Date: Monday, March 1, 2021 @ 13:25:43 Author: heftig Revision: 876395
extra2community: Moving sdl from extra to community Added: sdl/ sdl/repos/ sdl/trunk/ sdl/trunk/PKGBUILD sdl/trunk/SDL-1.2.10-GrabNotViewable.patch sdl/trunk/SDL-1.2.15-CVE-2019-13616-validate_image_size_when_loading_BMP_files.patch sdl/trunk/SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch sdl/trunk/SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch sdl/trunk/SDL-1.2.15-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch sdl/trunk/SDL-1.2.15-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch sdl/trunk/SDL-1.2.15-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch sdl/trunk/SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch sdl/trunk/SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch sdl/trunk/SDL-1.2.15-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch sdl/trunk/SDL-1.2.15-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch sdl/trunk/SDL-1.2.15-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch sdl/trunk/SDL-1.2.15-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch sdl/trunk/SDL-1.2.15-Reject-2-3-5-6-7-bpp-BMP-images.patch sdl/trunk/SDL-1.2.15-SDL_EnableUNICODE_drops_keyboard_events.patch sdl/trunk/SDL-1.2.15-const_XData32.patch sdl/trunk/SDL-1.2.15-ignore_insane_joystick_axis.patch sdl/trunk/SDL-1.2.15-no-default-backing-store.patch sdl/trunk/SDL-1.2.15-x11-Bypass-SetGammaRamp-when-changing-gamma.patch sdl/trunk/X11_KeyToUnicode.patch sdl/trunk/libsdl-1.2.15-resizing.patch sdl/trunk/sdl-1.2.14-disable-mmx.patch sdl/trunk/sdl-1.2.14-fix-mouse-clicking.patch ----------------------------------------------------------------------------+ PKGBUILD | 110 +++++ SDL-1.2.10-GrabNotViewable.patch | 22 + SDL-1.2.15-CVE-2019-13616-validate_image_size_when_loading_BMP_files.patch | 23 + SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch | 59 ++ SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch | 64 +++ SDL-1.2.15-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch | 83 +++ SDL-1.2.15-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch | 71 +++ SDL-1.2.15-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch | 84 ++++ SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch | 75 +++ SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch | 57 ++ SDL-1.2.15-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch | 67 +++ SDL-1.2.15-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch | 67 +++ SDL-1.2.15-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch | 209 ++++++++++ SDL-1.2.15-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch | 56 ++ SDL-1.2.15-Reject-2-3-5-6-7-bpp-BMP-images.patch | 42 ++ SDL-1.2.15-SDL_EnableUNICODE_drops_keyboard_events.patch | 73 +++ SDL-1.2.15-const_XData32.patch | 16 SDL-1.2.15-ignore_insane_joystick_axis.patch | 20 SDL-1.2.15-no-default-backing-store.patch | 24 + SDL-1.2.15-x11-Bypass-SetGammaRamp-when-changing-gamma.patch | 44 ++ X11_KeyToUnicode.patch | 52 ++ libsdl-1.2.15-resizing.patch | 63 +++ sdl-1.2.14-disable-mmx.patch | 13 sdl-1.2.14-fix-mouse-clicking.patch | 23 + 24 files changed, 1417 insertions(+) Added: sdl/trunk/PKGBUILD =================================================================== --- sdl/trunk/PKGBUILD (rev 0) +++ sdl/trunk/PKGBUILD 2021-03-01 13:25:43 UTC (rev 876395) @@ -0,0 +1,110 @@ +# Maintainer: Jan Alexander Steffens (heftig) <[email protected]> +# Contributor: Allan McRae <[email protected]> +# Contributor: dorphell <[email protected]> + +pkgname=sdl +pkgver=1.2.15 +pkgrel=14 +pkgdesc="A library for portable low-level access to a video framebuffer, audio output, mouse, and keyboard" +arch=('x86_64') +url="https://www.libsdl.org"; +license=('LGPL') +depends=('glibc' 'libxext' 'libxrender' 'libx11') +makedepends=('alsa-lib' 'mesa' 'libpulse' 'glu') +optdepends=('alsa-lib: ALSA audio driver' + 'libpulse: PulseAudio audio driver') +options=('staticlibs') +source=(https://www.libsdl.org/release/SDL-${pkgver}.tar.gz{,.sig} + SDL-1.2.10-GrabNotViewable.patch + SDL-1.2.15-SDL_EnableUNICODE_drops_keyboard_events.patch + SDL-1.2.15-const_XData32.patch + SDL-1.2.15-ignore_insane_joystick_axis.patch + SDL-1.2.15-no-default-backing-store.patch + SDL-1.2.15-x11-Bypass-SetGammaRamp-when-changing-gamma.patch + sdl-1.2.14-fix-mouse-clicking.patch + sdl-1.2.14-disable-mmx.patch + libsdl-1.2.15-resizing.patch + X11_KeyToUnicode.patch + SDL-1.2.15-CVE-2019-13616-validate_image_size_when_loading_BMP_files.patch + SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch + SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch + SDL-1.2.15-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch + SDL-1.2.15-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch + SDL-1.2.15-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch + SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch + SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch + SDL-1.2.15-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch + SDL-1.2.15-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch + SDL-1.2.15-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch + SDL-1.2.15-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch + SDL-1.2.15-Reject-2-3-5-6-7-bpp-BMP-images.patch) +sha256sums=('d6d316a793e5e348155f0dd93b979798933fb98aa1edebcc108829d6474aad00' + 'SKIP' + 'ea2042b8a45a083b1447d5c56e52b23b79f2ddb0d717ec7b287b34ef71bd2d1a' + '292046466d52a2ebe995a0121404864e4ee0de2b6024203acb95bbd600844da0' + 'bab60b515a74b71650ee71d5a0075c77046a7bad48b061673c3798dbdd35446d' + '7586d6124d5452ad721ca6aa10eae09946d94854748e22f9c9c6fdca3d0aeb12' + '3941c44a5580df95c6868936cfc57ba3e7b6952fb8a3eb14f963d54d9d8ca8a4' + 'd296af5bb0d9856d049b4e5adb9dd995d2a1e51d76a6adf63457e65101a50620' + '8d178f13eb707e81f5f9d86bf7b609ae8f0bac937fb4a37ebcbf4bbc9b89e21b' + '17bb880dd2cb4922d4e3771d146660b9da8be8f1629a5cdaae7523d4a9d2bd7c' + '5160fb1c07b04480d98d45b89a0aa6e577f2ac4c3bace0c80b251e6aca1fb4a1' + 'b1ad9c60829b166e6b647006d6549ea657155e755cf574fcfc4b91b658654769' + '95ddeff25c9f5ea4f828c90073852218a3c8ecfcd4da4f3a7f6ea54e3e5c2086' + '3f05fcccfa7f3474572955d0cbcfc931da57e3da450fc5c5803c837c38fd6e17' + 'a9bd66c75e443f7875d044518b5960386c549aa1c0592364aee1240a6e0867a5' + 'f4cd391a5df211a5d3558f5ec03b9f413533398f44feca86a30a8acc90e63402' + '0293e56873929d817950e272ebfd6735c8d5b896d0a59b2d7be09107dac7e85b' + 'be4cadd1b028e8b14ee4e4413aeffd98ff2ad1e66a7c75c8bdb04bfd08b9372a' + '335b5b1c44229ac90318dae36a98731332f417c2d71d449385e6ab013f25efdb' + '0371bcdba4e89055be62a76421052d7bd5fbf40c0f0e3d9c29fc5d21686f5afd' + '0f3691d6fc7381a4dd23216041b341102aa858b105534541dfa2843b0eccace6' + '358028a9d6523377c1757a58faed741e10a0a9863f9df33f21cd32668d257fed' + '3624f0dbe8d9bd3d553a25806237edcae5fafe714e5c4da3c5e3b281a3fbc8ae' + '7db8112826318de5705b54cf493060cec34e2822df2b1cd9f55891672beed64d' + 'da87eb71c7af042bc8379f9f7cd63e57d99429774bb43524dde103718b99c533') +validpgpkeys=('1528635D8053A57F77D1E08630A59377A7763BE6') # Sam Lantinga <[email protected]> + +prepare() { + cd SDL-$pkgver + patch -Np1 -i ../SDL-1.2.10-GrabNotViewable.patch + patch -Np1 -i ../SDL-1.2.15-SDL_EnableUNICODE_drops_keyboard_events.patch + patch -Np1 -i ../SDL-1.2.15-const_XData32.patch + patch -Np1 -i ../SDL-1.2.15-ignore_insane_joystick_axis.patch + patch -Np1 -i ../SDL-1.2.15-no-default-backing-store.patch + + # https://bugs.freedesktop.org/show_bug.cgi?id=27222 + patch -Np1 -i ../SDL-1.2.15-x11-Bypass-SetGammaRamp-when-changing-gamma.patch + + patch -Np1 -i ../sdl-1.2.14-fix-mouse-clicking.patch + patch -Np1 -i ../sdl-1.2.14-disable-mmx.patch + patch -Np1 -i ../libsdl-1.2.15-resizing.patch + patch -Np1 -i ../X11_KeyToUnicode.patch + + # bunch of CVE fixes from Fedora - Thanks! + patch -Np1 -i ../SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch + patch -Np1 -i ../SDL-1.2.15-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch + patch -Np1 -i ../SDL-1.2.15-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch + patch -Np1 -i ../SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch + patch -Np1 -i ../SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch + patch -Np1 -i ../SDL-1.2.15-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch + patch -Np1 -i ../SDL-1.2.15-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch + patch -Np1 -i ../SDL-1.2.15-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch + patch -Np1 -i ../SDL-1.2.15-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch + patch -Np1 -i ../SDL-1.2.15-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch + patch -Np1 -i ../SDL-1.2.15-CVE-2019-13616-validate_image_size_when_loading_BMP_files.patch + patch -Np1 -i ../SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch + patch -Np1 -i ../SDL-1.2.15-Reject-2-3-5-6-7-bpp-BMP-images.patch +} + +build() { + cd SDL-$pkgver + ./configure --prefix=/usr --disable-nasm --enable-alsa \ + --with-x --disable-rpath --disable-static + make +} + +package() { + cd SDL-$pkgver + make DESTDIR="$pkgdir" install +} Added: sdl/trunk/SDL-1.2.10-GrabNotViewable.patch =================================================================== --- sdl/trunk/SDL-1.2.10-GrabNotViewable.patch (rev 0) +++ sdl/trunk/SDL-1.2.10-GrabNotViewable.patch 2021-03-01 13:25:43 UTC (rev 876395) @@ -0,0 +1,22 @@ +Makes SDL-1.2 SDL_WM_GrabInput() non-blocking in case of SDL window is not +viewable. Patch provided by <[email protected]>. +See <http://bugzilla.libsdl.org/show_bug.cgi?id=1155>. + +--- ./src/video/x11/SDL_x11wm.c 2007-12-31 04:48:13.000000000 +0000 ++++ ./src/video/x11/SDL_x11wm.c 2009-01-15 10:27:14.000000000 +0000 +@@ -351,13 +351,14 @@ SDL_GrabMode X11_GrabInputNoLock(_THIS, + result = XGrabPointer(SDL_Display, SDL_Window, True, 0, + GrabModeAsync, GrabModeAsync, + SDL_Window, None, CurrentTime); +- if ( result == GrabSuccess ) { ++ if ( result == GrabSuccess || result == GrabNotViewable ) { + break; + } + SDL_Delay(100); + } + if ( result != GrabSuccess ) { + /* Uh, oh, what do we do here? */ ; ++ return(SDL_GRAB_OFF); + } + /* Now grab the keyboard */ + XGrabKeyboard(SDL_Display, WMwindow, True, Added: sdl/trunk/SDL-1.2.15-CVE-2019-13616-validate_image_size_when_loading_BMP_files.patch =================================================================== --- sdl/trunk/SDL-1.2.15-CVE-2019-13616-validate_image_size_when_loading_BMP_files.patch (rev 0) +++ sdl/trunk/SDL-1.2.15-CVE-2019-13616-validate_image_size_when_loading_BMP_files.patch 2021-03-01 13:25:43 UTC (rev 876395) @@ -0,0 +1,23 @@ +changeset: 12960:ad1bbfbca760 +branch: SDL-1.2 +parent: 12914:87d60cae0273 +user: Ozkan Sezer <[email protected]> +date: Tue Jul 30 21:30:24 2019 +0300 +summary: Fixed bug 4538 - validate image size when loading BMP files + +diff -r 87d60cae0273 -r ad1bbfbca760 src/video/SDL_bmp.c +--- a/src/video/SDL_bmp.c Tue Jun 18 23:31:40 2019 +0100 ++++ b/src/video/SDL_bmp.c Tue Jul 30 21:30:24 2019 +0300 +@@ -143,6 +143,11 @@ + (void) biYPelsPerMeter; + (void) biClrImportant; + ++ if (biWidth <= 0 || biHeight == 0) { ++ SDL_SetError("BMP file with bad dimensions (%dx%d)", biWidth, biHeight); ++ was_error = SDL_TRUE; ++ goto done; ++ } + if (biHeight < 0) { + topDown = SDL_TRUE; + biHeight = -biHeight; + Added: sdl/trunk/SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch =================================================================== --- sdl/trunk/SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch (rev 0) +++ sdl/trunk/SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch 2021-03-01 13:25:43 UTC (rev 876395) @@ -0,0 +1,59 @@ +From bb11ffcff5ae2f25bead921c2a299e7e63d8a759 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <[email protected]> +Date: Thu, 14 Feb 2019 16:51:54 +0100 +Subject: [PATCH] CVE-2019-7572: Fix a buffer overread in IMA_ADPCM_nibble +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If an IMA ADPCM block contained an initial index out of step table +range (loaded in IMA_ADPCM_decode()), IMA_ADPCM_nibble() blindly used +this bogus value and that lead to a buffer overread. + +This patch fixes it by moving clamping the index value at the +beginning of IMA_ADPCM_nibble() function instead of the end after +an update. + +CVE-2019-7572 +https://bugzilla.libsdl.org/show_bug.cgi?id=4495 + +Signed-off-by: Petr Písař <[email protected]> +--- + src/audio/SDL_wave.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c +index 2968b3d..69d62dc 100644 +--- a/src/audio/SDL_wave.c ++++ b/src/audio/SDL_wave.c +@@ -275,6 +275,14 @@ static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble) + }; + Sint32 delta, step; + ++ /* Clamp index value. The inital value can be invalid. */ ++ if ( state->index > 88 ) { ++ state->index = 88; ++ } else ++ if ( state->index < 0 ) { ++ state->index = 0; ++ } ++ + /* Compute difference and new sample value */ + step = step_table[state->index]; + delta = step >> 3; +@@ -286,12 +294,6 @@ static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble) + + /* Update index value */ + state->index += index_table[nybble]; +- if ( state->index > 88 ) { +- state->index = 88; +- } else +- if ( state->index < 0 ) { +- state->index = 0; +- } + + /* Clamp output sample */ + if ( state->sample > max_audioval ) { +-- +2.20.1 + Added: sdl/trunk/SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch =================================================================== --- sdl/trunk/SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch (rev 0) +++ sdl/trunk/SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch 2021-03-01 13:25:43 UTC (rev 876395) @@ -0,0 +1,64 @@ +From 6086741bda4d43cc227500bc7645a829380e6326 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <[email protected]> +Date: Fri, 15 Feb 2019 09:21:45 +0100 +Subject: [PATCH] CVE-2019-7572: Fix a buffer overwrite in IMA_ADPCM_decode +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If data chunk was longer than expected based on a WAV format +definition, IMA_ADPCM_decode() tried to write past the output +buffer. This patch fixes it. + +Based on patch from +<https://bugzilla.libsdl.org/show_bug.cgi?id=4496>. + +CVE-2019-7572 +https://bugzilla.libsdl.org/show_bug.cgi?id=4495 + +Signed-off-by: Petr Písař <[email protected]> +--- + src/audio/SDL_wave.