4 files changed, 158 insertions, 0 deletions
diff --git a/meta/recipes-graphics/libsdl2/libsdl2/CVE-2020-14409-14410.patch b/meta/recipes-graphics/libsdl2/libsdl2/CVE-2020-14409-14410.patch
new file mode 100644
index 0000000000..d8fa24bc65
--- /dev/null
+++ b/meta/recipes-graphics/libsdl2/libsdl2/CVE-2020-14409-14410.patch
@@ -0,0 +1,79 @@
+From a7ff6e96155f550a5597621ebeddd03c98aa9294 Mon Sep 17 00:00:00 2001
+From: Sam Lantinga <slouken@libsdl.org>
+Date: Wed, 17 Jun 2020 08:44:45 -0700
+Subject: [PATCH] Fixed overflow in surface pitch calculation
+Upstream-Status: Backport
+[https://github.com/libsdl-org/SDL/commit/a7ff6e96155f550a5597621ebeddd03c98aa9294]
+CVE: CVE-2020-14409 CVE-2020-14410
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ src/video/SDL_surface.c | 23 +++++++++++++++--------
+ 1 file changed, 15 insertions(+), 8 deletions(-)
+diff --git a/src/video/SDL_surface.c b/src/video/SDL_surface.c
+index 085d9ff1e..bff826f7c 100644
+--- a/src/video/SDL_surface.c
+++ b/src/video/SDL_surface.c
+@@ -28,24 +28,23 @@
+ #include "SDL_yuv_c.h"
+ 
+ 
+-/* Check to make sure we can safely check multiplication of surface w and pitch and it won't overflow size_t */
+-SDL_COMPILE_TIME_ASSERT(surface_size_assumptions,
+-    sizeof(int) == sizeof(Sint32) && sizeof(size_t) >= sizeof(Sint32));
+/* Check to make sure we can safely check multiplication of surface w and pitch and it won't overflow Sint64 */
+SDL_COMPILE_TIME_ASSERT(surface_size_assumptions, sizeof(int) == sizeof(Sint32));
+ 
+ /* Public routines */
+ 
+ /*
+  * Calculate the pad-aligned scanline width of a surface
+  */
+-static int
+static Sint64
+ SDL_CalculatePitch(Uint32 format, int width)
+ {
+-    int pitch;
+    Sint64 pitch;
+ 
+     if (SDL_ISPIXELFORMAT_FOURCC(format) || SDL_BITSPERPIXEL(format) >= 8) {
+-        pitch = (width * SDL_BYTESPERPIXEL(format));
+        pitch = ((Sint64)width * SDL_BYTESPERPIXEL(format));
+     } else {
+-        pitch = ((width * SDL_BITSPERPIXEL(format)) + 7) / 8;
+        pitch = (((Sint64)width * SDL_BITSPERPIXEL(format)) + 7) / 8;
+     }
+     pitch = (pitch + 3) & ~3;   /* 4-byte aligning for speed */
+     return pitch;
+@@ -59,11 +58,19 @@ SDL_Surface *
+ SDL_CreateRGBSurfaceWithFormat(Uint32 flags, int width, int height, int depth,
+                                Uint32 format)
+ {
+    Sint64 pitch;
+     SDL_Surface *surface;
+ 
+     /* The flags are no longer used, make the compiler happy */
+     (void)flags;
+ 
+    pitch = SDL_CalculatePitch(format, width);
+    if (pitch < 0 || pitch > SDL_MAX_SINT32) {
+        /* Overflow... */
+        SDL_OutOfMemory();
+        return NULL;
+    }
+
+     /* Allocate the surface */
+     surface = (SDL_Surface *) SDL_calloc(1, sizeof(*surface));
+     if (surface == NULL) {
+@@ -78,7 +85,7 @@ SDL_CreateRGBSurfaceWithFormat(Uint32 flags, int width, int height, int depth,
+     }
+     surface->w = width;
+     surface->h = height;
+-    surface->pitch = SDL_CalculatePitch(format, width);
