Date: Tuesday, August 31, 2021 @ 23:13:03 Author: heftig Revision: 1010235
1.2.15+387+gfbfcca32-1: Build from main As suggested in https://github.com/libsdl-org/sdl12-compat/blob/main/README.md Also for https://bugs.archlinux.org/task/71794 Added: sdl/trunk/0001-SDL-1.2.15-no-default-backing-store.patch (from rev 1010234, sdl/trunk/0005-SDL-1.2.15-no-default-backing-store.patch) sdl/trunk/0002-x11-Bypass-SetGammaRamp-when-changing-gamma.patch (from rev 1010234, sdl/trunk/0006-x11-Bypass-SetGammaRamp-when-changing-gamma.patch) sdl/trunk/0003-sdl-1.2.14-fix-mouse-clicking.patch (from rev 1010234, sdl/trunk/0007-sdl-1.2.14-fix-mouse-clicking.patch) sdl/trunk/0004-sdl-1.2.14-disable-mmx.patch (from rev 1010234, sdl/trunk/0008-sdl-1.2.14-disable-mmx.patch) Modified: sdl/trunk/PKGBUILD Deleted: sdl/trunk/0001-SDL-1.2.10-GrabNotViewable.patch sdl/trunk/0002-SDL-1.2.15-SDL_EnableUNICODE_drops_keyboard_events.patch sdl/trunk/0003-SDL-1.2.15-const_XData32.patch sdl/trunk/0004-SDL-1.2.15-ignore_insane_joystick_axis.patch sdl/trunk/0005-SDL-1.2.15-no-default-backing-store.patch sdl/trunk/0006-x11-Bypass-SetGammaRamp-when-changing-gamma.patch sdl/trunk/0007-sdl-1.2.14-fix-mouse-clicking.patch sdl/trunk/0008-sdl-1.2.14-disable-mmx.patch sdl/trunk/0009-libsdl-1.2.15-resizing.patch sdl/trunk/0010-X11_KeyToUnicode.patch sdl/trunk/0011-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch sdl/trunk/0012-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch sdl/trunk/0013-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch sdl/trunk/0014-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch sdl/trunk/0015-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch sdl/trunk/0016-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch sdl/trunk/0017-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch sdl/trunk/0018-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch sdl/trunk/0019-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch sdl/trunk/0020-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch sdl/trunk/0021-SDL-1.2.15-CVE-2019-13616-validate_image_size_when_l.patch sdl/trunk/0022-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch sdl/trunk/0023-Reject-2-3-5-6-7-bpp-BMP-images.patch -----------------------------------------------------------------+ 0001-SDL-1.2.10-GrabNotViewable.patch | 32 - 0001-SDL-1.2.15-no-default-backing-store.patch | 33 + 0002-SDL-1.2.15-SDL_EnableUNICODE_drops_keyboard_events.patch | 86 ---- 0002-x11-Bypass-SetGammaRamp-when-changing-gamma.patch | 41 + 0003-SDL-1.2.15-const_XData32.patch | 25 - 0003-sdl-1.2.14-fix-mouse-clicking.patch | 34 + 0004-SDL-1.2.15-ignore_insane_joystick_axis.patch | 29 - 0004-sdl-1.2.14-disable-mmx.patch | 23 + 0005-SDL-1.2.15-no-default-backing-store.patch | 33 - 0006-x11-Bypass-SetGammaRamp-when-changing-gamma.patch | 41 - 0007-sdl-1.2.14-fix-mouse-clicking.patch | 34 - 0008-sdl-1.2.14-disable-mmx.patch | 23 - 0009-libsdl-1.2.15-resizing.patch | 76 --- 0010-X11_KeyToUnicode.patch | 54 -- 0011-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch | 97 ---- 0012-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch | 141 ------ 0013-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch | 103 ----- 0014-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch | 60 -- 0015-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch | 95 ---- 0016-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch | 83 ---- 0017-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch | 65 --- 0018-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch | 53 -- 0019-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch | 206 ---------- 0020-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch | 67 --- 0021-SDL-1.2.15-CVE-2019-13616-validate_image_size_when_l.patch | 32 - 0022-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch | 54 -- 0023-Reject-2-3-5-6-7-bpp-BMP-images.patch | 39 - PKGBUILD | 87 ---- 28 files changed, 145 insertions(+), 1601 deletions(-) Deleted: 0001-SDL-1.2.10-GrabNotViewable.patch =================================================================== --- 0001-SDL-1.2.10-GrabNotViewable.patch 2021-08-31 23:13:02 UTC (rev 1010234) +++ 0001-SDL-1.2.10-GrabNotViewable.patch 2021-08-31 23:13:03 UTC (rev 1010235) @@ -1,32 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: "Jan Alexander Steffens (heftig)" <jan.steff...@gmail.com> -Date: Tue, 31 Aug 2021 22:37:34 +0000 -Subject: [PATCH] SDL-1.2.10-GrabNotViewable - -Makes SDL-1.2 SDL_WM_GrabInput() non-blocking in case of SDL window is not -viewable. Patch provided by <pbonz...@redhat.com>. -See <http://bugzilla.libsdl.org/show_bug.cgi?id=1155>. ---- - src/video/x11/SDL_x11wm.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/src/video/x11/SDL_x11wm.c b/src/video/x11/SDL_x11wm.c -index 14c816b9..fe0f6a54 100644 ---- a/src/video/x11/SDL_x11wm.c -+++ b/src/video/x11/SDL_x11wm.c -@@ -352,13 +352,14 @@ SDL_GrabMode X11_GrabInputNoLock(_THIS, SDL_GrabMode mode) - result = XGrabPointer(SDL_Display, SDL_Window, True, 0, - GrabModeAsync, GrabModeAsync, - SDL_Window, None, CurrentTime); -- if ( result == GrabSuccess ) { -+ if ( result == GrabSuccess || result == GrabNotViewable ) { - break; - } - SDL_Delay(100); - } - if ( result != GrabSuccess ) { - /* Uh, oh, what do we do here? */ ; -+ return(SDL_GRAB_OFF); - } - /* Now grab the keyboard */ - XGrabKeyboard(SDL_Display, WMwindow, True, Copied: sdl/trunk/0001-SDL-1.2.15-no-default-backing-store.patch (from rev 1010234, sdl/trunk/0005-SDL-1.2.15-no-default-backing-store.patch) =================================================================== --- 0001-SDL-1.2.15-no-default-backing-store.patch (rev 0) +++ 0001-SDL-1.2.15-no-default-backing-store.patch 2021-08-31 23:13:03 UTC (rev 1010235) @@ -0,0 +1,33 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: "Jan Alexander Steffens (heftig)" <jan.steff...@gmail.com> +Date: Tue, 31 Aug 2021 22:40:44 +0000 +Subject: [PATCH] SDL-1.2.15-no-default-backing-store + +Do not harness backing store by default + +xorg-server 1.15 enables backing store if composite extension is enabled +(default settings). Harnessing backing store through compositor leads to +tearing effect. + +This patch reverts default harnessing backing store to conditional use if +SDL_VIDEO_X11_BACKINGSTORE environment variable exists. + +<https://bugzilla.libsdl.org/show_bug.cgi?id=2383> +<https://bugzilla.redhat.com/show_bug.cgi?id=1073057> +--- + src/video/x11/SDL_x11video.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/video/x11/SDL_x11video.c b/src/video/x11/SDL_x11video.c +index bbf0d5d0..c365e7a2 100644 +--- a/src/video/x11/SDL_x11video.c ++++ b/src/video/x11/SDL_x11video.c +@@ -1093,7 +1093,7 @@ static int X11_CreateWindow(_THIS, SDL_Surface *screen, + } + } + +-#if 0 /* This is an experiment - are the graphics faster now? - nope. */ ++#if 1 /* This is an experiment - are the graphics faster now? - nope. */ + if ( SDL_getenv("SDL_VIDEO_X11_BACKINGSTORE") ) + #endif + /* Cache the window in the server, when possible */ Deleted: 0002-SDL-1.2.15-SDL_EnableUNICODE_drops_keyboard_events.patch =================================================================== --- 0002-SDL-1.2.15-SDL_EnableUNICODE_drops_keyboard_events.patch 2021-08-31 23:13:02 UTC (rev 1010234) +++ 0002-SDL-1.2.15-SDL_EnableUNICODE_drops_keyboard_events.patch 2021-08-31 23:13:03 UTC (rev 1010235) @@ -1,86 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: "Jan Alexander Steffens (heftig)" <jan.steff...@gmail.com> -Date: Tue, 31 Aug 2021 22:38:24 +0000 -Subject: [PATCH] SDL-1.2.15-SDL_EnableUNICODE_drops_keyboard_events -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Fixed bug 2325 - SDL_EnableUNICODE sometimes drops keyboard events completely - -Rafał Mużyło - -The most annoying part of this bug is that though I've found it in two separate apps, I don't have a trivial testcase for it. - -The problem seems to be a condition race, as it's triggered quite randomly (therefore it will be hard to tell whether it really gets fixed, if a probable fix is found). - -While it's specific to SDL 1.2, it seems quite similar to the problem described and fixed in http://forums.libsdl.org/viewtopic.php?p=40503. - -Now, I should start describing the problem. - -A game uses Escape to open menu (the exact key might not be important). Upon opening, it calls SDL_EnableUNICODE(1). Upon closing it calls SDL_EnableUNICODE(0). - -I have an IME running. - -Game uses SDL_PollEvent to get the events. - -If Escape is pressed repeatedly, menu is opened and closed, till it eventually freezes in open state. -"freezes" in this context means "app itself still runs, but no keyboard events are getting delivered (though - for example - mouse events still are)". "getting delivered" should mean "SDL_PollEvent is not receiving any". -If it matters, the last delivered keyboard event is a keypress, the release never arrives. - -It seems (no guarantees, due to random nature of the freeze) that unsetting XMODIFIERS (which - AFAIU - will disable IME as far as SDL is concerned) prevents the freeze, therefore the reference to that SDL2 thread. ---- - src/video/x11/SDL_x11events.c | 22 ++++++++++++++++++++++ - 1 file changed, 22 insertions(+) - -diff --git a/src/video/x11/SDL_x11events.c b/src/video/x11/SDL_x11events.c -index 559a0014..22107577 