SHA256
1
0
forked from jengelh/SDL2

Accepting request 535131 from games

- Add SDL-bnc1062784-check-overflow-xcf-props.patch. CVE-2017-2888

OBS-URL: https://build.opensuse.org/request/show/535131
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/SDL2?expand=0&rev=18
This commit is contained in:
Dominique Leuenberger 2017-10-28 12:16:41 +00:00 committed by Git OBS Bridge
commit b7d0fe4075
3 changed files with 56 additions and 1 deletions

View File

@ -0,0 +1,49 @@
# From: sreeves@suse.com
# CVE-2017-2888. Check for overflow when computing size.
# Based on upstream patch: 81a4950907a01359f2f9390875291eb3951e6c6b
Index: SDL2-2.0.6/include/SDL_stdinc.h
===================================================================
--- SDL2-2.0.6.orig/include/SDL_stdinc.h
+++ SDL2-2.0.6/include/SDL_stdinc.h
@@ -162,6 +162,7 @@ typedef uint16_t Uint16;
/**
* \brief A signed 32-bit integer type.
*/
+#define SDL_MAX_SINT32 ((Sint32)0x7FFFFFFF) /* 2147483647 */
typedef int32_t Sint32;
/**
* \brief An unsigned 32-bit integer type.
Index: SDL2-2.0.6/src/video/SDL_surface.c
===================================================================
--- SDL2-2.0.6.orig/src/video/SDL_surface.c
+++ SDL2-2.0.6/src/video/SDL_surface.c
@@ -26,6 +26,10 @@
#include "SDL_RLEaccel_c.h"
#include "SDL_pixels_c.h"
+/* Check to make sure we can safely check multiplication of surface w and pitch and it won't overflow size_t */
+SDL_COMPILE_TIME_ASSERT(surface_size_assumptions,
+ sizeof(int) == sizeof(Sint32) && sizeof(size_t) >= sizeof(Sint32));
+
/* Public routines */
/*
@@ -80,7 +84,16 @@ SDL_CreateRGBSurfaceWithFormat(Uint32 fl
/* Get the pixels */
if (surface->w && surface->h) {
- surface->pixels = SDL_malloc(surface->h * surface->pitch);
+ /* Assumptions checked in surface_size_assumptions assert above */
+ Sint64 size = ((Sint64)surface->h * surface->pitch);
+ if (size < 0 || size > SDL_MAX_SINT32) {
+ /* Overflow... */
+ SDL_FreeSurface(surface);
+ SDL_OutOfMemory();
+ return NULL;
+ }
+
+ surface->pixels = SDL_malloc((size_t)size);
if (!surface->pixels) {
SDL_FreeSurface(surface);
SDL_OutOfMemory();

View File

@ -1,3 +1,8 @@
-------------------------------------------------------------------
Thu Oct 19 04:00:09 UTC 2017 - sreeves@suse.com
- Add SDL-bnc1062784-check-overflow-xcf-props.patch. CVE-2017-2888
-------------------------------------------------------------------
Mon Oct 16 16:31:47 UTC 2017 - wbauer@tmo.at

View File

@ -32,6 +32,7 @@ Source3: %name.keyring
Source4: baselibs.conf
Patch1: dbus.diff
Patch2: %name-ppc64-declaration-after-statement.patch
Patch3: SDL-bnc1062784-check-overflow-xcf-props.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: cmake
BuildRequires: dos2unix
@ -105,7 +106,7 @@ library.
%prep
%setup -q
%patch -P 1 -p1
%patch -P 1 -P 3 -p1
%ifarch ppc64 ppc64le
%patch -P 2 -p1
%endif