summaryrefslogtreecommitdiffstats
path: root/meta
diff options
context:
space:
mode:
Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7572.patch114
-rw-r--r--meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7574.patch68
-rw-r--r--meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7575.patch81
-rw-r--r--meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7576.patch80
-rw-r--r--meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7577.patch123
-rw-r--r--meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7578.patch64
-rw-r--r--meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7635.patch63
-rw-r--r--meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7637.patch192
-rw-r--r--meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7638.patch38
-rw-r--r--meta/recipes-graphics/libsdl/libsdl_1.2.15.bb9
10 files changed, 832 insertions, 0 deletions
diff --git a/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7572.patch b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7572.patch
new file mode 100644
index 0000000000..c41c2de0f3
--- /dev/null
+++ b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7572.patch
@@ -0,0 +1,114 @@
1# HG changeset patch
2# User Petr Písař <ppisar@redhat.com>
3# Date 1560182231 25200
4# Mon Jun 10 08:57:11 2019 -0700
5# Branch SDL-1.2
6# Node ID a8afedbcaea0e84921dc770195c4699bda3ccdc5
7# Parent faf9abbcfb5fe0d0ca23c4bf0394aa226ceccf02
8CVE-2019-7572: Fix a buffer overwrite in IMA_ADPCM_decode
9If data chunk was longer than expected based on a WAV format
10definition, IMA_ADPCM_decode() tried to write past the output
11buffer. This patch fixes it.
12
13Based on patch from
14<https://bugzilla.libsdl.org/show_bug.cgi?id=4496>.
15
16CVE-2019-7572
17https://bugzilla.libsdl.org/show_bug.cgi?id=4495
18
19Signed-off-by: Petr Písař <ppisar@redhat.com>
20
21# HG changeset patch
22# User Petr Písař <ppisar@redhat.com>
23# Date 1560041863 25200
24# Sat Jun 08 17:57:43 2019 -0700
25# Branch SDL-1.2
26# Node ID e52413f5258600878f9a10d2f92605a729aa8976
27# Parent 4e73be7b47877ae11d2279bd916910d469d18f8e
28CVE-2019-7572: Fix a buffer overread in IMA_ADPCM_nibble
29If an IMA ADPCM block contained an initial index out of step table
30range (loaded in IMA_ADPCM_decode()), IMA_ADPCM_nibble() blindly used
31this bogus value and that lead to a buffer overread.
32
33This patch fixes it by moving clamping the index value at the
34beginning of IMA_ADPCM_nibble() function instead of the end after
35an update.
36
37CVE-2019-7572
38https://bugzilla.libsdl.org/show_bug.cgi?id=4495
39
40Signed-off-by: Petr Písař <ppisar@redhat.com>
41
42CVE: CVE-2019-7572
43Upstream-Status: Backport
44Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
45
46diff -r faf9abbcfb5f -r a8afedbcaea0 src/audio/SDL_wave.c
47--- a/src/audio/SDL_wave.c Mon Jun 10 08:54:29 2019 -0700
48+++ b/src/audio/SDL_wave.c Mon Jun 10 08:57:11 2019 -0700
49@@ -346,7 +346,7 @@
50 static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
51 {
52 struct IMA_ADPCM_decodestate *state;
53- Uint8 *freeable, *encoded, *encoded_end, *decoded;
54+ Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end;
55 Sint32 encoded_len, samplesleft;
56 unsigned int c, channels;
57
58@@ -373,6 +373,7 @@
59 return(-1);
60 }
61 decoded = *audio_buf;
62+ decoded_end = decoded + *audio_len;
63
64 /* Get ready... Go! */
65 while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) {
66@@ -392,6 +393,7 @@
67 }
68
69 /* Store the initial sample we start with */
70+ if (decoded + 2 > decoded_end) goto invalid_size;
71 decoded[0] = (Uint8)(state[c].sample&0xFF);
72 decoded[1] = (Uint8)(state[c].sample>>8);
73 decoded += 2;
74@@ -402,6 +404,8 @@
75 while ( samplesleft > 0 ) {
76 for ( c=0; c<channels; ++c ) {
77 if (encoded + 4 > encoded_end) goto invalid_size;
78+ if (decoded + 4 * 4 * channels > decoded_end)
79+ goto invalid_size;
80 Fill_IMA_ADPCM_block(decoded, encoded,
81 c, channels, &state[c]);
82 encoded += 4;
83
84diff -r 4e73be7b4787 -r e52413f52586 src/audio/SDL_wave.c
85--- a/src/audio/SDL_wave.c Sat Jun 01 18:27:46 2019 +0100
86+++ b/src/audio/SDL_wave.c Sat Jun 08 17:57:43 2019 -0700
87@@ -264,6 +264,14 @@
88 };
89 Sint32 delta, step;
90
91+ /* Clamp index value. The inital value can be invalid. */
92+ if ( state->index > 88 ) {
93+ state->index = 88;
94+ } else
95+ if ( state->index < 0 ) {
96+ state->index = 0;
97+ }
98+
99 /* Compute difference and new sample value */
100 step = step_table[state->index];
101 delta = step >> 3;
102@@ -275,12 +283,6 @@
103
104 /* Update index value */
105 state->index += index_table[nybble];
106- if ( state->index > 88 ) {
107- state->index = 88;
108- } else
109- if ( state->index < 0 ) {
110- state->index = 0;
111- }
112
113 /* Clamp output sample */
114 if ( state->sample > max_audioval ) {
diff --git a/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7574.patch b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7574.patch
new file mode 100644
index 0000000000..9fd53da29b
--- /dev/null
+++ b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7574.patch
@@ -0,0 +1,68 @@
1# HG changeset patch
2# User Petr Písař <ppisar@redhat.com>
3# Date 1560181859 25200
4# Mon Jun 10 08:50:59 2019 -0700
5# Branch SDL-1.2
6# Node ID a6e3d2f5183e1cc300ad993e10e9ce077e13bd9c
7# Parent 388987dff7bf8f1e214e69c2e4f1aa31e06396b5
8CVE-2019-7574: Fix a buffer overread in IMA_ADPCM_decode
9If data chunk was shorter than expected based on a WAV format
10definition, IMA_ADPCM_decode() tried to read past the data chunk
11buffer. This patch fixes it.
