Startsida Utforska Hjälp
Logga in
crispAudio
/
poky
spegling av git://git.yoctoproject.org/poky
5
0
Fork 0
Filer Ärenden 0 Wiki
Träd: ecc1ac5b04
Grenar Taggar
poky
/
meta
/
recipes-graphics
/
libsdl
/
libsdl-1.2.15
/
CVE-2019-7637.patch

CVE-2019-7637.patch 6.1 KB
Historik

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192 
  1. # HG changeset patch
    2. 

  2. # User Petr Písař <ppisar@redhat.com>
    3. 

  3. # Date 1552788984 25200
    4. 

  4. #      Sat Mar 16 19:16:24 2019 -0700
    5. 

  5. # Branch SDL-1.2
    6. 

  6. # Node ID 9b0e5c555c0f5ce6d2c3c19da6cc2c7fb5048bf2
    7. 

  7. # Parent  4646533663ae1d80c2cc6b2d6dbfb37c62491c1e
    8. 

  8. CVE-2019-7637: Fix in integer overflow in SDL_CalculatePitch
    9. 

  9. If a too large width is passed to SDL_SetVideoMode() the width travels
    10. 

  10. to SDL_CalculatePitch() where the width (e.g. 65535) is multiplied by
    11. 

  11. BytesPerPixel (e.g. 4) and the result is stored into Uint16 pitch
    12. 

  12. variable. During this arithmetics an integer overflow can happen (e.g.
    13. 

  13. the value is clamped as 65532). As a result SDL_Surface with a pitch
    14. 

  14. smaller than width * BytesPerPixel is created, too small pixel buffer
    15. 

  15. is allocated and when the SDL_Surface is processed in SDL_FillRect()
    16. 

  16. a buffer overflow occurs.
    17. 

  17. 

  18. This can be reproduced with "./graywin -width 21312312313123213213213"
    19. 

  19. command.
    20. 

  20. 

  21. This patch fixes is by using a very careful arithmetics in
    22. 

  22. SDL_CalculatePitch(). If an overflow is detected, an error is reported
    23. 

  23. back as a special 0 value. We assume that 0-width surfaces do not
    24. 

  24. occur in the wild. Since SDL_CalculatePitch() is a private function,
    25. 

  25. we can change the semantics.
    26. 

  26. 

  27. CVE-2019-7637
    28. 

  28. https://bugzilla.libsdl.org/show_bug.cgi?id=4497
    29. 

  29. 

  30. Signed-off-by: Petr Písař <ppisar@redhat.com>
    31. 

  31. 

  32. CVE: CVE-2019-7637
    33. 

  33. Upstream-Status: Backport
    34. 

  34. Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
    35. 

  35. 

  36. diff -r 4646533663ae -r 9b0e5c555c0f src/video/SDL_pixels.c
    37. 

  37. --- a/src/video/SDL_pixels.c	Sat Mar 16 18:35:33 2019 -0700
    38. 

  38. +++ b/src/video/SDL_pixels.c	Sat Mar 16 19:16:24 2019 -0700
    39. 

  39. @@ -286,26 +286,53 @@
    40. 

  40.  	}
    41. 

  41.  }
    42. 

  42.  /* 
    43. 

  43. - * Calculate the pad-aligned scanline width of a surface
    44. 

  44. + * Calculate the pad-aligned scanline width of a surface. Return 0 in case of
    45. 

  45. + * an error.
    46. 

  46.   */
    47. 

  47.  Uint16 SDL_CalculatePitch(SDL_Surface *surface)
    48. 

  48.  {
    49. 

  49. -	Uint16 pitch;
    50. 

  50. +	unsigned int pitch = 0;
    51. 

  51.  
    52. 

  52.  	/* Surface should be 4-byte aligned for speed */
    53. 

  53. -	pitch = surface->w*surface->format->BytesPerPixel;
    54. 

  54. +	/* The code tries to prevent from an Uint16 overflow. */;
    55. 

  55. +	for (Uint8 byte = surface->format->BytesPerPixel; byte; byte--) {
    56. 

  56. +		pitch += (unsigned int)surface->w;
    57. 

  57. +		if (pitch < surface->w) {
    58. 

  58. +			SDL_SetError("A scanline is too wide");
    59. 

