL-1.2.15-Reject-2-3-5-6-7-bpp-BMP-images.patch 2021-08-31 23:07:38 UTC
(rev 1010233)
+++ SDL-1.2.15-Reject-2-3-5-6-7-bpp-BMP-images.patch 2021-08-31 23:13:02 UTC
(rev 1010234)
@@ -1,42 +0,0 @@
-From 70c3d0e97755e1b208ceba2ae012877797f15627 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <[email protected]>
-Date: Thu, 21 Feb 2019 10:57:41 +0100
-Subject: [PATCH] Reject 2, 3, 5, 6, 7-bpp BMP images
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-BMP decoder assumes less than 8 bit depth images have 1 or 4 bits
-per pixel. No other depths are correctly translated to an 8bpp
-surface.
-
-This patch rejects loading these images.
-
-https://bugzilla.libsdl.org/show_bug.cgi?id=4498
-Signed-off-by: Petr Písař <[email protected]>
----
- src/video/SDL_bmp.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c
-index 8eadc5f..758d4bb 100644
---- a/src/video/SDL_bmp.c
-+++ b/src/video/SDL_bmp.c
-@@ -163,6 +163,14 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc)
- ExpandBMP = biBitCount;
- biBitCount = 8;
- break;
-+ case 2:
-+ case 3:
-+ case 5:
-+ case 6:
-+ case 7:
-+ SDL_SetError("%d-bpp BMP images are not supported",
biBitCount);
-+ was_error = SDL_TRUE;
-+ goto done;
- default:
- ExpandBMP = 0;
- break;
---
-2.20.1
-
Deleted: SDL-1.2.15-SDL_EnableUNICODE_drops_keyboard_events.patch
===================================================================
--- SDL-1.2.15-SDL_EnableUNICODE_drops_keyboard_events.patch 2021-08-31
23:07:38 UTC (rev 1010233)
+++ SDL-1.2.15-SDL_EnableUNICODE_drops_keyboard_events.patch 2021-08-31
23:13:02 UTC (rev 1010234)
@@ -1,73 +0,0 @@
-# HG changeset patch
-# User Sam Lantinga <[email protected]>
-# Date 1397799374 25200
-# Thu Apr 17 22:36:14 2014 -0700
-# Branch SDL-1.2
-# Node ID 0aade9c0203f717fe4b823a176c3c040f1a709f8
-# Parent 22a7f096bb9d4d596f35a93e33608825693462b0
-Fixed bug 2325 - SDL_EnableUNICODE sometimes drops keyboard events completely
-
-Rafał Mużyło
-
-The most annoying part of this bug is that though I've found it in two
separate apps, I don't have a trivial testcase for it.
-
-The problem seems to be a condition race, as it's triggered quite randomly
(therefore it will be hard to tell whether it really gets fixed, if a probable
fix is found).
-
-While it's specific to SDL 1.2, it seems quite similar to the problem
described and fixed in http://forums.libsdl.org/viewtopic.php?p=40503.
-
-Now, I should start describing the problem.
-
-A game uses Escape to open menu (the exact key might not be important). Upon
opening, it calls SDL_EnableUNICODE(1). Upon closing it calls
SDL_EnableUNICODE(0).
-
-I have an IME running.
-
-Game uses SDL_PollEvent to get the events.
-
-If Escape is pressed repeatedly, menu is opened and closed, till it eventually
freezes in open state.
-"freezes" in this context means "app itself still runs, but no keyboard events
are getting delivered (though - for example - mouse events still are)".
"getting delivered" should mean "SDL_PollEvent is not receiving any".
-If it matters, the last delivered keyboard event is a keypress, the release
never arrives.
-
-It seems (no guarantees, due to random nature of the freeze) that unsetting
XMODIFIERS (which - AFAIU - will disable IME as far as SDL is concerned)
prevents the freeze, therefore the reference to that SDL2 thread.