+    surface->pitch = (int)pitch;
+     SDL_SetClipRect(surface, NULL);
+ 
+     if (SDL_ISPIXELFORMAT_INDEXED(surface->format->format)) {
diff --git a/meta/recipes-graphics/libsdl2/libsdl2/CVE-2021-33657.patch b/meta/recipes-graphics/libsdl2/libsdl2/CVE-2021-33657.patch
new file mode 100644
index 0000000000..a4ed7ab8e6
--- /dev/null
+++ b/meta/recipes-graphics/libsdl2/libsdl2/CVE-2021-33657.patch
@@ -0,0 +1,38 @@
+From 8c91cf7dba5193f5ce12d06db1336515851c9ee9 Mon Sep 17 00:00:00 2001
+From: Sam Lantinga <slouken@libsdl.org>
+Date: Tue, 30 Nov 2021 12:36:46 -0800
+Subject: [PATCH] Always create a full 256-entry map in case color values are
+ out of range
+Fixes https://github.com/libsdl-org/SDL/issues/5042
+CVE: CVE-2021-33657
+Upstream-Status: Backport [https://github.com/libsdl-org/SDL/commit/8c91cf7dba5193f5ce12d06db1336515851c9ee9.patch]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+---
+ src/video/SDL_pixels.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+diff --git a/src/video/SDL_pixels.c b/src/video/SDL_pixels.c
+index ac04533c5d5..9bb02f771d0 100644
+--- a/src/video/SDL_pixels.c
+++ b/src/video/SDL_pixels.c
+@@ -947,7 +947,7 @@ Map1to1(SDL_Palette * src, SDL_Palette * dst, int *identical)
+         }
+         *identical = 0;
+     }
+-    map = (Uint8 *) SDL_malloc(src->ncolors);
+    map = (Uint8 *) SDL_calloc(256, sizeof(Uint8));
+     if (map == NULL) {
+         SDL_OutOfMemory();
+         return (NULL);
+@@ -971,7 +971,7 @@ Map1toN(SDL_PixelFormat * src, Uint8 Rmod, Uint8 Gmod, Uint8 Bmod, Uint8 Amod,
+     SDL_Palette *pal = src->palette;
+ 
+     bpp = ((dst->BytesPerPixel == 3) ? 4 : dst->BytesPerPixel);
+-    map = (Uint8 *) SDL_malloc(pal->ncolors * bpp);
+    map = (Uint8 *) SDL_calloc(256, bpp);
+     if (map == NULL) {
+         SDL_OutOfMemory();
+         return (NULL);
diff --git a/meta/recipes-graphics/libsdl2/libsdl2/CVE-2022-4743.patch b/meta/recipes-graphics/libsdl2/libsdl2/CVE-2022-4743.patch
new file mode 100644
index 0000000000..b02a2169a6
--- /dev/null
+++ b/meta/recipes-graphics/libsdl2/libsdl2/CVE-2022-4743.patch
@@ -0,0 +1,38 @@
+From 00b67f55727bc0944c3266e2b875440da132ce4b Mon Sep 17 00:00:00 2001
+From: zhailiangliang <zhailiangliang@loongson.cn>
+Date: Wed, 21 Sep 2022 10:30:38 +0800
+Subject: [PATCH] Fix potential memory leak in GLES_CreateTexture
+CVE: CVE-2022-4743
+Upstream-Status: Backport [https://github.com/libsdl-org/SDL/commit/00b67f55727bc0944c3266e2b875440da132ce4b.patch]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+---
+ src/render/opengles/SDL_render_gles.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+diff --git a/src/render/opengles/SDL_render_gles.c b/src/render/opengles/SDL_render_gles.c
+index a5fbab309eda..ba08a46e2805 100644
+--- a/src/render/opengles/SDL_render_gles.c
+++ b/src/render/opengles/SDL_render_gles.c
+@@ -359,6 +359,9 @@ GLES_CreateTexture(SDL_Renderer * renderer, SDL_Texture * texture)
+     renderdata->glGenTextures(1, &data->texture);
