diff --git a/SDL-bnc1062784-check-overflow-xcf-props.patch b/SDL-bnc1062784-check-overflow-xcf-props.patch new file mode 100644 index 0000000..fe84615 --- /dev/null +++ b/SDL-bnc1062784-check-overflow-xcf-props.patch @@ -0,0 +1,49 @@ +# From: sreeves@suse.com +# CVE-2017-2888. Check for overflow when computing size. +# Based on upstream patch: 81a4950907a01359f2f9390875291eb3951e6c6b + +Index: SDL2-2.0.6/include/SDL_stdinc.h +=================================================================== +--- SDL2-2.0.6.orig/include/SDL_stdinc.h ++++ SDL2-2.0.6/include/SDL_stdinc.h +@@ -162,6 +162,7 @@ typedef uint16_t Uint16; + /** + * \brief A signed 32-bit integer type. + */ ++#define SDL_MAX_SINT32 ((Sint32)0x7FFFFFFF) /* 2147483647 */ + typedef int32_t Sint32; + /** + * \brief An unsigned 32-bit integer type. +Index: SDL2-2.0.6/src/video/SDL_surface.c +=================================================================== +--- SDL2-2.0.6.orig/src/video/SDL_surface.c ++++ SDL2-2.0.6/src/video/SDL_surface.c +@@ -26,6 +26,10 @@ + #include "SDL_RLEaccel_c.h" + #include "SDL_pixels_c.h" + ++/* Check to make sure we can safely check multiplication of surface w and pitch and it won't overflow size_t */ ++SDL_COMPILE_TIME_ASSERT(surface_size_assumptions, ++ sizeof(int) == sizeof(Sint32) && sizeof(size_t) >= sizeof(Sint32)); ++ + /* Public routines */ + + /* +@@ -80,7 +84,16 @@ SDL_CreateRGBSurfaceWithFormat(Uint32 fl + + /* Get the pixels */ + if (surface->w && surface->h) { +- surface->pixels = SDL_malloc(surface->h * surface->pitch); ++ /* Assumptions checked in surface_size_assumptions assert above */ ++ Sint64 size = ((Sint64)surface->h * surface->pitch); ++ if (size < 0 || size > SDL_MAX_SINT32) { ++ /* Overflow... */ ++ SDL_FreeSurface(surface); ++ SDL_OutOfMemory(); ++ return NULL; ++ } ++ ++ surface->pixels = SDL_malloc((size_t)size); + if (!surface->pixels) { + SDL_FreeSurface(surface); + SDL_OutOfMemory(); diff --git a/SDL2.changes b/SDL2.changes index 9aa69ad..7455873 100644 --- a/SDL2.changes +++ b/SDL2.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Thu Oct 19 04:00:09 UTC 2017 - sreeves@suse.com + +- Add SDL-bnc1062784-check-overflow-xcf-props.patch. CVE-2017-2888 + ------------------------------------------------------------------- Mon Oct 16 16:31:47 UTC 2017 - wbauer@tmo.at diff --git a/SDL2.spec b/SDL2.spec index 2db09f2..a8e285d 100644 --- a/SDL2.spec +++ b/SDL2.spec @@ -32,6 +32,7 @@ Source3: %name.keyring Source4: baselibs.conf Patch1: dbus.diff Patch2: %name-ppc64-declaration-after-statement.patch +Patch3: SDL-bnc1062784-check-overflow-xcf-props.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: cmake BuildRequires: dos2unix @@ -105,7 +106,7 @@ library. %prep %setup -q -%patch -P 1 -p1 +%patch -P 1 -P 3 -p1 %ifarch ppc64 ppc64le %patch -P 2 -p1 %endif