-
-diff -r 22a7f096bb9d -r 0aade9c0203f src/video/x11/SDL_x11events.c
---- a/src/video/x11/SDL_x11events.c Sun Dec 01 00:00:17 2013 -0500
-+++ b/src/video/x11/SDL_x11events.c Thu Apr 17 22:36:14 2014 -0700
-@@ -395,6 +395,8 @@
- {
- int posted;
- XEvent xevent;
-+ int orig_event_type;
-+ KeyCode orig_keycode;
-
- SDL_memset(&xevent, '\0', sizeof (XEvent)); /* valgrind fix. --ryan. */
- XNextEvent(SDL_Display, &xevent);
-@@ -410,9 +412,29 @@
- #ifdef X_HAVE_UTF8_STRING
- /* If we are translating with IM, we need to pass all events
- to XFilterEvent, and discard those filtered events immediately. */
-+ orig_event_type = xevent.type;
-+ if (orig_event_type == KeyPress || orig_event_type == KeyRelease) {
-+ orig_keycode = xevent.xkey.keycode;
-+ } else {
-+ orig_keycode = 0;
-+ }
- if ( SDL_TranslateUNICODE
- && SDL_IM != NULL
- && XFilterEvent(&xevent, None) ) {
-+ if (orig_keycode) {
-+ SDL_keysym keysym;
-+ static XComposeStatus state;
-+ char keybuf[32];
-+
-+ keysym.scancode = xevent.xkey.keycode;
-+ keysym.sym = X11_TranslateKeycode(SDL_Display,
xevent.xkey.keycode);
-+ keysym.mod = KMOD_NONE;
-+ keysym.unicode = 0;
-+ if (orig_event_type == KeyPress &&
XLookupString(&xevent.xkey, keybuf, sizeof(keybuf), NULL, &state))
-+ keysym.unicode = (Uint8)keybuf[0];
-+
-+ SDL_PrivateKeyboard(orig_event_type == KeyPress ?
SDL_PRESSED : SDL_RELEASED, &keysym);
-+ }
- return 0;
- }
- #endif
Deleted: SDL-1.2.15-const_XData32.patch
===================================================================
--- SDL-1.2.15-const_XData32.patch 2021-08-31 23:07:38 UTC (rev 1010233)
+++ SDL-1.2.15-const_XData32.patch 2021-08-31 23:13:02 UTC (rev 1010234)
@@ -1,16 +0,0 @@
-libX11-1.5.99.901 has changed prototype of _XData32
-
-<http://bugzilla.libsdl.org/show_bug.cgi?id=1769>
-
-diff -r b6b2829cd7ef src/video/x11/SDL_x11sym.h
---- a/src/video/x11/SDL_x11sym.h Wed Feb 27 15:20:31 2013 -0800
-+++ b/src/video/x11/SDL_x11sym.h Wed Mar 27 16:07:23 2013 +0100
-@@ -165,7 +165,7 @@
- */
- #ifdef LONG64
- SDL_X11_MODULE(IO_32BIT)
--SDL_X11_SYM(int,_XData32,(Display *dpy,register long *data,unsigned
len),(dpy,data,len),return)
-+SDL_X11_SYM(int,_XData32,(Display *dpy,register _Xconst long *data,unsigned
len),(dpy,data,len),return)
- SDL_X11_SYM(void,_XRead32,(Display *dpy,register long *data,long
len),(dpy,data,len),)
- #endif
-
Deleted: SDL-1.2.15-ignore_insane_joystick_axis.patch
===================================================================
--- SDL-1.2.15-ignore_insane_joystick_axis.patch 2021-08-31 23:07:38 UTC
(rev 1010233)
+++ SDL-1.2.15-ignore_insane_joystick_axis.patch 2021-08-31 23:13:02 UTC
(rev 1010234)
@@ -1,20 +0,0 @@
-changeset: 6324:95abff7adcc2
-branch: SDL-1.2
-parent: 6306:2b923729fd01
-user: Ryan C. Gordon <[email protected]>
-date: Sun Jun 03 04:49:25 2012 -0400
-summary: Linux evdev: ignore joystick axis events if they aren't in a sane
range.
-
-diff -r 2b923729fd01 -r 95abff7adcc2 src/joystick/linux/SDL_sysjoystick.c
---- a/src/joystick/linux/SDL_sysjoystick.c Sat May 12 23:32:51 2012 -0700
-+++ b/src/joystick/linux/SDL_sysjoystick.c Sun Jun 03 04:49:25 2012 -0400
-@@ -1106,6 +1106,9 @@
- }
- break;
- case EV_ABS:
-+ if (code > ABS_MISC) {
-+ break;
-+ }
- switch (code) {
- case ABS_HAT0X:
- case ABS_HAT0Y:
Deleted: SDL-1.2.15-no-default-backing-store.patch
===================================================================
--- SDL-1.2.15-no-default-backing-store.patch 2021-08-31 23:07:38 UTC (rev
1010233)
+++ SDL-1.2.15-no-default-backing-store.patch 2021-08-31 23:13:02 UTC (rev
1010234)
@@ -1,24 +0,0 @@
-Do not harness backing store by default
-
-xorg-server 1.15 enables backing store if composite extension is enabled
-(default settings). Harnessing backing store through compositor leads to
-tearing effect.