+     result = renderdata->glGetError();
+     if (result != GL_NO_ERROR) {
+        if (texture->access == SDL_TEXTUREACCESS_STREAMING) {
+            SDL_free(data->pixels);
+        }
+         SDL_free(data);
+         return GLES_SetError("glGenTextures()", result);
+     }
+@@ -387,6 +390,9 @@ GLES_CreateTexture(SDL_Renderer * renderer, SDL_Texture * texture)
+ 
+     result = renderdata->glGetError();
+     if (result != GL_NO_ERROR) {
+        if (texture->access == SDL_TEXTUREACCESS_STREAMING) {
+            SDL_free(data->pixels);
+        }
+         SDL_free(data);
+         return GLES_SetError("glTexImage2D()", result);
+     }
diff --git a/meta/recipes-graphics/libsdl2/libsdl2_2.0.12.bb b/meta/recipes-graphics/libsdl2/libsdl2_2.0.12.bb
index fa7acc4c50..fa29bc99ac 100644
--- a/meta/recipes-graphics/libsdl2/libsdl2_2.0.12.bb
+++ b/meta/recipes-graphics/libsdl2/libsdl2_2.0.12.bb
@@ -20,6 +20,9 @@ SRC_URI = "http://www.libsdl.org/release/SDL2-${PV}.tar.gz \
           file://more-gen-depends.patch \
           file://directfb-spurious-curly-brace-missing-e.patch \
           file://directfb-renderfillrect-fix.patch \
+           file://CVE-2020-14409-14410.patch \
+           file://CVE-2021-33657.patch \
+           file://CVE-2022-4743.patch \
 "
 S = "${WORKDIR}/SDL2-${PV}"

diff --git a/meta/recipes-graphics/libsdl2/libsdl2/CVE-2020-14409-14410.patch b/meta/recipes-graphics/libsdl2/libsdl2/CVE-2020-14409-14410.patch new file mode 100644 index 0000000000..d8fa24bc65 --- /dev/null +++ b/meta/recipes-graphics/libsdl2/libsdl2/CVE-2020-14409-14410.patch
@@ -0,0 +1,79 @@
		1	From a7ff6e96155f550a5597621ebeddd03c98aa9294 Mon Sep 17 00:00:00 2001
		2	From: Sam Lantinga <slouken@libsdl.org>
		3	Date: Wed, 17 Jun 2020 08:44:45 -0700
		4	Subject: [PATCH] Fixed overflow in surface pitch calculation
		5
		6
		7	Upstream-Status: Backport
		8	[https://github.com/libsdl-org/SDL/commit/a7ff6e96155f550a5597621ebeddd03c98aa9294]
		9	CVE: CVE-2020-14409 CVE-2020-14410
		10	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
		11
		12	---
		13	src/video/SDL_surface.c \| 23 +++++++++++++++--------
		14	1 file changed, 15 insertions(+), 8 deletions(-)
		15
		16	diff --git a/src/video/SDL_surface.c b/src/video/SDL_surface.c
		17	index 085d9ff1e..bff826f7c 100644
		18	--- a/src/video/SDL_surface.c
		19	+++ b/src/video/SDL_surface.c
		20	@@ -28,24 +28,23 @@
		21	#include "SDL_yuv_c.h"
		22
		23
		24	-/* Check to make sure we can safely check multiplication of surface w and pitch and it won't overflow size_t */
		25	-SDL_COMPILE_TIME_ASSERT(surface_size_assumptions,
		26	- sizeof(int) == sizeof(Sint32) && sizeof(size_t) >= sizeof(Sint32));
		27	+/* Check to make sure we can safely check multiplication of surface w and pitch and it won't overflow Sint64 */
		28	+SDL_COMPILE_TIME_ASSERT(surface_size_assumptions, sizeof(int) == sizeof(Sint32));
		29
		30	/* Public routines */
		31
		32	/*