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c +index 69d62dc..91e89e8 100644 +--- a/src/audio/SDL_wave.c ++++ b/src/audio/SDL_wave.c +@@ -336,7 +336,7 @@ static void Fill_IMA_ADPCM_block(Uint8 *decoded, Uint8 *encoded, + static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + { + struct IMA_ADPCM_decodestate *state; +- Uint8 *freeable, *encoded, *encoded_end, *decoded; ++ Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end; + Sint32 encoded_len, samplesleft; + unsigned int c, channels; + +@@ -363,6 +363,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + return(-1); + } + decoded = *audio_buf; ++ decoded_end = decoded + *audio_len; + + /* Get ready... Go! */ + while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) { +@@ -382,6 +383,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + } + + /* Store the initial sample we start with */ ++ if (decoded + 2 > decoded_end) goto invalid_size; + decoded[0] = (Uint8)(state[c].sample&0xFF); + decoded[1] = (Uint8)(state[c].sample>>8); + decoded += 2; +@@ -392,6 +394,8 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + while ( samplesleft > 0 ) { + for ( c=0; c<channels; ++c ) { + if (encoded + 4 > encoded_end) goto invalid_size; ++ if (decoded + 4 * 4 * channels > decoded_end) ++ goto invalid_size; + Fill_IMA_ADPCM_block(decoded, encoded, + c, channels, &state[c]); + encoded += 4; +-- +2.20.1 + Added: sdl/trunk/SDL-1.2.15-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch =================================================================== --- sdl/trunk/SDL-1.2.15-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch (rev 0) +++ sdl/trunk/SDL-1.2.15-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch 2021-03-01 13:25:43 UTC (rev 876395) @@ -0,0 +1,83 @@ +From 3e2c89e516701f3586dfeadec13932f665371d2a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <[email protected]> +Date: Fri, 15 Feb 2019 10:36:13 +0100 +Subject: [PATCH] CVE-2019-7573, CVE-2019-7576: Fix buffer overreads in + InitMS_ADPCM +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If MS ADPCM format chunk was too short, InitMS_ADPCM() parsing it +could read past the end of chunk data. This patch fixes it. + +CVE-2019-7573 +https://bugzilla.libsdl.org/show_bug.cgi?id=4491 +CVE-2019-7576 +https://bugzilla.libsdl.org/show_bug.cgi?id=4490 + +Signed-off-by: Petr Písař <[email protected]> +--- + src/audio/SDL_wave.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c +index 91e89e8..1d446ed 100644 +--- a/src/audio/SDL_wave.c ++++ b/src/audio/SDL_wave.c +@@ -44,12 +44,13 @@ static struct MS_ADPCM_decoder { + struct MS_ADPCM_decodestate state[2]; + } MS_ADPCM_state; + +-static int InitMS_ADPCM(WaveFMT *format) ++static int InitMS_ADPCM(WaveFMT *format, int length) + { +- Uint8 *rogue_feel; ++ Uint8 *rogue_feel, *rogue_feel_end; + int i; + + /* Set the rogue pointer to the MS_ADPCM specific data */ ++ if (length < sizeof(*format)) goto too_short; + MS_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding); + MS_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels); + MS_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency); +@@ -58,9 +59,11 @@ static int InitMS_ADPCM(WaveFMT *format) + MS_ADPCM_state.wavefmt.bitspersample = + SDL_SwapLE16(format->bitspersample); + rogue_feel = (Uint8 *)format+sizeof(*format); ++ rogue_feel_end = (Uint8 *)format + length; + if ( sizeof(*format) == 16 ) { + rogue_feel += sizeof(Uint16); + } ++ if (rogue_feel + 4 > rogue_feel_end) goto too_short; + MS_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1]<<8)|rogue_feel[0]); + rogue_feel += sizeof(Uint16); + MS_ADPCM_state.wNumCoef = ((rogue_feel[1]<<8)|rogue_feel[0]); +@@ -70,12 +73,16 @@ static int InitMS_ADPCM(WaveFMT *format) + return(-1); + } + for ( i=0; i<MS_ADPCM_state.wNumCoef; ++i ) { ++ if (rogue_feel + 4 > rogue_feel_end) goto too_short; + MS_ADPCM_state.aCoeff[i][0] = ((rogue_feel[1]<<8)|rogue_feel[0]); + rogue_feel += sizeof(Uint16); + MS_ADPCM_state.aCoeff[i][1] = ((rogue_feel[1]<<8)|rogue_feel[0]); + rogue_feel += sizeof(Uint16); + } + return(0); ++too_short: ++ SDL_SetError("Unexpected length of a chunk with a MS ADPCM format"); ++ return(-1); + } + + static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state, +@@ -485,7 +492,7 @@ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc, + break; + case MS_ADPCM_CODE: + /* Try to understand this */ +- if ( InitMS_ADPCM(format) < 0 ) { ++ if ( InitMS_ADPCM(format, lenread) < 0 ) { + was_error = 1; + goto done; + } +-- +2.20.1 + Added: sdl/trunk/SDL-1.2.15-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch =================================================================== --- sdl/trunk/SDL-1.2.15-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch (rev 0) +++ sdl/trunk/SDL-1.2.15-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch 2021-03-01 13:25:43 UTC (rev 876395) @@ -0,0 +1,71 @@ +From 9b2eee24768889378032077423cb6a3221a8ad18 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <[email protected]> +Date: Thu, 14 Feb 2019 15:41:47 +0100 +Subject: [PATCH] CVE-2019-7574: Fix a buffer overread in IMA_ADPCM_decode +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If data chunk was shorter than expected based on a WAV format +definition, IMA_ADPCM_decode() tried to read past the data chunk +buffer. This patch fixes it. + +CVE-2019-7574 +https://bugzilla.libsdl.org/show_bug.cgi?id=4496 + +Signed-off-by: Petr Písař <[email protected]> +--- + src/audio/SDL_wave.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c +index b6c49de..2968b3d 100644 +--- a/src/audio/SDL_wave.c ++++ b/src/audio/SDL_wave.c +@@ -334,7 +334,7 @@ static void Fill_IMA_ADPCM_block(Uint8 *decoded, Uint8 *encoded, + static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + { + struct IMA_ADPCM_decodestate *state; +- Uint8 *freeable, *encoded, *decoded; ++ Uint8 *freeable, *encoded, *encoded_end, *decoded; + Sint32 encoded_len, samplesleft; + unsigned int c, channels; + +@@ -350,6 +350,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + /* Allocate the proper sized output buffer */ + encoded_len = *audio_len; + encoded = *audio_buf; ++ encoded_end = encoded + encoded_len; + freeable = *audio_buf; + *audio_len = (encoded_len/IMA_ADPCM_state.wavefmt.blockalign) * + IMA_ADPCM_state.wSamplesPerBlock* +@@ -365,6 +366,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) { + /* Grab the initial information for this block */ + for ( c=0; c<channels; ++c ) { ++ if (encoded + 4 > encoded_end) goto invalid_size; + /* Fill the state information for this block */ + state[c].sample = ((encoded[1]<<8)|encoded[0]); + encoded += 2; +@@ -387,6 +389,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + samplesleft = (IMA_ADPCM_state.wSamplesPerBlock-1)*channels; + while ( samplesleft > 0 ) { + for ( c=0; c<channels; ++c ) { ++ if (encoded + 4 > encoded_end) goto invalid_size; + Fill_IMA_ADPCM_block(decoded, encoded, + c, channels, &state[c]); + encoded += 4; +@@ -398,6 +401,10 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + } + SDL_free(freeable); + return(0); ++invalid_size: ++ SDL_SetError("Unexpected chunk length for an IMA ADPCM decoder"); ++ SDL_free(freeable); ++ return(-1); + } + + SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc, +-- +2.20.1 + Added: sdl/trunk/SDL-1.2.15-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch =================================================================== --- sdl/trunk/SDL-1.2.15-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch (rev 0) +++ sdl/trunk/SDL-1.2.15-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch 2021-03-01 13:25:43 UTC (rev 876395) @@ -0,0 +1,84 @@ +From e1f80cadb079e35103e6eebf160a818815c823df Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <[email protected]> +Date: Thu, 14 Feb 2019 14:51:52 +0100 +Subject: [PATCH] CVE-2019-7575: Fix a buffer overwrite in MS_ADPCM_decode +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If a WAV format defines shorter audio stream and decoded MS ADPCM data chunk +is longer, decoding continued past the output audio buffer. + +This fix is based on a patch from +<https://bugzilla.libsdl.org/show_bug.cgi?id=4492>. + +https://bugzilla.libsdl.org/show_bug.cgi?id=4493 +CVE-2019-7575 + +Signed-off-by: Petr Písař <[email protected]> +--- + src/audio/SDL_wave.