-
-This patch reverts default harnessing backing store to conditional use if
-SDL_VIDEO_X11_BACKINGSTORE environment variable exists.
-
-<https://bugzilla.libsdl.org/show_bug.cgi?id=2383>
-<https://bugzilla.redhat.com/show_bug.cgi?id=1073057>
-
-diff -up SDL-1.2.15/src/video/x11/SDL_x11video.c.jx
SDL-1.2.15/src/video/x11/SDL_x11video.c
---- SDL-1.2.15/src/video/x11/SDL_x11video.c.jx 2012-01-19 01:30:06.000000000
-0500
-+++ SDL-1.2.15/src/video/x11/SDL_x11video.c 2014-03-04 14:39:34.691545549
-0500
-@@ -1088,7 +1088,7 @@ static int X11_CreateWindow(_THIS, SDL_S
- }
- }
-
--#if 0 /* This is an experiment - are the graphics faster now? - nope. */
-+#if 1 /* This is an experiment - are the graphics faster now? - nope. */
- if ( SDL_getenv("SDL_VIDEO_X11_BACKINGSTORE") )
- #endif
- /* Cache the window in the server, when possible */
Deleted: SDL-1.2.15-x11-Bypass-SetGammaRamp-when-changing-gamma.patch
===================================================================
--- SDL-1.2.15-x11-Bypass-SetGammaRamp-when-changing-gamma.patch
2021-08-31 23:07:38 UTC (rev 1010233)
+++ SDL-1.2.15-x11-Bypass-SetGammaRamp-when-changing-gamma.patch
2021-08-31 23:13:02 UTC (rev 1010234)
@@ -1,44 +0,0 @@
-From 4b56fa058a45b7c804d1a5fcaf7a70db0bd0581c Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <[email protected]>
-Date: Tue, 1 Jan 2013 21:25:15 +0100
-Subject: [PATCH] x11: Bypass SetGammaRamp when changing gamma
-
-Recent Xorg has broken dynamic colors setting, so calling SDL_SetGamme()
-does not have any effect here. Recent means xorg-server >= 1.7, since 2010.
-See <https://bugs.freedesktop.org/show_bug.cgi?id=27222>.
----
- src/video/SDL_gamma.c | 15 ++-------------
- 1 files changed, 2 insertions(+), 13 deletions(-)
-
-diff --git a/src/video/SDL_gamma.c b/src/video/SDL_gamma.c
-index 4fd0370..464ab88 100644
---- a/src/video/SDL_gamma.c
-+++ b/src/video/SDL_gamma.c
-@@ -92,22 +92,11 @@ static void CalculateGammaFromRamp(float *gamma, Uint16
*ramp)
-
- int SDL_SetGamma(float red, float green, float blue)
- {
-- int succeeded;
-+ int succeeded = -1;
- SDL_VideoDevice *video = current_video;
- SDL_VideoDevice *this = current_video;
-
-- succeeded = -1;
-- /* Prefer using SetGammaRamp(), as it's more flexible */
-- {
-- Uint16 ramp[3][256];
--
-- CalculateGammaRamp(red, ramp[0]);
-- CalculateGammaRamp(green, ramp[1]);
-- CalculateGammaRamp(blue, ramp[2]);
-- succeeded = SDL_SetGammaRamp(ramp[0], ramp[1], ramp[2]);
-- }
-- if ( (succeeded < 0) && video->SetGamma ) {
-- SDL_ClearError();
-+ if ( video->SetGamma ) {
- succeeded = video->SetGamma(this, red, green, blue);
- }
- return succeeded;
---
-1.7.8.6
-
Deleted: X11_KeyToUnicode.patch
===================================================================
--- X11_KeyToUnicode.patch 2021-08-31 23:07:38 UTC (rev 1010233)
+++ X11_KeyToUnicode.patch 2021-08-31 23:13:02 UTC (rev 1010234)
@@ -1,52 +0,0 @@
-
-# HG changeset patch
-# User Sam Lantinga <[email protected]>
-# Date 1327258041 18000
-# Node ID 900a0fae90ca65cff55a70a17b9ec39d2ddccbcf
-# Parent 5273dfd19a5e8c5736a0d417bd441f704c5355f8
-Fixed bug 1390 - X11_KeyToUnicode
-
-manuel.montezelo 2012-01-22 08:56:18 PST
-
-We had the following bug report at Debian:
-http://bugs.debian.org/376560
-
-Same one in Ubuntu:
-https://bugs.launchpad.net/ubuntu/+source/libsdl1.2/+bug/66217
-
-We've been including a patch since then (attached) to actually export the
-symbol, since 2006. In the last release the function seems to be there, alive
-and kicking.
