diff options
author | Anuj Mittal <anuj.mittal@intel.com> | 2019-07-29 07:20:54 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-07-29 23:50:43 +0100 |
commit | ecc1ac5b04f5b54dee2c0e3c7a638861b73d9203 (patch) | |
tree | f73e60b968a9b8511851025e1edf74daa8c980d3 /meta/recipes-graphics | |
parent | e8cd30ba6cec854d85c7ad47edc208107858a5d7 (diff) | |
download | poky-ecc1ac5b04f5b54dee2c0e3c7a638861b73d9203.tar.gz |
libsdl: CVE fixes
Fixes CVE-2019-7572, CVE-2019-7574, CVE-2019-7575, CVE-2019-7576,
CVE-2019-7577, CVE-2019-7578, CVE-2019-7635, CVE-2019-7637,
CVE-2019-7638.
(From OE-Core rev: 2cfcb3b0fce7e1156eb52260df4330c95d87dc17)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-graphics')
10 files changed, 832 insertions, 0 deletions
diff --git a/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7572.patch b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7572.patch new file mode 100644 index 0000000000..c41c2de0f3 --- /dev/null +++ b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7572.patch | |||
@@ -0,0 +1,114 @@ | |||
1 | # HG changeset patch | ||
2 | # User Petr Písař <ppisar@redhat.com> | ||
3 | # Date 1560182231 25200 | ||
4 | # Mon Jun 10 08:57:11 2019 -0700 | ||
5 | # Branch SDL-1.2 | ||
6 | # Node ID a8afedbcaea0e84921dc770195c4699bda3ccdc5 | ||
7 | # Parent faf9abbcfb5fe0d0ca23c4bf0394aa226ceccf02 | ||
8 | CVE-2019-7572: Fix a buffer overwrite in IMA_ADPCM_decode | ||
9 | If data chunk was longer than expected based on a WAV format | ||
10 | definition, IMA_ADPCM_decode() tried to write past the output | ||
11 | buffer. This patch fixes it. | ||
12 | |||
13 | Based on patch from | ||
14 | <https://bugzilla.libsdl.org/show_bug.cgi?id=4496>. | ||
15 | |||
16 | CVE-2019-7572 | ||
17 | https://bugzilla.libsdl.org/show_bug.cgi?id=4495 | ||
18 | |||
19 | Signed-off-by: Petr Písař <ppisar@redhat.com> | ||
20 | |||
21 | # HG changeset patch | ||
22 | # User Petr Písař <ppisar@redhat.com> | ||
23 | # Date 1560041863 25200 | ||
24 | # Sat Jun 08 17:57:43 2019 -0700 | ||
25 | # Branch SDL-1.2 | ||
26 | # Node ID e52413f5258600878f9a10d2f92605a729aa8976 | ||
27 | # Parent 4e73be7b47877ae11d2279bd916910d469d18f8e | ||
28 | CVE-2019-7572: Fix a buffer overread in IMA_ADPCM_nibble | ||
29 | If an IMA ADPCM block contained an initial index out of step table | ||
30 | range (loaded in IMA_ADPCM_decode()), IMA_ADPCM_nibble() blindly used | ||
31 | this bogus value and that lead to a buffer overread. | ||
32 | |||
33 | This patch fixes it by moving clamping the index value at the | ||
34 | beginning of IMA_ADPCM_nibble() function instead of the end after | ||
35 | an update. | ||
36 | |||
37 | CVE-2019-7572 | ||
38 | https://bugzilla.libsdl.org/show_bug.cgi?id=4495 | ||
39 | |||
40 | Signed-off-by: Petr Písař <ppisar@redhat.com> | ||
41 | |||
42 | CVE: CVE-2019-7572 | ||
43 | Upstream-Status: Backport | ||
44 | Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> | ||
45 | |||
46 | diff -r faf9abbcfb5f -r a8afedbcaea0 src/audio/SDL_wave.c | ||
47 | --- a/src/audio/SDL_wave.c Mon Jun 10 08:54:29 2019 -0700 | ||
48 | +++ b/src/audio/SDL_wave.c Mon Jun 10 08:57:11 2019 -0700 | ||
49 | @@ -346,7 +346,7 @@ | ||
50 | static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) | ||
51 | { | ||
52 | struct IMA_ADPCM_decodestate *state; | ||
53 | - Uint8 *freeable, *encoded, *encoded_end, *decoded; | ||
54 | + Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end; | ||
55 | Sint32 encoded_len, samplesleft; | ||
56 | unsigned int c, channels; | ||
57 | |||
58 | @@ -373,6 +373,7 @@ | ||
59 | return(-1); | ||
60 | } | ||
61 | decoded = *audio_buf; | ||
62 | + decoded_end = decoded + *audio_len; | ||
63 | |||
64 | /* Get ready... Go! */ | ||
65 | while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) { | ||
66 | @@ -392,6 +393,7 @@ | ||
67 | } | ||
68 | |||
69 | /* Store the initial sample we start with */ | ||
70 | + if (decoded + 2 > decoded_end) goto invalid_size; | ||
71 | decoded[0] = (Uint8)(state[c].sample&0xFF); | ||
72 | decoded[1] = (Uint8)(state[c].sample>>8); | ||
73 | decoded += 2; | ||
74 | @@ -402,6 +404,8 @@ | ||
75 | while ( samplesleft > 0 ) { | ||
76 | for ( c=0; c<channels; ++c ) { | ||
77 | if (encoded + 4 > encoded_end) goto invalid_size; | ||
78 | + if (decoded + 4 * 4 * channels > decoded_end) | ||
79 | + goto invalid_size; | ||
80 | Fill_IMA_ADPCM_block(decoded, encoded, | ||
81 | c, channels, &state[c]); | ||
82 | encoded += 4; | ||
83 | |||
84 | diff -r 4e73be7b4787 -r e52413f52586 src/audio/SDL_wave.c | ||
85 | --- a/src/audio/SDL_wave.c Sat Jun 01 18:27:46 2019 +0100 | ||
86 | +++ b/src/audio/SDL_wave.c Sat Jun 08 17:57:43 2019 -0700 | ||
87 | @@ -264,6 +264,14 @@ | ||
88 | }; | ||
89 | Sint32 delta, step; | ||
90 | |||
91 | + /* Clamp index value. The inital value can be invalid. */ | ||
92 | + if ( state->index > 88 ) { | ||
93 | + state->index = 88; | ||