100644 ---- a/src/video/x11/SDL_x11events.c -+++ b/src/video/x11/SDL_x11events.c -@@ -395,24 +395,46 @@ static int X11_DispatchEvent(_THIS) - { - int posted; - XEvent xevent; -+ int orig_event_type; -+ KeyCode orig_keycode; - - SDL_memset(&xevent, '\0', sizeof (XEvent)); /* valgrind fix. --ryan. */ - XNextEvent(SDL_Display, &xevent); - - /* Discard KeyRelease and KeyPress events generated by auto-repeat. - We need to do it before passing event to XFilterEvent. Otherwise, - KeyRelease aware IMs are confused... */ - if ( xevent.type == KeyRelease - && X11_KeyRepeat(SDL_Display, &xevent) ) { - return 0; - } - - #ifdef X_HAVE_UTF8_STRING - /* If we are translating with IM, we need to pass all events - to XFilterEvent, and discard those filtered events immediately. */ -+ orig_event_type = xevent.type; -+ if (orig_event_type == KeyPress || orig_event_type == KeyRelease) { -+ orig_keycode = xevent.xkey.keycode; -+ } else { -+ orig_keycode = 0; -+ } - if ( SDL_TranslateUNICODE - && SDL_IM != NULL - && XFilterEvent(&xevent, None) ) { -+ if (orig_keycode) { -+ SDL_keysym keysym; -+ static XComposeStatus state; -+ char keybuf[32]; -+ -+ keysym.scancode = xevent.xkey.keycode; -+ keysym.sym = X11_TranslateKeycode(SDL_Display, xevent.xkey.keycode); -+ keysym.mod = KMOD_NONE; -+ keysym.unicode = 0; -+ if (orig_event_type == KeyPress && XLookupString(&xevent.xkey, keybuf, sizeof(keybuf), NULL, &state)) -+ keysym.unicode = (Uint8)keybuf[0]; -+ -+ SDL_PrivateKeyboard(orig_event_type == KeyPress ? SDL_PRESSED : SDL_RELEASED, &keysym); -+ } - return 0; - } - #endif Copied: sdl/trunk/0002-x11-Bypass-SetGammaRamp-when-changing-gamma.patch (from rev 1010234, sdl/trunk/0006-x11-Bypass-SetGammaRamp-when-changing-gamma.patch) =================================================================== --- 0002-x11-Bypass-SetGammaRamp-when-changing-gamma.patch (rev 0) +++ 0002-x11-Bypass-SetGammaRamp-when-changing-gamma.patch 2021-08-31 23:13:03 UTC (rev 1010235) @@ -0,0 +1,41 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <petr.pi...@atlas.cz> +Date: Tue, 1 Jan 2013 21:25:15 +0100 +Subject: [PATCH] x11: Bypass SetGammaRamp when changing gamma + +Recent Xorg has broken dynamic colors setting, so calling SDL_SetGamme() +does not have any effect here. Recent means xorg-server >= 1.7, since 2010. +See <https://bugs.freedesktop.org/show_bug.cgi?id=27222>. +--- + src/video/SDL_gamma.c | 15 ++------------- + 1 file changed, 2 insertions(+), 13 deletions(-) + +diff --git a/src/video/SDL_gamma.c b/src/video/SDL_gamma.c +index 4fd03701..464ab882 100644 +--- a/src/video/SDL_gamma.c ++++ b/src/video/SDL_gamma.c +@@ -92,22 +92,11 @@ static void CalculateGammaFromRamp(float *gamma, Uint16 *ramp) + + int SDL_SetGamma(float red, float green, float blue) + { +- int succeeded; ++ int succeeded = -1; + SDL_VideoDevice *video = current_video; + SDL_VideoDevice *this = current_video; + +- succeeded = -1; +- /* Prefer using SetGammaRamp(), as it's more flexible */ +- { +- Uint16 ramp[3][256]; +- +- CalculateGammaRamp(red, ramp[0]); +- CalculateGammaRamp(green, ramp[1]); +- CalculateGammaRamp(blue, ramp[2]); +- succeeded = SDL_SetGammaRamp(ramp[0], ramp[1], ramp[2]); +- } +- if ( (succeeded < 0) && video->SetGamma ) { +- SDL_ClearError(); ++ if ( video->SetGamma ) { + succeeded = video->SetGamma(this, red, green, blue); + } + return succeeded; Deleted: 0003-SDL-1.2.15-const_XData32.patch =================================================================== --- 0003-SDL-1.2.15-const_XData32.patch 2021-08-31 23:13:02 UTC (rev 1010234) +++ 0003-SDL-1.2.15-const_XData32.patch 2021-08-31 23:13:03 UTC (rev 1010235) @@ -1,25 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: "Jan Alexander Steffens (heftig)" <jan.steff...@gmail.com> -Date: Tue, 31 Aug 2021 22:39:13 +0000 -Subject: [PATCH] SDL-1.2.15-const_XData32 - -libX11-1.5.99.901 has changed prototype of _XData32 - -<http://bugzilla.libsdl.org/show_bug.cgi?id=1769> ---- - src/video/x11/SDL_x11sym.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/video/x11/SDL_x11sym.h b/src/video/x11/SDL_x11sym.h -index 4875b989..cc58bd43 100644 ---- a/src/video/x11/SDL_x11sym.h -+++ b/src/video/x11/SDL_x11sym.h -@@ -165,7 +165,7 @@ SDL_X11_SYM(Bool,XShmQueryExtension,(Display* a),(a),return) - */ - #ifdef LONG64 - SDL_X11_MODULE(IO_32BIT) --SDL_X11_SYM(int,_XData32,(Display *dpy,register long *data,unsigned len),(dpy,data,len),return) -+SDL_X11_SYM(int,_XData32,(Display *dpy,register _Xconst long *data,unsigned len),(dpy,data,len),return) - SDL_X11_SYM(void,_XRead32,(Display *dpy,register long *data,long len),(dpy,data,len),) - #endif - Copied: sdl/trunk/0003-sdl-1.2.14-fix-mouse-clicking.patch (from rev 1010234, sdl/trunk/0007-sdl-1.2.14-fix-mouse-clicking.patch) =================================================================== --- 0003-sdl-1.2.14-fix-mouse-clicking.patch (rev 0) +++ 0003-sdl-1.2.14-fix-mouse-clicking.patch 2021-08-31 23:13:03 UTC (rev 1010235) @@ -0,0 +1,34 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: "Jan Alexander Steffens (heftig)" <jan.steff...@gmail.com> +Date: Tue, 31 Aug 2021 22:41:53 +0000 +Subject: [PATCH] sdl-1.2.14-fix-mouse-clicking + +--- + src/video/x11/SDL_x11events.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/src/video/x11/SDL_x11events.c b/src/video/x11/SDL_x11events.c +index be19a69a..9f13b464 100644 +--- a/src/video/x11/SDL_x11events.c ++++ b/src/video/x11/SDL_x11events.c +@@ -451,12 +451,15 @@ printf("Mode: NotifyGrab\n"); + if ( xevent.xcrossing.mode == NotifyUngrab ) + printf("Mode: NotifyUngrab\n"); + #endif +- if ( this->input_grab == SDL_GRAB_OFF ) { +- posted = SDL_PrivateAppActive(1, SDL_APPMOUSEFOCUS); ++ if ( (xevent.xcrossing.mode != NotifyGrab) && ++ (xevent.xcrossing.mode != NotifyUngrab) ) { ++ if ( this->input_grab == SDL_GRAB_OFF ) { ++ posted = SDL_PrivateAppActive(1, SDL_APPMOUSEFOCUS); ++ } ++ posted = SDL_PrivateMouseMotion(0, 0, ++ xevent.xcrossing.x, ++ xevent.xcrossing.y); + } +- posted = SDL_PrivateMouseMotion(0, 0, +- xevent.xcrossing.x, +- xevent.xcrossing.y); + } + break; + Deleted: 0004-SDL-1.2.15-ignore_insane_joystick_axis.patch =================================================================== --- 0004-SDL-1.2.15-ignore_insane_joystick_axis.patch 2021-08-31 23:13:02 UTC (rev 1010234) +++ 0004-SDL-1.2.15-ignore_insane_joystick_axis.patch 2021-08-31 23:13:03 UTC (rev 1010235) @@ -1,29 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: "Jan Alexander Steffens (heftig)" <jan.steff...@gmail.com> -Date: Tue, 31 Aug 2021 22:40:09 +0000 -Subject: [PATCH] SDL-1.2.15-ignore_insane_joystick_axis - -changeset: 6324:95abff7adcc2 -branch: SDL-1.2 -parent: 6306:2b923729fd01 -user: Ryan C. Gordon <iccu...@icculus.org> -date: Sun Jun 03 04:49:25 2012 -0400 -summary: Linux evdev: ignore joystick axis events if they aren't in a sane range. ---- - src/joystick/linux/SDL_sysjoystick.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/src/joystick/linux/SDL_sysjoystick.c b/src/joystick/linux/SDL_sysjoystick.c -index ee439747..2b763139 100644 ---- a/src/joystick/linux/SDL_sysjoystick.c -+++ b/src/joystick/linux/SDL_sysjoystick.c -@@ -1106,6 +1106,9 @@ static __inline__ void EV_HandleEvents(SDL_Joystick *joystick) - } - break; - case EV_ABS: -+ if (code > ABS_MISC) { -+ break; -+ } - switch (code) { - case ABS_HAT0X: - case ABS_HAT0Y: Copied: sdl/trunk/0004-sdl-1.2.14-disable-mmx.patch (from rev 1010234, sdl/trunk/0008-sdl-1.2.14-disable-mmx.patch) =================================================================== --- 0004-sdl-1.2.14-disable-mmx.patch (rev 0) +++ 0004-sdl-1.2.14-disable-mmx.patch 2021-08-31 23:13:03 UTC (rev 1010235) @@ -0,0 +1,23 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: "Jan Alexander Steffens (heftig)" <jan.steff...@gmail.com> +Date: Tue, 31 Aug 2021 22:42:24 +0000 +Subject: [PATCH] sdl-1.2.14-disable-mmx + +and another one from FS#26020 +--- + src/video/SDL_yuv_sw.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/video/SDL_yuv_sw.c b/src/video/SDL_yuv_sw.c +index c555ce06..86f436b1 100644 +--- a/src/video/SDL_yuv_sw.c ++++ b/src/video/SDL_yuv_sw.c +@@ -89,6 +89,8 @@ + #include "SDL_yuvfuncs.h" + #include "SDL_yuv_sw_c.h" + ++#undef __OPTIMIZE__ ++ + /* The functions used to manipulate software video overlays */ + static struct private_yuvhwfuncs sw_yuvfuncs = { + SDL_LockYUV_SW, Deleted: 0005-SDL-1.2.15-no-default-backing-store.patch =================================================================== --- 0005-SDL-1.2.15-no-default-backing-store.patch 2021-08-31 23:13:02 UTC (rev 1010234) +++ 0005-SDL-1.2.15-no-default-backing-store.patch 2021-08-31 23:13:03 UTC (rev 1010235) @@ -1,33 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: "Jan Alexander Steffens (heftig)" <jan.steff...@gmail.com> -Date: Tue, 31 Aug 2021 22:40:44 +0000 -Subject: [PATCH] SDL-1.2.15-no-default-backing-store - -Do not harness backing store by default - -xorg-server 1.15 enables backing store if composite extension is enabled -(default settings). Harnessing backing store through compositor leads to -tearing effect. - -This patch reverts default harnessing backing store to conditional use if -SDL_VIDEO_X11_BACKINGSTORE environment variable exists. - -<https://bugzilla.libsdl.org/show_bug.cgi?id=2383> -<https://bugzilla.redhat.com/show_bug.cgi?id=1073057> ---- - src/video/x11/SDL_x11video.