-
-It's affecting other people too:
-http://www.garagegames.com/community/forums/viewthread/52287
-
-diff -r 5273dfd19a5e -r 900a0fae90ca src/video/x11/SDL_x11events.c
---- a/src/video/x11/SDL_x11events.c Sat Jan 21 12:06:51 2012 -0500
-+++ b/src/video/x11/SDL_x11events.c Sun Jan 22 13:47:21 2012 -0500
-@@ -1246,8 +1246,11 @@
- * sequences (dead accents, compose key sequences) will not work since the
- * state has been irrevocably lost.
- */
-+extern DECLSPEC Uint16 SDLCALL X11_KeyToUnicode(SDLKey, SDLMod);
-+
- Uint16 X11_KeyToUnicode(SDLKey keysym, SDLMod modifiers)
- {
-+ static int warning = 0;
- struct SDL_VideoDevice *this = current_video;
- char keybuf[32];
- int i;
-@@ -1255,6 +1258,12 @@
- XKeyEvent xkey;
- Uint16 unicode;
-
-+ if ( warning ) {
-+ warning = 0;
-+ fprintf(stderr, "WARNING: Application is using
X11_KeyToUnicode().\n");
-+ fprintf(stderr, "This is not an official SDL function, please
report this as a bug.\n");
-+ }
-+
- if ( !this || !SDL_Display ) {
- return 0;
- }
-
Deleted: libsdl-1.2.15-resizing.patch
===================================================================
--- libsdl-1.2.15-resizing.patch 2021-08-31 23:07:38 UTC (rev 1010233)
+++ libsdl-1.2.15-resizing.patch 2021-08-31 23:13:02 UTC (rev 1010234)
@@ -1,63 +0,0 @@
-Description: Revert change that breaks window corner resizing
- http://bugzilla.libsdl.org/show_bug.cgi?id=1430
-Author: Andrew Caudwell <[email protected]>
-Last-Update: 2012-04-10
-Bug-Debian: http://bugs.debian.org/665779
-
-diff -r c787fb1b5699 src/video/x11/SDL_x11events.c
---- a/src/video/x11/SDL_x11events.c Mon Feb 20 23:51:08 2012 -0500
-+++ b/src/video/x11/SDL_x11events.c Mon Mar 26 12:26:52 2012 +1300
-@@ -57,12 +57,6 @@
- static SDLKey MISC_keymap[256];
- SDLKey X11_TranslateKeycode(Display *display, KeyCode kc);
-
--/*
-- Pending resize target for ConfigureNotify (so outdated events don't
-- cause inappropriate resize events)
--*/
--int X11_PendingConfigureNotifyWidth = -1;
--int X11_PendingConfigureNotifyHeight = -1;
-
- #ifdef X_HAVE_UTF8_STRING
- Uint32 Utf8ToUcs4(const Uint8 *utf8)
-@@ -825,16 +819,6 @@
- #ifdef DEBUG_XEVENTS
- printf("ConfigureNotify! (resize: %dx%d)\n", xevent.xconfigure.width,
xevent.xconfigure.height);
- #endif
-- if ((X11_PendingConfigureNotifyWidth != -1) &&
-- (X11_PendingConfigureNotifyHeight != -1)) {
-- if ((xevent.xconfigure.width !=
X11_PendingConfigureNotifyWidth) &&
-- (xevent.xconfigure.height !=
X11_PendingConfigureNotifyHeight)) {
-- /* Event is from before the resize, so ignore. */
-- break;
-- }
-- X11_PendingConfigureNotifyWidth = -1;
-- X11_PendingConfigureNotifyHeight = -1;
-- }
- if ( SDL_VideoSurface ) {
- if ((xevent.xconfigure.width != SDL_VideoSurface->w) ||