12
13CVE-2019-7574
14https://bugzilla.libsdl.org/show_bug.cgi?id=4496
15
16Signed-off-by: Petr Písař <ppisar@redhat.com>
17
18CVE: CVE-2019-7574
19Upstream-Status: Backport
20Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
21
22diff -r 388987dff7bf -r a6e3d2f5183e src/audio/SDL_wave.c
23--- a/src/audio/SDL_wave.c Sat Jun 08 18:02:09 2019 -0700
24+++ b/src/audio/SDL_wave.c Mon Jun 10 08:50:59 2019 -0700
25@@ -331,7 +331,7 @@
26 static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
27 {
28 struct IMA_ADPCM_decodestate *state;
29- Uint8 *freeable, *encoded, *decoded;
30+ Uint8 *freeable, *encoded, *encoded_end, *decoded;
31 Sint32 encoded_len, samplesleft;
32 unsigned int c, channels;
33
34@@ -347,6 +347,7 @@
35 /* Allocate the proper sized output buffer */
36 encoded_len = *audio_len;
37 encoded = *audio_buf;
38+ encoded_end = encoded + encoded_len;
39 freeable = *audio_buf;
40 *audio_len = (encoded_len/IMA_ADPCM_state.wavefmt.blockalign) *
41 IMA_ADPCM_state.wSamplesPerBlock*
42@@ -362,6 +363,7 @@
43 while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) {
44 /* Grab the initial information for this block */
45 for ( c=0; c<channels; ++c ) {
46+ if (encoded + 4 > encoded_end) goto invalid_size;
47 /* Fill the state information for this block */
48 state[c].sample = ((encoded[1]<<8)|encoded[0]);
49 encoded += 2;
50@@ -384,6 +386,7 @@
51 samplesleft = (IMA_ADPCM_state.wSamplesPerBlock-1)*channels;
52 while ( samplesleft > 0 ) {
53 for ( c=0; c<channels; ++c ) {
54+ if (encoded + 4 > encoded_end) goto invalid_size;
55 Fill_IMA_ADPCM_block(decoded, encoded,
56 c, channels, &state[c]);
57 encoded += 4;
58@@ -395,6 +398,10 @@
59 }
60 SDL_free(freeable);
61 return(0);
62+invalid_size:
63+ SDL_SetError("Unexpected chunk length for an IMA ADPCM decoder");
64+ SDL_free(freeable);
65+ return(-1);
66 }
67
68 SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc,
diff --git a/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7575.patch b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7575.patch
new file mode 100644
index 0000000000..a3e8416d0e
--- /dev/null
+++ b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7575.patch
@@ -0,0 +1,81 @@
1# HG changeset patch
2# User Petr Písař <ppisar@redhat.com>
3# Date 1560183905 25200
4# Mon Jun 10 09:25:05 2019 -0700
5# Branch SDL-1.2
6# Node ID a936f9bd3e381d67d8ddee8b9243f85799ea4798
7# Parent fcbecae427951bac1684baaba2ade68221315140
8CVE-2019-7575: Fix a buffer overwrite in MS_ADPCM_decode
9If a WAV format defines shorter audio stream and decoded MS ADPCM data chunk
10is longer, decoding continued past the output audio buffer.
11
12This fix is based on a patch from
13<https://bugzilla.libsdl.org/show_bug.cgi?id=4492>.