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c +index e42d01c..b6c49de 100644 +--- a/src/audio/SDL_wave.c ++++ b/src/audio/SDL_wave.c +@@ -115,7 +115,7 @@ static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state, + static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + { + struct MS_ADPCM_decodestate *state[2]; +- Uint8 *freeable, *encoded, *encoded_end, *decoded; ++ Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end; + Sint32 encoded_len, samplesleft; + Sint8 nybble, stereo; + Sint16 *coeff[2]; +@@ -135,6 +135,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + return(-1); + } + decoded = *audio_buf; ++ decoded_end = decoded + *audio_len; + + /* Get ready... Go! */ + stereo = (MS_ADPCM_state.wavefmt.channels == 2); +@@ -142,7 +143,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + state[1] = &MS_ADPCM_state.state[stereo]; + while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) { + /* Grab the initial information for this block */ +- if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto too_short; ++ if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto invalid_size; + state[0]->hPredictor = *encoded++; + if ( stereo ) { + state[1]->hPredictor = *encoded++; +@@ -169,6 +170,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + coeff[1] = MS_ADPCM_state.aCoeff[state[1]->hPredictor]; + + /* Store the two initial samples we start with */ ++ if (decoded + 4 + (stereo ? 4 : 0) > decoded_end) goto invalid_size; + decoded[0] = state[0]->iSamp2&0xFF; + decoded[1] = state[0]->iSamp2>>8; + decoded += 2; +@@ -190,7 +192,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)* + MS_ADPCM_state.wavefmt.channels; + while ( samplesleft > 0 ) { +- if (encoded + 1 > encoded_end) goto too_short; ++ if (encoded + 1 > encoded_end) goto invalid_size; ++ if (decoded + 4 > decoded_end) goto invalid_size; + + nybble = (*encoded)>>4; + new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]); +@@ -213,8 +216,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + } + SDL_free(freeable); + return(0); +-too_short: +- SDL_SetError("Too short chunk for a MS ADPCM decoder"); ++invalid_size: ++ SDL_SetError("Unexpected chunk length for a MS ADPCM decoder"); + SDL_free(freeable); + return(-1); + } +-- +2.20.1 + Added: sdl/trunk/SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch =================================================================== --- sdl/trunk/SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch (rev 0) +++ sdl/trunk/SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch 2021-03-01 13:25:43 UTC (rev 876395) @@ -0,0 +1,75 @@ +From ac3d0d365b1f01a6782565feda0c7432a5795671 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <[email protected]> +Date: Thu, 14 Feb 2019 14:12:22 +0100 +Subject: [PATCH] CVE-2019-7577: Fix a buffer overread in MS_ADPCM_decode +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If RIFF/WAV data chunk length is shorter then expected for an audio +format defined in preceeding RIFF/WAV format headers, a buffer +overread can happen. + +This patch fixes it by checking a MS ADPCM data to be decoded are not +past the initialized buffer. + +CVE-2019-7577 +Reproducer: https://bugzilla.libsdl.org/show_bug.cgi?id=4492 + +Signed-off-by: Petr Písař <[email protected]> +--- + src/audio/SDL_wave.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c +index b4ad6c7..e42d01c 100644 +--- a/src/audio/SDL_wave.c ++++ b/src/audio/SDL_wave.c +@@ -115,7 +115,7 @@ static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state, + static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + { + struct MS_ADPCM_decodestate *state[2]; +- Uint8 *freeable, *encoded, *decoded; ++ Uint8 *freeable, *encoded, *encoded_end, *decoded; + Sint32 encoded_len, samplesleft; + Sint8 nybble, stereo; + Sint16 *coeff[2]; +@@ -124,6 +124,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + /* Allocate the proper sized output buffer */ + encoded_len = *audio_len; + encoded = *audio_buf; ++ encoded_end = encoded + encoded_len; + freeable = *audio_buf; + *audio_len = (encoded_len/MS_ADPCM_state.wavefmt.blockalign) * + MS_ADPCM_state.wSamplesPerBlock* +@@ -141,6 +142,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + state[1] = &MS_ADPCM_state.state[stereo]; + while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) { + /* Grab the initial information for this block */ ++ if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto too_short; + state[0]->hPredictor = *encoded++; + if ( stereo ) { + state[1]->hPredictor = *encoded++; +@@ -188,6 +190,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)* + MS_ADPCM_state.wavefmt.channels; + while ( samplesleft > 0 ) { ++ if (encoded + 1 > encoded_end) goto too_short; ++ + nybble = (*encoded)>>4; + new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]); + decoded[0] = new_sample&0xFF; +@@ -209,6 +213,10 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + } + SDL_free(freeable); + return(0); ++too_short: ++ SDL_SetError("Too short chunk for a MS ADPCM decoder"); ++ SDL_free(freeable); ++ return(-1); + } + + struct IMA_ADPCM_decodestate { +-- +2.20.1 + Added: sdl/trunk/SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch =================================================================== --- sdl/trunk/SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch (rev 0) +++ sdl/trunk/SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch 2021-03-01 13:25:43 UTC (rev 876395) @@ -0,0 +1,57 @@ +From 69cd6157644cb0a5c9edd7b5920232c2ca31c151 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <[email protected]> +Date: Tue, 12 Mar 2019 16:21:41 +0100 +Subject: [PATCH] CVE-2019-7577: Fix a buffer overread in MS_ADPCM_nibble and + MS_ADPCM_decode +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If a chunk of RIFF/WAV file with MS ADPCM encoding contains an invalid +predictor (a valid predictor's value is between 0 and 6 inclusive), +a buffer overread can happen when the predictor is used as an index +into an array of MS ADPCM coefficients. + +The overead happens when indexing MS_ADPCM_state.aCoeff[] array in +MS_ADPCM_decode() and later when dereferencing a coef pointer in +MS_ADPCM_nibble(). + +This patch fixes it by checking the MS ADPCM predictor values fit +into the valid range. + +CVE-2019-7577 +Reproducer: https://bugzilla.libsdl.org/show_bug.cgi?id=4492 + +Signed-off-by: Petr Písař <[email protected]> +--- + src/audio/SDL_wave.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c +index 08f65cb..5f93651 100644 +--- a/src/audio/SDL_wave.c ++++ b/src/audio/SDL_wave.c +@@ -155,6 +155,9 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + if ( stereo ) { + state[1]->hPredictor = *encoded++; + } ++ if (state[0]->hPredictor >= 7 || state[1]->hPredictor >= 7) { ++ goto invalid_predictor; ++ } + state[0]->iDelta = ((encoded[1]<<8)|encoded[0]); + encoded += sizeof(Sint16); + if ( stereo ) { +@@ -227,6 +230,10 @@ invalid_size: + SDL_SetError("Unexpected chunk length for a MS ADPCM decoder"); + SDL_free(freeable); + return(-1); ++invalid_predictor: ++ SDL_SetError("Invalid predictor value for a MS ADPCM decoder"); ++ SDL_free(freeable); ++ return(-1); + } + + struct IMA_ADPCM_decodestate { +-- +2.20.1 + Added: sdl/trunk/SDL-1.2.15-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch =================================================================== --- sdl/trunk/SDL-1.2.15-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch (rev 0) +++ sdl/trunk/SDL-1.2.15-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch 2021-03-01 13:25:43 UTC (rev 876395) @@ -0,0 +1,67 @@ +From 0eb76f6cabcffa2104e34c26e0f41e6de95356ff Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <[email protected]> +Date: Fri, 15 Feb 2019 10:56:59 +0100 +Subject: [PATCH] CVE-2019-7578: Fix a buffer overread in InitIMA_ADPCM +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If IMA ADPCM format chunk was too short, InitIMA_ADPCM() parsing it +could read past the end of chunk data. This patch fixes it. + +CVE-2019-7578 +https://bugzilla.libsdl.org/show_bug.cgi?id=4494 + +Signed-off-by: Petr Písař <[email protected]> +--- + src/audio/SDL_wave.