- (xevent.xconfigure.height != SDL_VideoSurface->h)) {
-diff -r c787fb1b5699 src/video/x11/SDL_x11events_c.h
---- a/src/video/x11/SDL_x11events_c.h Mon Feb 20 23:51:08 2012 -0500
-+++ b/src/video/x11/SDL_x11events_c.h Mon Mar 26 12:26:52 2012 +1300
-@@ -27,8 +27,3 @@
- extern void X11_InitOSKeymap(_THIS);
- extern void X11_PumpEvents(_THIS);
- extern void X11_SetKeyboardState(Display *display, const char *key_vec);
--
--/* Variables to be exported */
--extern int X11_PendingConfigureNotifyWidth;
--extern int X11_PendingConfigureNotifyHeight;
--
-diff -r c787fb1b5699 src/video/x11/SDL_x11video.c
---- a/src/video/x11/SDL_x11video.c Mon Feb 20 23:51:08 2012 -0500
-+++ b/src/video/x11/SDL_x11video.c Mon Mar 26 12:26:52 2012 +1300
-@@ -1182,8 +1182,6 @@
- current = NULL;
- goto done;
- }
-- X11_PendingConfigureNotifyWidth = width;
-- X11_PendingConfigureNotifyHeight = height;
- } else {
- if (X11_CreateWindow(this,current,width,height,bpp,flags) < 0) {
- current = NULL;
Deleted: sdl-1.2.14-disable-mmx.patch
===================================================================
--- sdl-1.2.14-disable-mmx.patch 2021-08-31 23:07:38 UTC (rev 1010233)
+++ sdl-1.2.14-disable-mmx.patch 2021-08-31 23:13:02 UTC (rev 1010234)
@@ -1,13 +0,0 @@
-# and another one from FS#26020
-
---- a/src/video/SDL_yuv_sw.c 2009-10-13 06:07:15.000000000 +0700
-+++ b/src/video/SDL_yuv_sw.c 2011-09-20 19:26:30.247742620 +0700
-@@ -89,6 +89,8 @@
- #include "SDL_yuvfuncs.h"
- #include "SDL_yuv_sw_c.h"
-
-+#undef __OPTIMIZE__
-+
- /* The functions used to manipulate software video overlays */
- static struct private_yuvhwfuncs sw_yuvfuncs = {
- SDL_LockYUV_SW,
Deleted: sdl-1.2.14-fix-mouse-clicking.patch
===================================================================
--- sdl-1.2.14-fix-mouse-clicking.patch 2021-08-31 23:07:38 UTC (rev 1010233)
+++ sdl-1.2.14-fix-mouse-clicking.patch 2021-08-31 23:13:02 UTC (rev 1010234)
@@ -1,23 +0,0 @@
---- SDL-1.2.14/src/video/x11/SDL_x11events.c.orig 2010-04-08
11:57:05.003169834 -0700
-+++ SDL-1.2.14/src/video/x11/SDL_x11events.c 2010-04-08 12:33:51.690926340
-0700
-@@ -423,12 +423,15 @@
- if ( xevent.xcrossing.mode == NotifyUngrab )
- printf("Mode: NotifyUngrab\n");
- #endif
-- if ( this->input_grab == SDL_GRAB_OFF ) {
-- posted = SDL_PrivateAppActive(1, SDL_APPMOUSEFOCUS);
-+ if ( (xevent.xcrossing.mode != NotifyGrab) &&
-+ (xevent.xcrossing.mode != NotifyUngrab) ) {
-+ if ( this->input_grab == SDL_GRAB_OFF ) {
-+ posted = SDL_PrivateAppActive(1,
SDL_APPMOUSEFOCUS);
-+ }
-+ posted = SDL_PrivateMouseMotion(0, 0,
-+ xevent.xcrossing.x,
-+ xevent.xcrossing.y);
- }
-- posted = SDL_PrivateMouseMotion(0, 0,
-- xevent.xcrossing.x,
-- xevent.xcrossing.y);
- }
- break;
-
