Hello community, here is the log from the commit of package SDL2 for openSUSE:Factory checked in at 2017-10-28 14:16:41 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/SDL2 (Old) and /work/SRC/openSUSE:Factory/.SDL2.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "SDL2" Sat Oct 28 14:16:41 2017 rev:18 rq:535131 version:2.0.6 Changes: --------
--- /work/SRC/openSUSE:Factory/SDL2/SDL2.changes 2017-10-17 01:50:34.935875412 +0200
+++ /work/SRC/openSUSE:Factory/.SDL2.new/SDL2.changes 2017-10-28 14:16:41.822493590 +0200
@@ -1,0 +2,5 @@
+Thu Oct 19 04:00:09 UTC 2017 - [email protected]
+
+- Add SDL-bnc1062784-check-overflow-xcf-props.patch. CVE-2017-2888
+
+-------------------------------------------------------------------
New: ---- SDL-bnc1062784-check-overflow-xcf-props.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------
++++++ SDL2.spec ++++++
--- /var/tmp/diff_new_pack.L5m9od/_old 2017-10-28 14:16:43.766422500 +0200
+++ /var/tmp/diff_new_pack.L5m9od/_new 2017-10-28 14:16:43.770422354 +0200
@@ -32,6 +32,7 @@
 Source4: baselibs.conf
 Patch1: dbus.diff
 Patch2: %name-ppc64-declaration-after-statement.patch
+Patch3: SDL-bnc1062784-check-overflow-xcf-props.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 BuildRequires: cmake
 BuildRequires: dos2unix
@@ -105,7 +106,7 @@
 %prep
 %setup -q
-%patch -P 1 -p1
+%patch -P 1 -P 3 -p1
 %ifarch ppc64 ppc64le
 %patch -P 2 -p1
 %endif
++++++ SDL-bnc1062784-check-overflow-xcf-props.patch ++++++
# From: [email protected] # CVE-2017-2888. Check for overflow when computing size. # Based on upstream patch: 81a4950907a01359f2f9390875291eb3951e6c6b
Index: SDL2-2.0.6/include/SDL_stdinc.h
===================================================================
--- SDL2-2.0.6.orig/include/SDL_stdinc.h
+++ SDL2-2.0.6/include/SDL_stdinc.h
@@ -162,6 +162,7 @@ typedef uint16_t Uint16;
 /**
 * \brief A signed 32-bit integer type.
 */
+#define SDL_MAX_SINT32 ((Sint32)0x7FFFFFFF) /* 2147483647 */
 typedef int32_t Sint32;
 /**
 * \brief An unsigned 32-bit integer type.
Index: SDL2-2.0.6/src/video/SDL_surface.c
===================================================================
--- SDL2-2.0.6.orig/src/video/SDL_surface.c
+++ SDL2-2.0.6/src/video/SDL_surface.c
@@ -26,6 +26,10 @@
 #include "SDL_RLEaccel_c.h"
 #include "SDL_pixels_c.h"
+/* Check to make sure we can safely check multiplication of surface w and pitch and it won't overflow size_t */
+SDL_COMPILE_TIME_ASSERT(surface_size_assumptions,
+ sizeof(int) == sizeof(Sint32) && sizeof(size_t) >= sizeof(Sint32));
+
 /* Public routines */
 /*
@@ -80,7 +84,16 @@ SDL_CreateRGBSurfaceWithFormat(Uint32 fl
 /* Get the pixels */
 if (surface->w && surface->h) {
- surface->pixels = SDL_malloc(surface->h * surface->pitch);
+ /* Assumptions checked in surface_size_assumptions assert above */
+ Sint64 size = ((Sint64)surface->h * surface->pitch);
+ if (size < 0 || size > SDL_MAX_SINT32) {
+ /* Overflow... */
+ SDL_FreeSurface(surface);
+ SDL_OutOfMemory();
+ return NULL;
+ }
+
+ surface->pixels = SDL_malloc((size_t)size);
 if (!surface->pixels) {
 SDL_FreeSurface(surface);
 SDL_OutOfMemory();
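Review bot: In the include/SDL_stdinc.h hunk the new `#define SDL_MAX_SINT32` sits between the `\brief A signed 32-bit integer type.` comment and the `typedef int32_t Sint32;` that comment describes, so a documentation generator will most likely attach the brief to the macro and leave the typedef undocumented. Moving the define below the typedef, or giving it its own comment such as `/** \brief Largest value representable in Sint32. */`, keeps both entries documented. The patch header says this is based on an upstream change, so the placement may simply mirror upstream.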
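Review bot: The comment above `SDL_COMPILE_TIME_ASSERT(surface_size_assumptions, ...)` in the first src/video/SDL_surface.c hunk does not match the code it guards: it speaks of multiplying surface `w` and pitch and of not overflowing `size_t`, while the later hunk multiplies `surface->h` by `surface->pitch` and bounds the result by `SDL_MAX_SINT32`. A maintainer reading only the comment would look for the wrong operands. Suggested wording: `/* The surface size check multiplies h and pitch as Sint64, bounds it by SDL_MAX_SINT32 and casts to size_t; int must be 32 bits and size_t at least that wide */`.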
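Review bot: The new bound in the `@@ -80,7 +84,16 @@` hunk tests only the product, so it trusts `surface->pitch` as given and ignores the sign of each operand. A pitch that already wrapped when it was derived from the width (that computation is outside this hunk, so this is inferred), or a negative `h` paired with a negative `pitch`, still gives a `size` between 0 and `SDL_MAX_SINT32` and reaches `SDL_malloc` with a buffer smaller than the surface describes. Checking the operands closes the sign case, `if (surface->h < 0 || surface->pitch < 0 || size > SDL_MAX_SINT32) {`, and the width-to-pitch multiplication needs the same 64-bit treatment where it is performed. Reporting the rejection through `SDL_OutOfMemory()` also makes an oversized or malformed image indistinguishable from a genuine allocation failure in logs. The body of SDL_CreateRGBSurfaceWithFormat starts and ends outside the hunk.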
