Hi. I've ported the CVE patches from Debian LTS for libsdl1.2 in unstable.
>From 3aa83f5059f9e8203177350101ab43415b901f93 Mon Sep 17 00:00:00 2001 From: Kari Pahula <k...@debian.org> Date: Wed, 24 Apr 2019 16:51:03 +0300 Subject: [PATCH] Port patches from Debian LTS release for CVE bugs.
Fixes for CVE-2019-7572, CVE-2019-7573, CVE-2019-7574, CVE-2019-7575, CVE-2019-7576, CVE-2019-7577, CVE-2019-7578, CVE-2019-7635, CVE-2019-7636, CVE-2019-7637, CVE-2019-7638. --- debian/patches/CVE-2019-7572_CVE-2019-7574.patch | 105 ++++++++++++ debian/patches/CVE-2019-7573.patch | 66 ++++++++ debian/patches/CVE-2019-7575_7577.patch | 78 +++++++++ debian/patches/CVE-2019-7577-1_2.patch | 32 ++++ debian/patches/CVE-2019-7578.patch | 53 ++++++ debian/patches/CVE-2019-7635_636_638.patch | 81 +++++++++ debian/patches/CVE-2019-7637.patch | 207 +++++++++++++++++++++++ debian/patches/series | 8 + 8 files changed, 630 insertions(+) create mode 100644 debian/patches/CVE-2019-7572_CVE-2019-7574.patch create mode 100644 debian/patches/CVE-2019-7573.patch create mode 100644 debian/patches/CVE-2019-7575_7577.patch create mode 100644 debian/patches/CVE-2019-7577-1_2.patch create mode 100644 debian/patches/CVE-2019-7578.patch create mode 100644 debian/patches/CVE-2019-7635_636_638.patch create mode 100644 debian/patches/CVE-2019-7637.patch diff --git a/debian/patches/CVE-2019-7572_CVE-2019-7574.patch b/debian/patches/CVE-2019-7572_CVE-2019-7574.patch new file mode 100644 index 0000000..c1ecdb9 --- /dev/null +++ b/debian/patches/CVE-2019-7572_CVE-2019-7574.patch 
@@ -0,0 +1,105 @@ +Description: CVE-2019-7572, CVE-2019-7574 + CVE-2019-7572: a buffer over-read in IMA_ADPCM_nibble in audio/SDL_wave.c. + CVE-2019-7574: a heap-based buffer over-read in IMA_ADPCM_decode in audio/SDL_wave.c. + +--- +Author: Abhijith PA <abhij...@debian.org> +Origin: https://bugzilla-attachments.libsdl.org/attachment.cgi?id=3610 + https://bugzilla.libsdl.org/attachment.cgi?id=3612 + https://bugzilla.libsdl.org/attachment.cgi?id=3618 +Bug: https://bugzilla.libsdl.org/show_bug.cgi?id=4496 + https://bugzilla.libsdl.org/show_bug.cgi?id=4495 +Last-Update: <2018-03-05> + +Index: libsdl1.2-1.2.15/src/audio/SDL_wave.c +=================================================================== +--- libsdl1.2-1.2.15.orig/src/audio/SDL_wave.c ++++ libsdl1.2-1.2.15/src/audio/SDL_wave.c +@@ -264,6 +264,14 @@ static Sint32 IMA_ADPCM_nibble(struct IM + }; + Sint32 delta, step; + ++ /* Clamp index value. The inital value can be invalid. */ ++ if ( state->index > 88 ) { ++ state->index = 88; ++ } else ++ if ( state->index < 0 ) { ++ state->index = 0; ++ } ++ + /* Compute difference and new sample value */ + step = step_table[state->index]; + delta = step >> 3; +@@ -275,12 +283,6 @@ static Sint32 IMA_ADPCM_nibble(struct IM + + /* Update index value */ + state->index += index_table[nybble]; +- if ( state->index > 88 ) { +- state->index = 88; +- } else +- if ( state->index < 0 ) { +- state->index = 0; +- } + + /* Clamp output sample */ + if ( state->sample > max_audioval ) { +@@ -323,7 +325,7 @@ static void Fill_IMA_ADPCM_block(Uint8 * + static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + { + struct IMA_ADPCM_decodestate *state; +- Uint8 *freeable, *encoded, *decoded; ++ Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end; + Sint32 encoded_len, samplesleft; + unsigned int c, channels; + +@@ -339,6 +341,7 @@ static int IMA_ADPCM_decode(Uint8 **audi + /* Allocate the proper sized output buffer */ + encoded_len = *audio_len; + encoded = *audio_buf; 
++ encoded_end = encoded + encoded_len; + freeable = *audio_buf; + *audio_len = (encoded_len/IMA_ADPCM_state.wavefmt.blockalign) * + IMA_ADPCM_state.wSamplesPerBlock* +@@ -349,11 +352,13 @@ static int IMA_ADPCM_decode(Uint8 **audi + return(-1); + } + decoded = *audio_buf; ++ decoded_end = decoded + *audio_len; + + /* Get ready... Go! */ + while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) { + /* Grab the initial information for this block */ + for ( c=0; c<channels; ++c ) { ++ if (encoded + 4 > encoded_end) goto invalid_size; + /* Fill the state information for this block */ + state[c].sample = ((encoded[1]<<8)|encoded[0]); + encoded += 2; +@@ -367,6 +372,7 @@ static int IMA_ADPCM_decode(Uint8 **audi + } + + /* Store the initial sample we start with */ ++ if (decoded + 2 > decoded_end) goto invalid_size; + decoded[0] = (Uint8)(state[c].sample&0xFF); + decoded[1] = (Uint8)(state[c].sample>>8); + decoded += 2; +@@ -376,6 +382,9 @@ static int IMA_ADPCM_decode(Uint8 **audi + samplesleft = (IMA_ADPCM_state.wSamplesPerBlock-1)*channels; + while ( samplesleft > 0 ) { + for ( c=0; c<channels; ++c ) { ++ if (encoded + 4 > encoded_end) goto invalid_size; ++ if (decoded + 4 * 4 * channels > decoded_end) ++ goto invalid_size; + Fill_IMA_ADPCM_block(decoded, encoded, + c, channels, &state[c]); + encoded += 4; +@@ -387,6 +396,10 @@ static int IMA_ADPCM_decode(Uint8 **audi + } + SDL_free(freeable); + return(0); ++ invalid_size: ++ SDL_SetError("Unexpected chunk length for an IMA ADPCM decoder"); ++ SDL_free(freeable); ++ return(-1); + } + + SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc, diff --git a/debian/patches/CVE-2019-7573.patch b/debian/patches/CVE-2019-7573.patch new file mode 100644 index 0000000..a1c80b2 --- /dev/null +++ b/debian/patches/CVE-2019-7573.patch 
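Review bot: The new `invalid_size:` exit frees `freeable` but leaves `*audio_buf` pointing at the freshly allocated output buffer (the one assigned just before `decoded = *audio_buf;`), so a truncated chunk leaks that buffer unless the caller releases it on a -1 return, which happens outside the hunk; the `invalid_size:` block added to MS_ADPCM_decode in CVE-2019-7575_7577.patch has the same shape. If the caller does not free it, `SDL_free(*audio_buf); *audio_buf = NULL;` before `return(-1)` closes the leak. The guards such as `if (encoded + 4 > encoded_end) goto invalid_size;` compute a pointer that may lie more than one element past the end before comparing, which C leaves undefined; `if (encoded_end - encoded < 4) goto invalid_size;` compares the remaining length instead and stays defined. IMA_ADPCM_decode's body continues outside the hunk.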
@@ -0,0 +1,66 @@ +Description: CVE-2019-7573 + a heap-based buffer over-read in InitMS_ADPCM in audio/SDL_wave.c (inside the + wNumCoef loop). + +--- +Author: Abhijith PA <abhij...@debian.org> +Origin: https://bugzilla.libsdl.org/attachment.cgi?id=3620 +Bug: https://bugzilla.libsdl.org/show_bug.cgi?id=4491 +Last-Update: 2019-03-05 + +--- libsdl1.2-1.2.15.orig/src/audio/SDL_wave.c ++++ libsdl1.2-1.2.15/src/audio/SDL_wave.c +@@ -44,12 +44,13 @@ static struct MS_ADPCM_decoder { + struct MS_ADPCM_decodestate state[2]; + } MS_ADPCM_state; + +-static int InitMS_ADPCM(WaveFMT *format) ++static int InitMS_ADPCM(WaveFMT *format, int length) + { +- Uint8 *rogue_feel; ++ Uint8 *rogue_feel, *rogue_feel_end; + int i; + + /* Set the rogue pointer to the MS_ADPCM specific data */ ++ if (length < sizeof(*format)) goto too_short; + MS_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding); + MS_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels); + MS_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency); +@@ -58,9 +59,11 @@ static int InitMS_ADPCM(WaveFMT *format) + MS_ADPCM_state.wavefmt.bitspersample = + SDL_SwapLE16(format->bitspersample); + rogue_feel = (Uint8 *)format+sizeof(*format); ++ rogue_feel_end = (Uint8 *)format + length; + if ( sizeof(*format) == 16 ) { + rogue_feel += sizeof(Uint16); + } ++ if (rogue_feel + 4 > rogue_feel_end) goto too_short; + MS_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1]<<8)|rogue_feel[0]); + rogue_feel += sizeof(Uint16); + MS_ADPCM_state.wNumCoef = ((rogue_feel[1]<<8)|rogue_feel[0]); +@@ -70,12 +73,16 @@ static int InitMS_ADPCM(WaveFMT *format) + return(-1); + } + for ( i=0; i<MS_ADPCM_state.wNumCoef; ++i ) { ++ if (rogue_feel + 4 > rogue_feel_end) goto too_short; + MS_ADPCM_state.aCoeff[i][0] = ((rogue_feel[1]<<8)|rogue_feel[0]); + rogue_feel += sizeof(Uint16); + MS_ADPCM_state.aCoeff[i][1] = ((rogue_feel[1]<<8)|rogue_feel[0]); + rogue_feel += sizeof(Uint16); + } + return(0); ++too_short: ++ 
SDL_SetError("Unexpected length of a chunk with a MS ADPCM format"); ++ return(-1); + } + + static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state, +@@ -474,7 +481,7 @@ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWop + break; + case MS_ADPCM_CODE: + /* Try to understand this */ +- if ( InitMS_ADPCM(format) < 0 ) { ++ if ( InitMS_ADPCM(format, lenread) < 0 ) { + was_error = 1; + goto done; + } diff --git a/debian/patches/CVE-2019-7575_7577.patch b/debian/patches/CVE-2019-7575_7577.patch new file mode 100644 index 0000000..546dd4f --- /dev/null +++ b/debian/patches/CVE-2019-7575_7577.patch 
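Review bot: `if (length < sizeof(*format)) goto too_short;` compares the new `int length` against a `size_t`, so a negative `length` converts to a large unsigned value, passes the check and feeds `rogue_feel_end = (Uint8 *)format + length`, which then points before the buffer; whether `lenread` can be negative at the call site is outside the hunk. `if (length < 0 || (size_t)length < sizeof(*format)) goto too_short;` states the intent and avoids the -Wsign-compare warning. The same construct is added to InitIMA_ADPCM in CVE-2019-7578.patch.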
@@ -0,0 +1,78 @@ +Description: CVE-2019-7575, CVE-2019-7577 + CVE-2019-7575 +a heap-based buffer overflow in MS_ADPCM_decode in audio/SDL_wave.c. + CVE-2019-7577 +a buffer over-read in SDL_LoadWAV_RW in audio/SDL_wave.c. + +--- +Author: Abhijith PA <abhij...@debian.org> +Origin: https://bugzilla.libsdl.org/attachment.cgi?id=3609 + https://bugzilla.libsdl.org/attachment.cgi?id=3608 +Bug: https://bugzilla.libsdl.org/show_bug.cgi?id=4493 + https://bugzilla.libsdl.org/show_bug.cgi?id=4492 +Last-Update: 2019-03-05 + +--- libsdl1.2-1.2.15.orig/src/audio/SDL_wave.c ++++ libsdl1.2-1.2.15/src/audio/SDL_wave.c +@@ -122,7 +122,7 @@ static Sint32 MS_ADPCM_nibble(struct MS_ + static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + { + struct MS_ADPCM_decodestate *state[2]; +- Uint8 *freeable, *encoded, *decoded; ++ Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end; + Sint32 encoded_len, samplesleft; + Sint8 nybble, stereo; + Sint16 *coeff[2]; +@@ -131,6 +131,7 @@ static int MS_ADPCM_decode(Uint8 **audio + /* Allocate the proper sized output buffer */ + encoded_len = *audio_len; + encoded = *audio_buf; ++ encoded_end = encoded + encoded_len; + freeable = *audio_buf; + *audio_len = (encoded_len/MS_ADPCM_state.wavefmt.blockalign) * + MS_ADPCM_state.wSamplesPerBlock* +@@ -141,6 +142,7 @@ static int MS_ADPCM_decode(Uint8 **audio + return(-1); + } + decoded = *audio_buf; ++ decoded_end = decoded + *audio_len; + + /* Get ready... Go! */ + stereo = (MS_ADPCM_state.wavefmt.channels == 2); +@@ -148,6 +150,7 @@ static int MS_ADPCM_decode(Uint8 **audio + state[1] = &MS_ADPCM_state.state[stereo]; + while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) { + /* Grab the initial information for this block */ ++ if (encoded + 7 + (stereo ? 
7 : 0) > encoded_end) goto invalid_size; + state[0]->hPredictor = *encoded++; + if ( stereo ) { + state[1]->hPredictor = *encoded++; +@@ -174,6 +177,7 @@ static int MS_ADPCM_decode(Uint8 **audio + coeff[1] = MS_ADPCM_state.aCoeff[state[1]->hPredictor]; + + /* Store the two initial samples we start with */ ++ if (decoded + 4 + (stereo ? 4 : 0) > decoded_end) goto invalid_size; + decoded[0] = state[0]->iSamp2&0xFF; + decoded[1] = state[0]->iSamp2>>8; + decoded += 2; +@@ -195,6 +199,9 @@ static int MS_ADPCM_decode(Uint8 **audio + samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)* + MS_ADPCM_state.wavefmt.channels; + while ( samplesleft > 0 ) { ++ if (encoded + 1 > encoded_end) goto invalid_size; ++ if (decoded + 4 > decoded_end) goto invalid_size; ++ + nybble = (*encoded)>>4; + new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]); + decoded[0] = new_sample&0xFF; +@@ -216,6 +223,10 @@ static int MS_ADPCM_decode(Uint8 **audio + } + SDL_free(freeable); + return(0); ++invalid_size: ++ SDL_SetError("Unexpected chunk length for a MS ADPCM decoder"); ++ SDL_free(freeable); ++ return(-1); + } + + struct IMA_ADPCM_decodestate { diff --git a/debian/patches/CVE-2019-7577-1_2.patch b/debian/patches/CVE-2019-7577-1_2.patch new file mode 100644 index 0000000..648c52b --- /dev/null +++ b/debian/patches/CVE-2019-7577-1_2.patch 
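Review bot: The constants in the new guards, `7 + (stereo ? 7 : 0)`, `4 + (stereo ? 4 : 0)`, `encoded + 1` and `decoded + 4`, encode the MS ADPCM block layout but nothing nearby says so, and the reads they protect are partly outside the hunk. A comment on the first guard such as `/* per-channel block header: predictor (1) + iDelta (2) + iSamp1 (2) + iSamp2 (2) bytes */` and on the loop guard `/* one encoded byte holds two nibbles and yields two 16-bit samples */` would let a reader confirm the numbers against the reads below. The header size is inferred here from `hPredictor = *encoded++` and the `encoded[1]<<8` reads; the remaining header reads should be checked before relying on it.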
@@ -0,0 +1,32 @@ +Description: CVE-2019-7577 + a buffer over-read in SDL_LoadWAV_RW in audio/SDL_wave.c. + +--- +Author: Abhijith PA <abhij...@debian.org> +Origin: https://bugzilla.libsdl.org/attachment.cgi?id=3694 +Bug: https://bugzilla.libsdl.org/show_bug.cgi?id=4492 +Last-Update: 2019-03-13 + +--- libsdl1.2-1.2.15.orig/src/audio/SDL_wave.c ++++ libsdl1.2-1.2.15/src/audio/SDL_wave.c +@@ -155,6 +155,9 @@ static int MS_ADPCM_decode(Uint8 **audio + if ( stereo ) { + state[1]->hPredictor = *encoded++; + } ++ if (state[0]->hPredictor >= 7 || state[1]->hPredictor >= 7) { ++ goto invalid_predictor; ++ } + state[0]->iDelta = ((encoded[1]<<8)|encoded[0]); + encoded += sizeof(Sint16); + if ( stereo ) { +@@ -227,6 +230,10 @@ invalid_size: + SDL_SetError("Unexpected chunk length for a MS ADPCM decoder"); + SDL_free(freeable); + return(-1); ++invalid_predictor: ++ SDL_SetError("Invalid predictor value for a MS ADPCM decoder"); ++ SDL_free(freeable); ++ return(-1); + } + + struct IMA_ADPCM_decodestate { diff --git a/debian/patches/CVE-2019-7578.patch b/debian/patches/CVE-2019-7578.patch new file mode 100644 index 0000000..cad7542 --- /dev/null +++ b/debian/patches/CVE-2019-7578.patch 
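Review bot: `if (state[0]->hPredictor >= 7 || state[1]->hPredictor >= 7)` hard-codes the bound of the coefficient table that `coeff[1] = MS_ADPCM_state.aCoeff[state[1]->hPredictor]` indexes, so the limit and the array can drift apart; `if (state[0]->hPredictor >= SDL_arraysize(MS_ADPCM_state.aCoeff) || state[1]->hPredictor >= SDL_arraysize(MS_ADPCM_state.aCoeff))` ties them together, assuming the table's first dimension is the 7 that the existing `wNumCoef` check implies. The check is sound for mono only because `state[1] = &MS_ADPCM_state.state[stereo];` in CVE-2019-7575_7577.patch makes `state[1]` alias `state[0]` there; a comment such as `/* state[1] aliases state[0] when mono, so both reads are initialised */` would spare the next reader that lookup. MS_ADPCM_decode starts and ends outside the hunk.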
@@ -0,0 +1,53 @@ +Description: CVE-2019-7578 + + If IMA ADPCM format chunk was too short, InitIMA_ADPCM() parsing it + could read past the end of chunk data. This patch fixes it. +--- +Author: Abhijith PA <abhij...@debian.org> +Origin: https://bugzilla-attachments.libsdl.org/attachment.cgi?id=3623 +Bug: https://bugzilla.libsdl.org/show_bug.cgi?id=4494 +Last-Update: 2019-03-05 + +--- libsdl1.2-1.2.15.orig/src/audio/SDL_wave.c ++++ libsdl1.2-1.2.15/src/audio/SDL_wave.c +@@ -240,11 +240,12 @@ static struct IMA_ADPCM_decoder { + struct IMA_ADPCM_decodestate state[2]; + } IMA_ADPCM_state; + +-static int InitIMA_ADPCM(WaveFMT *format) ++static int InitIMA_ADPCM(WaveFMT *format, int length) + { +- Uint8 *rogue_feel; ++ Uint8 *rogue_feel, *rogue_feel_end; + + /* Set the rogue pointer to the IMA_ADPCM specific data */ ++ if (length < sizeof(*format)) goto too_short; + IMA_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding); + IMA_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels); + IMA_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency); +@@ -253,11 +254,16 @@ static int InitIMA_ADPCM(WaveFMT *format + IMA_ADPCM_state.wavefmt.bitspersample = + SDL_SwapLE16(format->bitspersample); + rogue_feel = (Uint8 *)format+sizeof(*format); ++ rogue_feel_end = (Uint8 *)format + length; + if ( sizeof(*format) == 16 ) { + rogue_feel += sizeof(Uint16); + } ++ if (rogue_feel + 2 > rogue_feel_end) goto too_short; + IMA_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1]<<8)|rogue_feel[0]); + return(0); ++too_short: ++ SDL_SetError("Unexpected length of a chunk with an IMA ADPCM format"); ++ return(-1); + } + + static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble) +@@ -500,7 +506,7 @@ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWop + break; + case IMA_ADPCM_CODE: + /* Try to understand this */ +- if ( InitIMA_ADPCM(format) < 0 ) { ++ if ( InitIMA_ADPCM(format, lenread) < 0 ) { + was_error = 1; + goto done; + } 
diff --git a/debian/patches/CVE-2019-7635_636_638.patch b/debian/patches/CVE-2019-7635_636_638.patch new file mode 100644 index 0000000..39f274f --- /dev/null +++ b/debian/patches/CVE-2019-7635_636_638.patch 
@@ -0,0 +1,81 @@ +Description: CVE-2019-7635_CVE-2019-7636, CVE-2019-7638 + CVE-2019-7635 +a heap-based buffer over-read in Blit1to4 in video/SDL_blit_1.c + CVE-2019-7636 +a heap-based buffer over-read in SDL_GetRGB in video/SDL_pixels.c + CVE-2019-7638 +buffer overwrite when the SDL_LoadBMP_RW() +loads colors from a file. + +--- +Author: Abhijith PA <abhij...@debian.org> +Origin: https://bugzilla.libsdl.org/attachment.cgi?id=3637 + https://bugzilla.libsdl.org/attachment.cgi?id=3645 + https://hg.libsdl.org/SDL/rev/19d8c3b9c251 + +Bug: https://bugzilla.libsdl.org/show_bug.cgi?id=4499 + https://bugzilla.libsdl.org/show_bug.cgi?id=4498 + https://bugzilla.libsdl.org/show_bug.cgi?id=4500 +Last-Update: 2019-03-08 + +Index: libsdl1.2-1.2.15/src/video/SDL_bmp.c +=================================================================== +--- libsdl1.2-1.2.15.orig/src/video/SDL_bmp.c ++++ libsdl1.2-1.2.15/src/video/SDL_bmp.c +@@ -163,6 +163,14 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops + ExpandBMP = biBitCount; + biBitCount = 8; + break; ++ case 2: ++ case 3: ++ case 5: ++ case 6: ++ case 7: ++ SDL_SetError("%d-bpp BMP images are not supported", biBitCount); ++ was_error = SDL_TRUE; ++ goto done; + default: + ExpandBMP = 0; + break; +@@ -233,6 +241,10 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops + if ( palette ) { + if ( biClrUsed == 0 ) { + biClrUsed = 1 << biBitCount; ++ } else if ( biClrUsed > (1 << biBitCount) ) { ++ SDL_SetError("BMP file has an invalid number of colors"); ++ was_error = SDL_TRUE; ++ goto done; + } + if ( biSize == 12 ) { + for ( i = 0; i < (int)biClrUsed; ++i ) { +@@ -296,6 +308,12 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops + } + *(bits+i) = (pixel>>shift); + pixel <<= ExpandBMP; ++ if ( bits[i] >= biClrUsed ) { ++ SDL_SetError( ++ "A BMP image contains a pixel with a color out of the palette"); ++ was_error = SDL_TRUE; ++ goto done; ++ } + } } + break; + +@@ -306,6 +324,17 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops + was_error = SDL_TRUE; + goto done; + } ++ 
++ if ( 8 == biBitCount && palette && biClrUsed < (1 << biBitCount ) ) { ++ for ( i=0; i<surface->w; ++i ) { ++ if ( bits[i] >= biClrUsed ) { ++ SDL_SetError( ++ "A BMP image contains a pixel with a color out of the palette"); ++ was_error = SDL_TRUE; ++ goto done; ++ } ++ } ++ } + #if SDL_BYTEORDER == SDL_BIG_ENDIAN + /* Byte-swap the pixels if needed. Note that the 24bpp + case has already been taken care of above. */ diff --git a/debian/patches/CVE-2019-7637.patch b/debian/patches/CVE-2019-7637.patch new file mode 100644 index 0000000..79384df --- /dev/null +++ b/debian/patches/CVE-2019-7637.patch 
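Review bot: The Description names Blit1to4 in video/SDL_blit_1.c and SDL_GetRGB in video/SDL_pixels.c, yet the patch touches only src/video/SDL_bmp.c, so a reader looking for the fix at the reported sites will not find it. A sentence in the Description such as `All three issues are addressed in the BMP loader: SDL_LoadBMP_RW now rejects images whose colour count exceeds the palette and pixels whose index is >= biClrUsed, so the blitters and SDL_GetRGB never see an out-of-range palette index.` would explain the location. The 8-bpp validation loop and the expanded-pixel check both depend on `biClrUsed` having been normalised to `1 << biBitCount` when the file reports 0, which the earlier hunk in this file shows; SDL_LoadBMP_RW itself starts and ends outside the hunk.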
@@ -0,0 +1,207 @@ +From 66950da7432b1743e60bebf5bd7fa6108c6585f1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppi...@redhat.com> +Date: Mon, 18 Feb 2019 13:53:16 +0100 +Subject: [PATCH] CVE-2019-7637: Fix in integer overflow in SDL_CalculatePitch +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If a too large width is passed to SDL_SetVideoMode() the width travels +to SDL_CalculatePitch() where the width (e.g. 65535) is multiplied by +BytesPerPixel (e.g. 4) and the result is stored into Uint16 pitch +variable. During this arithmetics an integer overflow can happen (e.g. +the value is clamped as 65532). As a result SDL_Surface with a pitch +smaller than width * BytesPerPixel is created, too small pixel buffer +is allocated and when the SDL_Surface is processed in SDL_FillRect() +a buffer overflow occurs. + +This can be reproduced with "./graywin -width 21312312313123213213213" +command. + +This patch fixes is by using a very careful arithmetics in +SDL_CalculatePitch(). If an overflow is detected, an error is reported +back as a special 0 value. We assume that 0-width surfaces do not +occur in the wild. Since SDL_CalculatePitch() is a private function, +we can change the semantics. 
+ +CVE-2019-7637 +https://bugzilla.libsdl.org/show_bug.cgi?id=4497 + +Signed-off-by: Petr Písař <ppi...@redhat.com> +--- + src/video/SDL_pixels.c | 41 +++++++++++++++++++++++++++------ + src/video/gapi/SDL_gapivideo.c | 3 +++ + src/video/nanox/SDL_nxvideo.c | 4 ++++ + src/video/ps2gs/SDL_gsvideo.c | 3 +++ + src/video/ps3/SDL_ps3video.c | 3 +++ + src/video/windib/SDL_dibvideo.c | 3 +++ + src/video/windx5/SDL_dx5video.c | 3 +++ + src/video/x11/SDL_x11video.c | 4 ++++ + 8 files changed, 57 insertions(+), 7 deletions(-) + +Index: libsdl1.2-1.2.15/src/video/SDL_pixels.c +=================================================================== +--- libsdl1.2-1.2.15.orig/src/video/SDL_pixels.c ++++ libsdl1.2-1.2.15/src/video/SDL_pixels.c +@@ -286,26 +286,54 @@ void SDL_DitherColors(SDL_Color *colors, + } + } + /* +- * Calculate the pad-aligned scanline width of a surface ++ * Calculate the pad-aligned scanline width of a surface. Return 0 in case of ++ * an error. + */ + Uint16 SDL_CalculatePitch(SDL_Surface *surface) + { +- Uint16 pitch; ++ unsigned int pitch = 0; + + /* Surface should be 4-byte aligned for speed */ +- pitch = surface->w*surface->format->BytesPerPixel; ++ /* The code tries to prevent from an Uint16 overflow. 
*/; ++ Uint8 byte; ++ for (byte = surface->format->BytesPerPixel; byte; byte--) { ++ pitch += (unsigned int)surface->w; ++ if (pitch < surface->w) { ++ SDL_SetError("A scanline is too wide"); ++ return(0); ++ } ++ } + switch (surface->format->BitsPerPixel) { + case 1: +- pitch = (pitch+7)/8; ++ if (pitch % 8) { ++ pitch = pitch / 8 + 1; ++ } else { ++ pitch = pitch / 8; ++ } + break; + case 4: +- pitch = (pitch+1)/2; ++ if (pitch % 2) { ++ pitch = pitch / 2 + 1; ++ } else { ++ pitch = pitch / 2; ++ } + break; + default: + break; + } +- pitch = (pitch + 3) & ~3; /* 4-byte aligning */ +- return(pitch); ++ /* 4-byte aligning */ ++ if (pitch & 3) { ++ if (pitch + 3 < pitch) { ++ SDL_SetError("A scanline is too wide"); ++ return(0); ++ } ++ pitch = (pitch + 3) & ~3; ++ } ++ if (pitch > 0xFFFF) { ++ SDL_SetError("A scanline is too wide"); ++ return(0); ++ } ++ return((Uint16)pitch); + } + /* + * Match an RGB value to a particular palette index +Index: libsdl1.2-1.2.15/src/video/gapi/SDL_gapivideo.c +=================================================================== +--- libsdl1.2-1.2.15.orig/src/video/gapi/SDL_gapivideo.c ++++ libsdl1.2-1.2.15/src/video/gapi/SDL_gapivideo.c +@@ -733,6 +733,9 @@ SDL_Surface *GAPI_SetVideoMode(_THIS, SD + video->w = gapi->w = width; + video->h = gapi->h = height; + video->pitch = SDL_CalculatePitch(video); ++ if (!current->pitch) { ++ return(NULL); ++ } + + /* Small fix for WinCE/Win32 - when activating window + SDL_VideoSurface is equal to zero, so activating code +Index: libsdl1.2-1.2.15/src/video/nanox/SDL_nxvideo.c +=================================================================== +--- libsdl1.2-1.2.15.orig/src/video/nanox/SDL_nxvideo.c ++++ libsdl1.2-1.2.15/src/video/nanox/SDL_nxvideo.c +@@ -378,6 +378,10 @@ SDL_Surface * NX_SetVideoMode (_THIS, SD + current -> w = width ; + current -> h = height ; + current -> pitch = SDL_CalculatePitch (current) ; ++ if (!current->pitch) { ++ current = NULL; ++ goto done; ++ } + NX_ResizeImage 
(this, current, flags) ; + } + +Index: libsdl1.2-1.2.15/src/video/ps2gs/SDL_gsvideo.c +=================================================================== +--- libsdl1.2-1.2.15.orig/src/video/ps2gs/SDL_gsvideo.c ++++ libsdl1.2-1.2.15/src/video/ps2gs/SDL_gsvideo.c +@@ -479,6 +479,9 @@ static SDL_Surface *GS_SetVideoMode(_THI + current->w = width; + current->h = height; + current->pitch = SDL_CalculatePitch(current); ++ if (!current->pitch) { ++ return(NULL); ++ } + + /* Memory map the DMA area for block memory transfer */ + if ( ! mapped_mem ) { +Index: libsdl1.2-1.2.15/src/video/ps3/SDL_ps3video.c +=================================================================== +--- libsdl1.2-1.2.15.orig/src/video/ps3/SDL_ps3video.c ++++ libsdl1.2-1.2.15/src/video/ps3/SDL_ps3video.c +@@ -339,6 +339,9 @@ static SDL_Surface *PS3_SetVideoMode(_TH + current->w = width; + current->h = height; + current->pitch = SDL_CalculatePitch(current); ++ if (!current->pitch) { ++ return(NULL); ++ } + + /* Alloc aligned mem for current->pixels */ + s_pixels = memalign(16, current->h * current->pitch); +Index: libsdl1.2-1.2.15/src/video/windib/SDL_dibvideo.c +=================================================================== +--- libsdl1.2-1.2.15.orig/src/video/windib/SDL_dibvideo.c ++++ libsdl1.2-1.2.15/src/video/windib/SDL_dibvideo.c +@@ -675,6 +675,9 @@ SDL_Surface *DIB_SetVideoMode(_THIS, SDL + video->w = width; + video->h = height; + video->pitch = SDL_CalculatePitch(video); ++ if (!current->pitch) { ++ return(NULL); ++ } + + /* Small fix for WinCE/Win32 - when activating window + SDL_VideoSurface is equal to zero, so activating code +Index: libsdl1.2-1.2.15/src/video/windx5/SDL_dx5video.c +=================================================================== +--- libsdl1.2-1.2.15.orig/src/video/windx5/SDL_dx5video.c ++++ libsdl1.2-1.2.15/src/video/windx5/SDL_dx5video.c +@@ -1127,6 +1127,9 @@ SDL_Surface *DX5_SetVideoMode(_THIS, SDL + video->w = width; + video->h = height; + video->pitch = 
SDL_CalculatePitch(video); ++ if (!current->pitch) { ++ return(NULL); ++ } + + #ifndef NO_CHANGEDISPLAYSETTINGS + /* Set fullscreen mode if appropriate. +Index: libsdl1.2-1.2.15/src/video/x11/SDL_x11video.c +=================================================================== +--- libsdl1.2-1.2.15.orig/src/video/x11/SDL_x11video.c ++++ libsdl1.2-1.2.15/src/video/x11/SDL_x11video.c +@@ -1216,6 +1216,10 @@ SDL_Surface *X11_SetVideoMode(_THIS, SDL + current->w = width; + current->h = height; + current->pitch = SDL_CalculatePitch(current); ++ if (!current->pitch) { ++ current = NULL; ++ goto done; ++ } + if (X11_ResizeImage(this, current, flags) < 0) { + current = NULL; + goto done; diff --git a/debian/patches/series b/debian/patches/series index fa84a76..fa2e79b 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -7,3 +7,11 @@ fix_joystick_misc_axes.diff sdl-check-for-SDL_VIDEO_X11_BACKINGSTORE.patch avoid_maybe_non-DFSG_file.patch SDL-1.2.15-vec_perm-ppc64le.patch +CVE-2019-7572_CVE-2019-7574.patch +CVE-2019-7573.patch +CVE-2019-7575_7577.patch +CVE-2019-7578.patch +CVE-2019-7635_636_638.patch +CVE-2019-7637.patch +CVE-2019-7577-1_2.patch + -- 2.11.0
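Review bot: In the gapi, windib and windx5 sections the pitch is stored with `video->pitch = SDL_CalculatePitch(video);` but the new guard reads `if (!current->pitch)`, so unless `video` aliases `current` in those functions (not visible in the hunk) the overflow result is never detected and the driver carries on with a zero pitch; checking the surface that was just written, `if (!video->pitch) { return(NULL); }`, removes that dependency. In SDL_CalculatePitch the comment ends with `*/;`, leaving a stray empty statement, and `Uint8 byte;` is declared after executable code, a C99 mixed declaration in a file otherwise written C89-style; moving it up beside `unsigned int pitch = 0;` keeps older-compiler builds working. The bare `return(NULL)` in those three drivers also skips whatever cleanup the surrounding function performs on its other failure paths, which is outside the hunk.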