94 | + } else | ||
95 | + if ( state->index < 0 ) { | ||
96 | + state->index = 0; | ||
97 | + } | ||
98 | + | ||
99 | /* Compute difference and new sample value */ | ||
100 | step = step_table[state->index]; | ||
101 | delta = step >> 3; | ||
102 | @@ -275,12 +283,6 @@ | ||
103 | |||
104 | /* Update index value */ | ||
105 | state->index += index_table[nybble]; | ||
106 | - if ( state->index > 88 ) { | ||
107 | - state->index = 88; | ||
108 | - } else | ||
109 | - if ( state->index < 0 ) { | ||
110 | - state->index = 0; | ||
111 | - } | ||
112 | |||
113 | /* Clamp output sample */ | ||
114 | if ( state->sample > max_audioval ) { | ||
diff --git a/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7574.patch b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7574.patch new file mode 100644 index 0000000000..9fd53da29b --- /dev/null +++ b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7574.patch | |||
@@ -0,0 +1,68 @@ | |||
1 | # HG changeset patch | ||
2 | # User Petr Písař <ppisar@redhat.com> | ||
3 | # Date 1560181859 25200 | ||
4 | # Mon Jun 10 08:50:59 2019 -0700 | ||
5 | # Branch SDL-1.2 | ||
6 | # Node ID a6e3d2f5183e1cc300ad993e10e9ce077e13bd9c | ||
7 | # Parent 388987dff7bf8f1e214e69c2e4f1aa31e06396b5 | ||
8 | CVE-2019-7574: Fix a buffer overread in IMA_ADPCM_decode | ||
9 | If data chunk was shorter than expected based on a WAV format | ||
10 | definition, IMA_ADPCM_decode() tried to read past the data chunk | ||
11 | buffer. This patch fixes it. | ||
12 | |||
13 | CVE-2019-7574 | ||
14 | https://bugzilla.libsdl.org/show_bug.cgi?id=4496 | ||
15 | |||
16 | Signed-off-by: Petr Písař <ppisar@redhat.com> | ||
17 | |||
18 | CVE: CVE-2019-7574 | ||
19 | Upstream-Status: Backport | ||
20 | Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> | ||
21 | |||
22 | diff -r 388987dff7bf -r a6e3d2f5183e src/audio/SDL_wave.c | ||
23 | --- a/src/audio/SDL_wave.c Sat Jun 08 18:02:09 2019 -0700 | ||
24 | +++ b/src/audio/SDL_wave.c Mon Jun 10 08:50:59 2019 -0700 | ||
25 | @@ -331,7 +331,7 @@ | ||
26 | static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) | ||
27 | { | ||
28 | struct IMA_ADPCM_decodestate *state; | ||
29 | - Uint8 *freeable, *encoded, *decoded; | ||
30 | + Uint8 *freeable, *encoded, *encoded_end, *decoded; | ||
31 | Sint32 encoded_len, samplesleft; | ||
32 | unsigned int c, channels; | ||
33 | |||
34 | @@ -347,6 +347,7 @@ | ||
35 | /* Allocate the proper sized output buffer */ | ||
36 | encoded_len = *audio_len; | ||
37 | encoded = *audio_buf; | ||
38 | + encoded_end = encoded + encoded_len; | ||
39 | freeable = *audio_buf; | ||
40 | *audio_len = (encoded_len/IMA_ADPCM_state.wavefmt.blockalign) * | ||
41 | IMA_ADPCM_state.wSamplesPerBlock* | ||
42 | @@ -362,6 +363,7 @@ | ||
43 | while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) { | ||
44 | /* Grab the initial information for this block */ | ||
45 | for ( c=0; c<channels; ++c ) { | ||
46 | + if (encoded + 4 > encoded_end) goto invalid_size; | ||
47 | /* Fill the state information for this block */ | ||
48 | state[c].sample = ((encoded[1]<<8)|encoded[0]); | ||
49 | encoded += 2; | ||
50 | @@ -384,6 +386,7 @@ | ||
51 | samplesleft = (IMA_ADPCM_state.wSamplesPerBlock-1)*channels; | ||
52 | while ( samplesleft > 0 ) { | ||
53 | for ( c=0; c<channels; ++c ) { | ||
54 | + if (encoded + 4 > encoded_end) goto invalid_size; | ||
55 | Fill_IMA_ADPCM_block(decoded, encoded, | ||
56 | c, channels, &state[c]); | ||
57 | encoded += 4; | ||
58 | @@ -395,6 +398,10 @@ | ||
59 | } | ||
60 | SDL_free(freeable); | ||
61 | return(0); | ||
62 | +invalid_size: | ||
63 | + SDL_SetError("Unexpected chunk length for an IMA ADPCM decoder"); | ||
64 | + SDL_free(freeable); | ||
65 | + return(-1); | ||
66 | } | ||
67 | |||
68 | SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc, | ||
diff --git a/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7575.patch b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7575.patch new file mode 100644 index 0000000000..a3e8416d0e --- /dev/null +++ b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7575.patch | |||
@@ -0,0 +1,81 @@ | |||
1 | # HG changeset patch | ||
2 | # User Petr Písař <ppisar@redhat.com> | ||
3 | # Date 1560183905 25200 | ||
4 | # Mon Jun 10 09:25:05 2019 -0700 | ||
5 | # Branch SDL-1.2 | ||
6 | # Node ID a936f9bd3e381d67d8ddee8b9243f85799ea4798 | ||
7 | # Parent fcbecae427951bac1684baaba2ade68221315140 | ||
8 | CVE-2019-7575: Fix a buffer overwrite in MS_ADPCM_decode | ||
9 | If a WAV format defines shorter audio stream and decoded MS ADPCM data chunk | ||
10 | is longer, decoding continued past the output audio buffer. | ||
11 | |||
12 | This fix is based on a patch from | ||
13 | <https://bugzilla.libsdl.org/show_bug.cgi?id=4492>. | ||
14 | |||
15 | https://bugzilla.libsdl.org/show_bug.cgi?id=4493 | ||
16 | CVE-2019-7575 | ||
17 | |||
