From: Wenlin Kang <wenlin.k...@windriver.com> CVE-2020-14409 SDL (Simple DirectMedia Layer) through 2.0.12 has an Integer Overflow (and resultant SDL_memcpy heap corruption) in SDL_BlitCopy in video/SDL_blit_copy.c via a crafted .BMP file.
CVE-2020-14410 SDL (Simple DirectMedia Layer) through 2.0.12 has a heap-based buffer over-read in Blit_3or4_to_3or4__inversed_rgb in video/SDL_blit_N.c via a crafted .BMP file.
References:
https://nvd.nist.gov/vuln/detail/CVE-2020-14409
https://nvd.nist.gov/vuln/detail/CVE-2020-14410
Upstream patches:
https://hg.libsdl.org/SDL/rev/3f9b4e92c1d9
https://hg.libsdl.org/SDL/rev/ed0e044e308c
Signed-off-by: Wenlin Kang <wenlin.k...@windriver.com>
---
.../CVE-2020-14409-CVE-2020-14410-1.patch | 84 +++++++++++++++++++
.../CVE-2020-14409-CVE-2020-14410-2.patch | 35 ++++++++
.../libsdl2/libsdl2_2.0.12.bb | 2 +
3 files changed, 121 insertions(+)
create mode 100644 meta/recipes-graphics/libsdl2/libsdl2/CVE-2020-14409-CVE-2020-14410-1.patch
create mode 100644 meta/recipes-graphics/libsdl2/libsdl2/CVE-2020-14409-CVE-2020-14410-2.patch
diff --git a/meta/recipes-graphics/libsdl2/libsdl2/CVE-2020-14409-CVE-2020-14410-1.patch b/meta/recipes-graphics/libsdl2/libsdl2/CVE-2020-14409-CVE-2020-14410-1.patch
new file mode 100644
index 0000000000..aba21581de
--- /dev/null
+++ b/meta/recipes-graphics/libsdl2/libsdl2/CVE-2020-14409-CVE-2020-14410-1.patch
@@ -0,0 +1,84 @@
+From 1ede8ee20669d2c103c9568f75733b376b69e2d2 Mon Sep 17 00:00:00 2001
+From: Sam Lantinga <slou...@libsdl.org>
+Date: Wed, 27 Jan 2021 07:08:36 +0000
+Subject: [PATCH 1/2] Fixed overflow in surface pitch calculation
+
+Upstream-Status: Backport
+CVE: CVE-2020-14409,CVE-2020-14410
+
+Reference to upstream patch:
+https://hg.libsdl.org/SDL/rev/3f9b4e92c1d9
+
+Signed-off-by: Wenlin Kang <wenlin.k...@windriver.com>
+---
+ src/video/SDL_surface.c | 24 +++++++++++++++---------
+ 1 file changed, 15 insertions(+), 9 deletions(-)
+
+diff --git a/src/video/SDL_surface.c b/src/video/SDL_surface.c
+index 3795b94..c8075f1 100644
+--- a/src/video/SDL_surface.c
++++ b/src/video/SDL_surface.c
+@@ -27,25 +27,23 @@
+ #include "SDL_pixels_c.h"
+ #include "SDL_yuv_c.h"
+
+-
+-/* Check to make sure we can safely check multiplication of surface w and pitch and it won't overflow size_t */
+-SDL_COMPILE_TIME_ASSERT(surface_size_assumptions,
+- sizeof(int) == sizeof(Sint32) && sizeof(size_t) >= sizeof(Sint32));
++/* Check to make sure we can safely check multiplication of surface w and pitch and it won't overflow Sint64 */
++SDL_COMPILE_TIME_ASSERT(surface_size_assumptions, sizeof(int) == sizeof(Sint32));
+
+ /* Public routines */
+
+ /*
+ * Calculate the pad-aligned scanline width of a surface
+ */
+-static int
++static Sint64
+ SDL_CalculatePitch(Uint32 format, int width)
+ {
+- int pitch;
++ Sint64 pitch;
+
+ if (SDL_ISPIXELFORMAT_FOURCC(format) || SDL_BITSPERPIXEL(format) >= 8) {
+- pitch = (width * SDL_BYTESPERPIXEL(format));
++ pitch = ((Sint64)width * SDL_BYTESPERPIXEL(format));
+ } else {
+- pitch = ((width * SDL_BITSPERPIXEL(format)) + 7) / 8;
++ pitch = (((Sint64)width * SDL_BITSPERPIXEL(format)) + 7) / 8;
+ }
+ pitch = (pitch + 3) & ~3; /* 4-byte aligning for speed */
+ return pitch;
+@@ -59,11 +57,19 @@ SDL_Surface *
+ SDL_CreateRGBSurfaceWithFormat(Uint32 flags, int width, int height, int depth,
+ Uint32 format)
+ {
++ Sint64 pitch;
+ SDL_Surface *surface;
+
+ /* The flags are no longer used, make the compiler happy */ + (void)flags; + ++ pitch = SDL_CalculatePitch(format, width); ++ if (pitch < 0 || pitch > SDL_MAX_SINT32) { ++ /* Overflow... */ ++ SDL_OutOfMemory(); ++ return NULL; ++ } ++ + /* Allocate the surface */ + surface = (SDL_Surface *) SDL_calloc(1, sizeof(*surface)); + if (surface == NULL) { +@@ -78,7 +84,7 @@ SDL_CreateRGBSurfaceWithFormat(Uint32 flags, int width, int height, int depth, + } + surface->w = width; + surface->h = height; +- surface->pitch = SDL_CalculatePitch(format, width); ++ surface->pitch = (int)pitch; + SDL_SetClipRect(surface, NULL); + + if (SDL_ISPIXELFORMAT_INDEXED(surface->format->format)) { +-- +2.17.1 + diff --git a/meta/recipes-graphics/libsdl2/libsdl2/CVE-2020-14409-CVE-2020-14410-2.patch b/meta/recipes-graphics/libsdl2/libsdl2/CVE-2020-14409-CVE-2020-14410-2.patch new file mode 100644 index 0000000000..929be75457 --- /dev/null +++ b/meta/recipes-graphics/libsdl2/libsdl2/CVE-2020-14409-CVE-2020-14410-2.patch 
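Review bot: The added range check in SDL_CreateRGBSurfaceWithFormat validates only the width-derived `pitch`; `height` is still stored unchecked at `surface->h = height;`, so the heap size `h * pitch` is only as safe as the existing product check further down, which this hunk does not show (the assertion comment refers to it, so it is presumably present in the 2.0.12 base, but confirm before merging). The narrowing cast `surface->pitch = (int)pitch;` is correct only because of the `pitch > SDL_MAX_SINT32` test earlier in the function; a short comment there, `/* range-checked against SDL_MAX_SINT32 above, so the narrowing cast cannot truncate */`, would make that dependency visible to the next backporter. Reporting the overflow through `SDL_OutOfMemory()` mirrors upstream, but it makes SDL_GetError() describe an invalid width as an allocation failure, which is worth knowing when triaging crash reports against this build. The body of SDL_CreateRGBSurfaceWithFormat continues outside the hunk.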
@@ -0,0 +1,35 @@
+From 2029bd75a501623106cfd0400cffe38d22f1b005 Mon Sep 17 00:00:00 2001
+From: Sam Lantinga <slou...@libsdl.org>
+Date: Wed, 27 Jan 2021 07:25:26 +0000
+Subject: [PATCH 2/2] Reverted comment change in previous commit
+
+Upstream-Status: Backport
+CVE: CVE-2020-14409,CVE-2020-14410
+
+Reference to upstream patch:
+https://hg.libsdl.org/SDL/rev/ed0e044e308c
+
+Signed-off-by: Wenlin Kang <wenlin.k...@windriver.com>
+---
+ src/video/SDL_surface.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/video/SDL_surface.c b/src/video/SDL_surface.c
+index c8075f1..8d63b54 100644
+--- a/src/video/SDL_surface.c
++++ b/src/video/SDL_surface.c
+@@ -27,8 +27,9 @@
+ #include "SDL_pixels_c.h"
+ #include "SDL_yuv_c.h"
+
+-/* Check to make sure we can safely check multiplication of surface w and pitch and it won't overflow Sint64 */
+-SDL_COMPILE_TIME_ASSERT(surface_size_assumptions, sizeof(int) == sizeof(Sint32));
++/* Check to make sure we can safely check multiplication of surface w and pitch and it won't overflow size_t */
++SDL_COMPILE_TIME_ASSERT(surface_size_assumptions,
++ sizeof(int) == sizeof(Sint32) && sizeof(size_t) >= sizeof(Sint32));
+
+ /* Public routines */
+
+--
+2.17.1
+
diff --git a/meta/recipes-graphics/libsdl2/libsdl2_2.0.12.bb b/meta/recipes-graphics/libsdl2/libsdl2_2.0.12.bb
index 5fa99821c4..4262efa995 100644
--- a/meta/recipes-graphics/libsdl2/libsdl2_2.0.12.bb
+++ b/meta/recipes-graphics/libsdl2/libsdl2_2.0.12.bb
@@ -20,6 +20,8 @@ SRC_URI = "http://www.libsdl.org/release/SDL2-${PV}.tar.gz \
 file://more-gen-depends.patch \
 file://directfb-spurious-curly-brace-missing-e.patch \
 file://directfb-renderfillrect-fix.patch \
+ file://CVE-2020-14409-CVE-2020-14410-1.patch \
+ file://CVE-2020-14409-CVE-2020-14410-2.patch \
 "
 
 S = "${WORKDIR}/SDL2-${PV}"
--
2.17.1