14
15https://bugzilla.libsdl.org/show_bug.cgi?id=4493
16CVE-2019-7575
17
18Signed-off-by: Petr Písař <ppisar@redhat.com>
19
20CVE: CVE-2019-7575
21Upstream-Status: Backport
22Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
23
24diff -r fcbecae42795 -r a936f9bd3e38 src/audio/SDL_wave.c
25--- a/src/audio/SDL_wave.c Mon Jun 10 09:06:23 2019 -0700
26+++ b/src/audio/SDL_wave.c Mon Jun 10 09:25:05 2019 -0700
27@@ -122,7 +122,7 @@
28 static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
29 {
30 struct MS_ADPCM_decodestate *state[2];
31- Uint8 *freeable, *encoded, *encoded_end, *decoded;
32+ Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end;
33 Sint32 encoded_len, samplesleft;
34 Sint8 nybble, stereo;
35 Sint16 *coeff[2];
36@@ -142,6 +142,7 @@
37 return(-1);
38 }
39 decoded = *audio_buf;
40+ decoded_end = decoded + *audio_len;
41
42 /* Get ready... Go! */
43 stereo = (MS_ADPCM_state.wavefmt.channels == 2);
44@@ -149,7 +150,7 @@
45 state[1] = &MS_ADPCM_state.state[stereo];
46 while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) {
47 /* Grab the initial information for this block */
48- if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto too_short;
49+ if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto invalid_size;
50 state[0]->hPredictor = *encoded++;
51 if ( stereo ) {
52 state[1]->hPredictor = *encoded++;
53@@ -179,6 +180,7 @@
54 coeff[1] = MS_ADPCM_state.aCoeff[state[1]->hPredictor];
55
56 /* Store the two initial samples we start with */
57+ if (decoded + 4 + (stereo ? 4 : 0) > decoded_end) goto invalid_size;
58 decoded[0] = state[0]->iSamp2&0xFF;
59 decoded[1] = state[0]->iSamp2>>8;
60 decoded += 2;
61@@ -200,7 +202,8 @@
62 samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)*
63 MS_ADPCM_state.wavefmt.channels;
64 while ( samplesleft > 0 ) {
65- if (encoded + 1 > encoded_end) goto too_short;
66+ if (encoded + 1 > encoded_end) goto invalid_size;
67+ if (decoded + 4 > decoded_end) goto invalid_size;
68
69 nybble = (*encoded)>>4;
70 new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]);
71@@ -223,8 +226,8 @@
72 }
73 SDL_free(freeable);
74 return(0);
75-too_short:
76- SDL_SetError("Too short chunk for a MS ADPCM decoder");
77+invalid_size:
78+ SDL_SetError("Unexpected chunk length for a MS ADPCM decoder");
79 SDL_free(freeable);
80 return(-1);
81 invalid_predictor:
diff --git a/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7576.patch b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7576.patch
new file mode 100644
index 0000000000..d9a505217b
--- /dev/null
+++ b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7576.patch
@@ -0,0 +1,80 @@
1# HG changeset patch
2# User Petr Písař <ppisar@redhat.com>
3# Date 1560182783 25200
4# Mon Jun 10 09:06:23 2019 -0700
5# Branch SDL-1.2
6# Node ID fcbecae427951bac1684baaba2ade68221315140
7# Parent a8afedbcaea0e84921dc770195c4699bda3ccdc5
8CVE-2019-7573, CVE-2019-7576: Fix buffer overreads in InitMS_ADPCM
9If MS ADPCM format chunk was too short, InitMS_ADPCM() parsing it
10could read past the end of chunk data. This patch fixes it.
11
12CVE-2019-7573
13https://bugzilla.libsdl.org/show_bug.cgi?id=4491
14CVE-2019-7576
15https://bugzilla.libsdl.org/show_bug.cgi?id=4490
16
17Signed-off-by: Petr Písař <ppisar@redhat.com>
18
19CVE: CVE-2019-7573
20CVE: CVE-2019-7576
21Upstream-Status: Backport
22Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
23
24diff -r a8afedbcaea0 -r fcbecae42795 src/audio/SDL_wave.c
25--- a/src/audio/SDL_wave.c Mon Jun 10 08:57:11 2019 -0700
26+++ b/src/audio/SDL_wave.c Mon Jun 10 09:06:23 2019 -0700
27@@ -44,12 +44,13 @@
28 struct MS_ADPCM_decodestate state[2];
29 } MS_ADPCM_state;
30
31-static int InitMS_ADPCM(WaveFMT *format)
32+static int InitMS_ADPCM(WaveFMT *format, int length)
33 {
34- Uint8 *rogue_feel;
35+ Uint8 *rogue_feel, *rogue_feel_end;
36 int i;
37
38 /* Set the rogue pointer to the MS_ADPCM specific data */
39+ if (length < sizeof(*format)) goto too_short;
40 MS_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding);
41 MS_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels);
42 MS_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency);
43@@ -58,9 +59,11 @@
44 MS_ADPCM_state.wavefmt.bitspersample =
45 SDL_SwapLE16(format->bitspersample);
46 rogue_feel = (Uint8 *)format+sizeof(*format);
47+ rogue_feel_end = (Uint8 *)format + length;
48 if ( sizeof(*format) == 16 ) {
49 rogue_feel += sizeof(Uint16);
50 }
51+ if (rogue_feel + 4 > rogue_feel_end) goto too_short;
52 MS_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1]<<8)|rogue_feel[0]);