18 | Signed-off-by: Petr Písař <ppisar@redhat.com> | ||
19 | |||
20 | CVE: CVE-2019-7575 | ||
21 | Upstream-Status: Backport | ||
22 | Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> | ||
23 | |||
24 | diff -r fcbecae42795 -r a936f9bd3e38 src/audio/SDL_wave.c | ||
25 | --- a/src/audio/SDL_wave.c Mon Jun 10 09:06:23 2019 -0700 | ||
26 | +++ b/src/audio/SDL_wave.c Mon Jun 10 09:25:05 2019 -0700 | ||
27 | @@ -122,7 +122,7 @@ | ||
28 | static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) | ||
29 | { | ||
30 | struct MS_ADPCM_decodestate *state[2]; | ||
31 | - Uint8 *freeable, *encoded, *encoded_end, *decoded; | ||
32 | + Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end; | ||
33 | Sint32 encoded_len, samplesleft; | ||
34 | Sint8 nybble, stereo; | ||
35 | Sint16 *coeff[2]; | ||
36 | @@ -142,6 +142,7 @@ | ||
37 | return(-1); | ||
38 | } | ||
39 | decoded = *audio_buf; | ||
40 | + decoded_end = decoded + *audio_len; | ||
41 | |||
42 | /* Get ready... Go! */ | ||
43 | stereo = (MS_ADPCM_state.wavefmt.channels == 2); | ||
44 | @@ -149,7 +150,7 @@ | ||
45 | state[1] = &MS_ADPCM_state.state[stereo]; | ||
46 | while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) { | ||
47 | /* Grab the initial information for this block */ | ||
48 | - if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto too_short; | ||
49 | + if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto invalid_size; | ||
50 | state[0]->hPredictor = *encoded++; | ||
51 | if ( stereo ) { | ||
52 | state[1]->hPredictor = *encoded++; | ||
53 | @@ -179,6 +180,7 @@ | ||
54 | coeff[1] = MS_ADPCM_state.aCoeff[state[1]->hPredictor]; | ||
55 | |||
56 | /* Store the two initial samples we start with */ | ||
57 | + if (decoded + 4 + (stereo ? 4 : 0) > decoded_end) goto invalid_size; | ||
58 | decoded[0] = state[0]->iSamp2&0xFF; | ||
59 | decoded[1] = state[0]->iSamp2>>8; | ||
60 | decoded += 2; | ||
61 | @@ -200,7 +202,8 @@ | ||
62 | samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)* | ||
63 | MS_ADPCM_state.wavefmt.channels; | ||
64 | while ( samplesleft > 0 ) { | ||
65 | - if (encoded + 1 > encoded_end) goto too_short; | ||
66 | + if (encoded + 1 > encoded_end) goto invalid_size; | ||
67 | + if (decoded + 4 > decoded_end) goto invalid_size; | ||
68 | |||
69 | nybble = (*encoded)>>4; | ||
70 | new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]); | ||
71 | @@ -223,8 +226,8 @@ | ||
72 | } | ||
73 | SDL_free(freeable); | ||
74 | return(0); | ||
75 | -too_short: | ||
76 | - SDL_SetError("Too short chunk for a MS ADPCM decoder"); | ||
77 | +invalid_size: | ||
78 | + SDL_SetError("Unexpected chunk length for a MS ADPCM decoder"); | ||
79 | SDL_free(freeable); | ||
80 | return(-1); | ||
81 | invalid_predictor: | ||
diff --git a/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7576.patch b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7576.patch new file mode 100644 index 0000000000..d9a505217b --- /dev/null +++ b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7576.patch | |||
@@ -0,0 +1,80 @@ | |||
1 | # HG changeset patch | ||
2 | # User Petr Písař <ppisar@redhat.com> | ||
3 | # Date 1560182783 25200 | ||
4 | # Mon Jun 10 09:06:23 2019 -0700 | ||
5 | # Branch SDL-1.2 | ||
6 | # Node ID fcbecae427951bac1684baaba2ade68221315140 | ||
7 | # Parent a8afedbcaea0e84921dc770195c4699bda3ccdc5 | ||
8 | CVE-2019-7573, CVE-2019-7576: Fix buffer overreads in InitMS_ADPCM | ||
9 | If MS ADPCM format chunk was too short, InitMS_ADPCM() parsing it | ||
10 | could read past the end of chunk data. This patch fixes it. | ||
11 | |||
12 | CVE-2019-7573 | ||
13 | https://bugzilla.libsdl.org/show_bug.cgi?id=4491 | ||
14 | CVE-2019-7576 | ||
15 | https://bugzilla.libsdl.org/show_bug.cgi?id=4490 | ||
16 | |||
17 | Signed-off-by: Petr Písař <ppisar@redhat.com> | ||
18 | |||
19 | CVE: CVE-2019-7573 | ||
20 | CVE: CVE-2019-7576 | ||
21 | Upstream-Status: Backport | ||
22 | Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> | ||
23 | |||
24 | diff -r a8afedbcaea0 -r fcbecae42795 src/audio/SDL_wave.c | ||
25 | --- a/src/audio/SDL_wave.c Mon Jun 10 08:57:11 2019 -0700 | ||
26 | +++ b/src/audio/SDL_wave.c Mon Jun 10 09:06:23 2019 -0700 | ||
27 | @@ -44,12 +44,13 @@ | ||
28 | struct MS_ADPCM_decodestate state[2]; | ||
29 | } MS_ADPCM_state; | ||
30 | |||
31 | -static int InitMS_ADPCM(WaveFMT *format) | ||
32 | +static int InitMS_ADPCM(WaveFMT *format, int length) | ||
33 | { | ||
34 | - Uint8 *rogue_feel; | ||
35 | + Uint8 *rogue_feel, *rogue_feel_end; | ||
36 | int i; | ||
37 | |||
38 | /* Set the rogue pointer to the MS_ADPCM specific data */ | ||
39 | + if (length < sizeof(*format)) goto too_short; | ||
40 | MS_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding); | ||
41 | MS_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels); | ||
42 | MS_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency); | ||
43 | @@ -58,9 +59,11 @@ | ||