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/video/x11/SDL_x11video.c b/src/video/x11/SDL_x11video.c -index f7d80732..79e60f97 100644 ---- a/src/video/x11/SDL_x11video.c -+++ b/src/video/x11/SDL_x11video.c -@@ -1088,7 +1088,7 @@ static int X11_CreateWindow(_THIS, SDL_Surface *screen, - } - } - --#if 0 /* This is an experiment - are the graphics faster now? - nope. */ -+#if 1 /* This is an experiment - are the graphics faster now? - nope. */ - if ( SDL_getenv("SDL_VIDEO_X11_BACKINGSTORE") ) - #endif - /* Cache the window in the server, when possible */ Deleted: 0006-x11-Bypass-SetGammaRamp-when-changing-gamma.patch =================================================================== --- 0006-x11-Bypass-SetGammaRamp-when-changing-gamma.patch 2021-08-31 23:13:02 UTC (rev 1010234) +++ 0006-x11-Bypass-SetGammaRamp-when-changing-gamma.patch 2021-08-31 23:13:03 UTC (rev 1010235) @@ -1,41 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <petr.pi...@atlas.cz> -Date: Tue, 1 Jan 2013 21:25:15 +0100 -Subject: [PATCH] x11: Bypass SetGammaRamp when changing gamma - -Recent Xorg has broken dynamic colors setting, so calling SDL_SetGamme() -does not have any effect here. Recent means xorg-server >= 1.7, since 2010. -See <https://bugs.freedesktop.org/show_bug.cgi?id=27222>. ---- - src/video/SDL_gamma.c | 15 ++------------- - 1 file changed, 2 insertions(+), 13 deletions(-) - -diff --git a/src/video/SDL_gamma.c b/src/video/SDL_gamma.c -index 4fd03701..464ab882 100644 ---- a/src/video/SDL_gamma.c -+++ b/src/video/SDL_gamma.c -@@ -92,22 +92,11 @@ static void CalculateGammaFromRamp(float *gamma, Uint16 *ramp) - - int SDL_SetGamma(float red, float green, float blue) - { -- int succeeded; -+ int succeeded = -1; - SDL_VideoDevice *video = current_video; - SDL_VideoDevice *this = current_video; - -- succeeded = -1; -- /* Prefer using SetGammaRamp(), as it's more flexible */ -- { -- Uint16 ramp[3][256]; -- -- CalculateGammaRamp(red, ramp[0]); -- CalculateGammaRamp(green, ramp[1]); -- CalculateGammaRamp(blue, ramp[2]); -- succeeded = SDL_SetGammaRamp(ramp[0], ramp[1], ramp[2]); -- } -- if ( (succeeded < 0) && video->SetGamma ) { -- SDL_ClearError(); -+ if ( video->SetGamma ) { - succeeded = video->SetGamma(this, red, green, blue); - } - return succeeded; Deleted: 0007-sdl-1.2.14-fix-mouse-clicking.patch =================================================================== --- 0007-sdl-1.2.14-fix-mouse-clicking.patch 2021-08-31 23:13:02 UTC (rev 1010234) +++ 0007-sdl-1.2.14-fix-mouse-clicking.patch 2021-08-31 23:13:03 UTC (rev 1010235) @@ -1,34 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: "Jan Alexander Steffens (heftig)" <jan.steff...@gmail.com> -Date: Tue, 31 Aug 2021 22:41:53 +0000 -Subject: [PATCH] sdl-1.2.14-fix-mouse-clicking - ---- - src/video/x11/SDL_x11events.c | 13 ++++++++----- - 1 file changed, 8 insertions(+), 5 deletions(-) - -diff --git a/src/video/x11/SDL_x11events.c b/src/video/x11/SDL_x11events.c -index 22107577..be13cc57 100644 ---- a/src/video/x11/SDL_x11events.c -+++ b/src/video/x11/SDL_x11events.c -@@ -451,12 +451,15 @@ printf("Mode: NotifyGrab\n"); - if ( xevent.xcrossing.mode == NotifyUngrab ) - printf("Mode: NotifyUngrab\n"); - #endif -- if ( this->input_grab == SDL_GRAB_OFF ) { -- posted = SDL_PrivateAppActive(1, SDL_APPMOUSEFOCUS); -+ if ( (xevent.xcrossing.mode != NotifyGrab) && -+ (xevent.xcrossing.mode != NotifyUngrab) ) { -+ if ( this->input_grab == SDL_GRAB_OFF ) { -+ posted = SDL_PrivateAppActive(1, SDL_APPMOUSEFOCUS); -+ } -+ posted = SDL_PrivateMouseMotion(0, 0, -+ xevent.xcrossing.x, -+ xevent.xcrossing.y); - } -- posted = SDL_PrivateMouseMotion(0, 0, -- xevent.xcrossing.x, -- xevent.xcrossing.y); - } - break; - Deleted: 0008-sdl-1.2.14-disable-mmx.patch =================================================================== --- 0008-sdl-1.2.14-disable-mmx.patch 2021-08-31 23:13:02 UTC (rev 1010234) +++ 0008-sdl-1.2.14-disable-mmx.patch 2021-08-31 23:13:03 UTC (rev 1010235) @@ -1,23 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: "Jan Alexander Steffens (heftig)" <jan.steff...@gmail.com> -Date: Tue, 31 Aug 2021 22:42:24 +0000 -Subject: [PATCH] sdl-1.2.14-disable-mmx - -and another one from FS#26020 ---- - src/video/SDL_yuv_sw.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/src/video/SDL_yuv_sw.c b/src/video/SDL_yuv_sw.c -index c555ce06..86f436b1 100644 ---- a/src/video/SDL_yuv_sw.c -+++ b/src/video/SDL_yuv_sw.c -@@ -89,6 +89,8 @@ - #include "SDL_yuvfuncs.h" - #include "SDL_yuv_sw_c.h" - -+#undef __OPTIMIZE__ -+ - /* The functions used to manipulate software video overlays */ - static struct private_yuvhwfuncs sw_yuvfuncs = { - SDL_LockYUV_SW, Deleted: 0009-libsdl-1.2.15-resizing.patch =================================================================== --- 0009-libsdl-1.2.15-resizing.patch 2021-08-31 23:13:02 UTC (rev 1010234) +++ 0009-libsdl-1.2.15-resizing.patch 2021-08-31 23:13:03 UTC (rev 1010235) @@ -1,76 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: "Jan Alexander Steffens (heftig)" <jan.steff...@gmail.com> -Date: Tue, 31 Aug 2021 22:43:11 +0000 -Subject: [PATCH] libsdl-1.2.15-resizing - -Description: Revert change that breaks window corner resizing - http://bugzilla.libsdl.org/show_bug.cgi?id=1430 -Author: Andrew Caudwell <acaudw...@gmail.com> -Last-Update: 2012-04-10 -Bug-Debian: http://bugs.debian.org/665779 ---- - src/video/x11/SDL_x11events.c | 16 ---------------- - src/video/x11/SDL_x11events_c.h | 5 ----- - src/video/x11/SDL_x11video.c | 2 -- - 3 files changed, 23 deletions(-) - -diff --git a/src/video/x11/SDL_x11events.c b/src/video/x11/SDL_x11events.c -index be13cc57..85a71e7a 100644 ---- a/src/video/x11/SDL_x11events.c -+++ b/src/video/x11/SDL_x11events.c -@@ -57,12 +57,6 @@ static SDLKey ODD_keymap[256]; - static SDLKey MISC_keymap[256]; - SDLKey X11_TranslateKeycode(Display *display, KeyCode kc); - --/* -- Pending resize target for ConfigureNotify (so outdated events don't -- cause inappropriate resize events) --*/ --int X11_PendingConfigureNotifyWidth = -1; --int X11_PendingConfigureNotifyHeight = -1; - - #ifdef X_HAVE_UTF8_STRING - Uint32 Utf8ToUcs4(const Uint8 *utf8) -@@ -850,16 +844,6 @@ printf("MapNotify!\n"); - #ifdef DEBUG_XEVENTS - printf("ConfigureNotify! (resize: %dx%d)\n", xevent.xconfigure.width, xevent.xconfigure.height); - #endif -- if ((X11_PendingConfigureNotifyWidth != -1) && -- (X11_PendingConfigureNotifyHeight != -1)) { -- if ((xevent.xconfigure.width != X11_PendingConfigureNotifyWidth) && -- (xevent.xconfigure.height != X11_PendingConfigureNotifyHeight)) { -- /* Event is from before the resize, so ignore. */ -- break; -- } -- X11_PendingConfigureNotifyWidth = -1; -- X11_PendingConfigureNotifyHeight = -1; -- } - if ( SDL_VideoSurface ) { - if ((xevent.xconfigure.width != SDL_VideoSurface->w) || - (xevent.xconfigure.height != SDL_VideoSurface->h)) { -diff --git a/src/video/x11/SDL_x11events_c.h b/src/video/x11/SDL_x11events_c.h -index fe26d9c2..1177137d 100644 ---- a/src/video/x11/SDL_x11events_c.h -+++ b/src/video/x11/SDL_x11events_c.h -@@ -27,8 +27,3 @@ - extern void X11_InitOSKeymap(_THIS); - extern void X11_PumpEvents(_THIS); - extern void X11_SetKeyboardState(Display *display, const char *key_vec); -- --/* Variables to be exported */ --extern int X11_PendingConfigureNotifyWidth; --extern int X11_PendingConfigureNotifyHeight; -- -diff --git a/src/video/x11/SDL_x11video.c b/src/video/x11/SDL_x11video.c -index 79e60f97..670a2d84 100644 ---- a/src/video/x11/SDL_x11video.c -+++ b/src/video/x11/SDL_x11video.c -@@ -1177,8 +1177,6 @@ SDL_Surface *X11_SetVideoMode(_THIS, SDL_Surface *current, - current = NULL; - goto done; - } -- X11_PendingConfigureNotifyWidth = width; -- X11_PendingConfigureNotifyHeight = height; - } else { - if (X11_CreateWindow(this,current,width,height,bpp,flags) < 0) { - current = NULL; Deleted: 0010-X11_KeyToUnicode.patch =================================================================== --- 0010-X11_KeyToUnicode.patch 2021-08-31 23:13:02 UTC (rev 1010234) +++ 0010-X11_KeyToUnicode.patch 2021-08-31 23:13:03 UTC (rev 1010235) @@ -1,54 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: "Jan Alexander Steffens (heftig)" <jan.steff...@gmail.com> -Date: Tue, 31 Aug 2021 22:43:41 +0000 -Subject: [PATCH] X11_KeyToUnicode - -Fixed bug 1390 - X11_KeyToUnicode - -manuel.montezelo 2012-01-22 08:56:18 PST - -We had the following bug report at Debian: -http://bugs.debian.org/376560 - -Same one in Ubuntu: -https://bugs.launchpad.net/ubuntu/+source/libsdl1.2/+bug/66217 - -We've been including a patch since then (attached) to actually export the -symbol, since 2006. In the last release the function seems to be there, alive -and kicking. - -It's affecting other people too: -http://www.garagegames.com/community/forums/viewthread/52287 ---- - src/video/x11/SDL_x11events.c | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/src/video/x11/SDL_x11events.c b/src/video/x11/SDL_x11events.c -index 85a71e7a..cfdbb157 100644 ---- a/src/video/x11/SDL_x11events.c -+++ b/src/video/x11/SDL_x11events.c -@@ -1255,15 +1255,24 @@ static void get_modifier_masks(Display *display) - * sequences (dead accents, compose key sequences) will not work since the - * state has been irrevocably lost. - */ -+extern DECLSPEC Uint16 SDLCALL X11_KeyToUnicode(SDLKey, SDLMod); -+ - Uint16 X11_KeyToUnicode(SDLKey keysym, SDLMod modifiers) - { -+ static int warning = 0; - struct SDL_VideoDevice *this = current_video; - char keybuf[32]; - int i; - KeySym xsym = 0; - XKeyEvent xkey; - Uint16 unicode; - -+ if ( warning ) { -+ warning = 0; -+ fprintf(stderr, "WARNING: Application is using X11_KeyToUnicode().