53 rogue_feel += sizeof(Uint16);
54 MS_ADPCM_state.wNumCoef = ((rogue_feel[1]<<8)|rogue_feel[0]);
55@@ -70,12 +73,16 @@
56 return(-1);
57 }
58 for ( i=0; i<MS_ADPCM_state.wNumCoef; ++i ) {
59+ if (rogue_feel + 4 > rogue_feel_end) goto too_short;
60 MS_ADPCM_state.aCoeff[i][0] = ((rogue_feel[1]<<8)|rogue_feel[0]);
61 rogue_feel += sizeof(Uint16);
62 MS_ADPCM_state.aCoeff[i][1] = ((rogue_feel[1]<<8)|rogue_feel[0]);
63 rogue_feel += sizeof(Uint16);
64 }
65 return(0);
66+too_short:
67+ SDL_SetError("Unexpected length of a chunk with a MS ADPCM format");
68+ return(-1);
69 }
70
71 static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state,
72@@ -495,7 +502,7 @@
73 break;
74 case MS_ADPCM_CODE:
75 /* Try to understand this */
76- if ( InitMS_ADPCM(format) < 0 ) {
77+ if ( InitMS_ADPCM(format, lenread) < 0 ) {
78 was_error = 1;
79 goto done;
80 }
diff --git a/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7577.patch b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7577.patch
new file mode 100644
index 0000000000..92e40aec5e
--- /dev/null
+++ b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7577.patch
@@ -0,0 +1,123 @@
1# HG changeset patch
2# User Petr Písař <ppisar@redhat.com>
3# Date 1560182051 25200
4# Mon Jun 10 08:54:11 2019 -0700
5# Branch SDL-1.2
6# Node ID 416136310b88cbeeff8773e573e90ac1e22b3526
7# Parent a6e3d2f5183e1cc300ad993e10e9ce077e13bd9c
8CVE-2019-7577: Fix a buffer overread in MS_ADPCM_decode
9If RIFF/WAV data chunk length is shorter then expected for an audio
10format defined in preceeding RIFF/WAV format headers, a buffer
11overread can happen.
12
13This patch fixes it by checking a MS ADPCM data to be decoded are not
14past the initialized buffer.
15
16CVE-2019-7577
17Reproducer: https://bugzilla.libsdl.org/show_bug.cgi?id=4492
18
19Signed-off-by: Petr Písař <ppisar@redhat.com>
20
21# HG changeset patch
22# User Petr Písař <ppisar@redhat.com>
23# Date 1560182069 25200
24# Mon Jun 10 08:54:29 2019 -0700
25# Branch SDL-1.2
26# Node ID faf9abbcfb5fe0d0ca23c4bf0394aa226ceccf02
27# Parent 416136310b88cbeeff8773e573e90ac1e22b3526
28CVE-2019-7577: Fix a buffer overread in MS_ADPCM_nibble and MS_ADPCM_decode
29If a chunk of RIFF/WAV file with MS ADPCM encoding contains an invalid
30predictor (a valid predictor's value is between 0 and 6 inclusive),
31a buffer overread can happen when the predictor is used as an index
32into an array of MS ADPCM coefficients.
33
34The overead happens when indexing MS_ADPCM_state.aCoeff[] array in
35MS_ADPCM_decode() and later when dereferencing a coef pointer in
36MS_ADPCM_nibble().
37
38This patch fixes it by checking the MS ADPCM predictor values fit
39into the valid range.
40
41CVE-2019-7577
42Reproducer: https://bugzilla.libsdl.org/show_bug.cgi?id=4492
43
44Signed-off-by: Petr Písař <ppisar@redhat.com>
45
46CVE: CVE-2019-7577
47Upstream-Status: Backport
48Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
49
50diff -r a6e3d2f5183e -r 416136310b88 src/audio/SDL_wave.c
51--- a/src/audio/SDL_wave.c Mon Jun 10 08:50:59 2019 -0700
52+++ b/src/audio/SDL_wave.c Mon Jun 10 08:54:11 2019 -0700
53@@ -115,7 +115,7 @@
54 static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
55 {
56 struct MS_ADPCM_decodestate *state[2];
57- Uint8 *freeable, *encoded, *decoded;
58+ Uint8 *freeable, *encoded, *encoded_end, *decoded;
59 Sint32 encoded_len, samplesleft;
60 Sint8 nybble, stereo;
61 Sint16 *coeff[2];
62@@ -124,6 +124,7 @@
63 /* Allocate the proper sized output buffer */
64 encoded_len = *audio_len;
65 encoded = *audio_buf;
66+ encoded_end = encoded + encoded_len;
67 freeable = *audio_buf;
68 *audio_len = (encoded_len/MS_ADPCM_state.wavefmt.blockalign) *
69 MS_ADPCM_state.wSamplesPerBlock*
70@@ -141,6 +142,7 @@
71 state[1] = &MS_ADPCM_state.state[stereo];
72 while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) {
73 /* Grab the initial information for this block */
74+ if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto too_short;
75 state[0]->hPredictor = *encoded++;
76 if ( stereo ) {
77 state[1]->hPredictor = *encoded++;
78@@ -188,6 +190,8 @@
79 samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)*
80 MS_ADPCM_state.wavefmt.channels;
81 while ( samplesleft > 0 ) {
82+ if (encoded + 1 > encoded_end) goto too_short;
83+
84 nybble = (*encoded)>>4;
85 new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]);
86 decoded[0] = new_sample&0xFF;
87@@ -209,6 +213,10 @@
88 }
89 SDL_free(freeable);
90 return(0);
91+too_short:
92+ SDL_SetError("Too short chunk for a MS ADPCM decoder");