44 | MS_ADPCM_state.wavefmt.bitspersample = | ||
45 | SDL_SwapLE16(format->bitspersample); | ||
46 | rogue_feel = (Uint8 *)format+sizeof(*format); | ||
47 | + rogue_feel_end = (Uint8 *)format + length; | ||
48 | if ( sizeof(*format) == 16 ) { | ||
49 | rogue_feel += sizeof(Uint16); | ||
50 | } | ||
51 | + if (rogue_feel + 4 > rogue_feel_end) goto too_short; | ||
52 | MS_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1]<<8)|rogue_feel[0]); | ||
53 | rogue_feel += sizeof(Uint16); | ||
54 | MS_ADPCM_state.wNumCoef = ((rogue_feel[1]<<8)|rogue_feel[0]); | ||
55 | @@ -70,12 +73,16 @@ | ||
56 | return(-1); | ||
57 | } | ||
58 | for ( i=0; i<MS_ADPCM_state.wNumCoef; ++i ) { | ||
59 | + if (rogue_feel + 4 > rogue_feel_end) goto too_short; | ||
60 | MS_ADPCM_state.aCoeff[i][0] = ((rogue_feel[1]<<8)|rogue_feel[0]); | ||
61 | rogue_feel += sizeof(Uint16); | ||
62 | MS_ADPCM_state.aCoeff[i][1] = ((rogue_feel[1]<<8)|rogue_feel[0]); | ||
63 | rogue_feel += sizeof(Uint16); | ||
64 | } | ||
65 | return(0); | ||
66 | +too_short: | ||
67 | + SDL_SetError("Unexpected length of a chunk with a MS ADPCM format"); | ||
68 | + return(-1); | ||
69 | } | ||
70 | |||
71 | static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state, | ||
72 | @@ -495,7 +502,7 @@ | ||
73 | break; | ||
74 | case MS_ADPCM_CODE: | ||
75 | /* Try to understand this */ | ||
76 | - if ( InitMS_ADPCM(format) < 0 ) { | ||
77 | + if ( InitMS_ADPCM(format, lenread) < 0 ) { | ||
78 | was_error = 1; | ||
79 | goto done; | ||
80 | } | ||
diff --git a/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7577.patch b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7577.patch new file mode 100644 index 0000000000..92e40aec5e --- /dev/null +++ b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7577.patch | |||
@@ -0,0 +1,123 @@ | |||
1 | # HG changeset patch | ||
2 | # User Petr Písař <ppisar@redhat.com> | ||
3 | # Date 1560182051 25200 | ||
4 | # Mon Jun 10 08:54:11 2019 -0700 | ||
5 | # Branch SDL-1.2 | ||
6 | # Node ID 416136310b88cbeeff8773e573e90ac1e22b3526 | ||
7 | # Parent a6e3d2f5183e1cc300ad993e10e9ce077e13bd9c | ||
8 | CVE-2019-7577: Fix a buffer overread in MS_ADPCM_decode | ||
9 | If RIFF/WAV data chunk length is shorter then expected for an audio | ||
10 | format defined in preceeding RIFF/WAV format headers, a buffer | ||
11 | overread can happen. | ||
12 | |||
13 | This patch fixes it by checking a MS ADPCM data to be decoded are not | ||
14 | past the initialized buffer. | ||
15 | |||
16 | CVE-2019-7577 | ||
17 | Reproducer: https://bugzilla.libsdl.org/show_bug.cgi?id=4492 | ||
18 | |||
19 | Signed-off-by: Petr Písař <ppisar@redhat.com> | ||
20 | |||
21 | # HG changeset patch | ||
22 | # User Petr Písař <ppisar@redhat.com> | ||
23 | # Date 1560182069 25200 | ||
24 | # Mon Jun 10 08:54:29 2019 -0700 | ||
25 | # Branch SDL-1.2 | ||
26 | # Node ID faf9abbcfb5fe0d0ca23c4bf0394aa226ceccf02 | ||
27 | # Parent 416136310b88cbeeff8773e573e90ac1e22b3526 | ||
28 | CVE-2019-7577: Fix a buffer overread in MS_ADPCM_nibble and MS_ADPCM_decode | ||
29 | If a chunk of RIFF/WAV file with MS ADPCM encoding contains an invalid | ||
30 | predictor (a valid predictor's value is between 0 and 6 inclusive), | ||
31 | a buffer overread can happen when the predictor is used as an index | ||
32 | into an array of MS ADPCM coefficients. | ||
33 | |||
34 | The overead happens when indexing MS_ADPCM_state.aCoeff[] array in | ||
35 | MS_ADPCM_decode() and later when dereferencing a coef pointer in | ||
36 | MS_ADPCM_nibble(). | ||
37 | |||
38 | This patch fixes it by checking the MS ADPCM predictor values fit | ||
39 | into the valid range. | ||
40 | |||
41 | CVE-2019-7577 | ||
42 | Reproducer: https://bugzilla.libsdl.org/show_bug.cgi?id=4492 | ||
43 | |||
44 | Signed-off-by: Petr Písař <ppisar@redhat.com> | ||
45 | |||
46 | CVE: CVE-2019-7577 | ||
47 | Upstream-Status: Backport | ||
48 | Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> | ||
49 | |||
50 | diff -r a6e3d2f5183e -r 416136310b88 src/audio/SDL_wave.c | ||
51 | --- a/src/audio/SDL_wave.c Mon Jun 10 08:50:59 2019 -0700 | ||
52 | +++ b/src/audio/SDL_wave.c Mon Jun 10 08:54:11 2019 -0700 | ||
53 | @@ -115,7 +115,7 @@ | ||
54 | static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) | ||
55 | { | ||
56 | struct MS_ADPCM_decodestate *state[2]; | ||
57 | - Uint8 *freeable, *encoded, *decoded; | ||
58 | + Uint8 *freeable, *encoded, *encoded_end, *decoded; | ||
59 | Sint32 encoded_len, samplesleft; | ||
60 | Sint8 nybble, stereo; | ||
61 | Sint16 *coeff[2]; | ||
62 | @@ -124,6 +124,7 @@ | ||
63 | /* Allocate the proper sized output buffer */ | ||
64 | encoded_len = *audio_len; | ||
65 | encoded = *audio_buf; | ||
66 | + encoded_end = encoded + encoded_len; | ||
67 | freeable = *audio_buf; | ||
68 | *audio_len = (encoded_len/MS_ADPCM_state.wavefmt.blockalign) * | ||
