Hi. I've ported the CVE patches from Debian LTS for libsdl2 in unstable.
>From 71a63c55e96dc351058d3700d1a4cba1726136e2 Mon Sep 17 00:00:00 2001
From: Kari Pahula <[email protected]>
Date: Wed, 24 Apr 2019 16:56:30 +0300
Subject: [PATCH] Port patches from Debian LTS release for CVE bugs.
Fixes for CVE-2019-7572, CVE-2019-7573, CVE-2019-7574, CVE-2019-7575, CVE-2019-7576, CVE-2019-7577, CVE-2019-7578, CVE-2019-7635, CVE-2019-7636, CVE-2019-7637, CVE-2019-7638.
---
debian/patches/CVE-2019-7572_CVE-2019-7574.patch | 92 ++++++++++++++++++++++
debian/patches/CVE-2019-7573.patch | 69 ++++++++++++++++
debian/patches/CVE-2019-7575_CVE-2019-7577.patch | 91 +++++++++++++++++++++
debian/patches/CVE-2019-7577_1_2.patch | 34 ++++++++
debian/patches/CVE-2019-7578.patch | 79 +++++++++++++++++++
...CVE-2019-7635_CVE-2019-7636_CVE-2019-7638.patch | 83 +++++++++++++++++++
debian/patches/CVE-2019-7637.patch | 86 ++++++++++++++++++++
debian/patches/series | 8 ++
8 files changed, 542 insertions(+)
create mode 100644 debian/patches/CVE-2019-7572_CVE-2019-7574.patch
create mode 100644 debian/patches/CVE-2019-7573.patch
create mode 100644 debian/patches/CVE-2019-7575_CVE-2019-7577.patch
create mode 100644 debian/patches/CVE-2019-7577_1_2.patch
create mode 100644 debian/patches/CVE-2019-7578.patch
create mode 100644 debian/patches/CVE-2019-7635_CVE-2019-7636_CVE-2019-7638.patch
create mode 100644 debian/patches/CVE-2019-7637.patch
diff --git a/debian/patches/CVE-2019-7572_CVE-2019-7574.patch b/debian/patches/CVE-2019-7572_CVE-2019-7574.patch
new file mode 100644
index 0000000..32e347e
--- /dev/null
+++ b/debian/patches/CVE-2019-7572_CVE-2019-7574.patch 
@@ -0,0 +1,92 @@ +Description: CVE-2019-7572, CVE-2019-7574 + CVE-2019-7572: a buffer over-read in IMA_ADPCM_nibble in audio/SDL_wave.c. + CVE-2019-7574: a heap-based buffer over-read in IMA_ADPCM_decode in audio/SDL_wave.c. + +--- +Author: Abhijith PA <[email protected]> +Origin: https://bugzilla-attachments.libsdl.org/attachment.cgi?id=3610 + https://bugzilla.libsdl.org/attachment.cgi?id=3612 + https://bugzilla.libsdl.org/attachment.cgi?id=3618 +Bug: https://bugzilla.libsdl.org/show_bug.cgi?id=4496 + https://bugzilla.libsdl.org/show_bug.cgi?id=4495 +Last-Update: <2018-03-12> + +Index: libsdl2/src/audio/SDL_wave.c +=================================================================== +--- libsdl2.orig/src/audio/SDL_wave.c ++++ libsdl2/src/audio/SDL_wave.c +@@ -272,6 +272,14 @@ IMA_ADPCM_nibble(struct IMA_ADPCM_decode + 22385, 24623, 27086, 29794, 32767 + }; + Sint32 delta, step; ++ /* Clamp index value. The inital value can be invalid. */ ++ if ( state->index > 88 ) { ++ state->index = 88; ++ } else ++ if ( state->index < 0 ) { ++ state->index = 0; ++ } ++ + + /* Compute difference and new sample value */ + if (state->index > 88) { +@@ -338,7 +346,7 @@ static int + IMA_ADPCM_decode(Uint8 ** audio_buf, Uint32 * audio_len) + { + struct IMA_ADPCM_decodestate *state; +- Uint8 *freeable, *encoded, *decoded; ++ Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end; + Sint32 encoded_len, samplesleft; + unsigned int c, channels; + +@@ -354,6 +362,7 @@ IMA_ADPCM_decode(Uint8 ** audio_buf, Uin + /* Allocate the proper sized output buffer */ + encoded_len = *audio_len; + encoded = *audio_buf; ++ encoded_end = encoded + encoded_len; + freeable = *audio_buf; + *audio_len = (encoded_len / IMA_ADPCM_state.wavefmt.blockalign) * + IMA_ADPCM_state.wSamplesPerBlock * +@@ -363,11 +372,13 @@ IMA_ADPCM_decode(Uint8 ** audio_buf, Uin + return SDL_OutOfMemory(); + } + decoded = *audio_buf; ++ decoded_end = decoded + *audio_len; + + /* Get ready... Go! 
*/ + while (encoded_len >= IMA_ADPCM_state.wavefmt.blockalign) { + /* Grab the initial information for this block */ + for (c = 0; c < channels; ++c) { ++ if (encoded + 4 > encoded_end) goto invalid_size; + /* Fill the state information for this block */ + state[c].sample = ((encoded[1] << 8) | encoded[0]); + encoded += 2; +@@ -381,6 +392,7 @@ IMA_ADPCM_decode(Uint8 ** audio_buf, Uin + } + + /* Store the initial sample we start with */ ++ if (decoded + 2 > decoded_end) goto invalid_size; + decoded[0] = (Uint8) (state[c].sample & 0xFF); + decoded[1] = (Uint8) (state[c].sample >> 8); + decoded += 2; +@@ -390,6 +402,9 @@ IMA_ADPCM_decode(Uint8 ** audio_buf, Uin + samplesleft = (IMA_ADPCM_state.wSamplesPerBlock - 1) * channels; + while (samplesleft > 0) { + for (c = 0; c < channels; ++c) { ++ if (encoded + 4 > encoded_end) goto invalid_size; +++ if (decoded + 4 * 4 * channels > decoded_end) +++ goto invalid_size; + Fill_IMA_ADPCM_block(decoded, encoded, + c, channels, &state[c]); + encoded += 4; +@@ -401,6 +416,10 @@ IMA_ADPCM_decode(Uint8 ** audio_buf, Uin + } + SDL_free(freeable); + return (0); ++ invalid_size: ++ SDL_SetError("Unexpected chunk length for an IMA ADPCM decoder"); ++ SDL_free(freeable); ++ return(-1); + } + + diff --git a/debian/patches/CVE-2019-7573.patch b/debian/patches/CVE-2019-7573.patch new file mode 100644 index 0000000..790a27f --- /dev/null +++ b/debian/patches/CVE-2019-7573.patch 
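Review bot: The two decoded-buffer guard lines in the `@@ -390,6 +402,9 @@` hunk of this patch carry an extra `+` (`+++ if (decoded + 4 * 4 * channels > decoded_end)` and `+++ goto invalid_size;`), so the inner patch adds C lines that begin with `+ if` and `+ goto`, which does not compile; the tree is only repaired by the trailing hunk of CVE-2019-7575_CVE-2019-7577.patch, two entries later in `series`. Drop the stray marker here instead of carrying a broken intermediate state, `++ if (decoded + 4 * 4 * channels > decoded_end)` and `++ goto invalid_size;`, and remove the fix-up hunk from the later patch. Separately, the new clamp in IMA_ADPCM_nibble makes the original `if (state->index > 88) {` branch that follows it unreachable, so that branch can go, and the comment typo `inital` should read `initial`. IMA_ADPCM_nibble and IMA_ADPCM_decode both start and end outside the visible hunks.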
@@ -0,0 +1,69 @@ +Description: CVE-2019-7573 + a heap-based buffer over-read in InitMS_ADPCM in audio/SDL_wave.c (inside the + wNumCoef loop). + +--- +Author: Abhijith PA <[email protected]> +Origin: https://bugzilla.libsdl.org/attachment.cgi?id=3620 +Bug: https://bugzilla.libsdl.org/show_bug.cgi?id=4491 +Last-Update: 2019-03-05 + +Index: libsdl2/src/audio/SDL_wave.c +=================================================================== +--- libsdl2.orig/src/audio/SDL_wave.c ++++ libsdl2/src/audio/SDL_wave.c +@@ -46,12 +46,13 @@ static struct MS_ADPCM_decoder + } MS_ADPCM_state; + + static int +-InitMS_ADPCM(WaveFMT * format) ++InitMS_ADPCM(WaveFMT * format, int length) + { +- Uint8 *rogue_feel; ++ Uint8 *rogue_feel, *rogue_feel_end; + int i; + + /* Set the rogue pointer to the MS_ADPCM specific data */ ++ if (length < sizeof(*format)) goto too_short; + MS_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding); + MS_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels); + MS_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency); +@@ -60,10 +61,12 @@ InitMS_ADPCM(WaveFMT * format) + MS_ADPCM_state.wavefmt.bitspersample = + SDL_SwapLE16(format->bitspersample); + rogue_feel = (Uint8 *) format + sizeof(*format); ++ rogue_feel_end = (Uint8 *)format + length; + if (sizeof(*format) == 16) { + /* const Uint16 extra_info = ((rogue_feel[1] << 8) | rogue_feel[0]); */ + rogue_feel += sizeof(Uint16); + } ++ if (rogue_feel + 4 > rogue_feel_end) goto too_short; + MS_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1] << 8) | rogue_feel[0]); + rogue_feel += sizeof(Uint16); + MS_ADPCM_state.wNumCoef = ((rogue_feel[1] << 8) | rogue_feel[0]); +@@ -73,12 +76,16 @@ InitMS_ADPCM(WaveFMT * format) + return (-1); + } + for (i = 0; i < MS_ADPCM_state.wNumCoef; ++i) { ++ if (rogue_feel + 4 > rogue_feel_end) goto too_short; + MS_ADPCM_state.aCoeff[i][0] = ((rogue_feel[1] << 8) | rogue_feel[0]); + rogue_feel += sizeof(Uint16); + MS_ADPCM_state.aCoeff[i][1] = ((rogue_feel[1] 
<< 8) | rogue_feel[0]); + rogue_feel += sizeof(Uint16); + } + return (0); ++too_short: ++ SDL_SetError("Unexpected length of a chunk with a MS ADPCM format"); ++ return(-1); + } + + static Sint32 +@@ -541,7 +548,7 @@ SDL_LoadWAV_RW(SDL_RWops * src, int free + break; + case MS_ADPCM_CODE: + /* Try to understand this */ +- if (InitMS_ADPCM(format) < 0) { ++ if ( InitMS_ADPCM(format, lenread) < 0 ) + was_error = 1; + goto done; + } diff --git a/debian/patches/CVE-2019-7575_CVE-2019-7577.patch b/debian/patches/CVE-2019-7575_CVE-2019-7577.patch new file mode 100644 index 0000000..c6250ea --- /dev/null +++ b/debian/patches/CVE-2019-7575_CVE-2019-7577.patch 
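Review bot: The replacement call line `+ if ( InitMS_ADPCM(format, lenread) < 0 )` drops the `{` that the removed line `- if (InitMS_ADPCM(format) < 0) {` had, while the matching `}` stays, so SDL_LoadWAV_RW no longer parses after this patch; CVE-2019-7578.patch later re-adds the brace as `{ was_error = 1;`. Keep the brace on this line: `if (InitMS_ADPCM(format, lenread) < 0) {`. Also, `if (length < sizeof(*format)) goto too_short;` compares an `int` with a `size_t`, so a negative `length` converts to a large unsigned value and passes, after which `rogue_feel_end = (Uint8 *)format + length` points before the chunk; unless `lenread` is already known to be non-negative at the call site (not visible here), guard with `if (length < 0 || (size_t)length < sizeof(*format)) goto too_short;`. The same comparison is added to InitIMA_ADPCM by CVE-2019-7578.patch and wants the same treatment. InitMS_ADPCM's body and the SDL_LoadWAV_RW switch continue outside these hunks.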
@@ -0,0 +1,91 @@ +Description: CVE-2019-7575, CVE-2019-7577 + CVE-2019-7575 +a heap-based buffer overflow in MS_ADPCM_decode in audio/SDL_wave.c. + CVE-2019-7577 +a buffer over-read in SDL_LoadWAV_RW in audio/SDL_wave.c. + +--- +Author: Abhijith PA <[email protected]> +Origin: https://bugzilla.libsdl.org/attachment.cgi?id=3609 + https://bugzilla.libsdl.org/attachment.cgi?id=3608 +Bug: https://bugzilla.libsdl.org/show_bug.cgi?id=4493 + https://bugzilla.libsdl.org/show_bug.cgi?id=4492 +Last-Update: 2019-03-12 + +Index: libsdl2/src/audio/SDL_wave.c +=================================================================== +--- libsdl2.orig/src/audio/SDL_wave.c ++++ libsdl2/src/audio/SDL_wave.c +@@ -126,7 +126,7 @@ static int + MS_ADPCM_decode(Uint8 ** audio_buf, Uint32 * audio_len) + { + struct MS_ADPCM_decodestate *state[2]; +- Uint8 *freeable, *encoded, *decoded; ++ Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end; + Sint32 encoded_len, samplesleft; + Sint8 nybble; + Uint8 stereo; +@@ -136,6 +136,7 @@ MS_ADPCM_decode(Uint8 ** audio_buf, Uint + /* Allocate the proper sized output buffer */ + encoded_len = *audio_len; + encoded = *audio_buf; ++ encoded_end = encoded + encoded_len; + freeable = *audio_buf; + *audio_len = (encoded_len / MS_ADPCM_state.wavefmt.blockalign) * + MS_ADPCM_state.wSamplesPerBlock * +@@ -145,6 +146,7 @@ MS_ADPCM_decode(Uint8 ** audio_buf, Uint + return SDL_OutOfMemory(); + } + decoded = *audio_buf; ++ decoded_end = decoded + *audio_len; + + /* Get ready... Go! */ + stereo = (MS_ADPCM_state.wavefmt.channels == 2); +@@ -152,6 +154,7 @@ MS_ADPCM_decode(Uint8 ** audio_buf, Uint + state[1] = &MS_ADPCM_state.state[stereo]; + while (encoded_len >= MS_ADPCM_state.wavefmt.blockalign) { + /* Grab the initial information for this block */ ++ if (encoded + 7 + (stereo ? 
7 : 0) > encoded_end) goto invalid_size; + state[0]->hPredictor = *encoded++; + if (stereo) { + state[1]->hPredictor = *encoded++; +@@ -178,6 +181,7 @@ MS_ADPCM_decode(Uint8 ** audio_buf, Uint + coeff[1] = MS_ADPCM_state.aCoeff[state[1]->hPredictor]; + + /* Store the two initial samples we start with */ ++ if (decoded + 4 + (stereo ? 4 : 0) > decoded_end) goto invalid_size; + decoded[0] = state[0]->iSamp2 & 0xFF; + decoded[1] = state[0]->iSamp2 >> 8; + decoded += 2; +@@ -199,6 +203,9 @@ MS_ADPCM_decode(Uint8 ** audio_buf, Uint + samplesleft = (MS_ADPCM_state.wSamplesPerBlock - 2) * + MS_ADPCM_state.wavefmt.channels; + while (samplesleft > 0) { ++ if (encoded + 1 > encoded_end) goto invalid_size; ++ if (decoded + 4 > decoded_end) goto invalid_size; ++ + nybble = (*encoded) >> 4; + new_sample = MS_ADPCM_nibble(state[0], nybble, coeff[0]); + decoded[0] = new_sample & 0xFF; +@@ -220,6 +227,10 @@ MS_ADPCM_decode(Uint8 ** audio_buf, Uint + } + SDL_free(freeable); + return (0); ++invalid_size: ++ SDL_SetError("Unexpected chunk length for a MS ADPCM decoder"); ++ SDL_free(freeable); ++ return(-1); + } + + struct IMA_ADPCM_decodestate +@@ -410,8 +421,8 @@ IMA_ADPCM_decode(Uint8 ** audio_buf, Uin + while (samplesleft > 0) { + for (c = 0; c < channels; ++c) { + if (encoded + 4 > encoded_end) goto invalid_size; +-+ if (decoded + 4 * 4 * channels > decoded_end) +-+ goto invalid_size; ++ if (decoded + 4 * 4 * channels > decoded_end) ++ goto invalid_size; + Fill_IMA_ADPCM_block(decoded, encoded, + c, channels, &state[c]); + encoded += 4; diff --git a/debian/patches/CVE-2019-7577_1_2.patch b/debian/patches/CVE-2019-7577_1_2.patch new file mode 100644 index 0000000..58f5383 --- /dev/null +++ b/debian/patches/CVE-2019-7577_1_2.patch 
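Review bot: The new bounds guards in MS_ADPCM_decode are written as `if (encoded + 7 + (stereo ? 7 : 0) > encoded_end)` and `if (decoded + 4 + (stereo ? 4 : 0) > decoded_end)`, which form a pointer beyond the end of the buffer before comparing; C11 makes that undefined, and a compiler is entitled to fold such a comparison away. A remaining-length test avoids it, `if (encoded_end - encoded < 7 + (stereo ? 7 : 0)) goto invalid_size;`, and the same rewrite applies to the other guards in this patch and to the IMA ones in CVE-2019-7572_CVE-2019-7574.patch. `encoded_end = encoded + encoded_len` also inherits `encoded_len` being a `Sint32` assigned from `*audio_len` (a `Uint32`), so a chunk longer than 2 GiB yields an `encoded_end` before `encoded`; every guard then fails closed, which is acceptable, but a one-line comment stating that would help the next reader. The function starts before the first hunk, and the trailing hunk only removes the stray `+` markers left by the earlier patch.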
@@ -0,0 +1,34 @@ +Description: CVE-2019-7577 + a buffer over-read in SDL_LoadWAV_RW in audio/SDL_wave.c. + +--- +Author: Abhijith PA <[email protected]> +Origin: https://bugzilla.libsdl.org/attachment.cgi?id=3694 +Bug: https://bugzilla.libsdl.org/show_bug.cgi?id=4492 +Last-Update: 2019-03-13 + +Index: libsdl2/src/audio/SDL_wave.c +=================================================================== +--- libsdl2.orig/src/audio/SDL_wave.c ++++ libsdl2/src/audio/SDL_wave.c +@@ -159,6 +159,9 @@ MS_ADPCM_decode(Uint8 ** audio_buf, Uint + if (stereo) { + state[1]->hPredictor = *encoded++; + } ++ if (state[0]->hPredictor >= 7 || state[1]->hPredictor >= 7) { ++ goto invalid_predictor; ++ } + state[0]->iDelta = ((encoded[1] << 8) | encoded[0]); + encoded += sizeof(Sint16); + if (stereo) { +@@ -231,6 +234,10 @@ invalid_size: + SDL_SetError("Unexpected chunk length for a MS ADPCM decoder"); + SDL_free(freeable); + return(-1); ++invalid_predictor: ++ SDL_SetError("Invalid predictor value for a MS ADPCM decoder"); ++ SDL_free(freeable); ++ return(-1); + } + + struct IMA_ADPCM_decodestate diff --git a/debian/patches/CVE-2019-7578.patch b/debian/patches/CVE-2019-7578.patch new file mode 100644 index 0000000..4115dee --- /dev/null +++ b/debian/patches/CVE-2019-7578.patch 
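Review bot: The guard `if (state[0]->hPredictor >= 7 || state[1]->hPredictor >= 7)` hard-codes the row count of `MS_ADPCM_state.aCoeff`, which the `wNumCoef` check partially visible in CVE-2019-7573.patch appears to enforce as 7 as well; a named constant shared by both sites (for example a `MS_ADPCM_NUM_COEF` define used here and in that check) would keep the two from drifting apart. Note that in mono `state[1]` presumably aliases `state[0]` (`state[1] = &MS_ADPCM_state.state[stereo];` in CVE-2019-7575_CVE-2019-7577.patch), so the second operand is a repeat rather than a read of an unset value; a short comment on the line would spare the next reader that check. MS_ADPCM_decode starts and ends outside this hunk.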
@@ -0,0 +1,79 @@ +Description: CVE-2019-7578 + + If IMA ADPCM format chunk was too short, InitIMA_ADPCM() parsing it + could read past the end of chunk data. This patch fixes it. +--- +Author: Abhijith PA <[email protected]> +Origin: https://bugzilla-attachments.libsdl.org/attachment.cgi?id=3623 +Bug: https://bugzilla.libsdl.org/show_bug.cgi?id=4494 +Last-Update: 2019-03-12 + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: <vendor|upstream|other>, <url of original patch> +Bug: <url in upstream bugtracker> +Bug-Debian: https://bugs.debian.org/<bugnumber> +Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber> +Forwarded: <no|not-needed|url proving that it has been forwarded> +Reviewed-By: <name and email of someone who approved the patch> +Last-Update: 2019-03-13 + +Index: libsdl2/src/audio/SDL_wave.c +=================================================================== +--- libsdl2.orig/src/audio/SDL_wave.c ++++ libsdl2/src/audio/SDL_wave.c +@@ -247,11 +247,12 @@ static struct IMA_ADPCM_decoder + } IMA_ADPCM_state; + + static int +-InitIMA_ADPCM(WaveFMT * format) ++InitIMA_ADPCM(WaveFMT * format, int length) + { +- Uint8 *rogue_feel; ++ Uint8 *rogue_feel, *rogue_feel_end; + + /* Set the rogue pointer to the IMA_ADPCM specific data */ ++ if (length < sizeof(*format)) goto too_short; + IMA_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding); + IMA_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels); + IMA_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency); +@@ -260,12 +261,17 @@ InitIMA_ADPCM(WaveFMT * format) + IMA_ADPCM_state.wavefmt.bitspersample = + SDL_SwapLE16(format->bitspersample); + rogue_feel = (Uint8 *) format + sizeof(*format); ++ rogue_feel_end = (Uint8 *)format + length; + if (sizeof(*format) == 16) { + /* const Uint16 extra_info = 
((rogue_feel[1] << 8) | rogue_feel[0]); */ + rogue_feel += sizeof(Uint16); + } ++ if (rogue_feel + 2 > rogue_feel_end) goto too_short; + IMA_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1] << 8) | rogue_feel[0]); + return (0); ++too_short: ++ SDL_SetError("Unexpected length of a chunk with an IMA ADPCM format"); ++ return(-1); + } + + static Sint32 +@@ -560,15 +566,15 @@ SDL_LoadWAV_RW(SDL_RWops * src, int free + case MS_ADPCM_CODE: + /* Try to understand this */ + if ( InitMS_ADPCM(format, lenread) < 0 ) +- was_error = 1; ++ { was_error = 1; + goto done; + } + MS_ADPCM_encoded = 1; + break; + case IMA_ADPCM_CODE: + /* Try to understand this */ +- if (InitIMA_ADPCM(format) < 0) { +- was_error = 1; ++ if ( InitIMA_ADPCM(format, lenread) < 0 ) ++ { was_error = 1; + goto done; + } + IMA_ADPCM_encoded = 1; diff --git a/debian/patches/CVE-2019-7635_CVE-2019-7636_CVE-2019-7638.patch b/debian/patches/CVE-2019-7635_CVE-2019-7636_CVE-2019-7638.patch new file mode 100644 index 0000000..e65c374 --- /dev/null +++ b/debian/patches/CVE-2019-7635_CVE-2019-7636_CVE-2019-7638.patch 
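Review bot: The patch header keeps the unfilled DEP-3 template text (from `The information above should follow the Patch Tagging Guidelines` through the `Reviewed-By: <name and email of someone who approved the patch>` placeholder) and carries two `Last-Update:` lines, 2019-03-12 and 2019-03-13; drop the template block and keep one date so the header states only real metadata. In the SDL_LoadWAV_RW hunk the re-added braces are written as `+ { was_error = 1;` on the statement line, which does not match the surrounding code; `if (InitIMA_ADPCM(format, lenread) < 0) {` with `was_error = 1;` on its own line reads like the rest of the switch. InitIMA_ADPCM's tail and the switch in SDL_LoadWAV_RW run past the hunks.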
@@ -0,0 +1,83 @@ +Description: CVE-2019-7635_CVE-2019-7636, CVE-2019-7638 + CVE-2019-7635 +a heap-based buffer over-read in Blit1to4 in video/SDL_blit_1.c + CVE-2019-7636 +a heap-based buffer over-read in SDL_GetRGB in video/SDL_pixels.c + CVE-2019-7638 +buffer overwrite when the SDL_LoadBMP_RW() +loads colors from a file. + +--- +Author: Abhijith PA <[email protected]> +Origin: https://bugzilla.libsdl.org/attachment.cgi?id=3637 + https://bugzilla.libsdl.org/attachment.cgi?id=3645 + https://hg.libsdl.org/SDL/rev/19d8c3b9c251 + +Bug: https://bugzilla.libsdl.org/show_bug.cgi?id=4499 + https://bugzilla.libsdl.org/show_bug.cgi?id=4498 + https://bugzilla.libsdl.org/show_bug.cgi?id=4500 +Last-Update: 2019-03-12 + +Index: libsdl2/src/video/SDL_bmp.c +=================================================================== +--- libsdl2.orig/src/video/SDL_bmp.c ++++ libsdl2/src/video/SDL_bmp.c +@@ -135,6 +135,17 @@ SDL_LoadBMP_RW(SDL_RWops * src, int free + goto done; + } + ++ if ( 8 == biBitCount && palette && biClrUsed < (1 << biBitCount ) ) { ++ for ( i=0; i<surface->w; ++i ) { ++ if ( bits[i] >= biClrUsed ) { ++ SDL_SetError( ++ "A BMP image contains a pixel with a color out of the palette"); ++ was_error = SDL_TRUE; ++ goto done; ++ } ++ } ++ } ++ + /* Read in the BMP file header */ + fp_offset = SDL_RWtell(src); + SDL_ClearError(); +@@ -246,6 +257,14 @@ SDL_LoadBMP_RW(SDL_RWops * src, int free + ExpandBMP = biBitCount; + biBitCount = 8; + break; ++ case 2: ++ case 3: ++ case 5: ++ case 6: ++ case 7: ++ SDL_SetError("%d-bpp BMP images are not supported", biBitCount); ++ was_error = SDL_TRUE; ++ goto done; + default: + ExpandBMP = 0; + break; +@@ -313,7 +332,11 @@ SDL_LoadBMP_RW(SDL_RWops * src, int free + SDL_assert(biBitCount <= 8); + if (biClrUsed == 0) { + biClrUsed = 1 << biBitCount; +- } ++ } else if ( biClrUsed > (1 << biBitCount) ) { ++ SDL_SetError("BMP file has an invalid number of colors"); ++ was_error = SDL_TRUE; ++ goto done; ++ } + if ((int) biClrUsed > 
palette->ncolors) { + SDL_Color *colors; + int ncolors = biClrUsed; +@@ -396,6 +419,12 @@ SDL_LoadBMP_RW(SDL_RWops * src, int free + } + *(bits + i) = (pixel >> shift); + pixel <<= ExpandBMP; ++ if ( bits[i] >= biClrUsed ) { ++ SDL_SetError( ++ "A BMP image contains a pixel with a color out of the palette"); ++ was_error = SDL_TRUE; ++ goto done; ++ } + } + } + break; diff --git a/debian/patches/CVE-2019-7637.patch b/debian/patches/CVE-2019-7637.patch new file mode 100644 index 0000000..ee00685 --- /dev/null +++ b/debian/patches/CVE-2019-7637.patch 
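Review bot: The first block added to SDL_LoadBMP_RW (`if ( 8 == biBitCount && palette && biClrUsed < (1 << biBitCount ) ) { for ( i=0; i<surface->w; ++i ) { if ( bits[i] >= biClrUsed ) ...`) is inserted before `/* Read in the BMP file header */`, that is before the header fields, the surface and `bits` have been set up, so as far as the context shows it tests values that are not yet assigned, and `surface->w` would dereference a null surface if the condition happened to hold. The check is only meaningful once a row of 8-bpp pixel data has been read; it belongs after the per-row read in the non-expanded branch of the scanline loop (outside this hunk), next to the per-pixel check this patch already adds in the `ExpandBMP` branch at `@@ -396,6 +419,12 @@`. If the intent was to validate all rows in one pass, that would have to run after the image data is read, not before the header. The rest of the loader is outside the hunk.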
@@ -0,0 +1,86 @@ +Description: CVE-2019-7637 + a heap-based buffer overflow in SDL_FillRect in video/SDL_surface.c. + +--- +Author: Abhijith PA <[email protected]> +Origin: https://bugzilla.libsdl.org/attachment.cgi?id=3630 +Bug: https://bugzilla.libsdl.org/show_bug.cgi?id=4497 +Last-Update: 2019-03-13 + +Index: libsdl2/src/video/SDL_surface.c +=================================================================== +--- libsdl2.orig/src/video/SDL_surface.c ++++ libsdl2/src/video/SDL_surface.c +@@ -35,27 +35,55 @@ SDL_COMPILE_TIME_ASSERT(surface_size_ass + /* Public routines */ + + /* +- * Calculate the pad-aligned scanline width of a surface ++ * Calculate the pad-aligned scanline width of a surface. Return 0 in case of ++ * an error. + */ + static int +-SDL_CalculatePitch(Uint32 format, int width) ++SDL_CalculatePitch(Uint32 format, int width, Uint8 bpp) + { +- int pitch; ++ unsigned int pitch = 0; + + /* Surface should be 4-byte aligned for speed */ +- pitch = width * SDL_BYTESPERPIXEL(format); ++ /* The code tries to prevent from an Uint16 overflow. 
*/; ++ for (Uint8 byte = bpp; byte; byte--) { ++ pitch += (unsigned int)width; ++ if (pitch < width) { ++ SDL_SetError("A scanline is too wide"); ++ return(0); ++ } ++ } ++ + switch (SDL_BITSPERPIXEL(format)) { + case 1: +- pitch = (pitch + 7) / 8; ++ if (pitch % 8) { ++ pitch = pitch / 8 + 1; ++ } else { ++ pitch = pitch / 8; ++ } + break; + case 4: +- pitch = (pitch + 1) / 2; ++ if (pitch % 2) { ++ pitch = pitch / 2 + 1; ++ } else { ++ pitch = pitch / 2; ++ } + break; + default: + break; + } +- pitch = (pitch + 3) & ~3; /* 4-byte aligning */ +- return pitch; ++ /* 4-byte aligning */ ++ if (pitch & 3) { ++ if (pitch + 3 < pitch) { ++ SDL_SetError("A scanline is too wide"); ++ return(0); ++ } ++ pitch = (pitch + 3) & ~3; ++ } ++ if (pitch > 0xFFFF) { ++ SDL_SetError("A scanline is too wide"); ++ return(0); ++ } ++ return((Uint16)pitch); + } + + /* +@@ -85,7 +113,7 @@ SDL_CreateRGBSurfaceWithFormat(Uint32 fl + } + surface->w = width; + surface->h = height; +- surface->pitch = SDL_CalculatePitch(format, width); ++ surface->pitch = SDL_CalculatePitch(format, width, surface->format->BytesPerPixel); + SDL_SetClipRect(surface, NULL); + + if (SDL_ISPIXELFORMAT_INDEXED(surface->format->format)) { diff --git a/debian/patches/series b/debian/patches/series index 1c305d2..0164823 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,2 +1,10 @@ no-libdir.patch fix-cross-building-907711.patch +CVE-2019-7572_CVE-2019-7574.patch +CVE-2019-7573.patch +CVE-2019-7575_CVE-2019-7577.patch +CVE-2019-7578.patch +CVE-2019-7635_CVE-2019-7636_CVE-2019-7638.patch +CVE-2019-7637.patch +CVE-2019-7577_1_2.patch + -- 2.11.0
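Review bot: `SDL_CalculatePitch` now returns 0 for an over-wide scanline, but the call site changed in the same patch, `surface->pitch = SDL_CalculatePitch(format, width, surface->format->BytesPerPixel);`, still stores the result without checking it, so an oversized width produces a surface with `pitch == 0` and a non-zero `w`; if the pixel buffer is sized from `h * pitch` (outside the hunk), later row writes would overflow it, which is the bug class this patch addresses. Add `if (surface->pitch == 0 && width > 0) {` followed by the function's existing failure cleanup and `return NULL;`. The `pitch > 0xFFFF` cap and the `(Uint16)` cast look carried over from SDL 1.2's 16-bit pitch; if `surface->pitch` is an `int` in this tree, as in upstream SDL2, the cap silently rejects legitimate wide surfaces (32 bpp above 16383 px, for instance) and the bound should be expressed against `INT_MAX` instead. Minor: the `;` after the overflow comment is an empty statement, and `for (Uint8 byte = bpp; byte; byte--)` declares in the `for` header, which the rest of the visible code avoids. Both functions continue outside the hunks.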