		33	* Calculate the pad-aligned scanline width of a surface
		34	*/
		35	-static int
		36	+static Sint64
		37	SDL_CalculatePitch(Uint32 format, int width)
		38	{
		39	- int pitch;
		40	+ Sint64 pitch;
		41
		42	if (SDL_ISPIXELFORMAT_FOURCC(format) \|\| SDL_BITSPERPIXEL(format) >= 8) {
		43	- pitch = (width * SDL_BYTESPERPIXEL(format));
		44	+ pitch = ((Sint64)width * SDL_BYTESPERPIXEL(format));
		45	} else {
		46	- pitch = ((width * SDL_BITSPERPIXEL(format)) + 7) / 8;
		47	+ pitch = (((Sint64)width * SDL_BITSPERPIXEL(format)) + 7) / 8;
		48	}
		49	pitch = (pitch + 3) & ~3; /* 4-byte aligning for speed */
		50	return pitch;
		51	@@ -59,11 +58,19 @@ SDL_Surface *
		52	SDL_CreateRGBSurfaceWithFormat(Uint32 flags, int width, int height, int depth,
		53	Uint32 format)
		54	{
		55	+ Sint64 pitch;
		56	SDL_Surface *surface;
		57
		58	/* The flags are no longer used, make the compiler happy */
		59	(void)flags;
		60
		61	+ pitch = SDL_CalculatePitch(format, width);
		62	+ if (pitch < 0 \|\| pitch > SDL_MAX_SINT32) {
		63	+ /* Overflow... */
		64	+ SDL_OutOfMemory();
		65	+ return NULL;
		66	+ }
		67	+
		68	/* Allocate the surface */
		69	surface = (SDL_Surface ) SDL_calloc(1, sizeof(surface));
		70	if (surface == NULL) {
		71	@@ -78,7 +85,7 @@ SDL_CreateRGBSurfaceWithFormat(Uint32 flags, int width, int height, int depth,
		72	}
		73	surface->w = width;
		74	surface->h = height;
		75	- surface->pitch = SDL_CalculatePitch(format, width);
		76	+ surface->pitch = (int)pitch;
		77	SDL_SetClipRect(surface, NULL);
		78
		79	if (SDL_ISPIXELFORMAT_INDEXED(surface->format->format)) {


diff --git a/meta/recipes-graphics/libsdl2/libsdl2/CVE-2021-33657.patch b/meta/recipes-graphics/libsdl2/libsdl2/CVE-2021-33657.patch new file mode 100644 index 0000000000..a4ed7ab8e6 --- /dev/null +++ b/meta/recipes-graphics/libsdl2/libsdl2/CVE-2021-33657.patch
@@ -0,0 +1,38 @@
		1	From 8c91cf7dba5193f5ce12d06db1336515851c9ee9 Mon Sep 17 00:00:00 2001
		2	From: Sam Lantinga <slouken@libsdl.org>
		3	Date: Tue, 30 Nov 2021 12:36:46 -0800
		4	Subject: [PATCH] Always create a full 256-entry map in case color values are
		5	out of range
		6
		7	Fixes https://github.com/libsdl-org/SDL/issues/5042
		8
		9	CVE: CVE-2021-33657
		10	Upstream-Status: Backport [https://github.com/libsdl-org/SDL/commit/8c91cf7dba5193f5ce12d06db1336515851c9ee9.patch]
		11	Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
		12
		13	---
		14	src/video/SDL_pixels.c \| 4 ++--
		15	1 file changed, 2 insertions(+), 2 deletions(-)
		16
		17	diff --git a/src/video/SDL_pixels.c b/src/video/SDL_pixels.c
		18	index ac04533c5d5..9bb02f771d0 100644
		19	--- a/src/video/SDL_pixels.c
		20	+++ b/src/video/SDL_pixels.c
		21	@@ -947,7 +947,7 @@ Map1to1(SDL_Palette * src, SDL_Palette * dst, int *identical)
		22	}
		23	*identical = 0;
		24	}
		25	- map = (Uint8 *) SDL_malloc(src->ncolors);
		26	+ map = (Uint8 *) SDL_calloc(256, sizeof(Uint8));
		27	if (map == NULL) {
		28	SDL_OutOfMemory();
		29	return (NULL);