69 | MS_ADPCM_state.wSamplesPerBlock* | ||
70 | @@ -141,6 +142,7 @@ | ||
71 | state[1] = &MS_ADPCM_state.state[stereo]; | ||
72 | while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) { | ||
73 | /* Grab the initial information for this block */ | ||
74 | + if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto too_short; | ||
75 | state[0]->hPredictor = *encoded++; | ||
76 | if ( stereo ) { | ||
77 | state[1]->hPredictor = *encoded++; | ||
78 | @@ -188,6 +190,8 @@ | ||
79 | samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)* | ||
80 | MS_ADPCM_state.wavefmt.channels; | ||
81 | while ( samplesleft > 0 ) { | ||
82 | + if (encoded + 1 > encoded_end) goto too_short; | ||
83 | + | ||
84 | nybble = (*encoded)>>4; | ||
85 | new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]); | ||
86 | decoded[0] = new_sample&0xFF; | ||
87 | @@ -209,6 +213,10 @@ | ||
88 | } | ||
89 | SDL_free(freeable); | ||
90 | return(0); | ||
91 | +too_short: | ||
92 | + SDL_SetError("Too short chunk for a MS ADPCM decoder"); | ||
93 | + SDL_free(freeable); | ||
94 | + return(-1); | ||
95 | } | ||
96 | |||
97 | struct IMA_ADPCM_decodestate { | ||
98 | |||
99 | |||
100 | diff -r 416136310b88 -r faf9abbcfb5f src/audio/SDL_wave.c | ||
101 | --- a/src/audio/SDL_wave.c Mon Jun 10 08:54:11 2019 -0700 | ||
102 | +++ b/src/audio/SDL_wave.c Mon Jun 10 08:54:29 2019 -0700 | ||
103 | @@ -147,6 +147,9 @@ | ||
104 | if ( stereo ) { | ||
105 | state[1]->hPredictor = *encoded++; | ||
106 | } | ||
107 | + if (state[0]->hPredictor >= 7 || state[1]->hPredictor >= 7) { | ||
108 | + goto invalid_predictor; | ||
109 | + } | ||
110 | state[0]->iDelta = ((encoded[1]<<8)|encoded[0]); | ||
111 | encoded += sizeof(Sint16); | ||
112 | if ( stereo ) { | ||
113 | @@ -217,6 +220,10 @@ | ||
114 | SDL_SetError("Too short chunk for a MS ADPCM decoder"); | ||
115 | SDL_free(freeable); | ||
116 | return(-1); | ||
117 | +invalid_predictor: | ||
118 | + SDL_SetError("Invalid predictor value for a MS ADPCM decoder"); | ||
119 | + SDL_free(freeable); | ||
120 | + return(-1); | ||
121 | } | ||
122 | |||
123 | struct IMA_ADPCM_decodestate { | ||
diff --git a/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7578.patch b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7578.patch new file mode 100644 index 0000000000..7028890333 --- /dev/null +++ b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7578.patch | |||
@@ -0,0 +1,64 @@ | |||
1 | # HG changeset patch | ||
2 | # User Petr Písař <ppisar@redhat.com> | ||
3 | # Date 1560042129 25200 | ||
4 | # Sat Jun 08 18:02:09 2019 -0700 | ||
5 | # Branch SDL-1.2 | ||
6 | # Node ID 388987dff7bf8f1e214e69c2e4f1aa31e06396b5 | ||
7 | # Parent e52413f5258600878f9a10d2f92605a729aa8976 | ||
8 | CVE-2019-7578: Fix a buffer overread in InitIMA_ADPCM | ||
9 | If IMA ADPCM format chunk was too short, InitIMA_ADPCM() parsing it | ||
10 | could read past the end of chunk data. This patch fixes it. | ||
11 | |||
12 | CVE-2019-7578 | ||
13 | https://bugzilla.libsdl.org/show_bug.cgi?id=4494 | ||
14 | |||
15 | Signed-off-by: Petr Písař <ppisar@redhat.com> | ||
16 | |||
17 | CVE: CVE-2019-7578 | ||
18 | Upstream-Status: Backport | ||
19 | Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> | ||
20 | |||
21 | diff -r e52413f52586 -r 388987dff7bf src/audio/SDL_wave.c | ||
22 | --- a/src/audio/SDL_wave.c Sat Jun 08 17:57:43 2019 -0700 | ||
23 | +++ b/src/audio/SDL_wave.c Sat Jun 08 18:02:09 2019 -0700 | ||
24 | @@ -222,11 +222,12 @@ | ||
25 | struct IMA_ADPCM_decodestate state[2]; | ||
26 | } IMA_ADPCM_state; | ||
27 | |||
28 | -static int InitIMA_ADPCM(WaveFMT *format) | ||
29 | +static int InitIMA_ADPCM(WaveFMT *format, int length) | ||
30 | { | ||
31 | - Uint8 *rogue_feel; | ||
32 | + Uint8 *rogue_feel, *rogue_feel_end; | ||
33 | |||
34 | /* Set the rogue pointer to the IMA_ADPCM specific data */ | ||
35 | + if (length < sizeof(*format)) goto too_short; | ||
36 | IMA_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding); | ||
37 | IMA_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels); | ||
38 | IMA_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency); | ||
39 | @@ -235,11 +236,16 @@ | ||
40 | IMA_ADPCM_state.wavefmt.bitspersample = | ||
41 | SDL_SwapLE16(format->bitspersample); | ||
42 | rogue_feel = (Uint8 *)format+sizeof(*format); | ||
43 | + rogue_feel_end = (Uint8 *)format + length; | ||
44 | if ( sizeof(*format) == 16 ) { | ||
45 | rogue_feel += sizeof(Uint16); | ||
46 | } | ||
47 | + if (rogue_feel + 2 > rogue_feel_end) goto too_short; | ||
48 | IMA_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1]<<8)|rogue_feel[0]); | ||
49 | return(0); | ||
50 | +too_short: | ||
51 | + SDL_SetError("Unexpected length of a chunk with an IMA ADPCM format"); | ||
52 | + return(-1); | ||
53 | } | ||
54 | |||
55 | static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble) | ||
56 | @@ -471,7 +477,7 @@ | ||
