diff options
author | Lee Chee Yang <chee.yang.lee@intel.com> | 2021-03-03 00:12:23 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-03-10 00:22:50 +0000 |
commit | f7e5b0002559b093fc2299faf86f4b2d6144cce8 (patch) | |
tree | 8e5aff9636d6580765475ca68f158909abb1253f | |
parent | 8581672ccec2b3a34c9d2a939db2267b5b9dba85 (diff) | |
download | poky-f7e5b0002559b093fc2299faf86f4b2d6144cce8.tar.gz |
libsdl2: fix CVE-2020-14409 CVE-2020-14410
(From OE-Core rev: d3b5f34efbfb9b2db961a649da5ba6b275db5e0b)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-graphics/libsdl2/libsdl2/CVE-2020-14409-14410.patch | 79 | ||||
-rw-r--r-- | meta/recipes-graphics/libsdl2/libsdl2_2.0.12.bb | 1 |
2 files changed, 80 insertions, 0 deletions
diff --git a/meta/recipes-graphics/libsdl2/libsdl2/CVE-2020-14409-14410.patch b/meta/recipes-graphics/libsdl2/libsdl2/CVE-2020-14409-14410.patch new file mode 100644 index 0000000000..d8fa24bc65 --- /dev/null +++ b/meta/recipes-graphics/libsdl2/libsdl2/CVE-2020-14409-14410.patch | |||
@@ -0,0 +1,79 @@ | |||
1 | From a7ff6e96155f550a5597621ebeddd03c98aa9294 Mon Sep 17 00:00:00 2001 | ||
2 | From: Sam Lantinga <slouken@libsdl.org> | ||
3 | Date: Wed, 17 Jun 2020 08:44:45 -0700 | ||
4 | Subject: [PATCH] Fixed overflow in surface pitch calculation | ||
5 | |||
6 | |||
7 | Upstream-Status: Backport | ||
8 | [https://github.com/libsdl-org/SDL/commit/a7ff6e96155f550a5597621ebeddd03c98aa9294] | ||
9 | CVE: CVE-2020-14409 CVE-2020-14410 | ||
10 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
11 | |||
12 | --- | ||
13 | src/video/SDL_surface.c | 23 +++++++++++++++-------- | ||
14 | 1 file changed, 15 insertions(+), 8 deletions(-) | ||
15 | |||
16 | diff --git a/src/video/SDL_surface.c b/src/video/SDL_surface.c | ||
17 | index 085d9ff1e..bff826f7c 100644 | ||
18 | --- a/src/video/SDL_surface.c | ||
19 | +++ b/src/video/SDL_surface.c | ||
20 | @@ -28,24 +28,23 @@ | ||
21 | #include "SDL_yuv_c.h" | ||
22 | |||
23 | |||
24 | -/* Check to make sure we can safely check multiplication of surface w and pitch and it won't overflow size_t */ | ||
25 | -SDL_COMPILE_TIME_ASSERT(surface_size_assumptions, | ||
26 | - sizeof(int) == sizeof(Sint32) && sizeof(size_t) >= sizeof(Sint32)); | ||
27 | +/* Check to make sure we can safely check multiplication of surface w and pitch and it won't overflow Sint64 */ | ||
28 | +SDL_COMPILE_TIME_ASSERT(surface_size_assumptions, sizeof(int) == sizeof(Sint32)); | ||
29 | |||
30 | /* Public routines */ | ||
31 | |||
32 | /* | ||
33 | * Calculate the pad-aligned scanline width of a surface | ||
34 | */ | ||
35 | -static int | ||
36 | +static Sint64 | ||
37 | SDL_CalculatePitch(Uint32 format, int width) | ||
38 | { | ||
39 | - int pitch; | ||
40 | + Sint64 pitch; | ||
41 | |||
42 | if (SDL_ISPIXELFORMAT_FOURCC(format) || SDL_BITSPERPIXEL(format) >= 8) { | ||
43 | - pitch = (width * SDL_BYTESPERPIXEL(format)); | ||
44 | + pitch = ((Sint64)width * SDL_BYTESPERPIXEL(format)); | ||
45 | } else { | ||
46 | - pitch = ((width * SDL_BITSPERPIXEL(format)) + 7) / 8; | ||
47 | + pitch = (((Sint64)width * SDL_BITSPERPIXEL(format)) + 7) / 8; | ||
48 | } | ||
49 | pitch = (pitch + 3) & ~3; /* 4-byte aligning for speed */ | ||
50 | return pitch; | ||
51 | @@ -59,11 +58,19 @@ SDL_Surface * | ||
52 | SDL_CreateRGBSurfaceWithFormat(Uint32 flags, int width, int height, int depth, | ||
53 | Uint32 format) | ||
54 | { | ||
55 | + Sint64 pitch; | ||
56 | SDL_Surface *surface; | ||
57 | |||
58 | /* The flags are no longer used, make the compiler happy */ | ||
59 | (void)flags; | ||
60 | |||
61 | + pitch = SDL_CalculatePitch(format, width); | ||
62 | + if (pitch < 0 || pitch > SDL_MAX_SINT32) { | ||
63 | + /* Overflow... */ | ||
64 | + SDL_OutOfMemory(); | ||
65 | + return NULL; | ||
66 | + } | ||
67 | + | ||
68 | /* Allocate the surface */ | ||
69 | surface = (SDL_Surface *) SDL_calloc(1, sizeof(*surface)); | ||
70 | if (surface == NULL) { | ||
71 | @@ -78,7 +85,7 @@ SDL_CreateRGBSurfaceWithFormat(Uint32 flags, int width, int height, int depth, | ||
72 | } | ||
73 | surface->w = width; | ||
74 | surface->h = height; | ||
75 | - surface->pitch = SDL_CalculatePitch(format, width); | ||
76 | + surface->pitch = (int)pitch; | ||
77 | SDL_SetClipRect(surface, NULL); | ||
78 | |||
79 | if (SDL_ISPIXELFORMAT_INDEXED(surface->format->format)) { | ||
diff --git a/meta/recipes-graphics/libsdl2/libsdl2_2.0.12.bb b/meta/recipes-graphics/libsdl2/libsdl2_2.0.12.bb index fa7acc4c50..8e77c18f2d 100644 --- a/meta/recipes-graphics/libsdl2/libsdl2_2.0.12.bb +++ b/meta/recipes-graphics/libsdl2/libsdl2_2.0.12.bb | |||
@@ -20,6 +20,7 @@ SRC_URI = "http://www.libsdl.org/release/SDL2-${PV}.tar.gz \ | |||
20 | file://more-gen-depends.patch \ | 20 | file://more-gen-depends.patch \ |
21 | file://directfb-spurious-curly-brace-missing-e.patch \ | 21 | file://directfb-spurious-curly-brace-missing-e.patch \ |
22 | file://directfb-renderfillrect-fix.patch \ | 22 | file://directfb-renderfillrect-fix.patch \ |
23 | file://CVE-2020-14409-14410.patch \ | ||
23 | " | 24 | " |
24 | 25 | ||
25 | S = "${WORKDIR}/SDL2-${PV}" | 26 | S = "${WORKDIR}/SDL2-${PV}" |