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c +index 1d446ed..08f65cb 100644 +--- a/src/audio/SDL_wave.c ++++ b/src/audio/SDL_wave.c +@@ -240,11 +240,12 @@ static struct IMA_ADPCM_decoder { + struct IMA_ADPCM_decodestate state[2]; + } IMA_ADPCM_state; + +-static int InitIMA_ADPCM(WaveFMT *format) ++static int InitIMA_ADPCM(WaveFMT *format, int length) + { +- Uint8 *rogue_feel; ++ Uint8 *rogue_feel, *rogue_feel_end; + + /* Set the rogue pointer to the IMA_ADPCM specific data */ ++ if (length < sizeof(*format)) goto too_short; + IMA_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding); + IMA_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels); + IMA_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency); +@@ -253,11 +254,16 @@ static int InitIMA_ADPCM(WaveFMT *format) + IMA_ADPCM_state.wavefmt.bitspersample = + SDL_SwapLE16(format->bitspersample); + rogue_feel = (Uint8 *)format+sizeof(*format); ++ rogue_feel_end = (Uint8 *)format + length; + if ( sizeof(*format) == 16 ) { + rogue_feel += sizeof(Uint16); + } ++ if (rogue_feel + 2 > rogue_feel_end) goto too_short; + IMA_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1]<<8)|rogue_feel[0]); + return(0); ++too_short: ++ SDL_SetError("Unexpected length of a chunk with an IMA ADPCM format"); ++ return(-1); + } + + static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble) +@@ -500,7 +506,7 @@ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc, + break; + case IMA_ADPCM_CODE: + /* Try to understand this */ +- if ( InitIMA_ADPCM(format) < 0 ) { ++ if ( InitIMA_ADPCM(format, lenread) < 0 ) { + was_error = 1; + goto done; + } +-- +2.20.1 + Added: sdl/trunk/SDL-1.2.15-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch =================================================================== --- sdl/trunk/SDL-1.2.15-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch (rev 0) +++ sdl/trunk/SDL-1.2.15-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch 2021-03-01 13:25:43 UTC (rev 876395) @@ -0,0 +1,67 @@ +From beef32b0e510371f3c968d22a1e3d48abbf366c6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <[email protected]> +Date: Tue, 19 Feb 2019 14:52:52 +0100 +Subject: [PATCH] CVE-2019-7635: Reject BMP images with pixel colors out the + palette +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If a 1-, 4-, or 8-bit per pixel BMP image declares less used colors +than the palette offers an SDL_Surface with a palette of the indicated +number of used colors is created. If some of the image's pixel +refer to a color number higher then the maximal used colors, a subsequent +bliting operation on the surface will look up a color past a blit map +(that is based on the palette) memory. I.e. passing such SDL_Surface +to e.g. an SDL_DisplayFormat() function will result in a buffer overread in +a blit function. + +This patch fixes it by validing each pixel's color to be less than the +maximal color number in the palette. A validation failure raises an +error from a SDL_LoadBMP_RW() function. + +CVE-2019-7635 +https://bugzilla.libsdl.org/show_bug.cgi?id=4498 + +Signed-off-by: Petr Písař <[email protected]> +--- + src/video/SDL_bmp.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c +index 3accded..8eadc5f 100644 +--- a/src/video/SDL_bmp.c ++++ b/src/video/SDL_bmp.c +@@ -300,6 +300,12 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc) + } + *(bits+i) = (pixel>>shift); + pixel <<= ExpandBMP; ++ if ( bits[i] >= biClrUsed ) { ++ SDL_SetError( ++ "A BMP image contains a pixel with a color out of the palette"); ++ was_error = SDL_TRUE; ++ goto done; ++ } + } } + break; + +@@ -310,6 +316,16 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc) + was_error = SDL_TRUE; + goto done; + } ++ if ( 8 == biBitCount && palette && biClrUsed < (1 << biBitCount ) ) { ++ for ( i=0; i<surface->w; ++i ) { ++ if ( bits[i] >= biClrUsed ) { ++ SDL_SetError( ++ "A BMP image contains a pixel with a color out of the palette"); ++ was_error = SDL_TRUE; ++ goto done; ++ } ++ } ++ } + #if SDL_BYTEORDER == SDL_BIG_ENDIAN + /* Byte-swap the pixels if needed. Note that the 24bpp + case has already been taken care of above. */ +-- +2.20.1 + Added: sdl/trunk/SDL-1.2.15-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch =================================================================== --- sdl/trunk/SDL-1.2.15-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch (rev 0) +++ sdl/trunk/SDL-1.2.15-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch 2021-03-01 13:25:43 UTC (rev 876395) @@ -0,0 +1,209 @@ +From cc50d843089c8cf386c3e0f9cb2fae0b258a9b7b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <[email protected]> +Date: Mon, 18 Feb 2019 13:53:16 +0100 +Subject: [PATCH] CVE-2019-7637: Fix in integer overflow in SDL_CalculatePitch +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If a too large width is passed to SDL_SetVideoMode() the width travels +to SDL_CalculatePitch() where the width (e.g. 65535) is multiplied by +BytesPerPixel (e.g. 4) and the result is stored into Uint16 pitch +variable. During this arithmetics an integer overflow can happen (e.g. +the value is clamped as 65532). As a result SDL_Surface with a pitch +smaller than width * BytesPerPixel is created, too small pixel buffer +is allocated and when the SDL_Surface is processed in SDL_FillRect() +a buffer overflow occurs. + +This can be reproduced with "./graywin -width 21312312313123213213213" +command. + +This patch fixes is by using a very careful arithmetics in +SDL_CalculatePitch(). If an overflow is detected, an error is reported +back as a special 0 value. We assume that 0-width surfaces do not +occur in the wild. Since SDL_CalculatePitch() is a private function, +we can change the semantics. + +CVE-2019-7637 +https://bugzilla.libsdl.org/show_bug.cgi?id=4497 + +Signed-off-by: Petr Písař <[email protected]> +--- + src/video/SDL_pixels.c | 41 +++++++++++++++++++++++++++------ + src/video/gapi/SDL_gapivideo.c | 3 +++ + src/video/nanox/SDL_nxvideo.c | 4 ++++ + src/video/ps2gs/SDL_gsvideo.c | 3 +++ + src/video/ps3/SDL_ps3video.c | 3 +++ + src/video/windib/SDL_dibvideo.c | 3 +++ + src/video/windx5/SDL_dx5video.c | 3 +++ + src/video/x11/SDL_x11video.c | 4 ++++ + 8 files changed, 57 insertions(+), 7 deletions(-) + +diff --git a/src/video/SDL_pixels.c b/src/video/SDL_pixels.c +index 1a7fd51..44626b7 100644 +--- a/src/video/SDL_pixels.c ++++ b/src/video/SDL_pixels.c +@@ -286,26 +286,53 @@ void SDL_DitherColors(SDL_Color *colors, int bpp) + } + } + /* +- * Calculate the pad-aligned scanline width of a surface ++ * Calculate the pad-aligned scanline width of a surface. Return 0 in case of ++ * an error. + */ + Uint16 SDL_CalculatePitch(SDL_Surface *surface) + { +- Uint16 pitch; ++ unsigned int pitch = 0; + + /* Surface should be 4-byte aligned for speed */ +- pitch = surface->w*surface->format->BytesPerPixel; ++ /* The code tries to prevent from an Uint16 overflow. */; ++ for (Uint8 byte = surface->format->BytesPerPixel; byte; byte--) { ++ pitch += (unsigned int)surface->w; ++ if (pitch < surface->w) { ++ SDL_SetError("A scanline is too wide"); ++ return(0); ++ } ++ } + switch (surface->format->BitsPerPixel) { + case 1: +- pitch = (pitch+7)/8; ++ if (pitch % 8) { ++ pitch = pitch / 8 + 1; ++ } else { ++ pitch = pitch / 8; ++ } + break; + case 4: +- pitch = (pitch+1)/2; ++ if (pitch % 2) { ++ pitch = pitch / 2 + 1; ++ } else { ++ pitch = pitch / 2; ++ } + break; + default: + break; + } +- pitch = (pitch + 3) & ~3; /* 4-byte aligning */ +- return(pitch); ++ /* 4-byte aligning */ ++ if (pitch & 3) { ++ if (pitch + 3 < pitch) { ++ SDL_SetError("A scanline is too wide"); ++ return(0); ++ } ++ pitch = (pitch + 3) & ~3; ++ } ++ if (pitch > 0xFFFF) { ++ SDL_SetError("A scanline is too wide"); ++ return(0); ++ } ++ return((Uint16)pitch); + } + /* + * Match an RGB value to a particular palette index +diff --git a/src/video/gapi/SDL_gapivideo.c b/src/video/gapi/SDL_gapivideo.c +index 86deadc..8a06485 100644 +--- a/src/video/gapi/SDL_gapivideo.c ++++ b/src/video/gapi/SDL_gapivideo.c +@@ -733,6 +733,9 @@ SDL_Surface *GAPI_SetVideoMode(_THIS, SDL_Surface *current, + video->w = gapi->w = width; + video->h = gapi->h = height; + video->pitch = SDL_CalculatePitch(video); ++ if (!current->pitch) { ++ return(NULL); ++ } + + /* Small fix for WinCE/Win32 - when activating window + SDL_VideoSurface is equal to zero, so activating code +diff --git a/src/video/nanox/SDL_nxvideo.c b/src/video/nanox/SDL_nxvideo.c +index b188e09..cbdd09a 100644 +--- a/src/video/nanox/SDL_nxvideo.c ++++ b/src/video/nanox/SDL_nxvideo.c +@@ -378,6 +378,10 @@ SDL_Surface * NX_SetVideoMode (_THIS, SDL_Surface * current, + current -> w = width ; + current -> h = height ; + current -> pitch = SDL_CalculatePitch (current) ; ++ if (!current->pitch) { ++ current = NULL; ++ goto done; ++ } + NX_ResizeImage (this, current, flags) ; + } + +diff --git a/src/video/ps2gs/SDL_gsvideo.c b/src/video/ps2gs/SDL_gsvideo.c +index e172c60..3290866 100644 +--- a/src/video/ps2gs/SDL_gsvideo.c ++++ b/src/video/ps2gs/SDL_gsvideo.c +@@ -479,6 +479,9 @@ static SDL_Surface *GS_SetVideoMode(_THIS, SDL_Surface *current, + current->w = width; + current->h = height; + current->pitch = SDL_CalculatePitch(current); ++ if (!current->pitch) { ++ return(NULL); ++ } + + /* Memory map the DMA area for block memory transfer */ + if ( ! mapped_mem ) { +diff --git a/src/video/ps3/SDL_ps3video.c b/src/video/ps3/SDL_ps3video.c +index d5519e0..17848e3 100644 +--- a/src/video/ps3/SDL_ps3video.c ++++ b/src/video/ps3/SDL_ps3video.c +@@ -339,6 +339,9 @@ static SDL_Surface *PS3_SetVideoMode(_THIS, SDL_Surface * current, int width, in + current->w = width; + current->h = height; + current->pitch = SDL_CalculatePitch(current); ++ if (!current->pitch) { ++ return(NULL); ++ } + + /* Alloc aligned mem for current->pixels */ + s_pixels = memalign(16, current->h * current->pitch); +diff --git a/src/video/windib/SDL_dibvideo.c b/src/video/windib/SDL_dibvideo.c +index 6187bfc..86ebb12 100644 +--- a/src/video/windib/SDL_dibvideo.c ++++ b/src/video/windib/SDL_dibvideo.c +@@ -675,6 +675,9 @@ SDL_Surface *DIB_SetVideoMode(_THIS, SDL_Surface *current, + video->w = width; + video->h = height; + video->pitch = SDL_CalculatePitch(video); ++ if (!current->pitch) { ++ return(NULL); ++ } + + /* Small fix for WinCE/Win32 - when activating window + SDL_VideoSurface is equal to zero, so activating code +diff --git a/src/video/windx5/SDL_dx5video.c b/src/video/windx5/SDL_dx5video.c +index f80ca97..39fc4fc 100644 +--- a/src/video/windx5/SDL_dx5video.c ++++ b/src/video/windx5/SDL_dx5video.c +@@ -1127,6 +1127,9 @@ SDL_Surface *DX5_SetVideoMode(_THIS, SDL_Surface *current, + video->w = width; + video->h = height; + video->pitch = SDL_CalculatePitch(video); ++ if (!current->pitch) { ++ return(NULL); ++ } + + #ifndef NO_CHANGEDISPLAYSETTINGS + /* Set fullscreen mode if appropriate. +diff --git a/src/video/x11/SDL_x11video.c b/src/video/x11/SDL_x11video.c +index 79e60f9..45d1f79 100644 +--- a/src/video/x11/SDL_x11video.c ++++ b/src/video/x11/SDL_x11video.c +@@ -1220,6 +1220,10 @@ SDL_Surface *X11_SetVideoMode(_THIS, SDL_Surface *current, + current->w = width; + current->h = height; + current->pitch = SDL_CalculatePitch(current); ++ if (!current->pitch) { ++ current = NULL; ++ goto done; ++ } + if (X11_ResizeImage(this, current, flags) < 0) { + current = NULL; + goto done; +-- +2.20.1 + Added: sdl/trunk/SDL-1.2.15-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch =================================================================== --- sdl/trunk/SDL-1.2.15-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch (rev 0) +++ sdl/trunk/SDL-1.2.15-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch 2021-03-01 13:25:43 UTC (rev 876395) @@ -0,0 +1,56 @@ +From 28b1433b4bd7982524f2418420e8cc01786df5c4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <[email protected]> +Date: Fri, 15 Feb 2019 16:52:27 +0100 +Subject: [PATCH] CVE-2019-7638, CVE-2019-7636: Refuse loading BMP images with + too high number of colors +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If a BMP file that defines more colors than can fit into +a palette of color depth defined in the same BMP file is loaded by +SDL_LoadBMP_RW() function, invalid number of colors is set into +resulting SDL surface. + +Then if the SDL surface is passed to SDL_DisplayFormat() function to +convert the surface format into a native video format, a buffer +overread will happen in Map1to1() or Map1toN() function +(CVE-2019-7638). (The choice of the mapping function depends on +a actual video hardware.) + +In addition SDL_GetRGB() called indirectly from SDL_DisplayFormat() +performs the same buffer overread (CVE-2019-7636). + +There is also probably a buffer overwrite when the SDL_LoadBMP_RW() +loads colors from a file. + +This patch fixes it by refusing loading such badly damaged BMP files. + +CVE-2019-7638 +https://bugzilla.libsdl.org/show_bug.cgi?id=4500 +CVE-2019-7636 +https://bugzilla.libsdl.org/show_bug.cgi?id=4499 + +Signed-off-by: Petr Písař <[email protected]> +--- + src/video/SDL_bmp.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c +index d56cfd8..3accded 100644 +--- a/src/video/SDL_bmp.c ++++ b/src/video/SDL_bmp.c +@@ -233,6 +233,10 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc) + if ( palette ) { + if ( biClrUsed == 0 ) { + biClrUsed = 1 << biBitCount; ++ } else if ( biClrUsed > (1 << biBitCount) ) { ++ SDL_SetError("BMP file has an invalid number of colors"); ++ was_error = SDL_TRUE; ++ goto done; + } + if ( biSize == 12 ) { + for ( i = 0; i < (int)biClrUsed; ++i ) { +-- +2.20.1 + Added: sdl/trunk/SDL-1.2.15-Reject-2-3-5-6-7-bpp-BMP-images.patch =================================================================== --- sdl/trunk/SDL-1.2.15-Reject-2-3-5-6-7-bpp-BMP-images.patch (rev 0) +++ sdl/trunk/SDL-1.2.15-Reject-2-3-5-6-7-bpp-BMP-images.patch 2021-03-01 13:25:43 UTC (rev 876395) @@ -0,0 +1,42 @@ +From 70c3d0e97755e1b208ceba2ae012877797f15627 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <[email protected]> +Date: Thu, 21 Feb 2019 10:57:41 +0100 +Subject: [PATCH] Reject 2, 3, 5, 6, 7-bpp BMP images +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BMP decoder assumes less than 8 bit depth images have 1 or 4 bits +per pixel. No other depths are correctly translated to an 8bpp +surface. + +This patch rejects loading these images. + +https://bugzilla.libsdl.org/show_bug.cgi?id=4498 +Signed-off-by: Petr Písař <[email protected]> +--- + src/video/SDL_bmp.