93+ SDL_free(freeable);
94+ return(-1);
95 }
96
97 struct IMA_ADPCM_decodestate {
98
99
100diff -r 416136310b88 -r faf9abbcfb5f src/audio/SDL_wave.c
101--- a/src/audio/SDL_wave.c Mon Jun 10 08:54:11 2019 -0700
102+++ b/src/audio/SDL_wave.c Mon Jun 10 08:54:29 2019 -0700
103@@ -147,6 +147,9 @@
104 if ( stereo ) {
105 state[1]->hPredictor = *encoded++;
106 }
107+ if (state[0]->hPredictor >= 7 || state[1]->hPredictor >= 7) {
108+ goto invalid_predictor;
109+ }
110 state[0]->iDelta = ((encoded[1]<<8)|encoded[0]);
111 encoded += sizeof(Sint16);
112 if ( stereo ) {
113@@ -217,6 +220,10 @@
114 SDL_SetError("Too short chunk for a MS ADPCM decoder");
115 SDL_free(freeable);
116 return(-1);
117+invalid_predictor:
118+ SDL_SetError("Invalid predictor value for a MS ADPCM decoder");
119+ SDL_free(freeable);
120+ return(-1);
121 }
122
123 struct IMA_ADPCM_decodestate {
diff --git a/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7578.patch b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7578.patch
new file mode 100644
index 0000000000..7028890333
--- /dev/null
+++ b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7578.patch
@@ -0,0 +1,64 @@
1# HG changeset patch
2# User Petr Písař <ppisar@redhat.com>
3# Date 1560042129 25200
4# Sat Jun 08 18:02:09 2019 -0700
5# Branch SDL-1.2
6# Node ID 388987dff7bf8f1e214e69c2e4f1aa31e06396b5
7# Parent e52413f5258600878f9a10d2f92605a729aa8976
8CVE-2019-7578: Fix a buffer overread in InitIMA_ADPCM
9If IMA ADPCM format chunk was too short, InitIMA_ADPCM() parsing it
10could read past the end of chunk data. This patch fixes it.
11
12CVE-2019-7578
13https://bugzilla.libsdl.org/show_bug.cgi?id=4494
14
15Signed-off-by: Petr Písař <ppisar@redhat.com>
16
17CVE: CVE-2019-7578
18Upstream-Status: Backport
19Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
20
21diff -r e52413f52586 -r 388987dff7bf src/audio/SDL_wave.c
22--- a/src/audio/SDL_wave.c Sat Jun 08 17:57:43 2019 -0700
23+++ b/src/audio/SDL_wave.c Sat Jun 08 18:02:09 2019 -0700
24@@ -222,11 +222,12 @@
25 struct IMA_ADPCM_decodestate state[2];
26 } IMA_ADPCM_state;
27
28-static int InitIMA_ADPCM(WaveFMT *format)
29+static int InitIMA_ADPCM(WaveFMT *format, int length)
30 {
31- Uint8 *rogue_feel;
32+ Uint8 *rogue_feel, *rogue_feel_end;
33
34 /* Set the rogue pointer to the IMA_ADPCM specific data */
35+ if (length < sizeof(*format)) goto too_short;
36 IMA_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding);
37 IMA_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels);
38 IMA_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency);
39@@ -235,11 +236,16 @@
40 IMA_ADPCM_state.wavefmt.bitspersample =
41 SDL_SwapLE16(format->bitspersample);
42 rogue_feel = (Uint8 *)format+sizeof(*format);
43+ rogue_feel_end = (Uint8 *)format + length;
44 if ( sizeof(*format) == 16 ) {
45 rogue_feel += sizeof(Uint16);
46 }
47+ if (rogue_feel + 2 > rogue_feel_end) goto too_short;
48 IMA_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1]<<8)|rogue_feel[0]);
49 return(0);
50+too_short:
51+ SDL_SetError("Unexpected length of a chunk with an IMA ADPCM format");
52+ return(-1);
53 }
54
55 static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble)
56@@ -471,7 +477,7 @@
57 break;
58 case IMA_ADPCM_CODE:
59 /* Try to understand this */
60- if ( InitIMA_ADPCM(format) < 0 ) {
61+ if ( InitIMA_ADPCM(format, lenread) < 0 ) {
62 was_error = 1;
63 goto done;
64 }
diff --git a/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7635.patch b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7635.patch
new file mode 100644
index 0000000000..78af1b061d
--- /dev/null
+++ b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7635.patch
@@ -0,0 +1,63 @@
1# HG changeset patch
2# User Petr Písař <ppisar@redhat.com>
3# Date 1560259692 25200
4# Tue Jun 11 06:28:12 2019 -0700
5# Branch SDL-1.2
6# Node ID f1f5878be5dbf63c1161a8ee52b8a86ece30e552
7# Parent a936f9bd3e381d67d8ddee8b9243f85799ea4798
8CVE-2019-7635: Reject BMP images with pixel colors out the palette
9If a 1-, 4-, or 8-bit per pixel BMP image declares less used colors
10than the palette offers an SDL_Surface with a palette of the indicated
11number of used colors is created. If some of the image's pixel
12refer to a color number higher then the maximal used colors, a subsequent
13bliting operation on the surface will look up a color past a blit map
14(that is based on the palette) memory. I.e. passing such SDL_Surface
15to e.g. an SDL_DisplayFormat() function will result in a buffer overread in
16a blit function.
