From: Wenlin Kang <wenlin.k...@windriver.com>

CVE-2020-14409
SDL (Simple DirectMedia Layer) through 2.0.12 has an Integer Overflow (and
resultant SDL_memcpy heap corruption) in SDL_BlitCopy in video/SDL_blit_copy.c
via a crafted .BMP file.

CVE-2020-14410
SDL (Simple DirectMedia Layer) through 2.0.12 has a heap-based buffer over-read
in Blit_3or4_to_3or4__inversed_rgb in video/SDL_blit_N.c via a crafted .BMP 
file.

References:
https://nvd.nist.gov/vuln/detail/CVE-2020-14409
https://nvd.nist.gov/vuln/detail/CVE-2020-14410

Upstream patches:
https://hg.libsdl.org/SDL/rev/3f9b4e92c1d9
https://hg.libsdl.org/SDL/rev/ed0e044e308c

Signed-off-by: Wenlin Kang <wenlin.k...@windriver.com>
---
 .../CVE-2020-14409-CVE-2020-14410-1.patch     | 84 +++++++++++++++++++
 .../CVE-2020-14409-CVE-2020-14410-2.patch     | 35 ++++++++
 .../libsdl2/libsdl2_2.0.12.bb                 |  2 +
 3 files changed, 121 insertions(+)
 create mode 100644 
meta/recipes-graphics/libsdl2/libsdl2/CVE-2020-14409-CVE-2020-14410-1.patch
 create mode 100644 
meta/recipes-graphics/libsdl2/libsdl2/CVE-2020-14409-CVE-2020-14410-2.patch

diff --git 
a/meta/recipes-graphics/libsdl2/libsdl2/CVE-2020-14409-CVE-2020-14410-1.patch 
b/meta/recipes-graphics/libsdl2/libsdl2/CVE-2020-14409-CVE-2020-14410-1.patch
new file mode 100644
index 0000000000..aba21581de
--- /dev/null
+++ 
b/meta/recipes-graphics/libsdl2/libsdl2/CVE-2020-14409-CVE-2020-14410-1.patch
@@ -0,0 +1,84 @@
+From 1ede8ee20669d2c103c9568f75733b376b69e2d2 Mon Sep 17 00:00:00 2001
+From: Sam Lantinga <slou...@libsdl.org>
+Date: Wed, 27 Jan 2021 07:08:36 +0000
+Subject: [PATCH 1/2] Fixed overflow in surface pitch calculation
+
+Upstream-Status: Backport
+CVE: CVE-2020-14409,CVE-2020-14410
+
+Reference to upstream patch:
+https://hg.libsdl.org/SDL/rev/3f9b4e92c1d9
+
+Signed-off-by: Wenlin Kang <wenlin.k...@windriver.com>
+---
+ src/video/SDL_surface.c | 24 +++++++++++++++---------
+ 1 file changed, 15 insertions(+), 9 deletions(-)
+
+diff --git a/src/video/SDL_surface.c b/src/video/SDL_surface.c
+index 3795b94..c8075f1 100644
+--- a/src/video/SDL_surface.c
++++ b/src/video/SDL_surface.c
+@@ -27,25 +27,23 @@
+ #include "SDL_pixels_c.h"
+ #include "SDL_yuv_c.h"
+ 
+-
+-/* Check to make sure we can safely check multiplication of surface w and 
pitch and it won't overflow size_t */
+-SDL_COMPILE_TIME_ASSERT(surface_size_assumptions,
+-    sizeof(int) == sizeof(Sint32) && sizeof(size_t) >= sizeof(Sint32));
++/* Check to make sure we can safely check multiplication of surface w and 
pitch and it won't overflow Sint64 */
++SDL_COMPILE_TIME_ASSERT(surface_size_assumptions, sizeof(int) == 
sizeof(Sint32));
+ 
+ /* Public routines */
+ 
+ /*
+  * Calculate the pad-aligned scanline width of a surface
+  */
+-static int
++static Sint64
+ SDL_CalculatePitch(Uint32 format, int width)
+ {
+-    int pitch;
++    Sint64 pitch;
+ 
+     if (SDL_ISPIXELFORMAT_FOURCC(format) || SDL_BITSPERPIXEL(format) >= 8) {
+-        pitch = (width * SDL_BYTESPERPIXEL(format));
++        pitch = ((Sint64)width * SDL_BYTESPERPIXEL(format));
+     } else {
+-        pitch = ((width * SDL_BITSPERPIXEL(format)) + 7) / 8;
++      pitch = (((Sint64)width * SDL_BITSPERPIXEL(format)) + 7) / 8;
+     }
+     pitch = (pitch + 3) & ~3;   /* 4-byte aligning for speed */
+     return pitch;
+@@ -59,11 +57,19 @@ SDL_Surface *
+ SDL_CreateRGBSurfaceWithFormat(Uint32 flags, int width, int height, int depth,
+                                Uint32 format)
+ {
++    Sint64 pitch;
+     SDL_Surface *surface;
+ 
+     /* The flags are no longer used, make the compiler happy */
+     (void)flags;
+ 
++    pitch = SDL_CalculatePitch(format, width);
++    if (pitch < 0 || pitch > SDL_MAX_SINT32) {
++        /* Overflow... */
++        SDL_OutOfMemory();
++        return NULL;
++    }
++
+     /* Allocate the surface */
+     surface = (SDL_Surface *) SDL_calloc(1, sizeof(*surface));
+     if (surface == NULL) {
+@@ -78,7 +84,7 @@ SDL_CreateRGBSurfaceWithFormat(Uint32 flags, int width, int 
height, int depth,
+     }
+     surface->w = width;
+     surface->h = height;
+-    surface->pitch = SDL_CalculatePitch(format, width);
++    surface->pitch = (int)pitch;
+     SDL_SetClipRect(surface, NULL);
+ 
+     if (SDL_ISPIXELFORMAT_INDEXED(surface->format->format)) {
+-- 
+2.17.1
+
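Review bot: The new overflow guard in SDL_CreateRGBSurfaceWithFormat (`if (pitch < 0 || pitch > SDL_MAX_SINT32)`) reports a rejected width through `SDL_OutOfMemory()`, so a caller that refuses a crafted BMP sees "out of memory" rather than an invalid-dimension error; the `/* Overflow... */` comment is the only hint of the real cause. Since this is a verbatim backport of upstream 3f9b4e92c1d9, keeping the call matches upstream, but if the recipe ever carries a local variant, `SDL_SetError("Surface pitch overflow for width %d", width);` would make cve-check-style triage and application logs far clearer. Two smaller style points in the same hunk: the rewritten else branch `pitch = (((Sint64)width * SDL_BITSPERPIXEL(format)) + 7) / 8;` is indented with six spaces while the sibling branch uses eight, and the check is correctly placed after the `(pitch + 3) & ~3` rounding, since that rounding can push a value just under SDL_MAX_SINT32 over it — worth saying in the comment. The body of SDL_CreateRGBSurfaceWithFormat continues past the end of this hunk, so the later height-times-pitch size computation is not visible here; the size_t-width assumption that patch 2 restores in the compile-time assert presumably belongs to that code, which is why both patches must be applied together as the recipe does.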
diff --git 
a/meta/recipes-graphics/libsdl2/libsdl2/CVE-2020-14409-CVE-2020-14410-2.patch 
b/meta/recipes-graphics/libsdl2/libsdl2/CVE-2020-14409-CVE-2020-14410-2.patch
new file mode 100644
index 0000000000..929be75457
--- /dev/null
+++ 
b/meta/recipes-graphics/libsdl2/libsdl2/CVE-2020-14409-CVE-2020-14410-2.patch
@@ -0,0 +1,35 @@
+From 2029bd75a501623106cfd0400cffe38d22f1b005 Mon Sep 17 00:00:00 2001
+From: Sam Lantinga <slou...@libsdl.org>
+Date: Wed, 27 Jan 2021 07:25:26 +0000
+Subject: [PATCH 2/2] Reverted comment change in previous commit
+
+Upstream-Status: Backport
+CVE: CVE-2020-14409,CVE-2020-14410
+
+Reference to upstream patch:
+https://hg.libsdl.org/SDL/rev/ed0e044e308c
+
+Signed-off-by: Wenlin Kang <wenlin.k...@windriver.com>
+---
+ src/video/SDL_surface.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/video/SDL_surface.c b/src/video/SDL_surface.c
+index c8075f1..8d63b54 100644
+--- a/src/video/SDL_surface.c
++++ b/src/video/SDL_surface.c
+@@ -27,8 +27,9 @@
+ #include "SDL_pixels_c.h"
+ #include "SDL_yuv_c.h"
+ 
+-/* Check to make sure we can safely check multiplication of surface w and 
pitch and it won't overflow Sint64 */
+-SDL_COMPILE_TIME_ASSERT(surface_size_assumptions, sizeof(int) == 
sizeof(Sint32));
++/* Check to make sure we can safely check multiplication of surface w and 
pitch and it won't overflow size_t */
++SDL_COMPILE_TIME_ASSERT(surface_size_assumptions,
++    sizeof(int) == sizeof(Sint32) && sizeof(size_t) >= sizeof(Sint32));
+ 
+ /* Public routines */
+ 
+-- 
+2.17.1
+
diff --git a/meta/recipes-graphics/libsdl2/libsdl2_2.0.12.bb 
b/meta/recipes-graphics/libsdl2/libsdl2_2.0.12.bb
index 5fa99821c4..4262efa995 100644
--- a/meta/recipes-graphics/libsdl2/libsdl2_2.0.12.bb
+++ b/meta/recipes-graphics/libsdl2/libsdl2_2.0.12.bb
@@ -20,6 +20,8 @@ SRC_URI = "http://www.libsdl.org/release/SDL2-${PV}.tar.gz \
            file://more-gen-depends.patch \
            file://directfb-spurious-curly-brace-missing-e.patch \
            file://directfb-renderfillrect-fix.patch \
+           file://CVE-2020-14409-CVE-2020-14410-1.patch \
+           file://CVE-2020-14409-CVE-2020-14410-2.patch \
 "
 
 S = "${WORKDIR}/SDL2-${PV}"
-- 
2.17.1