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c +index 8eadc5f..758d4bb 100644 +--- a/src/video/SDL_bmp.c ++++ b/src/video/SDL_bmp.c +@@ -163,6 +163,14 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc) + ExpandBMP = biBitCount; + biBitCount = 8; + break; ++ case 2: ++ case 3: ++ case 5: ++ case 6: ++ case 7: ++ SDL_SetError("%d-bpp BMP images are not supported", biBitCount); ++ was_error = SDL_TRUE; ++ goto done; + default: + ExpandBMP = 0; + break; +-- +2.20.1 + Added: sdl/trunk/SDL-1.2.15-SDL_EnableUNICODE_drops_keyboard_events.patch =================================================================== --- sdl/trunk/SDL-1.2.15-SDL_EnableUNICODE_drops_keyboard_events.patch (rev 0) +++ sdl/trunk/SDL-1.2.15-SDL_EnableUNICODE_drops_keyboard_events.patch 2021-03-01 13:25:43 UTC (rev 876395) @@ -0,0 +1,73 @@ +# HG changeset patch +# User Sam Lantinga <[email protected]> +# Date 1397799374 25200 +# Thu Apr 17 22:36:14 2014 -0700 +# Branch SDL-1.2 +# Node ID 0aade9c0203f717fe4b823a176c3c040f1a709f8 +# Parent 22a7f096bb9d4d596f35a93e33608825693462b0 +Fixed bug 2325 - SDL_EnableUNICODE sometimes drops keyboard events completely + +Rafał Mużyło + +The most annoying part of this bug is that though I've found it in two separate apps, I don't have a trivial testcase for it. + +The problem seems to be a condition race, as it's triggered quite randomly (therefore it will be hard to tell whether it really gets fixed, if a probable fix is found). + +While it's specific to SDL 1.2, it seems quite similar to the problem described and fixed in http://forums.libsdl.org/viewtopic.php?p=40503. + +Now, I should start describing the problem. + +A game uses Escape to open menu (the exact key might not be important). Upon opening, it calls SDL_EnableUNICODE(1). Upon closing it calls SDL_EnableUNICODE(0). + +I have an IME running. + +Game uses SDL_PollEvent to get the events. + +If Escape is pressed repeatedly, menu is opened and closed, till it eventually freezes in open state. +"freezes" in this context means "app itself still runs, but no keyboard events are getting delivered (though - for example - mouse events still are)". "getting delivered" should mean "SDL_PollEvent is not receiving any". +If it matters, the last delivered keyboard event is a keypress, the release never arrives. + +It seems (no guarantees, due to random nature of the freeze) that unsetting XMODIFIERS (which - AFAIU - will disable IME as far as SDL is concerned) prevents the freeze, therefore the reference to that SDL2 thread. + +diff -r 22a7f096bb9d -r 0aade9c0203f src/video/x11/SDL_x11events.c +--- a/src/video/x11/SDL_x11events.c Sun Dec 01 00:00:17 2013 -0500 ++++ b/src/video/x11/SDL_x11events.c Thu Apr 17 22:36:14 2014 -0700 +@@ -395,6 +395,8 @@ + { + int posted; + XEvent xevent; ++ int orig_event_type; ++ KeyCode orig_keycode; + + SDL_memset(&xevent, '\0', sizeof (XEvent)); /* valgrind fix. --ryan. */ + XNextEvent(SDL_Display, &xevent); +@@ -410,9 +412,29 @@ + #ifdef X_HAVE_UTF8_STRING + /* If we are translating with IM, we need to pass all events + to XFilterEvent, and discard those filtered events immediately. */ ++ orig_event_type = xevent.type; ++ if (orig_event_type == KeyPress || orig_event_type == KeyRelease) { ++ orig_keycode = xevent.xkey.keycode; ++ } else { ++ orig_keycode = 0; ++ } + if ( SDL_TranslateUNICODE + && SDL_IM != NULL + && XFilterEvent(&xevent, None) ) { ++ if (orig_keycode) { ++ SDL_keysym keysym; ++ static XComposeStatus state; ++ char keybuf[32]; ++ ++ keysym.scancode = xevent.xkey.keycode; ++ keysym.sym = X11_TranslateKeycode(SDL_Display, xevent.xkey.keycode); ++ keysym.mod = KMOD_NONE; ++ keysym.unicode = 0; ++ if (orig_event_type == KeyPress && XLookupString(&xevent.xkey, keybuf, sizeof(keybuf), NULL, &state)) ++ keysym.unicode = (Uint8)keybuf[0]; ++ ++ SDL_PrivateKeyboard(orig_event_type == KeyPress ? SDL_PRESSED : SDL_RELEASED, &keysym); ++ } + return 0; + } + #endif Added: sdl/trunk/SDL-1.2.15-const_XData32.patch =================================================================== --- sdl/trunk/SDL-1.2.15-const_XData32.patch (rev 0) +++ sdl/trunk/SDL-1.2.15-const_XData32.patch 2021-03-01 13:25:43 UTC (rev 876395) @@ -0,0 +1,16 @@ +libX11-1.5.99.901 has changed prototype of _XData32 + +<http://bugzilla.libsdl.org/show_bug.cgi?id=1769> + +diff -r b6b2829cd7ef src/video/x11/SDL_x11sym.h +--- a/src/video/x11/SDL_x11sym.h Wed Feb 27 15:20:31 2013 -0800 ++++ b/src/video/x11/SDL_x11sym.h Wed Mar 27 16:07:23 2013 +0100 +@@ -165,7 +165,7 @@ + */ + #ifdef LONG64 + SDL_X11_MODULE(IO_32BIT) +-SDL_X11_SYM(int,_XData32,(Display *dpy,register long *data,unsigned len),(dpy,data,len),return) ++SDL_X11_SYM(int,_XData32,(Display *dpy,register _Xconst long *data,unsigned len),(dpy,data,len),return) + SDL_X11_SYM(void,_XRead32,(Display *dpy,register long *data,long len),(dpy,data,len),) + #endif + Added: sdl/trunk/SDL-1.2.15-ignore_insane_joystick_axis.patch =================================================================== --- sdl/trunk/SDL-1.2.15-ignore_insane_joystick_axis.patch (rev 0) +++ sdl/trunk/SDL-1.2.15-ignore_insane_joystick_axis.patch 2021-03-01 13:25:43 UTC (rev 876395) @@ -0,0 +1,20 @@ +changeset: 6324:95abff7adcc2 +branch: SDL-1.2 +parent: 6306:2b923729fd01 +user: Ryan C. Gordon <[email protected]> +date: Sun Jun 03 04:49:25 2012 -0400 +summary: Linux evdev: ignore joystick axis events if they aren't in a sane range. + +diff -r 2b923729fd01 -r 95abff7adcc2 src/joystick/linux/SDL_sysjoystick.c +--- a/src/joystick/linux/SDL_sysjoystick.c Sat May 12 23:32:51 2012 -0700 ++++ b/src/joystick/linux/SDL_sysjoystick.c Sun Jun 03 04:49:25 2012 -0400 +@@ -1106,6 +1106,9 @@ + } + break; + case EV_ABS: ++ if (code > ABS_MISC) { ++ break; ++ } + switch (code) { + case ABS_HAT0X: + case ABS_HAT0Y: Added: sdl/trunk/SDL-1.2.15-no-default-backing-store.patch =================================================================== --- sdl/trunk/SDL-1.2.15-no-default-backing-store.patch (rev 0) +++ sdl/trunk/SDL-1.2.15-no-default-backing-store.patch 2021-03-01 13:25:43 UTC (rev 876395) @@ -0,0 +1,24 @@ +Do not harness backing store by default + +xorg-server 1.15 enables backing store if composite extension is enabled +(default settings). Harnessing backing store through compositor leads to +tearing effect. + +This patch reverts default harnessing backing store to conditional use if +SDL_VIDEO_X11_BACKINGSTORE environment variable exists. + +<https://bugzilla.libsdl.org/show_bug.cgi?id=2383> +<https://bugzilla.redhat.com/show_bug.cgi?id=1073057> + +diff -up SDL-1.2.15/src/video/x11/SDL_x11video.c.jx SDL-1.2.15/src/video/x11/SDL_x11video.c +--- SDL-1.2.15/src/video/x11/SDL_x11video.c.jx 2012-01-19 01:30:06.000000000 -0500 ++++ SDL-1.2.15/src/video/x11/SDL_x11video.c 2014-03-04 14:39:34.691545549 -0500 +@@ -1088,7 +1088,7 @@ static int X11_CreateWindow(_THIS, SDL_S + } + } + +-#if 0 /* This is an experiment - are the graphics faster now? - nope. */ ++#if 1 /* This is an experiment - are the graphics faster now? - nope. */ + if ( SDL_getenv("SDL_VIDEO_X11_BACKINGSTORE") ) + #endif + /* Cache the window in the server, when possible */ Added: sdl/trunk/SDL-1.2.15-x11-Bypass-SetGammaRamp-when-changing-gamma.patch =================================================================== --- sdl/trunk/SDL-1.2.15-x11-Bypass-SetGammaRamp-when-changing-gamma.patch (rev 0) +++ sdl/trunk/SDL-1.2.15-x11-Bypass-SetGammaRamp-when-changing-gamma.patch 2021-03-01 13:25:43 UTC (rev 876395) @@ -0,0 +1,44 @@ +From 4b56fa058a45b7c804d1a5fcaf7a70db0bd0581c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <[email protected]> +Date: Tue, 1 Jan 2013 21:25:15 +0100 +Subject: [PATCH] x11: Bypass SetGammaRamp when changing gamma + +Recent Xorg has broken dynamic colors setting, so calling SDL_SetGamme() +does not have any effect here. Recent means xorg-server >= 1.7, since 2010. +See <https://bugs.freedesktop.org/show_bug.cgi?id=27222>. +--- + src/video/SDL_gamma.c | 15 ++------------- + 1 files changed, 2 insertions(+), 13 deletions(-) + +diff --git a/src/video/SDL_gamma.c b/src/video/SDL_gamma.c +index 4fd0370..464ab88 100644 +--- a/src/video/SDL_gamma.c ++++ b/src/video/SDL_gamma.c +@@ -92,22 +92,11 @@ static void CalculateGammaFromRamp(float *gamma, Uint16 *ramp) + + int SDL_SetGamma(float red, float green, float blue) + { +- int succeeded; ++ int succeeded = -1; + SDL_VideoDevice *video = current_video; + SDL_VideoDevice *this = current_video; + +- succeeded = -1; +- /* Prefer using SetGammaRamp(), as it's more flexible */ +- { +- Uint16 ramp[3][256]; +- +- CalculateGammaRamp(red, ramp[0]); +- CalculateGammaRamp(green, ramp[1]); +- CalculateGammaRamp(blue, ramp[2]); +- succeeded = SDL_SetGammaRamp(ramp[0], ramp[1], ramp[2]); +- } +- if ( (succeeded < 0) && video->SetGamma ) { +- SDL_ClearError(); ++ if ( video->SetGamma ) { + succeeded = video->SetGamma(this, red, green, blue); + } + return succeeded; +-- +1.7.8.6 + Added: sdl/trunk/X11_KeyToUnicode.patch =================================================================== --- sdl/trunk/X11_KeyToUnicode.patch (rev 0) +++ sdl/trunk/X11_KeyToUnicode.patch 2021-03-01 13:25:43 UTC (rev 876395) @@ -0,0 +1,52 @@ + +# HG changeset patch +# User Sam Lantinga <[email protected]> +# Date 1327258041 18000 +# Node ID 900a0fae90ca65cff55a70a17b9ec39d2ddccbcf +# Parent 5273dfd19a5e8c5736a0d417bd441f704c5355f8 +Fixed bug 1390 - X11_KeyToUnicode + +manuel.montezelo 2012-01-22 08:56:18 PST + +We had the following bug report at Debian: +http://bugs.debian.org/376560 + +Same one in Ubuntu: +https://bugs.launchpad.net/ubuntu/+source/libsdl1.2/+bug/66217 + +We've been including a patch since then (attached) to actually export the +symbol, since 2006. In the last release the function seems to be there, alive +and kicking. + +It's affecting other people too: +http://www.garagegames.com/community/forums/viewthread/52287 + +diff -r 5273dfd19a5e -r 900a0fae90ca src/video/x11/SDL_x11events.c +--- a/src/video/x11/SDL_x11events.c Sat Jan 21 12:06:51 2012 -0500 ++++ b/src/video/x11/SDL_x11events.c Sun Jan 22 13:47:21 2012 -0500 +@@ -1246,8 +1246,11 @@ + * sequences (dead accents, compose key sequences) will not work since the + * state has been irrevocably lost. + */ ++extern DECLSPEC Uint16 SDLCALL X11_KeyToUnicode(SDLKey, SDLMod); ++ + Uint16 X11_KeyToUnicode(SDLKey keysym, SDLMod modifiers) + { ++ static int warning = 0; + struct SDL_VideoDevice *this = current_video; + char keybuf[32]; + int i; +@@ -1255,6 +1258,12 @@ + XKeyEvent xkey; + Uint16 unicode; + ++ if ( warning ) { ++ warning = 0; ++ fprintf(stderr, "WARNING: Application is using X11_KeyToUnicode().\n"); ++ fprintf(stderr, "This is not an official SDL function, please report this as a bug.\n"); ++ } ++ + if ( !this || !SDL_Display ) { + return 0; + } + Added: sdl/trunk/libsdl-1.2.15-resizing.patch =================================================================== --- sdl/trunk/libsdl-1.2.15-resizing.patch (rev 0) +++ sdl/trunk/libsdl-1.2.15-resizing.patch 2021-03-01 13:25:43 UTC (rev 876395) @@ -0,0 +1,63 @@ +Description: Revert change that breaks window corner resizing + http://bugzilla.libsdl.org/show_bug.cgi?id=1430 +Author: Andrew Caudwell <[email protected]> +Last-Update: 2012-04-10 +Bug-Debian: http://bugs.debian.org/665779 + +diff -r c787fb1b5699 src/video/x11/SDL_x11events.c +--- a/src/video/x11/SDL_x11events.c Mon Feb 20 23:51:08 2012 -0500 ++++ b/src/video/x11/SDL_x11events.c Mon Mar 26 12:26:52 2012 +1300 +@@ -57,12 +57,6 @@ + static SDLKey MISC_keymap[256]; + SDLKey X11_TranslateKeycode(Display *display, KeyCode kc); + +-/* +- Pending resize target for ConfigureNotify (so outdated events don't +- cause inappropriate resize events) +-*/ +-int X11_PendingConfigureNotifyWidth = -1; +-int X11_PendingConfigureNotifyHeight = -1; + + #ifdef X_HAVE_UTF8_STRING + Uint32 Utf8ToUcs4(const Uint8 *utf8) +@@ -825,16 +819,6 @@ + #ifdef DEBUG_XEVENTS + printf("ConfigureNotify! (resize: %dx%d)\n", xevent.xconfigure.width, xevent.xconfigure.height); + #endif +- if ((X11_PendingConfigureNotifyWidth != -1) && +- (X11_PendingConfigureNotifyHeight != -1)) { +- if ((xevent.xconfigure.width != X11_PendingConfigureNotifyWidth) && +- (xevent.xconfigure.height != X11_PendingConfigureNotifyHeight)) { +- /* Event is from before the resize, so ignore. */ +- break; +- } +- X11_PendingConfigureNotifyWidth = -1; +- X11_PendingConfigureNotifyHeight = -1; +- } + if ( SDL_VideoSurface ) { + if ((xevent.xconfigure.width != SDL_VideoSurface->w) || + (xevent.xconfigure.height != SDL_VideoSurface->h)) { +diff -r c787fb1b5699 src/video/x11/SDL_x11events_c.h +--- a/src/video/x11/SDL_x11events_c.h Mon Feb 20 23:51:08 2012 -0500 ++++ b/src/video/x11/SDL_x11events_c.h Mon Mar 26 12:26:52 2012 +1300 +@@ -27,8 +27,3 @@ + extern void X11_InitOSKeymap(_THIS); + extern void X11_PumpEvents(_THIS); + extern void X11_SetKeyboardState(Display *display, const char *key_vec); +- +-/* Variables to be exported */ +-extern int X11_PendingConfigureNotifyWidth; +-extern int X11_PendingConfigureNotifyHeight; +- +diff -r c787fb1b5699 src/video/x11/SDL_x11video.c +--- a/src/video/x11/SDL_x11video.c Mon Feb 20 23:51:08 2012 -0500 ++++ b/src/video/x11/SDL_x11video.c Mon Mar 26 12:26:52 2012 +1300 +@@ -1182,8 +1182,6 @@ + current = NULL; + goto done; + } +- X11_PendingConfigureNotifyWidth = width; +- X11_PendingConfigureNotifyHeight = height; + } else { + if (X11_CreateWindow(this,current,width,height,bpp,flags) < 0) { + current = NULL; Added: sdl/trunk/sdl-1.2.14-disable-mmx.patch =================================================================== --- sdl/trunk/sdl-1.2.14-disable-mmx.patch (rev 0) +++ sdl/trunk/sdl-1.2.14-disable-mmx.patch 2021-03-01 13:25:43 UTC (rev 876395) @@ -0,0 +1,13 @@ +# and another one from FS#26020 + +--- a/src/video/SDL_yuv_sw.c 2009-10-13 06:07:15.000000000 +0700 ++++ b/src/video/SDL_yuv_sw.c 2011-09-20 19:26:30.247742620 +0700 +@@ -89,6 +89,8 @@ + #include "SDL_yuvfuncs.h" + #include "SDL_yuv_sw_c.h" + ++#undef __OPTIMIZE__ ++ + /* The functions used to manipulate software video overlays */ + static struct private_yuvhwfuncs sw_yuvfuncs = { + SDL_LockYUV_SW, Added: sdl/trunk/sdl-1.2.14-fix-mouse-clicking.patch =================================================================== --- sdl/trunk/sdl-1.2.14-fix-mouse-clicking.patch (rev 0) +++ sdl/trunk/sdl-1.2.14-fix-mouse-clicking.patch 2021-03-01 13:25:43 UTC (rev 876395) @@ -0,0 +1,23 @@ +--- SDL-1.2.14/src/video/x11/SDL_x11events.c.orig 2010-04-08 11:57:05.003169834 -0700 ++++ SDL-1.2.14/src/video/x11/SDL_x11events.c 2010-04-08 12:33:51.690926340 -0700 +@@ -423,12 +423,15 @@ + if ( xevent.xcrossing.mode == NotifyUngrab ) + printf("Mode: NotifyUngrab\n"); + #endif +- if ( this->input_grab == SDL_GRAB_OFF ) { +- posted = SDL_PrivateAppActive(1, SDL_APPMOUSEFOCUS); ++ if ( (xevent.xcrossing.mode != NotifyGrab) && ++ (xevent.xcrossing.mode != NotifyUngrab) ) { ++ if ( this->input_grab == SDL_GRAB_OFF ) { ++ posted = SDL_PrivateAppActive(1, SDL_APPMOUSEFOCUS); ++ } ++ posted = SDL_PrivateMouseMotion(0, 0, ++ xevent.xcrossing.x, ++ xevent.xcrossing.y); + } +- posted = SDL_PrivateMouseMotion(0, 0, +- xevent.xcrossing.x, +- xevent.xcrossing.y); + } + break; +