17
18This patch fixes it by validing each pixel's color to be less than the
19maximal color number in the palette. A validation failure raises an
20error from a SDL_LoadBMP_RW() function.
21
22CVE-2019-7635
23https://bugzilla.libsdl.org/show_bug.cgi?id=4498
24
25Signed-off-by: Petr Písař <ppisar@redhat.com>
26
27CVE: CVE-2019-7635
28Upstream-Status: Backport
29Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
30
31diff -r a936f9bd3e38 -r f1f5878be5db src/video/SDL_bmp.c
32--- a/src/video/SDL_bmp.c Mon Jun 10 09:25:05 2019 -0700
33+++ b/src/video/SDL_bmp.c Tue Jun 11 06:28:12 2019 -0700
34@@ -308,6 +308,12 @@
35 }
36 *(bits+i) = (pixel>>shift);
37 pixel <<= ExpandBMP;
38+ if ( bits[i] >= biClrUsed ) {
39+ SDL_SetError(
40+ "A BMP image contains a pixel with a color out of the palette");
41+ was_error = SDL_TRUE;
42+ goto done;
43+ }
44 } }
45 break;
46
47@@ -318,6 +324,16 @@
48 was_error = SDL_TRUE;
49 goto done;
50 }
51+ if ( 8 == biBitCount && palette && biClrUsed < (1 << biBitCount ) ) {
52+ for ( i=0; i<surface->w; ++i ) {
53+ if ( bits[i] >= biClrUsed ) {
54+ SDL_SetError(
55+ "A BMP image contains a pixel with a color out of the palette");
56+ was_error = SDL_TRUE;
57+ goto done;
58+ }
59+ }
60+ }
61 #if SDL_BYTEORDER == SDL_BIG_ENDIAN
62 /* Byte-swap the pixels if needed. Note that the 24bpp
63 case has already been taken care of above. */
diff --git a/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7637.patch b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7637.patch
new file mode 100644
index 0000000000..c95338e61a
--- /dev/null
+++ b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7637.patch
@@ -0,0 +1,192 @@
1# HG changeset patch
2# User Petr Písař <ppisar@redhat.com>
3# Date 1552788984 25200
4# Sat Mar 16 19:16:24 2019 -0700
5# Branch SDL-1.2
6# Node ID 9b0e5c555c0f5ce6d2c3c19da6cc2c7fb5048bf2
7# Parent 4646533663ae1d80c2cc6b2d6dbfb37c62491c1e
8CVE-2019-7637: Fix in integer overflow in SDL_CalculatePitch
9If a too large width is passed to SDL_SetVideoMode() the width travels
10to SDL_CalculatePitch() where the width (e.g. 65535) is multiplied by
11BytesPerPixel (e.g. 4) and the result is stored into Uint16 pitch
12variable. During this arithmetics an integer overflow can happen (e.g.
13the value is clamped as 65532). As a result SDL_Surface with a pitch
14smaller than width * BytesPerPixel is created, too small pixel buffer
15is allocated and when the SDL_Surface is processed in SDL_FillRect()
16a buffer overflow occurs.
17
18This can be reproduced with "./graywin -width 21312312313123213213213"
19command.
20
21This patch fixes is by using a very careful arithmetics in
22SDL_CalculatePitch(). If an overflow is detected, an error is reported
23back as a special 0 value. We assume that 0-width surfaces do not
24occur in the wild. Since SDL_CalculatePitch() is a private function,
25we can change the semantics.
26
27CVE-2019-7637
28https://bugzilla.libsdl.org/show_bug.cgi?id=4497
29
30Signed-off-by: Petr Písař <ppisar@redhat.com>
31
32CVE: CVE-2019-7637
33Upstream-Status: Backport
34Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
35
36diff -r 4646533663ae -r 9b0e5c555c0f src/video/SDL_pixels.c
37--- a/src/video/SDL_pixels.c Sat Mar 16 18:35:33 2019 -0700
38+++ b/src/video/SDL_pixels.c Sat Mar 16 19:16:24 2019 -0700
39@@ -286,26 +286,53 @@
40 }
41 }
42 /*
43- * Calculate the pad-aligned scanline width of a surface
44+ * Calculate the pad-aligned scanline width of a surface. Return 0 in case of
45+ * an error.
