1 files changed, 192 insertions, 0 deletions
diff --git a/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7637.patch b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7637.patch
new file mode 100644
index 0000000000..c95338e61a
--- /dev/null
+++ b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7637.patch
@@ -0,0 +1,192 @@
+# HG changeset patch
+# User Petr Písař <ppisar@redhat.com>
+# Date 1552788984 25200
+#      Sat Mar 16 19:16:24 2019 -0700
+# Branch SDL-1.2
+# Node ID 9b0e5c555c0f5ce6d2c3c19da6cc2c7fb5048bf2
+# Parent  4646533663ae1d80c2cc6b2d6dbfb37c62491c1e
+CVE-2019-7637: Fix in integer overflow in SDL_CalculatePitch
+If a too large width is passed to SDL_SetVideoMode() the width travels
+to SDL_CalculatePitch() where the width (e.g. 65535) is multiplied by
+BytesPerPixel (e.g. 4) and the result is stored into Uint16 pitch
+variable. During this arithmetics an integer overflow can happen (e.g.
+the value is clamped as 65532). As a result SDL_Surface with a pitch
+smaller than width * BytesPerPixel is created, too small pixel buffer
+is allocated and when the SDL_Surface is processed in SDL_FillRect()
+a buffer overflow occurs.
+This can be reproduced with "./graywin -width 21312312313123213213213"
+command.
+This patch fixes is by using a very careful arithmetics in
+SDL_CalculatePitch(). If an overflow is detected, an error is reported
+back as a special 0 value. We assume that 0-width surfaces do not
+occur in the wild. Since SDL_CalculatePitch() is a private function,
+we can change the semantics.
+CVE-2019-7637
+https://bugzilla.libsdl.org/show_bug.cgi?id=4497
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+CVE: CVE-2019-7637
+Upstream-Status: Backport
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+diff -r 4646533663ae -r 9b0e5c555c0f src/video/SDL_pixels.c
+--- a/src/video/SDL_pixels.c    Sat Mar 16 18:35:33 2019 -0700
+++ b/src/video/SDL_pixels.c    Sat Mar 16 19:16:24 2019 -0700
+@@ -286,26 +286,53 @@
+        }
+ }
+ /* 
+- * Calculate the pad-aligned scanline width of a surface
+ * Calculate the pad-aligned scanline width of a surface. Return 0 in case of
+ * an error.
+  */
+ Uint16 SDL_CalculatePitch(SDL_Surface *surface)
+ {
+-       Uint16 pitch;
+       unsigned int pitch = 0;
+ 
+        /* Surface should be 4-byte aligned for speed */
+-       pitch = surface->w*surface->format->BytesPerPixel;
+       /* The code tries to prevent from an Uint16 overflow. */;
+       for (Uint8 byte = surface->format->BytesPerPixel; byte; byte--) {
+               pitch += (unsigned int)surface->w;
+               if (pitch < surface->w) {
+                       SDL_SetError("A scanline is too wide");
+                       return(0);
+               }
+       }
+        switch (surface->format->BitsPerPixel) {
+                case 1:
+-                       pitch = (pitch+7)/8;
+                       if (pitch % 8) {
+                               pitch = pitch / 8 + 1;
+                       } else {
+                               pitch = pitch / 8;
+                       }
+                        break;
+                case 4:
+-                       pitch = (pitch+1)/2;
+                       if (pitch % 2) {
+                               pitch = pitch / 2 + 1;
+                       } else {
+                               pitch = pitch / 2;
+                       }
+                        break;
+                default:
+                        break;
+        }
+-       pitch = (pitch + 3) & ~3;       /* 4-byte aligning */
+-       return(pitch);
+       /* 4-byte aligning */
+       if (pitch & 3) {
+               if (pitch + 3 < pitch) {
+                       SDL_SetError("A scanline is too wide");
+                       return(0);
+               }
+               pitch = (pitch + 3) & ~3;
+       }
+       if (pitch > 0xFFFF) {
+               SDL_SetError("A scanline is too wide");
+               return(0);
+       }
+       return((Uint16)pitch);
+ }
+ /*
+  * Match an RGB value to a particular palette index
+diff -r 4646533663ae -r 9b0e5c555c0f src/video/gapi/SDL_gapivideo.c
+--- a/src/video/gapi/SDL_gapivideo.c    Sat Mar 16 18:35:33 2019 -0700
+++ b/src/video/gapi/SDL_gapivideo.c    Sat Mar 16 19:16:24 2019 -0700
+@@ -733,6 +733,9 @@
+        video->w = gapi->w = width;
+        video->h = gapi->h = height;
+        video->pitch = SDL_CalculatePitch(video); 
