Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package SDL2_mixer for openSUSE:Factory checked in at 2021-01-21 21:57:48 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/SDL2_mixer (Old) and /work/SRC/openSUSE:Factory/.SDL2_mixer.new.28504 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "SDL2_mixer" Thu Jan 21 21:57:48 2021 rev:8 rq:865485 version:2.0.4 Changes: -------- --- /work/SRC/openSUSE:Factory/SDL2_mixer/SDL2_mixer.changes 2020-09-16 19:37:09.506659146 +0200 +++ /work/SRC/openSUSE:Factory/.SDL2_mixer.new.28504/SDL2_mixer.changes 2021-01-21 21:57:48.829867507 +0100 @@ -1,0 +2,7 @@ +Thu Jan 21 17:14:18 UTC 2021 - Tom Mbrt <[email protected]> + +- Add 0001-use-after-free-fluidsynth.patch to prevent + fluidsynth >= 2.1.6 from crashing: + https://hg.libsdl.org/SDL_mixer/rev/b0afe341a91d + +------------------------------------------------------------------- New: ---- 0001-use-after-free-fluidsynth.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ SDL2_mixer.spec ++++++ --- /var/tmp/diff_new_pack.MWRt11/_old 2021-01-21 21:57:49.445867756 +0100 +++ /var/tmp/diff_new_pack.MWRt11/_new 2021-01-21 21:57:49.449867757 +0100 @@ -1,7 +1,7 @@ # # spec file for package SDL2_mixer # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2021 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -28,6 +28,7 @@ #Hg-Clone: http://hg.libsdl.org/SDL_mixer/ Source: http://libsdl.org/projects/SDL_mixer/release/%name-%version.tar.gz Source1: baselibs.conf +Patch0: 0001-use-after-free-fluidsynth.patch BuildRequires: dos2unix BuildRequires: pkg-config BuildRequires: pkgconfig(flac) ++++++ 0001-use-after-free-fluidsynth.patch ++++++ >From adee41d0c5211142c3422c889dcda8ccf9aad34f Mon Sep 17 00:00:00 2001 From: Sam Lantinga <[email protected]> Date: Wed, 20 Jan 2021 10:17:10 -0800 Subject: [PATCH] Fixed use-after-free in music_fluidsynth.c Tom M. There is a dangerous use-after-free in FLUIDSYNTH_Delete(): the settings object is deleted **before** the synth. Since the settings have been created first to initialize the synth, you must first delete the synth and then delete the settings. This currently crashes all applications that use fluidsynth 2.1.6 and SDL2_mixer. Originally reported at https://github.com/FluidSynth/fluidsynth/issues/748 --- src/codecs/music_fluidsynth.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/codecs/music_fluidsynth.c b/src/codecs/music_fluidsynth.c index 8667f0d9..a47247f4 100644 --- a/music_fluidsynth.c 2018-10-31 15:59:00.000000000 +0100 +++ b/music_fluidsynth.c 2021-01-20 18:29:11.610459000 +0100 @@ -273,9 +273,10 @@ static void FLUIDSYNTH_Delete(void *context) { FLUIDSYNTH_Music *music = (FLUIDSYNTH_Music *)context; + fluid_settings_t *settings = fluidsynth.fluid_synth_get_settings(music->synth); fluidsynth.delete_fluid_player(music->player); - fluidsynth.delete_fluid_settings(fluidsynth.fluid_synth_get_settings(music->synth)); fluidsynth.delete_fluid_synth(music->synth); + fluidsynth.delete_fluid_settings(settings); SDL_free(music); }