  59. +			return(0);
    60. 

  60. +		}
    61. 

  61. +	}
    62. 

  62.  	switch (surface->format->BitsPerPixel) {
    63. 

  63.  		case 1:
    64. 

  64. -			pitch = (pitch+7)/8;
    65. 

  65. +			if (pitch % 8) {
    66. 

  66. +				pitch = pitch / 8 + 1;
    67. 

  67. +			} else {
    68. 

  68. +				pitch = pitch / 8;
    69. 

  69. +			}
    70. 

  70.  			break;
    71. 

  71.  		case 4:
    72. 

  72. -			pitch = (pitch+1)/2;
    73. 

  73. +			if (pitch % 2) {
    74. 

  74. +				pitch = pitch / 2 + 1;
    75. 

  75. +			} else {
    76. 

  76. +				pitch = pitch / 2;
    77. 

  77. +			}
    78. 

  78.  			break;
    79. 

  79.  		default:
    80. 

  80.  			break;
    81. 

  81.  	}
    82. 

  82. -	pitch = (pitch + 3) & ~3;	/* 4-byte aligning */
    83. 

  83. -	return(pitch);
    84. 

  84. +	/* 4-byte aligning */
    85. 

  85. +	if (pitch & 3) {
    86. 

  86. +		if (pitch + 3 < pitch) {
    87. 

  87. +			SDL_SetError("A scanline is too wide");
    88. 

  88. +			return(0);
    89. 

  89. +		}
    90. 

  90. +		pitch = (pitch + 3) & ~3;
    91. 

  91. +	}
    92. 

  92. +	if (pitch > 0xFFFF) {
    93. 

  93. +		SDL_SetError("A scanline is too wide");
    94. 

  94. +		return(0);
    95. 

  95. +	}
    96. 

  96. +	return((Uint16)pitch);
    97. 

  97.  }
    98. 

  98.  /*
    99. 

  99.   * Match an RGB value to a particular palette index
    100. 

  100. diff -r 4646533663ae -r 9b0e5c555c0f src/video/gapi/SDL_gapivideo.c
    101. 

  101. --- a/src/video/gapi/SDL_gapivideo.c	Sat Mar 16 18:35:33 2019 -0700
    102. 

  102. +++ b/src/video/gapi/SDL_gapivideo.c	Sat Mar 16 19:16:24 2019 -0700
    103. 

  103. @@ -733,6 +733,9 @@
    104. 

  104.  	video->w = gapi->w = width;
    105. 

  105.  	video->h = gapi->h = height;
    106. 

  106.  	video->pitch = SDL_CalculatePitch(video); 
    107. 

  107. +	if (!current->pitch) {
    108. 

  108. +		return(NULL);
    109. 

  109. +	}
    110. 

  110.  
    111. 

  111.  	/* Small fix for WinCE/Win32 - when activating window
    112. 

  112.  	   SDL_VideoSurface is equal to zero, so activating code
    113. 

  113. diff -r 4646533663ae -r 9b0e5c555c0f src/video/nanox/SDL_nxvideo.c
    114. 

  114. --- a/src/video/nanox/SDL_nxvideo.c	Sat Mar 16 18:35:33 2019 -0700
    115. 

  115. +++ b/src/video/nanox/SDL_nxvideo.c	Sat Mar 16 19:16:24 2019 -0700
    116. 

  116. @@ -378,6 +378,10 @@
    117. 

  117.          current -> w = width ;
    118. 

  118.          current -> h = height ;
    119. 

  119.          current -> pitch = SDL_CalculatePitch (current) ;
    120. 

  120. +        if (!current->pitch) {
    121. 

  121. +            current = NULL;
    122. 

  122. +            goto done;
    123. 

  123. +        }
    124. 

  124.          NX_ResizeImage (this, current, flags) ;
    125. 

  125.      }
    126. 

  126.  
    127. 

  127. diff -r 4646533663ae -r 9b0e5c555c0f src/video/ps2gs/SDL_gsvideo.c
    128. 

  128. --- a/src/video/ps2gs/SDL_gsvideo.c	Sat Mar 16 18:35:33 2019 -0700
    129. 

  129. +++ b/src/video/ps2gs/SDL_gsvideo.c	Sat Mar 16 19:16:24 2019 -0700
    130. 