57 | break; | ||
58 | case IMA_ADPCM_CODE: | ||
59 | /* Try to understand this */ | ||
60 | - if ( InitIMA_ADPCM(format) < 0 ) { | ||
61 | + if ( InitIMA_ADPCM(format, lenread) < 0 ) { | ||
62 | was_error = 1; | ||
63 | goto done; | ||
64 | } | ||
diff --git a/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7635.patch b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7635.patch new file mode 100644 index 0000000000..78af1b061d --- /dev/null +++ b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7635.patch | |||
@@ -0,0 +1,63 @@ | |||
1 | # HG changeset patch | ||
2 | # User Petr Písař <ppisar@redhat.com> | ||
3 | # Date 1560259692 25200 | ||
4 | # Tue Jun 11 06:28:12 2019 -0700 | ||
5 | # Branch SDL-1.2 | ||
6 | # Node ID f1f5878be5dbf63c1161a8ee52b8a86ece30e552 | ||
7 | # Parent a936f9bd3e381d67d8ddee8b9243f85799ea4798 | ||
8 | CVE-2019-7635: Reject BMP images with pixel colors out the palette | ||
9 | If a 1-, 4-, or 8-bit per pixel BMP image declares less used colors | ||
10 | than the palette offers an SDL_Surface with a palette of the indicated | ||
11 | number of used colors is created. If some of the image's pixel | ||
12 | refer to a color number higher then the maximal used colors, a subsequent | ||
13 | bliting operation on the surface will look up a color past a blit map | ||
14 | (that is based on the palette) memory. I.e. passing such SDL_Surface | ||
15 | to e.g. an SDL_DisplayFormat() function will result in a buffer overread in | ||
16 | a blit function. | ||
17 | |||
18 | This patch fixes it by validing each pixel's color to be less than the | ||
19 | maximal color number in the palette. A validation failure raises an | ||
20 | error from a SDL_LoadBMP_RW() function. | ||
21 | |||
22 | CVE-2019-7635 | ||
23 | https://bugzilla.libsdl.org/show_bug.cgi?id=4498 | ||
24 | |||
25 | Signed-off-by: Petr Písař <ppisar@redhat.com> | ||
26 | |||
27 | CVE: CVE-2019-7635 | ||
28 | Upstream-Status: Backport | ||
29 | Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> | ||
30 | |||
31 | diff -r a936f9bd3e38 -r f1f5878be5db src/video/SDL_bmp.c | ||
32 | --- a/src/video/SDL_bmp.c Mon Jun 10 09:25:05 2019 -0700 | ||
33 | +++ b/src/video/SDL_bmp.c Tue Jun 11 06:28:12 2019 -0700 | ||
34 | @@ -308,6 +308,12 @@ | ||
35 | } | ||
36 | *(bits+i) = (pixel>>shift); | ||
37 | pixel <<= ExpandBMP; | ||
38 | + if ( bits[i] >= biClrUsed ) { | ||
39 | + SDL_SetError( | ||
40 | + "A BMP image contains a pixel with a color out of the palette"); | ||
41 | + was_error = SDL_TRUE; | ||
42 | + goto done; | ||
43 | + } | ||
44 | } } | ||
45 | break; | ||
46 | |||
47 | @@ -318,6 +324,16 @@ | ||
48 | was_error = SDL_TRUE; | ||
49 | goto done; | ||
50 | } | ||
51 | + if ( 8 == biBitCount && palette && biClrUsed < (1 << biBitCount ) ) { | ||
52 | + for ( i=0; i<surface->w; ++i ) { | ||
53 | + if ( bits[i] >= biClrUsed ) { | ||
54 | + SDL_SetError( | ||
55 | + "A BMP image contains a pixel with a color out of the palette"); | ||
56 | + was_error = SDL_TRUE; | ||
57 | + goto done; | ||
58 | + } | ||
59 | + } | ||
60 | + } | ||
61 | #if SDL_BYTEORDER == SDL_BIG_ENDIAN | ||
62 | /* Byte-swap the pixels if needed. Note that the 24bpp | ||
63 | case has already been taken care of above. */ | ||
diff --git a/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7637.patch b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7637.patch new file mode 100644 index 0000000000..c95338e61a --- /dev/null +++ b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7637.patch | |||
@@ -0,0 +1,192 @@ | |||
1 | # HG changeset patch | ||
2 | # User Petr Písař <ppisar@redhat.com> | ||
3 | # Date 1552788984 25200 | ||
4 | # Sat Mar 16 19:16:24 2019 -0700 | ||
5 | # Branch SDL-1.2 | ||
6 | # Node ID 9b0e5c555c0f5ce6d2c3c19da6cc2c7fb5048bf2 | ||
7 | # Parent 4646533663ae1d80c2cc6b2d6dbfb37c62491c1e | ||
8 | CVE-2019-7637: Fix in integer overflow in SDL_CalculatePitch | ||
9 | If a too large width is passed to SDL_SetVideoMode() the width travels | ||
10 | to SDL_CalculatePitch() where the width (e.g. 65535) is multiplied by | ||
11 | BytesPerPixel (e.g. 4) and the result is stored into Uint16 pitch | ||
12 | variable. During this arithmetics an integer overflow can happen (e.g. | ||
13 | the value is clamped as 65532). As a result SDL_Surface with a pitch | ||
14 | smaller than width * BytesPerPixel is created, too small pixel buffer | ||
15 | is allocated and when the SDL_Surface is processed in SDL_FillRect() | ||
16 | a buffer overflow occurs. | ||
17 | |||
18 | This can be reproduced with "./graywin -width 21312312313123213213213" | ||
19 | command. | ||
20 | |||
21 | This patch fixes is by using a very careful arithmetics in | ||
22 | SDL_CalculatePitch(). If an overflow is detected, an error is reported | ||
23 | back as a special 0 value. We assume that 0-width surfaces do not | ||