+       if (!current->pitch) {
+               return(NULL);
+       }
+ 
+        /* Small fix for WinCE/Win32 - when activating window
+           SDL_VideoSurface is equal to zero, so activating code
+diff -r 4646533663ae -r 9b0e5c555c0f src/video/nanox/SDL_nxvideo.c
+--- a/src/video/nanox/SDL_nxvideo.c     Sat Mar 16 18:35:33 2019 -0700
+++ b/src/video/nanox/SDL_nxvideo.c     Sat Mar 16 19:16:24 2019 -0700
+@@ -378,6 +378,10 @@
+         current -> w = width ;
+         current -> h = height ;
+         current -> pitch = SDL_CalculatePitch (current) ;
+        if (!current->pitch) {
+            current = NULL;
+            goto done;
+        }
+         NX_ResizeImage (this, current, flags) ;
+     }
+ 
+diff -r 4646533663ae -r 9b0e5c555c0f src/video/ps2gs/SDL_gsvideo.c
+--- a/src/video/ps2gs/SDL_gsvideo.c     Sat Mar 16 18:35:33 2019 -0700
+++ b/src/video/ps2gs/SDL_gsvideo.c     Sat Mar 16 19:16:24 2019 -0700
+@@ -479,6 +479,9 @@
+        current->w = width;
+        current->h = height;
+        current->pitch = SDL_CalculatePitch(current);
+       if (!current->pitch) {
+               return(NULL);
+       }
+ 
+        /* Memory map the DMA area for block memory transfer */
+        if ( ! mapped_mem ) {
+diff -r 4646533663ae -r 9b0e5c555c0f src/video/ps3/SDL_ps3video.c
+--- a/src/video/ps3/SDL_ps3video.c      Sat Mar 16 18:35:33 2019 -0700
+++ b/src/video/ps3/SDL_ps3video.c      Sat Mar 16 19:16:24 2019 -0700
+@@ -339,6 +339,9 @@
+        current->w = width;
+        current->h = height;
+        current->pitch = SDL_CalculatePitch(current);
+       if (!current->pitch) {
+               return(NULL);
+       }
+ 
+        /* Alloc aligned mem for current->pixels */
+        s_pixels = memalign(16, current->h * current->pitch);
+diff -r 4646533663ae -r 9b0e5c555c0f src/video/windib/SDL_dibvideo.c
+--- a/src/video/windib/SDL_dibvideo.c   Sat Mar 16 18:35:33 2019 -0700
+++ b/src/video/windib/SDL_dibvideo.c   Sat Mar 16 19:16:24 2019 -0700
+@@ -675,6 +675,9 @@
+        video->w = width;
+        video->h = height;
+        video->pitch = SDL_CalculatePitch(video);
+       if (!current->pitch) {
+               return(NULL);
+       }
+ 
+        /* Small fix for WinCE/Win32 - when activating window
+           SDL_VideoSurface is equal to zero, so activating code
+diff -r 4646533663ae -r 9b0e5c555c0f src/video/windx5/SDL_dx5video.c
+--- a/src/video/windx5/SDL_dx5video.c   Sat Mar 16 18:35:33 2019 -0700
+++ b/src/video/windx5/SDL_dx5video.c   Sat Mar 16 19:16:24 2019 -0700
+@@ -1127,6 +1127,9 @@
+                video->w = width;
+                video->h = height;
+                video->pitch = SDL_CalculatePitch(video);
+               if (!current->pitch) {
+                       return(NULL);
+               }
+ 
+ #ifndef NO_CHANGEDISPLAYSETTINGS
+                /* Set fullscreen mode if appropriate.
+diff -r 4646533663ae -r 9b0e5c555c0f src/video/x11/SDL_x11video.c
+--- a/src/video/x11/SDL_x11video.c      Sat Mar 16 18:35:33 2019 -0700
+++ b/src/video/x11/SDL_x11video.c      Sat Mar 16 19:16:24 2019 -0700
+@@ -1225,6 +1225,10 @@
+                current->w = width;
+                current->h = height;
+                current->pitch = SDL_CalculatePitch(current);
+               if (!current->pitch) {
+                       current = NULL;
+                       goto done;
+               }
+                if (X11_ResizeImage(this, current, flags) < 0) {
+                        current = NULL;
+                        goto done;

diff --git a/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7637.patch b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7637.patch new file mode 100644 index 0000000000..c95338e61a --- /dev/null +++ b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7637.patch
@@ -0,0 +1,192 @@
	1	# HG changeset patch
	2	# User Petr Písař <ppisar@redhat.com>
	3	# Date 1552788984 25200
	4	# Sat Mar 16 19:16:24 2019 -0700
	5	# Branch SDL-1.2
	6	# Node ID 9b0e5c555c0f5ce6d2c3c19da6cc2c7fb5048bf2
	7	# Parent 4646533663ae1d80c2cc6b2d6dbfb37c62491c1e
	8	CVE-2019-7637: Fix in integer overflow in SDL_CalculatePitch
	9	If a too large width is passed to SDL_SetVideoMode() the width travels
	10	to SDL_CalculatePitch() where the width (e.g. 65535) is multiplied by
	11	BytesPerPixel (e.g. 4) and the result is stored into Uint16 pitch
	12	variable. During this arithmetics an integer overflow can happen (e.g.
