Diffstat (limited to 'meta/recipes-graphics/libsdl2')
4 files changed, 158 insertions, 0 deletions
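--- /dev/null
+++ b/meta/recipes-graphics/libsdl2/libsdl2/CVE-2020-14409-14410.patch
@@ -0,0 +1,79 @@
+From a7ff6e96155f550a5597621ebeddd03c98aa9294 Mon Sep 17 00:00:00 2001
+From: Sam Lantinga <slouken@libsdl.org>
+Date: Wed, 17 Jun 2020 08:44:45 -0700
+Subject: [PATCH] Fixed overflow in surface pitch calculation
+
+
+Upstream-Status: Backport
+[https://github.com/libsdl-org/SDL/commit/a7ff6e96155f550a5597621ebeddd03c98aa9294]
+CVE: CVE-2020-14409 CVE-2020-14410
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+src/video/SDL_surface.c | 23 +++++++++++++++--------
+1 file changed, 15 insertions(+), 8 deletions(-)
+
+diff --git a/src/video/SDL_surface.c b/src/video/SDL_surface.c
+index 085d9ff1e..bff826f7c 100644
+--- a/src/video/SDL_surface.c
++++ b/src/video/SDL_surface.c
+@@ -28,24 +28,23 @@
+#include "SDL_yuv_c.h"
+
+
+-/* Check to make sure we can safely check multiplication of surface w and pitch and it won't overflow size_t */
+-SDL_COMPILE_TIME_ASSERT(surface_size_assumptions,
+- sizeof(int) == sizeof(Sint32) && sizeof(size_t) >= sizeof(Sint32));
++/* Check to make sure we can safely check multiplication of surface w and pitch and it won't overflow Sint64 */
++SDL_COMPILE_TIME_ASSERT(surface_size_assumptions, sizeof(int) == sizeof(Sint32));
+
+/* Public routines */
+
+/*
+* Calculate the pad-aligned scanline width of a surface
+*/
+-static int
++static Sint64
+SDL_CalculatePitch(Uint32 format, int width)
+{
+- int pitch;
++ Sint64 pitch;
+
+if (SDL_ISPIXELFORMAT_FOURCC(format) || SDL_BITSPERPIXEL(format) >= 8) {
+- pitch = (width * SDL_BYTESPERPIXEL(format));
++ pitch = ((Sint64)width * SDL_BYTESPERPIXEL(format));
+} else {
+- pitch = ((width * SDL_BITSPERPIXEL(format)) + 7) / 8;
++ pitch = (((Sint64)width * SDL_BITSPERPIXEL(format)) + 7) / 8;
+}
+pitch = (pitch + 3) & ~3; /* 4-byte aligning for speed */
+return pitch;
+@@ -59,11 +58,19 @@ SDL_Surface *
+SDL_CreateRGBSurfaceWithFormat(Uint32 flags, int width, int height, int depth,
+Uint32 format)
+{
++ Sint64 pitch;
+SDL_Surface *surface;
+
+/* The flags are no longer used, make the compiler happy */
+(void)flags;
+
++ pitch = SDL_CalculatePitch(format, width);
++ if (pitch < 0 || pitch > SDL_MAX_SINT32) {
++ /* Overflow... */
++ SDL_OutOfMemory();
++ return NULL;
++ }
++
+/* Allocate the surface */
+surface = (SDL_Surface *) SDL_calloc(1, sizeof(*surface));
+if (surface == NULL) {
+@@ -78,7 +85,7 @@ SDL_CreateRGBSurfaceWithFormat(Uint32 flags, int width, int height, int depth,
+}
+surface->w = width;
+surface->h = height;
+- surface->pitch = SDL_CalculatePitch(format, width);
++ surface->pitch = (int)pitch;
+SDL_SetClipRect(surface, NULL);
+
+if (SDL_ISPIXELFORMAT_INDEXED(surface->format->format)) {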
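Review bot: The `(int)pitch` cast in the last hunk is safe only because of the `pitch < 0 || pitch > SDL_MAX_SINT32` guard added at the top of SDL_CreateRGBSurfaceWithFormat, and nothing at the cast says so. A comment there such as `/* pitch was range-checked against SDL_MAX_SINT32 above */` would keep a later edit from separating the two. SDL_CalculatePitch now returns Sint64, so any other caller in the 2.0.12 tree would truncate the result implicitly; none is visible in these hunks, and SDL_CreateRGBSurfaceWithFormat's body continues outside them, so it is worth confirming this is the only call site. On the packaging side, `Upstream-Status: Backport` has its URL on the following line, whereas the other two patches in this commit use the one-line `Backport [URL]` form.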
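--- /dev/null
+++ b/meta/recipes-graphics/libsdl2/libsdl2/CVE-2021-33657.patch
@@ -0,0 +1,38 @@
+From 8c91cf7dba5193f5ce12d06db1336515851c9ee9 Mon Sep 17 00:00:00 2001
+From: Sam Lantinga <slouken@libsdl.org>
+Date: Tue, 30 Nov 2021 12:36:46 -0800
+Subject: [PATCH] Always create a full 256-entry map in case color values are
+out of range
+
+Fixes https://github.com/libsdl-org/SDL/issues/5042
+
+CVE: CVE-2021-33657
+Upstream-Status: Backport [https://github.com/libsdl-org/SDL/commit/8c91cf7dba5193f5ce12d06db1336515851c9ee9.patch]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+src/video/SDL_pixels.c | 4 ++--
+1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/video/SDL_pixels.c b/src/video/SDL_pixels.c
+index ac04533c5d5..9bb02f771d0 100644
+--- a/src/video/SDL_pixels.c
++++ b/src/video/SDL_pixels.c
+@@ -947,7 +947,7 @@ Map1to1(SDL_Palette * src, SDL_Palette * dst, int *identical)
+}
+*identical = 0;
+}
+- map = (Uint8 *) SDL_malloc(src->ncolors);
++ map = (Uint8 *) SDL_calloc(256, sizeof(Uint8));
+if (map == NULL) {
+SDL_OutOfMemory();
+return (NULL);
+@@ -971,7 +971,7 @@ Map1toN(SDL_PixelFormat * src, Uint8 Rmod, Uint8 Gmod, Uint8 Bmod, Uint8 Amod,
+SDL_Palette *pal = src->palette;
+
+bpp = ((dst->BytesPerPixel == 3) ? 4 : dst->BytesPerPixel);
+- map = (Uint8 *) SDL_malloc(pal->ncolors * bpp);
++ map = (Uint8 *) SDL_calloc(256, bpp);
+if (map == NULL) {
+SDL_OutOfMemory();
+return (NULL);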
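Review bot: Sizing `map` at a fixed 256 entries in Map1to1 and Map1toN removes the tie between the allocation and `ncolors`, and the loops that fill the map are outside both hunks. If they still run up to `src->ncolors` / `pal->ncolors`, the writes are bounded only by the assumption that an indexed palette never holds more than 256 colors. That assumption should be confirmed against the 2.0.12 source this backport is applied to. A comment at each allocation would record why the literal is there, for example `/* 256 entries: the map is indexed by an 8-bit pixel value, which can exceed ncolors */`.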
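--- /dev/null
+++ b/meta/recipes-graphics/libsdl2/libsdl2/CVE-2022-4743.patch
@@ -0,0 +1,38 @@
+From 00b67f55727bc0944c3266e2b875440da132ce4b Mon Sep 17 00:00:00 2001
+From: zhailiangliang <zhailiangliang@loongson.cn>
+Date: Wed, 21 Sep 2022 10:30:38 +0800
+Subject: [PATCH] Fix potential memory leak in GLES_CreateTexture
+
+
+CVE: CVE-2022-4743
+Upstream-Status: Backport [https://github.com/libsdl-org/SDL/commit/00b67f55727bc0944c3266e2b875440da132ce4b.patch]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+src/render/opengles/SDL_render_gles.c | 6 ++++++
+1 file changed, 6 insertions(+)
+
+diff --git a/src/render/opengles/SDL_render_gles.c b/src/render/opengles/SDL_render_gles.c
+index a5fbab309eda..ba08a46e2805 100644
+--- a/src/render/opengles/SDL_render_gles.c
++++ b/src/render/opengles/SDL_render_gles.c
+@@ -359,6 +359,9 @@ GLES_CreateTexture(SDL_Renderer * renderer, SDL_Texture * texture)
+renderdata->glGenTextures(1, &data->texture);
+result = renderdata->glGetError();
+if (result != GL_NO_ERROR) {
++ if (texture->access == SDL_TEXTUREACCESS_STREAMING) {
++ SDL_free(data->pixels);
++ }
+SDL_free(data);
+return GLES_SetError("glGenTextures()", result);
+}
+@@ -387,6 +390,9 @@ GLES_CreateTexture(SDL_Renderer * renderer, SDL_Texture * texture)
+
+result = renderdata->glGetError();
+if (result != GL_NO_ERROR) {
++ if (texture->access == SDL_TEXTUREACCESS_STREAMING) {
++ SDL_free(data->pixels);
++ }
+SDL_free(data);
+return GLES_SetError("glTexImage2D()", result);
+}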
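Review bot: Both new cleanup branches in GLES_CreateTexture repeat the allocation condition (`texture->access == SDL_TEXTUREACCESS_STREAMING`) instead of keying on the pointer. They therefore stay correct only while the code that allocates `data->pixels`, which is outside these hunks, uses exactly the same test. If `data` is zero-initialised when it is allocated (not visible here), an unconditional `SDL_free(data->pixels);` before `SDL_free(data);` would be simpler and could not drift, since freeing NULL is a no-op. The same three lines now appear on two error paths, so any further failure exit added to this function needs them as well; a one-line comment at the first occurrence, such as `/* streaming textures own data->pixels; release it on every failure exit */`, would make that explicit.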
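--- a/meta/recipes-graphics/libsdl2/libsdl2_2.0.12.bb
+++ b/meta/recipes-graphics/libsdl2/libsdl2_2.0.12.bb
@@ -20,6 +20,9 @@ SRC_URI = "http://www.libsdl.org/release/SDL2-${PV}.tar.gz \
 file://more-gen-depends.patch \
 file://directfb-spurious-curly-brace-missing-e.patch \
 file://directfb-renderfillrect-fix.patch \
+file://CVE-2020-14409-14410.patch \
+file://CVE-2021-33657.patch \
+file://CVE-2022-4743.patch \
 "
 
 S = "${WORKDIR}/SDL2-${PV}"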