2017-10-19 08:34:11 +02:00
# From: sreeves@suse.com
# CVE-2017-2888. Check for overflow when computing size.
2017-10-19 08:28:34 +02:00
# Based on upstream patch: 81a4950907a01359f2f9390875291eb3951e6c6b
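Index: SDL2-2.0.6/include/SDL_stdinc.h
===================================================================
--- SDL2-2.0.6.orig/include/SDL_stdinc.h
+++ SDL2-2.0.6/include/SDL_stdinc.h
@@ -162,6 +162,7 @@ typedef uint16_t Uint16;
 /**
 * \brief A signed 32-bit integer type.
 */
+#define SDL_MAX_SINT32 ((Sint32)0x7FFFFFFF) /* 2147483647 */
 typedef int32_t Sint32;
 /**
 * \brief An unsigned 32-bit integer type.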
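Index: SDL2-2.0.6/src/video/SDL_surface.c
===================================================================
--- SDL2-2.0.6.orig/src/video/SDL_surface.c
+++ SDL2-2.0.6/src/video/SDL_surface.c
@@ -26,6 +26,10 @@
 #include "SDL_RLEaccel_c.h"
 #include "SDL_pixels_c.h"
 
+/* Check to make sure we can safely check multiplication of surface w and pitch and it won't overflow size_t */
+SDL_COMPILE_TIME_ASSERT(surface_size_assumptions,
+ sizeof(int) == sizeof(Sint32) && sizeof(size_t) >= sizeof(Sint32));
+
 /* Public routines */
 
 /*
@@ -80,7 +84,16 @@ SDL_CreateRGBSurfaceWithFormat(Uint32 fl
 
 /* Get the pixels */
 if (surface->w && surface->h) {
- surface->pixels = SDL_malloc(surface->h * surface->pitch);
+ /* Assumptions checked in surface_size_assumptions assert above */
+ Sint64 size = ((Sint64)surface->h * surface->pitch);
+ if (size < 0 || size > SDL_MAX_SINT32) {
+ /* Overflow... */
+ SDL_FreeSurface(surface);
+ SDL_OutOfMemory();
+ return NULL;
+ }
+
+ surface->pixels = SDL_malloc((size_t)size);
 if (!surface->pixels) {
 SDL_FreeSurface(surface);
 SDL_OutOfMemory();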
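Review bot: The range check added in SDL_CreateRGBSurfaceWithFormat validates only the `h * pitch` product. `surface->pitch` is assigned before this hunk, and if it is derived from the width and bytes per pixel in plain `int` arithmetic (not visible here), it may already have wrapped to a small positive value that passes `size > SDL_MAX_SINT32` and yields an undersized pixel buffer. I would compute the pitch in `Sint64` and bound it by `SDL_MAX_SINT32` in the same way before it is stored. Separately, the comment over the compile-time assert says `surface w and pitch` while the code multiplies `h` and `pitch`; it should read `/* ... multiplication of surface h and pitch ... */`. The function body starts and continues outside the hunk.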