46 */
47 Uint16 SDL_CalculatePitch(SDL_Surface *surface)
48 {
49- Uint16 pitch;
50+ unsigned int pitch = 0;
51
52 /* Surface should be 4-byte aligned for speed */
53- pitch = surface->w*surface->format->BytesPerPixel;
54+ /* The code tries to prevent from an Uint16 overflow. */;
55+ for (Uint8 byte = surface->format->BytesPerPixel; byte; byte--) {
56+ pitch += (unsigned int)surface->w;
57+ if (pitch < surface->w) {
58+ SDL_SetError("A scanline is too wide");
59+ return(0);
60+ }
61+ }
62 switch (surface->format->BitsPerPixel) {
63 case 1:
64- pitch = (pitch+7)/8;
65+ if (pitch % 8) {
66+ pitch = pitch / 8 + 1;
67+ } else {
68+ pitch = pitch / 8;
69+ }
70 break;
71 case 4:
72- pitch = (pitch+1)/2;
73+ if (pitch % 2) {
74+ pitch = pitch / 2 + 1;
75+ } else {
76+ pitch = pitch / 2;
77+ }
78 break;
79 default:
80 break;
81 }
82- pitch = (pitch + 3) & ~3; /* 4-byte aligning */
83- return(pitch);
84+ /* 4-byte aligning */
85+ if (pitch & 3) {
86+ if (pitch + 3 < pitch) {
87+ SDL_SetError("A scanline is too wide");
88+ return(0);
89+ }
90+ pitch = (pitch + 3) & ~3;
91+ }
92+ if (pitch > 0xFFFF) {
93+ SDL_SetError("A scanline is too wide");
94+ return(0);
95+ }
96+ return((Uint16)pitch);
97 }
98 /*
99 * Match an RGB value to a particular palette index
100diff -r 4646533663ae -r 9b0e5c555c0f src/video/gapi/SDL_gapivideo.c
101--- a/src/video/gapi/SDL_gapivideo.c Sat Mar 16 18:35:33 2019 -0700
102+++ b/src/video/gapi/SDL_gapivideo.c Sat Mar 16 19:16:24 2019 -0700
103@@ -733,6 +733,9 @@
104 video->w = gapi->w = width;
105 video->h = gapi->h = height;
106 video->pitch = SDL_CalculatePitch(video);
107+ if (!current->pitch) {
108+ return(NULL);
109+ }
110
111 /* Small fix for WinCE/Win32 - when activating window
112 SDL_VideoSurface is equal to zero, so activating code
113diff -r 4646533663ae -r 9b0e5c555c0f src/video/nanox/SDL_nxvideo.c
114--- a/src/video/nanox/SDL_nxvideo.c Sat Mar 16 18:35:33 2019 -0700
115+++ b/src/video/nanox/SDL_nxvideo.c Sat Mar 16 19:16:24 2019 -0700
116@@ -378,6 +378,10 @@
117 current -> w = width ;
118 current -> h = height ;
119 current -> pitch = SDL_CalculatePitch (current) ;
120+ if (!current->pitch) {
121+ current = NULL;
122+ goto done;
123+ }
124 NX_ResizeImage (this, current, flags) ;
125 }
126
127diff -r 4646533663ae -r 9b0e5c555c0f src/video/ps2gs/SDL_gsvideo.c
128--- a/src/video/ps2gs/SDL_gsvideo.c Sat Mar 16 18:35:33 2019 -0700
129+++ b/src/video/ps2gs/SDL_gsvideo.c Sat Mar 16 19:16:24 2019 -0700
130@@ -479,6 +479,9 @@
131 current->w = width;
132 current->h = height;
133 current->pitch = SDL_CalculatePitch(current);
134+ if (!current->pitch) {
135+ return(NULL);
136+ }
137
138 /* Memory map the DMA area for block memory transfer */
139 if ( ! mapped_mem ) {
140diff -r 4646533663ae -r 9b0e5c555c0f src/video/ps3/SDL_ps3video.c
141--- a/src/video/ps3/SDL_ps3video.c Sat Mar 16 18:35:33 2019 -0700
142+++ b/src/video/ps3/SDL_ps3video.c Sat Mar 16 19:16:24 2019 -0700
143@@ -339,6 +339,9 @@
144 current->w = width;
145 current->h = height;
146 current->pitch = SDL_CalculatePitch(current);
147+ if (!current->pitch) {
148+ return(NULL);
149+ }
150
151 /* Alloc aligned mem for current->pixels */
152 s_pixels = memalign(16, current->h * current->pitch);
153diff -r 4646533663ae -r 9b0e5c555c0f src/video/windib/SDL_dibvideo.c
154--- a/src/video/windib/SDL_dibvideo.c Sat Mar 16 18:35:33 2019 -0700
155+++ b/src/video/windib/SDL_dibvideo.c Sat Mar 16 19:16:24 2019 -0700
156@@ -675,6 +675,9 @@
157 video->w = width;
158 video->h = height;
159 video->pitch = SDL_CalculatePitch(video);
160+ if (!current->pitch) {
161+ return(NULL);
162+ }
163
164 /* Small fix for WinCE/Win32 - when activating window
165 SDL_VideoSurface is equal to zero, so activating code
166diff -r 4646533663ae -r 9b0e5c555c0f src/video/windx5/SDL_dx5video.c
167--- a/src/video/windx5/SDL_dx5video.c Sat Mar 16 18:35:33 2019 -0700
168+++ b/src/video/windx5/SDL_dx5video.c Sat Mar 16 19:16:24 2019 -0700
169@@ -1127,6 +1127,9 @@
170 video->w = width;
171 video->h = height;
172 video->pitch = SDL_CalculatePitch(video);
173+ if (!current->pitch) {
174+ return(NULL);
175+ }
176
177 #ifndef NO_CHANGEDISPLAYSETTINGS
178 /* Set fullscreen mode if appropriate.