	13	the value is clamped as 65532). As a result SDL_Surface with a pitch
	14	smaller than width * BytesPerPixel is created, too small pixel buffer
	15	is allocated and when the SDL_Surface is processed in SDL_FillRect()
	16	a buffer overflow occurs.
	17
	18	This can be reproduced with "./graywin -width 21312312313123213213213"
	19	command.
	20
	21	This patch fixes is by using a very careful arithmetics in
	22	SDL_CalculatePitch(). If an overflow is detected, an error is reported
	23	back as a special 0 value. We assume that 0-width surfaces do not
	24	occur in the wild. Since SDL_CalculatePitch() is a private function,
	25	we can change the semantics.
	26
	27	CVE-2019-7637
	28	https://bugzilla.libsdl.org/show_bug.cgi?id=4497
	29
	30	Signed-off-by: Petr Písař <ppisar@redhat.com>
	31
	32	CVE: CVE-2019-7637
	33	Upstream-Status: Backport
	34	Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
	35
	36	diff -r 4646533663ae -r 9b0e5c555c0f src/video/SDL_pixels.c
	37	--- a/src/video/SDL_pixels.c Sat Mar 16 18:35:33 2019 -0700
	38	+++ b/src/video/SDL_pixels.c Sat Mar 16 19:16:24 2019 -0700
	39	@@ -286,26 +286,53 @@
	40	}
	41	}
	42	/*
	43	- * Calculate the pad-aligned scanline width of a surface
	44	+ * Calculate the pad-aligned scanline width of a surface. Return 0 in case of
	45	+ * an error.
	46	*/
	47	Uint16 SDL_CalculatePitch(SDL_Surface *surface)
	48	{
	49	- Uint16 pitch;
	50	+ unsigned int pitch = 0;
	51
	52	/* Surface should be 4-byte aligned for speed */
	53	- pitch = surface->w*surface->format->BytesPerPixel;
	54	+ /* The code tries to prevent from an Uint16 overflow. */;
	55	+ for (Uint8 byte = surface->format->BytesPerPixel; byte; byte--) {
	56	+ pitch += (unsigned int)surface->w;
	57	+ if (pitch < surface->w) {
	58	+ SDL_SetError("A scanline is too wide");
	59	+ return(0);
	60	+ }
	61	+ }
	62	switch (surface->format->BitsPerPixel) {
	63	case 1:
	64	- pitch = (pitch+7)/8;
	65	+ if (pitch % 8) {
	66	+ pitch = pitch / 8 + 1;
	67	+ } else {
	68	+ pitch = pitch / 8;
	69	+ }
	70	break;
	71	case 4:
	72	- pitch = (pitch+1)/2;
	73	+ if (pitch % 2) {
	74	+ pitch = pitch / 2 + 1;
	75	+ } else {
	76	+ pitch = pitch / 2;
	77	+ }
	78	break;
	79	default:
	80	break;
	81	}
	82	- pitch = (pitch + 3) & ~3; /* 4-byte aligning */
	83	- return(pitch);
	84	+ /* 4-byte aligning */
	85	+ if (pitch & 3) {
	86	+ if (pitch + 3 < pitch) {
	87	+ SDL_SetError("A scanline is too wide");
	88	+ return(0);
	89	+ }
	90	+ pitch = (pitch + 3) & ~3;
	91	+ }
	92	+ if (pitch > 0xFFFF) {
	93	+ SDL_SetError("A scanline is too wide");
	94	+ return(0);
	95	+ }
	96	+ return((Uint16)pitch);
	97	}
	98	/*
	99	* Match an RGB value to a particular palette index
	100	diff -r 4646533663ae -r 9b0e5c555c0f src/video/gapi/SDL_gapivideo.c
	101	--- a/src/video/gapi/SDL_gapivideo.c Sat Mar 16 18:35:33 2019 -0700
	102	+++ b/src/video/gapi/SDL_gapivideo.c Sat Mar 16 19:16:24 2019 -0700
	103	@@ -733,6 +733,9 @@
	104	video->w = gapi->w = width;
	105	video->h = gapi->h = height;
	106	video->pitch = SDL_CalculatePitch(video);
	107	+ if (!current->pitch) {
	108	+ return(NULL);
	109	+ }
	110