		30	@@ -971,7 +971,7 @@ Map1toN(SDL_PixelFormat * src, Uint8 Rmod, Uint8 Gmod, Uint8 Bmod, Uint8 Amod,
		31	SDL_Palette *pal = src->palette;
		32
		33	bpp = ((dst->BytesPerPixel == 3) ? 4 : dst->BytesPerPixel);
		34	- map = (Uint8 ) SDL_malloc(pal->ncolors bpp);
		35	+ map = (Uint8 *) SDL_calloc(256, bpp);
		36	if (map == NULL) {
		37	SDL_OutOfMemory();
		38	return (NULL);


diff --git a/meta/recipes-graphics/libsdl2/libsdl2/CVE-2022-4743.patch b/meta/recipes-graphics/libsdl2/libsdl2/CVE-2022-4743.patch new file mode 100644 index 0000000000..b02a2169a6 --- /dev/null +++ b/meta/recipes-graphics/libsdl2/libsdl2/CVE-2022-4743.patch
@@ -0,0 +1,38 @@
		1	From 00b67f55727bc0944c3266e2b875440da132ce4b Mon Sep 17 00:00:00 2001
		2	From: zhailiangliang <zhailiangliang@loongson.cn>
		3	Date: Wed, 21 Sep 2022 10:30:38 +0800
		4	Subject: [PATCH] Fix potential memory leak in GLES_CreateTexture
		5
		6
		7	CVE: CVE-2022-4743
		8	Upstream-Status: Backport [https://github.com/libsdl-org/SDL/commit/00b67f55727bc0944c3266e2b875440da132ce4b.patch]
		9	Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
		10
		11	---
		12	src/render/opengles/SDL_render_gles.c \| 6 ++++++
		13	1 file changed, 6 insertions(+)
		14
		15	diff --git a/src/render/opengles/SDL_render_gles.c b/src/render/opengles/SDL_render_gles.c
		16	index a5fbab309eda..ba08a46e2805 100644
		17	--- a/src/render/opengles/SDL_render_gles.c
		18	+++ b/src/render/opengles/SDL_render_gles.c
		19	@@ -359,6 +359,9 @@ GLES_CreateTexture(SDL_Renderer * renderer, SDL_Texture * texture)
		20	renderdata->glGenTextures(1, &data->texture);
		21	result = renderdata->glGetError();
		22	if (result != GL_NO_ERROR) {
		23	+ if (texture->access == SDL_TEXTUREACCESS_STREAMING) {
		24	+ SDL_free(data->pixels);
		25	+ }
		26	SDL_free(data);
		27	return GLES_SetError("glGenTextures()", result);
		28	}
		29	@@ -387,6 +390,9 @@ GLES_CreateTexture(SDL_Renderer * renderer, SDL_Texture * texture)
		30
		31	result = renderdata->glGetError();
		32	if (result != GL_NO_ERROR) {
		33	+ if (texture->access == SDL_TEXTUREACCESS_STREAMING) {
		34	+ SDL_free(data->pixels);
		35	+ }
		36	SDL_free(data);
		37	return GLES_SetError("glTexImage2D()", result);
		38	}


diff --git a/meta/recipes-graphics/libsdl2/libsdl2_2.0.12.bb b/meta/recipes-graphics/libsdl2/libsdl2_2.0.12.bb index fa7acc4c50..fa29bc99ac 100644 --- a/meta/recipes-graphics/libsdl2/libsdl2_2.0.12.bb +++ b/meta/recipes-graphics/libsdl2/libsdl2_2.0.12.bb
@@ -20,6 +20,9 @@ SRC_URI = "http://www.libsdl.org/release/SDL2-${PV}.tar.gz \
20	file://more-gen-depends.patch \	20	file://more-gen-depends.patch \
21	file://directfb-spurious-curly-brace-missing-e.patch \	21	file://directfb-spurious-curly-brace-missing-e.patch \
22	file://directfb-renderfillrect-fix.patch \	22	file://directfb-renderfillrect-fix.patch \
		23	file://CVE-2020-14409-14410.patch \
		24	file://CVE-2021-33657.patch \
		25	file://CVE-2022-4743.patch \
23	"	26	"
24		27
25	S = "${WORKDIR}/SDL2-${PV}"	28	S = "${WORKDIR}/SDL2-${PV}"