\n"); -+ fprintf(stderr, "This is not an official SDL function, please report this as a bug.\n"); -+ } -+ - if ( !this || !SDL_Display ) { - return 0; - } Deleted: 0011-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch =================================================================== --- 0011-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch 2021-08-31 23:13:02 UTC (rev 1010234) +++ 0011-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch 2021-08-31 23:13:03 UTC (rev 1010235) @@ -1,97 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppi...@redhat.com> -Date: Thu, 14 Feb 2019 14:12:22 +0100 -Subject: [PATCH] CVE-2019-7577: Fix a buffer overread in MS_ADPCM_decode -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -If RIFF/WAV data chunk length is shorter then expected for an audio -format defined in preceeding RIFF/WAV format headers, a buffer -overread can happen. - -This patch fixes it by checking a MS ADPCM data to be decoded are not -past the initialized buffer. - -CVE-2019-7577 -Reproducer: https://bugzilla.libsdl.org/show_bug.cgi?id=4492 - -Signed-off-by: Petr Písař <ppi...@redhat.com> ---- - src/audio/SDL_wave.c | 10 +++++++++- - 1 file changed, 9 insertions(+), 1 deletion(-) - -diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c -index b4ad6c78..e42d01c9 100644 ---- a/src/audio/SDL_wave.c -+++ b/src/audio/SDL_wave.c -@@ -115,32 +115,34 @@ static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state, - static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) - { - struct MS_ADPCM_decodestate *state[2]; -- Uint8 *freeable, *encoded, *decoded; -+ Uint8 *freeable, *encoded, *encoded_end, *decoded; - Sint32 encoded_len, samplesleft; - Sint8 nybble, stereo; - Sint16 *coeff[2]; - Sint32 new_sample; - - /* Allocate the proper sized output buffer */ - encoded_len = *audio_len; - encoded = *audio_buf; -+ encoded_end = encoded + encoded_len; - freeable = *audio_buf; - *audio_len = (encoded_len/MS_ADPCM_state.wavefmt.blockalign) * - MS_ADPCM_state.wSamplesPerBlock* - MS_ADPCM_state.wavefmt.channels*sizeof(Sint16); - *audio_buf = (Uint8 *)SDL_malloc(*audio_len); - if ( *audio_buf == NULL ) { - SDL_Error(SDL_ENOMEM); - return(-1); - } - decoded = *audio_buf; - - /* Get ready... Go! */ - stereo = (MS_ADPCM_state.wavefmt.channels == 2); - state[0] = &MS_ADPCM_state.state[0]; - state[1] = &MS_ADPCM_state.state[stereo]; - while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) { - /* Grab the initial information for this block */ -+ if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto too_short; - state[0]->hPredictor = *encoded++; - if ( stereo ) { - state[1]->hPredictor = *encoded++; -@@ -188,27 +190,33 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) - samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)* - MS_ADPCM_state.wavefmt.channels; - while ( samplesleft > 0 ) { -+ if (encoded + 1 > encoded_end) goto too_short; -+ - nybble = (*encoded)>>4; - new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]); - decoded[0] = new_sample&0xFF; - new_sample >>= 8; - decoded[1] = new_sample&0xFF; - decoded += 2; - - nybble = (*encoded)&0x0F; - new_sample = MS_ADPCM_nibble(state[1],nybble,coeff[1]); - decoded[0] = new_sample&0xFF; - new_sample >>= 8; - decoded[1] = new_sample&0xFF; - decoded += 2; - - ++encoded; - samplesleft -= 2; - } - encoded_len -= MS_ADPCM_state.wavefmt.blockalign; - } - SDL_free(freeable); - return(0); -+too_short: -+ SDL_SetError("Too short chunk for a MS ADPCM decoder"); -+ SDL_free(freeable); -+ return(-1); - } - - struct IMA_ADPCM_decodestate { Deleted: 0012-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch =================================================================== --- 0012-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch 2021-08-31 23:13:02 UTC (rev 1010234) +++ 0012-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch 2021-08-31 23:13:03 UTC (rev 1010235) @@ -1,141 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppi...@redhat.com> -Date: Thu, 14 Feb 2019 14:51:52 +0100 -Subject: [PATCH] CVE-2019-7575: Fix a buffer overwrite in MS_ADPCM_decode -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -If a WAV format defines shorter audio stream and decoded MS ADPCM data chunk -is longer, decoding continued past the output audio buffer. - -This fix is based on a patch from -<https://bugzilla.libsdl.org/show_bug.cgi?id=4492>. - -https://bugzilla.libsdl.org/show_bug.cgi?id=4493 -CVE-2019-7575 - -Signed-off-by: Petr Písař <ppi...@redhat.com> ---- - src/audio/SDL_wave.c | 13 ++++++++----- - 1 file changed, 8 insertions(+), 5 deletions(-) - -diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c -index e42d01c9..b6c49dee 100644 ---- a/src/audio/SDL_wave.c -+++ b/src/audio/SDL_wave.c -@@ -115,106 +115,109 @@ static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state, - static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) - { - struct MS_ADPCM_decodestate *state[2]; -- Uint8 *freeable, *encoded, *encoded_end, *decoded; -+ Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end; - Sint32 encoded_len, samplesleft; - Sint8 nybble, stereo; - Sint16 *coeff[2]; - Sint32 new_sample; - - /* Allocate the proper sized output buffer */ - encoded_len = *audio_len; - encoded = *audio_buf; - encoded_end = encoded + encoded_len; - freeable = *audio_buf; - *audio_len = (encoded_len/MS_ADPCM_state.wavefmt.blockalign) * - MS_ADPCM_state.wSamplesPerBlock* - MS_ADPCM_state.wavefmt.channels*sizeof(Sint16); - *audio_buf = (Uint8 *)SDL_malloc(*audio_len); - if ( *audio_buf == NULL ) { - SDL_Error(SDL_ENOMEM); - return(-1); - } - decoded = *audio_buf; -+ decoded_end = decoded + *audio_len; - - /* Get ready... Go! */ - stereo = (MS_ADPCM_state.wavefmt.channels == 2); - state[0] = &MS_ADPCM_state.state[0]; - state[1] = &MS_ADPCM_state.state[stereo]; - while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) { - /* Grab the initial information for this block */ -- if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto too_short; -+ if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto invalid_size; - state[0]->hPredictor = *encoded++; - if ( stereo ) { - state[1]->hPredictor = *encoded++; - } - state[0]->iDelta = ((encoded[1]<<8)|encoded[0]); - encoded += sizeof(Sint16); - if ( stereo ) { - state[1]->iDelta = ((encoded[1]<<8)|encoded[0]); - encoded += sizeof(Sint16); - } - state[0]->iSamp1 = ((encoded[1]<<8)|encoded[0]); - encoded += sizeof(Sint16); - if ( stereo ) { - state[1]->iSamp1 = ((encoded[1]<<8)|encoded[0]); - encoded += sizeof(Sint16); - } - state[0]->iSamp2 = ((encoded[1]<<8)|encoded[0]); - encoded += sizeof(Sint16); - if ( stereo ) { - state[1]->iSamp2 = ((encoded[1]<<8)|encoded[0]); - encoded += sizeof(Sint16); - } - coeff[0] = MS_ADPCM_state.aCoeff[state[0]->hPredictor]; - coeff[1] = MS_ADPCM_state.aCoeff[state[1]->hPredictor]; - - /* Store the two initial samples we start with */ -+ if (decoded + 4 + (stereo ? 4 : 0) > decoded_end) goto invalid_size; - decoded[0] = state[0]->iSamp2&0xFF; - decoded[1] = state[0]->iSamp2>>8; - decoded += 2; - if ( stereo ) { - decoded[0] = state[1]->iSamp2&0xFF; - decoded[1] = state[1]->iSamp2>>8; - decoded += 2; - } - decoded[0] = state[0]->iSamp1&0xFF; - decoded[1] = state[0]->iSamp1>>8; - decoded += 2; - if ( stereo ) { - decoded[0] = state[1]->iSamp1&0xFF; - decoded[1] = state[1]->iSamp1>>8; - decoded += 2; - } - - /* Decode and store the other samples in this block */ - samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)* - MS_ADPCM_state.wavefmt.channels; - while ( samplesleft > 0 ) { -- if (encoded + 1 > encoded_end) goto too_short; -+ if (encoded + 1 > encoded_end) goto invalid_size; -+ if (decoded + 4 > decoded_end) goto invalid_size; - - nybble = (*encoded)>>4; - new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]); - decoded[0] = new_sample&0xFF; - new_sample >>= 8; - decoded[1] = new_sample&0xFF; - decoded += 2; - - nybble = (*encoded)&0x0F; - new_sample = MS_ADPCM_nibble(state[1],nybble,coeff[1]); - decoded[0] = new_sample&0xFF; - new_sample >>= 8; - decoded[1] = new_sample&0xFF; - decoded += 2; - - ++encoded; - samplesleft -= 2; - } - encoded_len -= MS_ADPCM_state.wavefmt.blockalign; - } - SDL_free(freeable); - return(0); --too_short: -- SDL_SetError("Too short chunk for a MS ADPCM decoder"); -+invalid_size: -+ SDL_SetError("Unexpected chunk length for a MS ADPCM decoder"); - SDL_free(freeable); - return(-1); - } Deleted: 0013-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch =================================================================== --- 0013-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch 2021-08-31 23:13:02 UTC (rev 1010234) +++ 0013-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch 2021-08-31 23:13:03 UTC (rev 1010235) @@ -1,103 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppi...@redhat.com> -Date: Thu, 14 Feb 2019 15:41:47 +0100 -Subject: [PATCH] CVE-2019-7574: Fix a buffer overread in IMA_ADPCM_decode -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -If data chunk was shorter than expected based on a WAV format -definition, IMA_ADPCM_decode() tried to read past the data chunk -buffer. This patch fixes it. - -CVE-2019-7574 -https://bugzilla.libsdl.org/show_bug.cgi?id=4496 - -Signed-off-by: Petr Písař <ppi...@redhat.com> ---- - src/audio/SDL_wave.c | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c -index b6c49dee..2968b3d1 100644 ---- a/src/audio/SDL_wave.c -+++ b/src/audio/SDL_wave.c -@@ -334,70 +334,77 @@ static void Fill_IMA_ADPCM_block(Uint8 *decoded, Uint8 *encoded, - static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) - { - struct IMA_ADPCM_decodestate *state; -- Uint8 *freeable, *encoded, *decoded; -+ Uint8 *freeable, *encoded, *encoded_end, *decoded; - Sint32 encoded_len, samplesleft; - unsigned int c, channels; - - /* Check to make sure we have enough variables in the state array */ - channels = IMA_ADPCM_state.wavefmt.channels; - if ( channels > SDL_arraysize(IMA_ADPCM_state.state) ) { - SDL_SetError("IMA ADPCM decoder can only handle %d channels", - SDL_arraysize(IMA_ADPCM_state.state)); - return(-1); - } - state = IMA_ADPCM_state.state; - - /* Allocate the proper sized output buffer */ - encoded_len = *audio_len; - encoded = *audio_buf; -+ encoded_end = encoded + encoded_len; - freeable = *audio_buf; - *audio_len = (encoded_len/IMA_ADPCM_state.wavefmt.blockalign) * - IMA_ADPCM_state.wSamplesPerBlock* - IMA_ADPCM_state.wavefmt.channels*sizeof(Sint16); - *audio_buf = (Uint8 *)SDL_malloc(*audio_len); - if ( *audio_buf == NULL ) { - SDL_Error(SDL_ENOMEM); - return(-1); - } - decoded = *audio_buf; - - /* Get ready... Go! */ - while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) { - /* Grab the initial information for this block */ - for ( c=0; c<channels; ++c ) { -+ if (encoded + 4 > encoded_end) goto invalid_size; - /* Fill the state information for this block */ - state[c].sample = ((encoded[1]<<8)|encoded[0]); - encoded += 2; - if ( state[c].sample & 0x8000 ) { - state[c].sample -= 0x10000; - } - state[c].index = *encoded++; - /* Reserved byte in buffer header, should be 0 */ - if ( *encoded++ != 0 ) { - /* Uh oh, corrupt data? Buggy code? */; - } - - /* Store the initial sample we start with */ - decoded[0] = (Uint8)(state[c].sample&0xFF); - decoded[1] = (Uint8)(state[c].sample>>8); - decoded += 2; - } - - /* Decode and store the other samples in this block */ - samplesleft = (IMA_ADPCM_state.wSamplesPerBlock-1)*channels; - while ( samplesleft > 0 ) { - for ( c=0; c<channels; ++c ) { -+ if (encoded + 4 > encoded_end) goto invalid_size; - Fill_IMA_ADPCM_block(decoded, encoded, - c, channels, &state[c]); - encoded += 4; - samplesleft -= 8; - } - decoded += (channels * 8 * 2); - } - encoded_len -= IMA_ADPCM_state.wavefmt.blockalign; - } - SDL_free(freeable); - return(0); -+invalid_size: -+ SDL_SetError("Unexpected chunk length for an IMA ADPCM decoder"); -+ SDL_free(freeable); -+ return(-1); - } - - SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc, Deleted: 0014-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch =================================================================== --- 0014-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch 2021-08-31 23:13:02 UTC (rev 1010234) +++ 0014-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch 2021-08-31 23:13:03 UTC (rev 1010235) @@ -1,60 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppi...@redhat.com> -Date: Thu, 14 Feb 2019 16:51:54 +0100 -Subject: [PATCH] CVE-2019-7572: Fix a buffer overread in IMA_ADPCM_nibble -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -If an IMA ADPCM block contained an initial index out of step table -range (loaded in IMA_ADPCM_decode()), IMA_ADPCM_nibble() blindly used -this bogus value and that lead to a buffer overread. - -This patch fixes it by moving clamping the index value at the -beginning of IMA_ADPCM_nibble() function instead of the end after -an update. - -CVE-2019-7572 -https://bugzilla.libsdl.org/show_bug.cgi?id=4495 - -Signed-off-by: Petr Písař <ppi...@redhat.com> ---- - src/audio/SDL_wave.c | 14 ++++++++------ - 1 file changed, 8 insertions(+), 6 deletions(-) - -diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c -index 2968b3d1..69d62dc6 100644 ---- a/src/audio/SDL_wave.c -+++ b/src/audio/SDL_wave.c -@@ -275,23 +275,25 @@ static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble) - }; - Sint32 delta, step; - -+ /* Clamp index value. The inital value can be invalid. */ -+ if ( state->index > 88 ) { -+ state->index = 88; -+ } else -+ if ( state->index < 0 ) { -+ state->index = 0; -+ } -+ - /* Compute difference and new sample value */ - step = step_table[state->index]; - delta = step >> 3; - if ( nybble & 0x04 ) delta += step; - if ( nybble & 0x02 ) delta += (step >> 1); - if ( nybble & 0x01 ) delta += (step >> 2); - if ( nybble & 0x08 ) delta = -delta; - state->sample += delta; - - /* Update index value */ - state->index += index_table[nybble]; -- if ( state->index > 88 ) { -- state->index = 88; -- } else -- if ( state->index < 0 ) { -- state->index = 0; -- } - - /* Clamp output sample */ - if ( state->sample > max_audioval ) { Deleted: 0015-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch =================================================================== --- 0015-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch 2021-08-31 23:13:02 UTC (rev 1010234) +++ 0015-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch 2021-08-31 23:13:03 UTC (rev 1010235) @@ -1,95 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppi...@redhat.com> -Date: Fri, 15 Feb 2019 09:21:45 +0100 -Subject: [PATCH] CVE-2019-7572: Fix a buffer overwrite in IMA_ADPCM_decode -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -If data chunk was longer than expected based on a WAV format -definition, IMA_ADPCM_decode() tried to write past the output -buffer. This patch fixes it. - -Based on patch from -<https://bugzilla.libsdl.org/show_bug.cgi?id=4496>. - -CVE-2019-7572 -https://bugzilla.libsdl.org/show_bug.cgi?id=4495 - -Signed-off-by: Petr Písař <ppi...@redhat.com> ---- - src/audio/SDL_wave.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c -index 69d62dc6..91e89e84 100644 ---- a/src/audio/SDL_wave.c -+++ b/src/audio/SDL_wave.c -@@ -336,62 +336,66 @@ static void Fill_IMA_ADPCM_block(Uint8 *decoded, Uint8 *encoded, - static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) - { - struct IMA_ADPCM_decodestate *state; -- Uint8 *freeable, *encoded, *encoded_end, *decoded; -+ Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end; - Sint32 encoded_len, samplesleft; - unsigned int c, channels; - - /* Check to make sure we have enough variables in the state array */ - channels = IMA_ADPCM_state.wavefmt.channels; - if ( channels > SDL_arraysize(IMA_ADPCM_state.state) ) { - SDL_SetError("IMA ADPCM decoder can only handle %d channels", - SDL_arraysize(IMA_ADPCM_state.state)); - return(-1); - } - state = IMA_ADPCM_state.state; - - /* Allocate the proper sized output buffer */ - encoded_len = *audio_len; - encoded = *audio_buf; - encoded_end = encoded + encoded_len; - freeable = *audio_buf; - *audio_len = (encoded_len/IMA_ADPCM_state.wavefmt.blockalign) * - IMA_ADPCM_state.wSamplesPerBlock* - IMA_ADPCM_state.wavefmt.channels*sizeof(Sint16); - *audio_buf = (Uint8 *)SDL_malloc(*audio_len); - if ( *audio_buf == NULL ) { - SDL_Error(SDL_ENOMEM); - return(-1); - } - decoded = *audio_buf; -+ decoded_end = decoded + *audio_len; - - /* Get ready... Go! */ - while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) { - /* Grab the initial information for this block */ - for ( c=0; c<channels; ++c ) { - if (encoded + 4 > encoded_end) goto invalid_size; - /* Fill the state information for this block */ - state[c].sample = ((encoded[1]<<8)|encoded[0]); - encoded += 2; - if ( state[c].sample & 0x8000 ) { - state[c].sample -= 0x10000; - } - state[c].index = *encoded++; - /* Reserved byte in buffer header, should be 0 */ - if ( *encoded++ != 0 ) { - /* Uh oh, corrupt data? Buggy code? */; - } - - /* Store the initial sample we start with */ -+ if (decoded + 2 > decoded_end) goto invalid_size; - decoded[0] = (Uint8)(state[c].sample&0xFF); - decoded[1] = (Uint8)(state[c].sample>>8); - decoded += 2; - } - - /* Decode and store the other samples in this block */ - samplesleft = (IMA_ADPCM_state.wSamplesPerBlock-1)*channels; - while ( samplesleft > 0 ) { - for ( c=0; c<channels; ++c ) { - if (encoded + 4 > encoded_end) goto invalid_size; -+ if (decoded + 4 * 4 * channels > decoded_end) -+ goto invalid_size; - Fill_IMA_ADPCM_block(decoded, encoded, - c, channels, &state[c]); - encoded += 4; Deleted: 0016-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch =================================================================== --- 0016-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch 2021-08-31 23:13:02 UTC (rev 1010234) +++ 0016-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch 2021-08-31 23:13:03 UTC (rev 1010235) @@ -1,83 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppi...@redhat.com> -Date: Fri, 15 Feb 2019 10:36:13 +0100 -Subject: [PATCH] CVE-2019-7573, CVE-2019-7576: Fix buffer overreads in - InitMS_ADPCM -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -If MS ADPCM format chunk was too short, InitMS_ADPCM() parsing it -could read past the end of chunk data. This patch fixes it. - -CVE-2019-7573 -https://bugzilla.libsdl.org/show_bug.cgi?id=4491 -CVE-2019-7576 -https://bugzilla.libsdl.org/show_bug.cgi?id=4490 - -Signed-off-by: Petr Písař <ppi...@redhat.com> ---- - src/audio/SDL_wave.c | 13 ++++++++++--- - 1 file changed, 10 insertions(+), 3 deletions(-) - -diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c -index 91e89e84..1d446edb 100644 ---- a/src/audio/SDL_wave.c -+++ b/src/audio/SDL_wave.c -@@ -44,38 +44,45 @@ static struct MS_ADPCM_decoder { - struct MS_ADPCM_decodestate state[2]; - } MS_ADPCM_state; - --static int InitMS_ADPCM(WaveFMT *format) -+static int InitMS_ADPCM(WaveFMT *format, int length) - { -- Uint8 *rogue_feel; -+ Uint8 *rogue_feel, *rogue_feel_end; - int i; - - /* Set the rogue pointer to the MS_ADPCM specific data */ -+ if (length < sizeof(*format)) goto too_short; - MS_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding); - MS_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels); - MS_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency); - MS_ADPCM_state.wavefmt.byterate = SDL_SwapLE32(format->byterate); - MS_ADPCM_state.wavefmt.blockalign = SDL_SwapLE16(format->blockalign); - MS_ADPCM_state.wavefmt.bitspersample = - SDL_SwapLE16(format->bitspersample); - rogue_feel = (Uint8 *)format+sizeof(*format); -+ rogue_feel_end = (Uint8 *)format + length; - if ( sizeof(*format) == 16 ) { - rogue_feel += sizeof(Uint16); - } -+ if (rogue_feel + 4 > rogue_feel_end) goto too_short; - MS_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1]<<8)|rogue_feel[0]); - rogue_feel += sizeof(Uint16); - MS_ADPCM_state.wNumCoef = ((rogue_feel[1]<<8)|rogue_feel[0]); - rogue_feel += sizeof(Uint16); - if ( MS_ADPCM_state.wNumCoef != 7 ) { - SDL_SetError("Unknown set of MS_ADPCM coefficients"); - return(-1); - } - for ( i=0; i<MS_ADPCM_state.wNumCoef; ++i ) { -+ if (rogue_feel + 4 > rogue_feel_end) goto too_short; - MS_ADPCM_state.aCoeff[i][0] = ((rogue_feel[1]<<8)|rogue_feel[0]); - rogue_feel += sizeof(Uint16); - MS_ADPCM_state.aCoeff[i][1] = ((rogue_feel[1]<<8)|rogue_feel[0]); - rogue_feel += sizeof(Uint16); - } - return(0); -+too_short: -+ SDL_SetError("Unexpected length of a chunk with a MS ADPCM format"); -+ return(-1); - } - - static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state, -@@ -485,7 +492,7 @@ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc, - break; - case MS_ADPCM_CODE: - /* Try to understand this */ -- if ( InitMS_ADPCM(format) < 0 ) { -+ if ( InitMS_ADPCM(format, lenread) < 0 ) { - was_error = 1; - goto done; - } Deleted: 0017-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch =================================================================== --- 0017-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch 2021-08-31 23:13:02 UTC (rev 1010234) +++ 0017-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch 2021-08-31 23:13:03 UTC (rev 1010235) @@ -1,65 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppi...@redhat.com> -Date: Fri, 15 Feb 2019 10:56:59 +0100 -Subject: [PATCH] CVE-2019-7578: Fix a buffer overread in InitIMA_ADPCM -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -If IMA ADPCM format chunk was too short, InitIMA_ADPCM() parsing it -could read past the end of chunk data. This patch fixes it. - -CVE-2019-7578 -https://bugzilla.libsdl.org/show_bug.cgi?id=4494 - -Signed-off-by: Petr Písař <ppi...@redhat.com> ---- - src/audio/SDL_wave.c | 12 +++++++++--- - 1 file changed, 9 insertions(+), 3 deletions(-) - -diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c -index 1d446edb..08f65cbc 100644 ---- a/src/audio/SDL_wave.c -+++ b/src/audio/SDL_wave.c -@@ -240,24 +240,30 @@ static struct IMA_ADPCM_decoder { - struct IMA_ADPCM_decodestate state[2]; - } IMA_ADPCM_state; - --static int InitIMA_ADPCM(WaveFMT *format) -+static int InitIMA_ADPCM(WaveFMT *format, int length) - { -- Uint8 *rogue_feel; -+ Uint8 *rogue_feel, *rogue_feel_end; - - /* Set the rogue pointer to the IMA_ADPCM specific data */ -+ if (length < sizeof(*format)) goto too_short; - IMA_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding); - IMA_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels); - IMA_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency); - IMA_ADPCM_state.wavefmt.byterate = SDL_SwapLE32(format->byterate); - IMA_ADPCM_state.wavefmt.blockalign = SDL_SwapLE16(format->blockalign); - IMA_ADPCM_state.wavefmt.bitspersample = - SDL_SwapLE16(format->bitspersample); - rogue_feel = (Uint8 *)format+sizeof(*format); -+ rogue_feel_end = (Uint8 *)format + length; - if ( sizeof(*format) == 16 ) { - rogue_feel += sizeof(Uint16); - } -+ if (rogue_feel + 2 > rogue_feel_end) goto too_short; - IMA_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1]<<8)|rogue_feel[0]); - return(0); -+too_short: -+ SDL_SetError("Unexpected length of a chunk with an IMA ADPCM format"); -+ return(-1); - } - - static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble) -@@ -500,7 +506,7 @@ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc, - break; - case IMA_ADPCM_CODE: - /* Try to understand this */ -- if ( InitIMA_ADPCM(format) < 0 ) { -+ if ( InitIMA_ADPCM(format, lenread) < 0 ) { - was_error = 1; - goto done; - } Deleted: 0018-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch =================================================================== --- 0018-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch 2021-08-31 23:13:02 UTC (rev 1010234) +++ 0018-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch 2021-08-31 23:13:03 UTC (rev 1010235) @@ -1,53 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppi...@redhat.com> -Date: Fri, 15 Feb 2019 16:52:27 +0100 -Subject: [PATCH] CVE-2019-7638, CVE-2019-7636: Refuse loading BMP images with - too high number of colors -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -If a BMP file that defines more colors than can fit into -a palette of color depth defined in the same BMP file is loaded by -SDL_LoadBMP_RW() function, invalid number of colors is set into -resulting SDL surface. - -Then if the SDL surface is passed to SDL_DisplayFormat() function to -convert the surface format into a native video format, a buffer -overread will happen in Map1to1() or Map1toN() function -(CVE-2019-7638). (The choice of the mapping function depends on -a actual video hardware.) - -In addition SDL_GetRGB() called indirectly from SDL_DisplayFormat() -performs the same buffer overread (CVE-2019-7636). - -There is also probably a buffer overwrite when the SDL_LoadBMP_RW() -loads colors from a file. - -This patch fixes it by refusing loading such badly damaged BMP files. - -CVE-2019-7638 -https://bugzilla.libsdl.org/show_bug.cgi?id=4500 -CVE-2019-7636 -https://bugzilla.libsdl.org/show_bug.cgi?id=4499 - -Signed-off-by: Petr Písař <ppi...@redhat.com> ---- - src/video/SDL_bmp.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c -index d56cfd83..3accded2 100644 ---- a/src/video/SDL_bmp.c -+++ b/src/video/SDL_bmp.c -@@ -233,6 +233,10 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc) - if ( palette ) { - if ( biClrUsed == 0 ) { - biClrUsed = 1 << biBitCount; -+ } else if ( biClrUsed > (1 << biBitCount) ) { -+ SDL_SetError("BMP file has an invalid number of colors"); -+ was_error = SDL_TRUE; -+ goto done; - } - if ( biSize == 12 ) { - for ( i = 0; i < (int)biClrUsed; ++i ) { Deleted: 0019-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch =================================================================== --- 0019-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch 2021-08-31 23:13:02 UTC (rev 1010234) +++ 0019-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch 2021-08-31 23:13:03 UTC (rev 1010235) @@ -1,206 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppi...@redhat.com> -Date: Mon, 18 Feb 2019 13:53:16 +0100 -Subject: [PATCH] CVE-2019-7637: Fix in integer overflow in SDL_CalculatePitch -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -If a too large width is passed to SDL_SetVideoMode() the width travels -to SDL_CalculatePitch() where the width (e.g. 65535) is multiplied by -BytesPerPixel (e.g. 4) and the result is stored into Uint16 pitch -variable. During this arithmetics an integer overflow can happen (e.g. -the value is clamped as 65532). As a result SDL_Surface with a pitch -smaller than width * BytesPerPixel is created, too small pixel buffer -is allocated and when the SDL_Surface is processed in SDL_FillRect() -a buffer overflow occurs. - -This can be reproduced with "./graywin -width 21312312313123213213213" -command. - -This patch fixes is by using a very careful arithmetics in -SDL_CalculatePitch(). If an overflow is detected, an error is reported -back as a special 0 value. We assume that 0-width surfaces do not -occur in the wild. Since SDL_CalculatePitch() is a private function, -we can change the semantics. - -CVE-2019-7637 -https://bugzilla.libsdl.org/show_bug.cgi?id=4497 - -Signed-off-by: Petr Písař <ppi...