179diff -r 4646533663ae -r 9b0e5c555c0f src/video/x11/SDL_x11video.c
180--- a/src/video/x11/SDL_x11video.c Sat Mar 16 18:35:33 2019 -0700
181+++ b/src/video/x11/SDL_x11video.c Sat Mar 16 19:16:24 2019 -0700
182@@ -1225,6 +1225,10 @@
183 current->w = width;
184 current->h = height;
185 current->pitch = SDL_CalculatePitch(current);
186+ if (!current->pitch) {
187+ current = NULL;
188+ goto done;
189+ }
190 if (X11_ResizeImage(this, current, flags) < 0) {
191 current = NULL;
192 goto done;
diff --git a/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7638.patch b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7638.patch
new file mode 100644
index 0000000000..dab9aaeb2b
--- /dev/null
+++ b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7638.patch
@@ -0,0 +1,38 @@
1# HG changeset patch
2# User Sam Lantinga <slouken@libsdl.org>
3# Date 1550504903 28800
4# Mon Feb 18 07:48:23 2019 -0800
5# Branch SDL-1.2
6# Node ID 19d8c3b9c25143f71a34ff40ce1df91b4b3e3b78
7# Parent 8586f153eedec4c4e07066d6248ebdf67f10a229
8Fixed bug 4500 - Heap-Buffer Overflow in Map1toN pertaining to SDL_pixels.c
9
10Petr Pisar
11
12The reproducer has these data in BITMAPINFOHEADER:
13
14biSize = 40
15biBitCount = 8
16biClrUsed = 131075
17
18SDL_LoadBMP_RW() function passes biBitCount as a color depth to SDL_CreateRGBSurface(), thus 256-color pallete is allocated. But then biClrUsed colors are read from a file and stored into the palette. SDL_LoadBMP_RW should report an error if biClrUsed is greater than 2^biBitCount.
19
20CVE: CVE-2019-7638
21CVE: CVE-2019-7636
22Upstream-Status: Backport
23Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
24
25diff -r 8586f153eede -r 19d8c3b9c251 src/video/SDL_bmp.c
26--- a/src/video/SDL_bmp.c Sun Jan 13 15:27:50 2019 +0100
27+++ b/src/video/SDL_bmp.c Mon Feb 18 07:48:23 2019 -0800
28@@ -233,6 +233,10 @@
29 if ( palette ) {
30 if ( biClrUsed == 0 ) {
31 biClrUsed = 1 << biBitCount;
32+ } else if ( biClrUsed > (1 << biBitCount) ) {
33+ SDL_SetError("BMP file has an invalid number of colors");
34+ was_error = SDL_TRUE;
35+ goto done;
36 }
37 if ( biSize == 12 ) {
38 for ( i = 0; i < (int)biClrUsed; ++i ) {
diff --git a/meta/recipes-graphics/libsdl/libsdl_1.2.15.bb b/meta/recipes-graphics/libsdl/libsdl_1.2.15.bb
index 3680ea9d80..d61ee0f981 100644
--- a/meta/recipes-graphics/libsdl/libsdl_1.2.15.bb
+++ b/meta/recipes-graphics/libsdl/libsdl_1.2.15.bb
@@ -18,6 +18,15 @@ SRC_URI = "http://www.libsdl.org/release/SDL-${PV}.tar.gz \
18 file://libsdl-1.2.15-xdata32.patch \ 18 file://libsdl-1.2.15-xdata32.patch \
19 file://pkgconfig.patch \ 19 file://pkgconfig.patch \
20 file://0001-build-Pass-tag-CC-explictly-when-using-libtool.patch \ 20 file://0001-build-Pass-tag-CC-explictly-when-using-libtool.patch \
21 file://CVE-2019-7577.patch \
22 file://CVE-2019-7574.patch \
23 file://CVE-2019-7572.patch \
24 file://CVE-2019-7578.patch \
25 file://CVE-2019-7575.patch \
26 file://CVE-2019-7635.patch \
27 file://CVE-2019-7637.patch \
28 file://CVE-2019-7638.patch \
29 file://CVE-2019-7576.patch \
21 " 30 "
22 31
23UPSTREAM_CHECK_REGEX = "SDL-(?P<pver>\d+(\.\d+)+)\.tar" 32UPSTREAM_CHECK_REGEX = "SDL-(?P<pver>\d+(\.\d+)+)\.tar"