  130. @@ -479,6 +479,9 @@
    131. 

  131.  	current->w = width;
    132. 

  132.  	current->h = height;
    133. 

  133.  	current->pitch = SDL_CalculatePitch(current);
    134. 

  134. +	if (!current->pitch) {
    135. 

  135. +		return(NULL);
    136. 

  136. +	}
    137. 

  137.  
    138. 

  138.  	/* Memory map the DMA area for block memory transfer */
    139. 

  139.  	if ( ! mapped_mem ) {
    140. 

  140. diff -r 4646533663ae -r 9b0e5c555c0f src/video/ps3/SDL_ps3video.c
    141. 

  141. --- a/src/video/ps3/SDL_ps3video.c	Sat Mar 16 18:35:33 2019 -0700
    142. 

  142. +++ b/src/video/ps3/SDL_ps3video.c	Sat Mar 16 19:16:24 2019 -0700
    143. 

  143. @@ -339,6 +339,9 @@
    144. 

  144.  	current->w = width;
    145. 

  145.  	current->h = height;
    146. 

  146.  	current->pitch = SDL_CalculatePitch(current);
    147. 

  147. +	if (!current->pitch) {
    148. 

  148. +		return(NULL);
    149. 

  149. +	}
    150. 

  150.  
    151. 

  151.  	/* Alloc aligned mem for current->pixels */
    152. 

  152.  	s_pixels = memalign(16, current->h * current->pitch);
    153. 

  153. diff -r 4646533663ae -r 9b0e5c555c0f src/video/windib/SDL_dibvideo.c
    154. 

  154. --- a/src/video/windib/SDL_dibvideo.c	Sat Mar 16 18:35:33 2019 -0700
    155. 

  155. +++ b/src/video/windib/SDL_dibvideo.c	Sat Mar 16 19:16:24 2019 -0700
    156. 

  156. @@ -675,6 +675,9 @@
    157. 

  157.  	video->w = width;
    158. 

  158.  	video->h = height;
    159. 

  159.  	video->pitch = SDL_CalculatePitch(video);
    160. 

  160. +	if (!current->pitch) {
    161. 

  161. +		return(NULL);
    162. 

  162. +	}
    163. 

  163.  
    164. 

  164.  	/* Small fix for WinCE/Win32 - when activating window
    165. 

  165.  	   SDL_VideoSurface is equal to zero, so activating code
    166. 

  166. diff -r 4646533663ae -r 9b0e5c555c0f src/video/windx5/SDL_dx5video.c
    167. 

  167. --- a/src/video/windx5/SDL_dx5video.c	Sat Mar 16 18:35:33 2019 -0700
    168. 

  168. +++ b/src/video/windx5/SDL_dx5video.c	Sat Mar 16 19:16:24 2019 -0700
    169. 

  169. @@ -1127,6 +1127,9 @@
    170. 

  170.  		video->w = width;
    171. 

  171.  		video->h = height;
    172. 

  172.  		video->pitch = SDL_CalculatePitch(video);
    173. 

  173. +		if (!current->pitch) {
    174. 

  174. +			return(NULL);
    175. 

  175. +		}
    176. 

  176.  
    177. 

  177.  #ifndef NO_CHANGEDISPLAYSETTINGS
    178. 

  178.  		/* Set fullscreen mode if appropriate.
    179. 

  179. diff -r 4646533663ae -r 9b0e5c555c0f src/video/x11/SDL_x11video.c
    180. 

  180. --- a/src/video/x11/SDL_x11video.c	Sat Mar 16 18:35:33 2019 -0700
    181. 

  181. +++ b/src/video/x11/SDL_x11video.c	Sat Mar 16 19:16:24 2019 -0700
    182. 

  182. @@ -1225,6 +1225,10 @@
    183. 

  183.  		current->w = width;
    184. 

  184.  		current->h = height;
    185. 

  185.  		current->pitch = SDL_CalculatePitch(current);
    186. 

  186. +		if (!current->pitch) {
    187. 

  187. +			current = NULL;
    188. 

  188. +			goto done;
    189. 

  189. +		}
    190. 

  190.  		if (X11_ResizeImage(this, current, flags) < 0) {
    191. 

  191.  			current = NULL;
    192. 

  192.  			goto done;
    193.