forked from jengelh/SDL2
Accepting request 535131 from games
- Add SDL-bnc1062784-check-overflow-xcf-props.patch. CVE-2017-2888 OBS-URL: https://build.opensuse.org/request/show/535131 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/SDL2?expand=0&rev=18
This commit is contained in:
commit
b7d0fe4075
49
SDL-bnc1062784-check-overflow-xcf-props.patch
Normal file
49
SDL-bnc1062784-check-overflow-xcf-props.patch
Normal file
@ -0,0 +1,49 @@
|
|||||||
|
# From: sreeves@suse.com
|
||||||
|
# CVE-2017-2888. Check for overflow when computing size.
|
||||||
|
# Based on upstream patch: 81a4950907a01359f2f9390875291eb3951e6c6b
|
||||||
|
|
||||||
|
Index: SDL2-2.0.6/include/SDL_stdinc.h
|
||||||
|
===================================================================
|
||||||
|
--- SDL2-2.0.6.orig/include/SDL_stdinc.h
|
||||||
|
+++ SDL2-2.0.6/include/SDL_stdinc.h
|
||||||
|
@@ -162,6 +162,7 @@ typedef uint16_t Uint16;
|
||||||
|
/**
|
||||||
|
* \brief A signed 32-bit integer type.
|
||||||
|
*/
|
||||||
|
+#define SDL_MAX_SINT32 ((Sint32)0x7FFFFFFF) /* 2147483647 */
|
||||||
|
typedef int32_t Sint32;
|
||||||
|
/**
|
||||||
|
* \brief An unsigned 32-bit integer type.
|
||||||
|
Index: SDL2-2.0.6/src/video/SDL_surface.c
|
||||||
|
===================================================================
|
||||||
|
--- SDL2-2.0.6.orig/src/video/SDL_surface.c
|
||||||
|
+++ SDL2-2.0.6/src/video/SDL_surface.c
|
||||||
|
@@ -26,6 +26,10 @@
|
||||||
|
#include "SDL_RLEaccel_c.h"
|
||||||
|
#include "SDL_pixels_c.h"
|
||||||
|
|
||||||
|
+/* Check to make sure we can safely check multiplication of surface w and pitch and it won't overflow size_t */
|
||||||
|
+SDL_COMPILE_TIME_ASSERT(surface_size_assumptions,
|
||||||
|
+ sizeof(int) == sizeof(Sint32) && sizeof(size_t) >= sizeof(Sint32));
|
||||||
|
+
|
||||||
|
/* Public routines */
|
||||||
|
|
||||||
|
/*
|
||||||
|
@@ -80,7 +84,16 @@ SDL_CreateRGBSurfaceWithFormat(Uint32 fl
|
||||||
|
|
||||||
|
/* Get the pixels */
|
||||||
|
if (surface->w && surface->h) {
|
||||||
|
- surface->pixels = SDL_malloc(surface->h * surface->pitch);
|
||||||
|
+ /* Assumptions checked in surface_size_assumptions assert above */
|
||||||
|
+ Sint64 size = ((Sint64)surface->h * surface->pitch);
|
||||||
|
+ if (size < 0 || size > SDL_MAX_SINT32) {
|
||||||
|
+ /* Overflow... */
|
||||||
|
+ SDL_FreeSurface(surface);
|
||||||
|
+ SDL_OutOfMemory();
|
||||||
|
+ return NULL;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ surface->pixels = SDL_malloc((size_t)size);
|
||||||
|
if (!surface->pixels) {
|
||||||
|
SDL_FreeSurface(surface);
|
||||||
|
SDL_OutOfMemory();
|
@ -1,3 +1,8 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Oct 19 04:00:09 UTC 2017 - sreeves@suse.com
|
||||||
|
|
||||||
|
- Add SDL-bnc1062784-check-overflow-xcf-props.patch. CVE-2017-2888
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Mon Oct 16 16:31:47 UTC 2017 - wbauer@tmo.at
|
Mon Oct 16 16:31:47 UTC 2017 - wbauer@tmo.at
|
||||||
|
|
||||||
|
@ -32,6 +32,7 @@ Source3: %name.keyring
|
|||||||
Source4: baselibs.conf
|
Source4: baselibs.conf
|
||||||
Patch1: dbus.diff
|
Patch1: dbus.diff
|
||||||
Patch2: %name-ppc64-declaration-after-statement.patch
|
Patch2: %name-ppc64-declaration-after-statement.patch
|
||||||
|
Patch3: SDL-bnc1062784-check-overflow-xcf-props.patch
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||||
BuildRequires: cmake
|
BuildRequires: cmake
|
||||||
BuildRequires: dos2unix
|
BuildRequires: dos2unix
|
||||||
@ -105,7 +106,7 @@ library.
|
|||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q
|
%setup -q
|
||||||
%patch -P 1 -p1
|
%patch -P 1 -P 3 -p1
|
||||||
%ifarch ppc64 ppc64le
|
%ifarch ppc64 ppc64le
|
||||||
%patch -P 2 -p1
|
%patch -P 2 -p1
|
||||||
%endif
|
%endif
|
||||||
|
Loading…
Reference in New Issue
Block a user