24 | occur in the wild. Since SDL_CalculatePitch() is a private function, | ||
25 | we can change the semantics. | ||
26 | |||
27 | CVE-2019-7637 | ||
28 | https://bugzilla.libsdl.org/show_bug.cgi?id=4497 | ||
29 | |||
30 | Signed-off-by: Petr Písař <ppisar@redhat.com> | ||
31 | |||
32 | CVE: CVE-2019-7637 | ||
33 | Upstream-Status: Backport | ||
34 | Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> | ||
35 | |||
36 | diff -r 4646533663ae -r 9b0e5c555c0f src/video/SDL_pixels.c | ||
37 | --- a/src/video/SDL_pixels.c Sat Mar 16 18:35:33 2019 -0700 | ||
38 | +++ b/src/video/SDL_pixels.c Sat Mar 16 19:16:24 2019 -0700 | ||
39 | @@ -286,26 +286,53 @@ | ||
40 | } | ||
41 | } | ||
42 | /* | ||
43 | - * Calculate the pad-aligned scanline width of a surface | ||
44 | + * Calculate the pad-aligned scanline width of a surface. Return 0 in case of | ||
45 | + * an error. | ||
46 | */ | ||
47 | Uint16 SDL_CalculatePitch(SDL_Surface *surface) | ||
48 | { | ||
49 | - Uint16 pitch; | ||
50 | + unsigned int pitch = 0; | ||
51 | |||
52 | /* Surface should be 4-byte aligned for speed */ | ||
53 | - pitch = surface->w*surface->format->BytesPerPixel; | ||
54 | + /* The code tries to prevent from an Uint16 overflow. */; | ||
55 | + for (Uint8 byte = surface->format->BytesPerPixel; byte; byte--) { | ||
56 | + pitch += (unsigned int)surface->w; | ||
57 | + if (pitch < surface->w) { | ||
58 | + SDL_SetError("A scanline is too wide"); | ||
59 | + return(0); | ||
60 | + } | ||
61 | + } | ||
62 | switch (surface->format->BitsPerPixel) { | ||
63 | case 1: | ||
64 | - pitch = (pitch+7)/8; | ||
65 | + if (pitch % 8) { | ||
66 | + pitch = pitch / 8 + 1; | ||
67 | + } else { | ||
68 | + pitch = pitch / 8; | ||
69 | + } | ||
70 | break; | ||
71 | case 4: | ||
72 | - pitch = (pitch+1)/2; | ||
73 | + if (pitch % 2) { | ||
74 | + pitch = pitch / 2 + 1; | ||
75 | + } else { | ||
76 | + pitch = pitch / 2; | ||
77 | + } | ||
78 | break; | ||
79 | default: | ||
80 | break; | ||
81 | } | ||
82 | - pitch = (pitch + 3) & ~3; /* 4-byte aligning */ | ||
83 | - return(pitch); | ||
84 | + /* 4-byte aligning */ | ||
85 | + if (pitch & 3) { | ||
86 | + if (pitch + 3 < pitch) { | ||
87 | + SDL_SetError("A scanline is too wide"); | ||
88 | + return(0); | ||
89 | + } | ||
90 | + pitch = (pitch + 3) & ~3; | ||
91 | + } | ||
92 | + if (pitch > 0xFFFF) { | ||
93 | + SDL_SetError("A scanline is too wide"); | ||
94 | + return(0); | ||
95 | + } | ||
96 | + return((Uint16)pitch); | ||
97 | } | ||
98 | /* | ||
99 | * Match an RGB value to a particular palette index | ||
100 | diff -r 4646533663ae -r 9b0e5c555c0f src/video/gapi/SDL_gapivideo.c | ||
101 | --- a/src/video/gapi/SDL_gapivideo.c Sat Mar 16 18:35:33 2019 -0700 | ||
102 | +++ b/src/video/gapi/SDL_gapivideo.c Sat Mar 16 19:16:24 2019 -0700 | ||
103 | @@ -733,6 +733,9 @@ | ||
104 | video->w = gapi->w = width; | ||
105 | video->h = gapi->h = height; | ||
106 | video->pitch = SDL_CalculatePitch(video); | ||
107 | + if (!current->pitch) { | ||
108 | + return(NULL); | ||
109 | + } | ||
110 | |||
111 | /* Small fix for WinCE/Win32 - when activating window | ||
112 | SDL_VideoSurface is equal to zero, so activating code | ||
113 | diff -r 4646533663ae -r 9b0e5c555c0f src/video/nanox/SDL_nxvideo.c | ||
114 | --- a/src/video/nanox/SDL_nxvideo.c Sat Mar 16 18:35:33 2019 -0700 | ||
115 | +++ b/src/video/nanox/SDL_nxvideo.c Sat Mar 16 19:16:24 2019 -0700 | ||
116 | @@ -378,6 +378,10 @@ | ||
117 | current -> w = width ; | ||
118 | current -> h = height ; | ||
119 | current -> pitch = SDL_CalculatePitch (current) ; | ||
120 | + if (!current->pitch) { | ||
121 | + current = NULL; | ||
122 | + goto done; | ||
123 | + } | ||
124 | NX_ResizeImage (this, current, flags) ; | ||
125 | } | ||
126 | |||
127 | diff -r 4646533663ae -r 9b0e5c555c0f src/video/ps2gs/SDL_gsvideo.c | ||
128 | --- a/src/video/ps2gs/SDL_gsvideo.c Sat Mar 16 18:35:33 2019 -0700 | ||
129 | +++ b/src/video/ps2gs/SDL_gsvideo.c Sat Mar 16 19:16:24 2019 -0700 | ||
130 | @@ -479,6 +479,9 @@ | ||
131 | current->w = width; | ||
132 | current->h = height; | ||
133 | current->pitch = SDL_CalculatePitch(current); | ||
134 | + if (!current->pitch) { | ||
135 | + return(NULL); | ||
136 | + } | ||
137 | |||
138 | /* Memory map the DMA area for block memory transfer */ | ||
139 | if ( ! mapped_mem ) { | ||
140 | diff -r 4646533663ae -r 9b0e5c555c0f src/video/ps3/SDL_ps3video.c | ||
141 | --- a/src/video/ps3/SDL_ps3video.c Sat Mar 16 18:35:33 2019 -0700 | ||
142 | +++ b/src/video/ps3/SDL_ps3video.c Sat Mar 16 19:16:24 2019 -0700 | ||
143 | @@ -339,6 +339,9 @@ | ||
144 | current->w = width; | ||
145 | current->h = height; | ||
146 | current->pitch = SDL_CalculatePitch(current); | ||
147 | + if (!current->pitch) { | ||
148 | + return(NULL); | ||
149 | + } | ||
150 | |||
151 | /* Alloc aligned mem for current->pixels */ | ||
152 | s_pixels = memalign(16, current->h * current->pitch); | ||