@redhat.com> ---- - src/video/SDL_pixels.c | 41 +++++++++++++++++++++++++++------ - src/video/gapi/SDL_gapivideo.c | 3 +++ - src/video/nanox/SDL_nxvideo.c | 4 ++++ - src/video/ps2gs/SDL_gsvideo.c | 3 +++ - src/video/ps3/SDL_ps3video.c | 3 +++ - src/video/windib/SDL_dibvideo.c | 3 +++ - src/video/windx5/SDL_dx5video.c | 3 +++ - src/video/x11/SDL_x11video.c | 4 ++++ - 8 files changed, 57 insertions(+), 7 deletions(-) - -diff --git a/src/video/SDL_pixels.c b/src/video/SDL_pixels.c -index 1a7fd518..44626b74 100644 ---- a/src/video/SDL_pixels.c -+++ b/src/video/SDL_pixels.c -@@ -286,26 +286,53 @@ void SDL_DitherColors(SDL_Color *colors, int bpp) - } - } - /* -- * Calculate the pad-aligned scanline width of a surface -+ * Calculate the pad-aligned scanline width of a surface. Return 0 in case of -+ * an error. - */ - Uint16 SDL_CalculatePitch(SDL_Surface *surface) - { -- Uint16 pitch; -+ unsigned int pitch = 0; - - /* Surface should be 4-byte aligned for speed */ -- pitch = surface->w*surface->format->BytesPerPixel; -+ /* The code tries to prevent from an Uint16 overflow. */; -+ for (Uint8 byte = surface->format->BytesPerPixel; byte; byte--) { -+ pitch += (unsigned int)surface->w; -+ if (pitch < surface->w) { -+ SDL_SetError("A scanline is too wide"); -+ return(0); -+ } -+ } - switch (surface->format->BitsPerPixel) { - case 1: -- pitch = (pitch+7)/8; -+ if (pitch % 8) { -+ pitch = pitch / 8 + 1; -+ } else { -+ pitch = pitch / 8; -+ } - break; - case 4: -- pitch = (pitch+1)/2; -+ if (pitch % 2) { -+ pitch = pitch / 2 + 1; -+ } else { -+ pitch = pitch / 2; -+ } - break; - default: - break; - } -- pitch = (pitch + 3) & ~3; /* 4-byte aligning */ -- return(pitch); -+ /* 4-byte aligning */ -+ if (pitch & 3) { -+ if (pitch + 3 < pitch) { -+ SDL_SetError("A scanline is too wide"); -+ return(0); -+ } -+ pitch = (pitch + 3) & ~3; -+ } -+ if (pitch > 0xFFFF) { -+ SDL_SetError("A scanline is too wide"); -+ return(0); -+ } -+ return((Uint16)pitch); - } - /* - * Match an RGB value to a particular palette index -diff --git a/src/video/gapi/SDL_gapivideo.c b/src/video/gapi/SDL_gapivideo.c -index 86deadc7..8a064853 100644 ---- a/src/video/gapi/SDL_gapivideo.c -+++ b/src/video/gapi/SDL_gapivideo.c -@@ -733,6 +733,9 @@ SDL_Surface *GAPI_SetVideoMode(_THIS, SDL_Surface *current, - video->w = gapi->w = width; - video->h = gapi->h = height; - video->pitch = SDL_CalculatePitch(video); -+ if (!current->pitch) { -+ return(NULL); -+ } - - /* Small fix for WinCE/Win32 - when activating window - SDL_VideoSurface is equal to zero, so activating code -diff --git a/src/video/nanox/SDL_nxvideo.c b/src/video/nanox/SDL_nxvideo.c -index b188e095..cbdd09a0 100644 ---- a/src/video/nanox/SDL_nxvideo.c -+++ b/src/video/nanox/SDL_nxvideo.c -@@ -378,6 +378,10 @@ SDL_Surface * NX_SetVideoMode (_THIS, SDL_Surface * current, - current -> w = width ; - current -> h = height ; - current -> pitch = SDL_CalculatePitch (current) ; -+ if (!current->pitch) { -+ current = NULL; -+ goto done; -+ } - NX_ResizeImage (this, current, flags) ; - } - -diff --git a/src/video/ps2gs/SDL_gsvideo.c b/src/video/ps2gs/SDL_gsvideo.c -index e172c60d..32908668 100644 ---- a/src/video/ps2gs/SDL_gsvideo.c -+++ b/src/video/ps2gs/SDL_gsvideo.c -@@ -479,6 +479,9 @@ static SDL_Surface *GS_SetVideoMode(_THIS, SDL_Surface *current, - current->w = width; - current->h = height; - current->pitch = SDL_CalculatePitch(current); -+ if (!current->pitch) { -+ return(NULL); -+ } - - /* Memory map the DMA area for block memory transfer */ - if ( ! mapped_mem ) { -diff --git a/src/video/ps3/SDL_ps3video.c b/src/video/ps3/SDL_ps3video.c -index d5519e05..17848e33 100644 ---- a/src/video/ps3/SDL_ps3video.c -+++ b/src/video/ps3/SDL_ps3video.c -@@ -339,6 +339,9 @@ static SDL_Surface *PS3_SetVideoMode(_THIS, SDL_Surface * current, int width, in - current->w = width; - current->h = height; - current->pitch = SDL_CalculatePitch(current); -+ if (!current->pitch) { -+ return(NULL); -+ } - - /* Alloc aligned mem for current->pixels */ - s_pixels = memalign(16, current->h * current->pitch); -diff --git a/src/video/windib/SDL_dibvideo.c b/src/video/windib/SDL_dibvideo.c -index 6187bfcf..86ebb12a 100644 ---- a/src/video/windib/SDL_dibvideo.c -+++ b/src/video/windib/SDL_dibvideo.c -@@ -675,6 +675,9 @@ SDL_Surface *DIB_SetVideoMode(_THIS, SDL_Surface *current, - video->w = width; - video->h = height; - video->pitch = SDL_CalculatePitch(video); -+ if (!current->pitch) { -+ return(NULL); -+ } - - /* Small fix for WinCE/Win32 - when activating window - SDL_VideoSurface is equal to zero, so activating code -diff --git a/src/video/windx5/SDL_dx5video.c b/src/video/windx5/SDL_dx5video.c -index f80ca97b..39fc4fc3 100644 ---- a/src/video/windx5/SDL_dx5video.c -+++ b/src/video/windx5/SDL_dx5video.c -@@ -1127,6 +1127,9 @@ SDL_Surface *DX5_SetVideoMode(_THIS, SDL_Surface *current, - video->w = width; - video->h = height; - video->pitch = SDL_CalculatePitch(video); -+ if (!current->pitch) { -+ return(NULL); -+ } - - #ifndef NO_CHANGEDISPLAYSETTINGS - /* Set fullscreen mode if appropriate. -diff --git a/src/video/x11/SDL_x11video.c b/src/video/x11/SDL_x11video.c -index 670a2d84..9521b497 100644 ---- a/src/video/x11/SDL_x11video.c -+++ b/src/video/x11/SDL_x11video.c -@@ -1218,6 +1218,10 @@ SDL_Surface *X11_SetVideoMode(_THIS, SDL_Surface *current, - current->w = width; - current->h = height; - current->pitch = SDL_CalculatePitch(current); -+ if (!current->pitch) { -+ current = NULL; -+ goto done; -+ } - if (X11_ResizeImage(this, current, flags) < 0) { - current = NULL; - goto done; Deleted: 0020-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch =================================================================== --- 0020-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch 2021-08-31 23:13:02 UTC (rev 1010234) +++ 0020-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch 2021-08-31 23:13:03 UTC (rev 1010235) @@ -1,67 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppi...@redhat.com> -Date: Tue, 19 Feb 2019 14:52:52 +0100 -Subject: [PATCH] CVE-2019-7635: Reject BMP images with pixel colors out the - palette -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -If a 1-, 4-, or 8-bit per pixel BMP image declares less used colors -than the palette offers an SDL_Surface with a palette of the indicated -number of used colors is created. If some of the image's pixel -refer to a color number higher then the maximal used colors, a subsequent -bliting operation on the surface will look up a color past a blit map -(that is based on the palette) memory. I.e. passing such SDL_Surface -to e.g. an SDL_DisplayFormat() function will result in a buffer overread in -a blit function. - -This patch fixes it by validing each pixel's color to be less than the -maximal color number in the palette. A validation failure raises an -error from a SDL_LoadBMP_RW() function. - -CVE-2019-7635 -https://bugzilla.libsdl.org/show_bug.cgi?id=4498 - -Signed-off-by: Petr Písař <ppi...@redhat.com> ---- - src/video/SDL_bmp.c | 16 ++++++++++++++++ - 1 file changed, 16 insertions(+) - -diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c -index 3accded2..8eadc5f6 100644 ---- a/src/video/SDL_bmp.c -+++ b/src/video/SDL_bmp.c -@@ -300,16 +300,32 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc) - } - *(bits+i) = (pixel>>shift); - pixel <<= ExpandBMP; -+ if ( bits[i] >= biClrUsed ) { -+ SDL_SetError( -+ "A BMP image contains a pixel with a color out of the palette"); -+ was_error = SDL_TRUE; -+ goto done; -+ } - } } - break; - - default: - if ( SDL_RWread(src, bits, 1, surface->pitch) - != surface->pitch ) { - SDL_Error(SDL_EFREAD); - was_error = SDL_TRUE; - goto done; - } -+ if ( 8 == biBitCount && palette && biClrUsed < (1 << biBitCount ) ) { -+ for ( i=0; i<surface->w; ++i ) { -+ if ( bits[i] >= biClrUsed ) { -+ SDL_SetError( -+ "A BMP image contains a pixel with a color out of the palette"); -+ was_error = SDL_TRUE; -+ goto done; -+ } -+ } -+ } - #if SDL_BYTEORDER == SDL_BIG_ENDIAN - /* Byte-swap the pixels if needed. Note that the 24bpp - case has already been taken care of above. */ Deleted: 0021-SDL-1.2.15-CVE-2019-13616-validate_image_size_when_l.patch =================================================================== --- 0021-SDL-1.2.15-CVE-2019-13616-validate_image_size_when_l.patch 2021-08-31 23:13:02 UTC (rev 1010234) +++ 0021-SDL-1.2.15-CVE-2019-13616-validate_image_size_when_l.patch 2021-08-31 23:13:03 UTC (rev 1010235) @@ -1,32 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: "Jan Alexander Steffens (heftig)" <jan.steff...@gmail.com> -Date: Tue, 31 Aug 2021 22:46:23 +0000 -Subject: [PATCH] - SDL-1.2.15-CVE-2019-13616-validate_image_size_when_loading_BMP_files - -changeset: 12960:ad1bbfbca760 -branch: SDL-1.2 -parent: 12914:87d60cae0273 -user: Ozkan Sezer <seze...@gmail.com> -date: Tue Jul 30 21:30:24 2019 +0300 -summary: Fixed bug 4538 - validate image size when loading BMP files ---- - src/video/SDL_bmp.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c -index 8eadc5f6..118181b5 100644 ---- a/src/video/SDL_bmp.c -+++ b/src/video/SDL_bmp.c -@@ -143,6 +143,11 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc) - (void) biYPelsPerMeter; - (void) biClrImportant; - -+ if (biWidth <= 0 || biHeight == 0) { -+ SDL_SetError("BMP file with bad dimensions (%dx%d)", biWidth, biHeight); -+ was_error = SDL_TRUE; -+ goto done; -+ } - if (biHeight < 0) { - topDown = SDL_TRUE; - biHeight = -biHeight; Deleted: 0022-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch =================================================================== --- 0022-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch 2021-08-31 23:13:02 UTC (rev 1010234) +++ 0022-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch 2021-08-31 23:13:03 UTC (rev 1010235) @@ -1,54 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppi...@redhat.com> -Date: Tue, 12 Mar 2019 16:21:41 +0100 -Subject: [PATCH] CVE-2019-7577: Fix a buffer overread in MS_ADPCM_nibble and - MS_ADPCM_decode -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -If a chunk of RIFF/WAV file with MS ADPCM encoding contains an invalid -predictor (a valid predictor's value is between 0 and 6 inclusive), -a buffer overread can happen when the predictor is used as an index -into an array of MS ADPCM coefficients. - -The overead happens when indexing MS_ADPCM_state.aCoeff[] array in -MS_ADPCM_decode() and later when dereferencing a coef pointer in -MS_ADPCM_nibble(). - -This patch fixes it by checking the MS ADPCM predictor values fit -into the valid range. - -CVE-2019-7577 -Reproducer: https://bugzilla.libsdl.org/show_bug.cgi?id=4492 - -Signed-off-by: Petr Písař <ppi...@redhat.com> ---- - src/audio/SDL_wave.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c -index 08f65cbc..5f936514 100644 ---- a/src/audio/SDL_wave.c -+++ b/src/audio/SDL_wave.c -@@ -155,6 +155,9 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) - if ( stereo ) { - state[1]->hPredictor = *encoded++; - } -+ if (state[0]->hPredictor >= 7 || state[1]->hPredictor >= 7) { -+ goto invalid_predictor; -+ } - state[0]->iDelta = ((encoded[1]<<8)|encoded[0]); - encoded += sizeof(Sint16); - if ( stereo ) { -@@ -227,6 +230,10 @@ invalid_size: - SDL_SetError("Unexpected chunk length for a MS ADPCM decoder"); - SDL_free(freeable); - return(-1); -+invalid_predictor: -+ SDL_SetError("Invalid predictor value for a MS ADPCM decoder"); -+ SDL_free(freeable); -+ return(-1); - } - - struct IMA_ADPCM_decodestate { Deleted: 0023-Reject-2-3-5-6-7-bpp-BMP-images.patch =================================================================== --- 0023-Reject-2-3-5-6-7-bpp-BMP-images.patch 2021-08-31 23:13:02 UTC (rev 1010234) +++ 0023-Reject-2-3-5-6-7-bpp-BMP-images.patch 2021-08-31 23:13:03 UTC (rev 1010235) @@ -1,39 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppi...@redhat.com> -Date: Thu, 21 Feb 2019 10:57:41 +0100 -Subject: [PATCH] Reject 2, 3, 5, 6, 7-bpp BMP images -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BMP decoder assumes less than 8 bit depth images have 1 or 4 bits -per pixel. No other depths are correctly translated to an 8bpp -surface. - -This patch rejects loading these images. - -https://bugzilla.libsdl.org/show_bug.cgi?id=4498 -Signed-off-by: Petr Písař <ppi...@redhat.com> ---- - src/video/SDL_bmp.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c -index 118181b5..6cadc8a5 100644 ---- a/src/video/SDL_bmp.c -+++ b/src/video/SDL_bmp.c -@@ -168,6 +168,14 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc) - ExpandBMP = biBitCount; - biBitCount = 8; - break; -+ case 2: -+ case 3: -+ case 5: -+ case 6: -+ case 7: -+ SDL_SetError("%d-bpp BMP images are not supported", biBitCount); -+ was_error = SDL_TRUE; -+ goto done; - default: - ExpandBMP = 0; - break; Modified: PKGBUILD =================================================================== --- PKGBUILD 2021-08-31 23:13:02 UTC (rev 1010234) +++ PKGBUILD 2021-08-31 23:13:03 UTC (rev 1010235) @@ -3,8 +3,8 @@ # Contributor: dorphell <dorph...@archlinux.org> pkgname=sdl -pkgver=1.2.15 -pkgrel=14 +pkgver=1.2.15+387+gfbfcca32 +pkgrel=1 pkgdesc="A library for portable low-level access to a video framebuffer, audio output, mouse, and keyboard" arch=('x86_64') url="https://www.libsdl.org" @@ -14,55 +14,17 @@ optdepends=('alsa-lib: ALSA audio driver' 'libpulse: PulseAudio audio driver') options=('staticlibs') -_commit=457d4e55ffe1b6ad4c4fa4559dbda8360bf8253d # tags/release-1.2.15 +_commit=fbfcca3277a5f13dd78f7d44ffe2dc65d4e2d048 # main source=("git+https://github.com/libsdl-org/SDL-1.2#commit=$_commit" - 0001-SDL-1.2.10-GrabNotViewable.patch - 0002-SDL-1.2.15-SDL_EnableUNICODE_drops_keyboard_events.patch - 0003-SDL-1.2.15-const_XData32.patch - 0004-SDL-1.2.15-ignore_insane_joystick_axis.patch - 0005-SDL-1.2.15-no-default-backing-store.patch - 0006-x11-Bypass-SetGammaRamp-when-changing-gamma.patch - 0007-sdl-1.2.14-fix-mouse-clicking.patch - 0008-sdl-1.2.14-disable-mmx.patch - 0009-libsdl-1.2.15-resizing.patch - 0010-X11_KeyToUnicode.patch - 0011-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch - 0012-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch - 0013-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch - 0014-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch - 0015-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch - 0016-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch - 0017-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch - 0018-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch - 0019-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch - 0020-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch - 0021-SDL-1.2.15-CVE-2019-13616-validate_image_size_when_l.patch - 0022-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch - 0023-Reject-2-3-5-6-7-bpp-BMP-images.patch) + 0001-SDL-1.2.15-no-default-backing-store.patch + 0002-x11-Bypass-SetGammaRamp-when-changing-gamma.patch + 0003-sdl-1.2.14-fix-mouse-clicking.patch + 0004-sdl-1.2.14-disable-mmx.patch) sha256sums=('SKIP' - 'f53a87ecd52913be7b1e2699d9d609725f6f857e98a68f55ed249e371673e7be' - '1e76d0c064a50b67f8f4406b995fd2f583be9959f1242fc01449be953e53f18d' - '42f53733e919b91e4f9b299732b5ef8a68cc23ee5c0cdd77c70f904461fb54a2' - '35c07231ff40b11f07cb022bd86b5dc31f322d66ba51c518b068890ab099eb27' - '5dbe8cbf81a021a01e2ec587330fd322ed4fdcdbf11f457bdda69fe56620d85a' + 'b242b28ab9b2d823d96f0939c6fb2fbaabb110b9e61be754f6cf502a34d57a2f' '0a5d00c1f75158b1838706a0733a51c8c1014983528bafb4a477327f7595e135' - '06761b7eb56d199477c25502d53504878580f15c30bd56726d46d8337ffad35a' - 'a99bb91981e091bb01bbedf5138008ef16155c9a6b24349a771555c9bb57fdcd' - 'd3be01d55f5d5dd7e9993ce1490831b0b2eea83833d0164a7242f59290514bb7' - '22f723f3db3de9e02727f0976c3a402e1a7d3656b6bba1e1909bbfc7a24f35c2' - '06fe75c9b15f3132019822f4670d93263fa2a0399b5f09afb4e11e2a7e0d30cb' - 'df0cac62bc99385cc595602368baa31c7a5616dbddc749ab8bebbc8e190ea52e' - '8ed73a71eee6c73e4839fe8030159a34d90f41b2b5d568beb8befb23226787ba' - '547fa0c3cdeae373c664d17ac1501392d6bdc2982edcebb4934cd7a73a2f8e53' - 'db325da88544fa6841dfec2d53fe629100786ba0fadac3b34538859d6ab82dbd' - '9b020883d15ab65b7645c1c0f87af68cb6b9b85ee4450dbcd94f7b9049d976c7' - '4c30311656c32c1a0655e22457a214d9900efe64a9241da835dc25488a355914' - 'c2c92fc40c55fcf628f943eb9509199f8c3968f6be13bf71ab1e12524c16cabf' - 'de2fce5f6803a08a2c55f3ce2ddf92394ad7366f5eff3cead4d7ec0035cee254' - 'd14dc355da691c41bf938c04e0111063a755719f41bbd047f4dbfaa8f2ff25bb' - 'd1f8f699d5e7ee933875380951fe0a756c1ad327fc376dd60511bd462e0781b0' - 'e4159c35b6814cfe2df23811179670ecd58f0276ebb23fa8251dcf3611cd9f2f' - '3439ba01895df428ad0fd00e49a131db35e6841ca41f5d30c455f583ec18075e') + '70e339886440f94f03a320c4b8605a2704f3e3117aa9e998f32b0cebc3e4bc59' + 'a99bb91981e091bb01bbedf5138008ef16155c9a6b24349a771555c9bb57fdcd') validpgpkeys=('1528635D8053A57F77D1E08630A59377A7763BE6') # Sam Lantinga <slou...@libsdl.org> pkgver() { @@ -73,35 +35,14 @@ prepare() { cd SDL-1.2 - git apply -3 ../0001-SDL-1.2.10-GrabNotViewable.patch - git apply -3 ../0002-SDL-1.2.15-SDL_EnableUNICODE_drops_keyboard_events.patch - git apply -3 ../0003-SDL-1.2.15-const_XData32.patch - git apply -3 ../0004-SDL-1.2.15-ignore_insane_joystick_axis.patch - git apply -3 ../0005-SDL-1.2.15-no-default-backing-store.patch + git apply -3 ../0001-SDL-1.2.15-no-default-backing-store.patch # https://bugs.freedesktop.org/show_bug.cgi?id=27222 - git apply -3 ../0006-x11-Bypass-SetGammaRamp-when-changing-gamma.patch + git apply -3 ../0002-x11-Bypass-SetGammaRamp-when-changing-gamma.patch - git apply -3 ../0007-sdl-1.2.14-fix-mouse-clicking.patch - git apply -3 ../0008-sdl-1.2.14-disable-mmx.patch - git apply -3 ../0009-libsdl-1.2.15-resizing.patch - git apply -3 ../0010-X11_KeyToUnicode.patch + git apply -3 ../0003-sdl-1.2.14-fix-mouse-clicking.patch + git apply -3 ../0004-sdl-1.2.14-disable-mmx.patch - # bunch of CVE fixes from Fedora - Thanks! - git apply -3 ../0011-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch - git apply -3 ../0012-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch - git apply -3 ../0013-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch - git apply -3 ../0014-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch - git apply -3 ../0015-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch - git apply -3 ../0016-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch - git apply -3 ../0017-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch - git apply -3 ../0018-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch - git apply -3 ../0019-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch - git apply -3 ../0020-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch - git apply -3 ../0021-SDL-1.2.15-CVE-2019-13616-validate_image_size_when_l.patch - git apply -3 ../0022-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch - git apply -3 ../0023-Reject-2-3-5-6-7-bpp-BMP-images.patch - ./autogen.sh }