	111	/* Small fix for WinCE/Win32 - when activating window
	112	SDL_VideoSurface is equal to zero, so activating code
	113	diff -r 4646533663ae -r 9b0e5c555c0f src/video/nanox/SDL_nxvideo.c
	114	--- a/src/video/nanox/SDL_nxvideo.c Sat Mar 16 18:35:33 2019 -0700
	115	+++ b/src/video/nanox/SDL_nxvideo.c Sat Mar 16 19:16:24 2019 -0700
	116	@@ -378,6 +378,10 @@
	117	current -> w = width ;
	118	current -> h = height ;
	119	current -> pitch = SDL_CalculatePitch (current) ;
	120	+ if (!current->pitch) {
	121	+ current = NULL;
	122	+ goto done;
	123	+ }
	124	NX_ResizeImage (this, current, flags) ;
	125	}
	126
	127	diff -r 4646533663ae -r 9b0e5c555c0f src/video/ps2gs/SDL_gsvideo.c
	128	--- a/src/video/ps2gs/SDL_gsvideo.c Sat Mar 16 18:35:33 2019 -0700
	129	+++ b/src/video/ps2gs/SDL_gsvideo.c Sat Mar 16 19:16:24 2019 -0700
	130	@@ -479,6 +479,9 @@
	131	current->w = width;
	132	current->h = height;
	133	current->pitch = SDL_CalculatePitch(current);
	134	+ if (!current->pitch) {
	135	+ return(NULL);
	136	+ }
	137
	138	/* Memory map the DMA area for block memory transfer */
	139	if ( ! mapped_mem ) {
	140	diff -r 4646533663ae -r 9b0e5c555c0f src/video/ps3/SDL_ps3video.c
	141	--- a/src/video/ps3/SDL_ps3video.c Sat Mar 16 18:35:33 2019 -0700
	142	+++ b/src/video/ps3/SDL_ps3video.c Sat Mar 16 19:16:24 2019 -0700
	143	@@ -339,6 +339,9 @@
	144	current->w = width;
	145	current->h = height;
	146	current->pitch = SDL_CalculatePitch(current);
	147	+ if (!current->pitch) {
	148	+ return(NULL);
	149	+ }
	150
	151	/* Alloc aligned mem for current->pixels */
	152	s_pixels = memalign(16, current->h * current->pitch);
	153	diff -r 4646533663ae -r 9b0e5c555c0f src/video/windib/SDL_dibvideo.c
	154	--- a/src/video/windib/SDL_dibvideo.c Sat Mar 16 18:35:33 2019 -0700
	155	+++ b/src/video/windib/SDL_dibvideo.c Sat Mar 16 19:16:24 2019 -0700
	156	@@ -675,6 +675,9 @@
	157	video->w = width;
	158	video->h = height;
	159	video->pitch = SDL_CalculatePitch(video);
	160	+ if (!current->pitch) {
	161	+ return(NULL);
	162	+ }
	163
	164	/* Small fix for WinCE/Win32 - when activating window
	165	SDL_VideoSurface is equal to zero, so activating code
	166	diff -r 4646533663ae -r 9b0e5c555c0f src/video/windx5/SDL_dx5video.c
	167	--- a/src/video/windx5/SDL_dx5video.c Sat Mar 16 18:35:33 2019 -0700
	168	+++ b/src/video/windx5/SDL_dx5video.c Sat Mar 16 19:16:24 2019 -0700
	169	@@ -1127,6 +1127,9 @@
	170	video->w = width;
	171	video->h = height;
	172	video->pitch = SDL_CalculatePitch(video);
	173	+ if (!current->pitch) {
	174	+ return(NULL);
	175	+ }
	176
	177	#ifndef NO_CHANGEDISPLAYSETTINGS
	178	/* Set fullscreen mode if appropriate.
	179	diff -r 4646533663ae -r 9b0e5c555c0f src/video/x11/SDL_x11video.c
	180	--- a/src/video/x11/SDL_x11video.c Sat Mar 16 18:35:33 2019 -0700
	181	+++ b/src/video/x11/SDL_x11video.c Sat Mar 16 19:16:24 2019 -0700
	182	@@ -1225,6 +1225,10 @@
	183	current->w = width;
	184	current->h = height;
	185	current->pitch = SDL_CalculatePitch(current);
	186	+ if (!current->pitch) {
	187	+ current = NULL;
	188	+ goto done;
	189	+ }
	190	if (X11_ResizeImage(this, current, flags) < 0) {
	191	current = NULL;
	192	goto done;