153 | diff -r 4646533663ae -r 9b0e5c555c0f src/video/windib/SDL_dibvideo.c | ||
154 | --- a/src/video/windib/SDL_dibvideo.c Sat Mar 16 18:35:33 2019 -0700 | ||
155 | +++ b/src/video/windib/SDL_dibvideo.c Sat Mar 16 19:16:24 2019 -0700 | ||
156 | @@ -675,6 +675,9 @@ | ||
157 | video->w = width; | ||
158 | video->h = height; | ||
159 | video->pitch = SDL_CalculatePitch(video); | ||
160 | + if (!current->pitch) { | ||
161 | + return(NULL); | ||
162 | + } | ||
163 | |||
164 | /* Small fix for WinCE/Win32 - when activating window | ||
165 | SDL_VideoSurface is equal to zero, so activating code | ||
166 | diff -r 4646533663ae -r 9b0e5c555c0f src/video/windx5/SDL_dx5video.c | ||
167 | --- a/src/video/windx5/SDL_dx5video.c Sat Mar 16 18:35:33 2019 -0700 | ||
168 | +++ b/src/video/windx5/SDL_dx5video.c Sat Mar 16 19:16:24 2019 -0700 | ||
169 | @@ -1127,6 +1127,9 @@ | ||
170 | video->w = width; | ||
171 | video->h = height; | ||
172 | video->pitch = SDL_CalculatePitch(video); | ||
173 | + if (!current->pitch) { | ||
174 | + return(NULL); | ||
175 | + } | ||
176 | |||
177 | #ifndef NO_CHANGEDISPLAYSETTINGS | ||
178 | /* Set fullscreen mode if appropriate. | ||
179 | diff -r 4646533663ae -r 9b0e5c555c0f src/video/x11/SDL_x11video.c | ||
180 | --- a/src/video/x11/SDL_x11video.c Sat Mar 16 18:35:33 2019 -0700 | ||
181 | +++ b/src/video/x11/SDL_x11video.c Sat Mar 16 19:16:24 2019 -0700 | ||
182 | @@ -1225,6 +1225,10 @@ | ||
183 | current->w = width; | ||
184 | current->h = height; | ||
185 | current->pitch = SDL_CalculatePitch(current); | ||
186 | + if (!current->pitch) { | ||
187 | + current = NULL; | ||
188 | + goto done; | ||
189 | + } | ||
190 | if (X11_ResizeImage(this, current, flags) < 0) { | ||
191 | current = NULL; | ||
192 | goto done; | ||
diff --git a/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7638.patch b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7638.patch new file mode 100644 index 0000000000..dab9aaeb2b --- /dev/null +++ b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7638.patch | |||
@@ -0,0 +1,38 @@ | |||
1 | # HG changeset patch | ||
2 | # User Sam Lantinga <slouken@libsdl.org> | ||
3 | # Date 1550504903 28800 | ||
4 | # Mon Feb 18 07:48:23 2019 -0800 | ||
5 | # Branch SDL-1.2 | ||
6 | # Node ID 19d8c3b9c25143f71a34ff40ce1df91b4b3e3b78 | ||
7 | # Parent 8586f153eedec4c4e07066d6248ebdf67f10a229 | ||
8 | Fixed bug 4500 - Heap-Buffer Overflow in Map1toN pertaining to SDL_pixels.c | ||
9 | |||
10 | Petr Pisar | ||
11 | |||
12 | The reproducer has these data in BITMAPINFOHEADER: | ||
13 | |||
14 | biSize = 40 | ||
15 | biBitCount = 8 | ||
16 | biClrUsed = 131075 | ||
17 | |||
18 | SDL_LoadBMP_RW() function passes biBitCount as a color depth to SDL_CreateRGBSurface(), thus 256-color pallete is allocated. But then biClrUsed colors are read from a file and stored into the palette. SDL_LoadBMP_RW should report an error if biClrUsed is greater than 2^biBitCount. | ||
19 | |||
20 | CVE: CVE-2019-7638 | ||
21 | CVE: CVE-2019-7636 | ||
22 | Upstream-Status: Backport | ||
23 | Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> | ||
24 | |||
25 | diff -r 8586f153eede -r 19d8c3b9c251 src/video/SDL_bmp.c | ||
26 | --- a/src/video/SDL_bmp.c Sun Jan 13 15:27:50 2019 +0100 | ||
27 | +++ b/src/video/SDL_bmp.c Mon Feb 18 07:48:23 2019 -0800 | ||
28 | @@ -233,6 +233,10 @@ | ||
29 | if ( palette ) { | ||
30 | if ( biClrUsed == 0 ) { | ||
31 | biClrUsed = 1 << biBitCount; | ||
32 | + } else if ( biClrUsed > (1 << biBitCount) ) { | ||
33 | + SDL_SetError("BMP file has an invalid number of colors"); | ||
34 | + was_error = SDL_TRUE; | ||
35 | + goto done; | ||
36 | } | ||
37 | if ( biSize == 12 ) { | ||
38 | for ( i = 0; i < (int)biClrUsed; ++i ) { | ||
diff --git a/meta/recipes-graphics/libsdl/libsdl_1.2.15.bb b/meta/recipes-graphics/libsdl/libsdl_1.2.15.bb index 3680ea9d80..d61ee0f981 100644 --- a/meta/recipes-graphics/libsdl/libsdl_1.2.15.bb +++ b/meta/recipes-graphics/libsdl/libsdl_1.2.15.bb | |||
@@ -18,6 +18,15 @@ SRC_URI = "http://www.libsdl.org/release/SDL-${PV}.tar.gz \ | |||
18 | file://libsdl-1.2.15-xdata32.patch \ | 18 | file://libsdl-1.2.15-xdata32.patch \ |
19 | file://pkgconfig.patch \ | 19 | file://pkgconfig.patch \ |
20 | file://0001-build-Pass-tag-CC-explictly-when-using-libtool.patch \ | 20 | file://0001-build-Pass-tag-CC-explictly-when-using-libtool.patch \ |
21 | file://CVE-2019-7577.patch \ | ||
22 | file://CVE-2019-7574.patch \ | ||
23 | file://CVE-2019-7572.patch \ | ||
24 | file://CVE-2019-7578.patch \ | ||
25 | file://CVE-2019-7575.patch \ | ||
26 | file://CVE-2019-7635.patch \ | ||
27 | file://CVE-2019-7637.patch \ | ||
28 | file://CVE-2019-7638.patch \ | ||
29 | file://CVE-2019-7576.patch \ | ||
21 | " | 30 | " |
22 | 31 | ||
23 | UPSTREAM_CHECK_REGEX = "SDL-(?P<pver>\d+(\.\d+)+)\.tar" | 32 | UPSTREAM_CHECK_REGEX = "SDL-(?P<pver>\d+(\.\d+)+)\.tar" |