Accepting request 535102 from home:sreeves1:branches:games

fix for bnc1062784

OBS-URL: https://build.opensuse.org/request/show/535102
OBS-URL: https://build.opensuse.org/package/show/games/SDL2?expand=0&rev=66

SDL-bnc1062784-check-overflow-xcf-props.patch

@@ -0,0 +1,47 @@
+# Based on upstream patch: 81a4950907a01359f2f9390875291eb3951e6c6b
+
+Index: SDL2-2.0.6/include/SDL_stdinc.h
+===================================================================
+--- SDL2-2.0.6.orig/include/SDL_stdinc.h
++++ SDL2-2.0.6/include/SDL_stdinc.h
+@@ -162,6 +162,7 @@ typedef uint16_t Uint16;
+ /**
+  * \brief A signed 32-bit integer type.
+  */
++#define SDL_MAX_SINT32  ((Sint32)0x7FFFFFFF)    /* 2147483647 */
+ typedef int32_t Sint32;
+ /**
+  * \brief An unsigned 32-bit integer type.
+Index: SDL2-2.0.6/src/video/SDL_surface.c
+===================================================================
+--- SDL2-2.0.6.orig/src/video/SDL_surface.c
++++ SDL2-2.0.6/src/video/SDL_surface.c
+@@ -26,6 +26,10 @@
+ #include "SDL_RLEaccel_c.h"
+ #include "SDL_pixels_c.h"
+ 
++/* Check to make sure we can safely check multiplication of surface w and pitch and it won't overflow size_t */
++SDL_COMPILE_TIME_ASSERT(surface_size_assumptions,
++    sizeof(int) == sizeof(Sint32) && sizeof(size_t) >= sizeof(Sint32));
++
+ /* Public routines */
+ 
+ /*
+@@ -80,7 +84,16 @@ SDL_CreateRGBSurfaceWithFormat(Uint32 fl
+ 
+     /* Get the pixels */
+     if (surface->w && surface->h) {
+-        surface->pixels = SDL_malloc(surface->h * surface->pitch);
++        /* Assumptions checked in surface_size_assumptions assert above */
++        Sint64 size = ((Sint64)surface->h * surface->pitch);
++        if (size < 0 || size > SDL_MAX_SINT32) {
++            /* Overflow... */
++            SDL_FreeSurface(surface);
++            SDL_OutOfMemory();
++            return NULL;
++        }
++
++        surface->pixels = SDL_malloc((size_t)size);
+         if (!surface->pixels) {
+             SDL_FreeSurface(surface);
+             SDL_OutOfMemory();

SDL2.changes

@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Thu Oct 19 04:00:09 UTC 2017 - sreeves@suse.com
+
+- Add SDL-bnc1062784-check-overflow-xcf-props.patch. CVE-2017-2888
+
 -------------------------------------------------------------------
 Mon Oct 16 16:31:47 UTC 2017 - wbauer@tmo.at
 

SDL2.spec

@@ -32,6 +32,8 @@ Source3:        %name.keyring
 Source4:        baselibs.conf
 Patch1:         dbus.diff
 Patch2:         %name-ppc64-declaration-after-statement.patch
+# PATCH-FIX-UPSTREAM SDL-bnc1062784-check-overflow-xcf-props.patch sreeves@suse.com - CVE-2017-2888. Check for overflow when computing size.
+Patch3:         SDL-bnc1062784-check-overflow-xcf-props.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  cmake
 BuildRequires:  dos2unix
@@ -109,6 +111,7 @@ library.
 %ifarch ppc64 ppc64le
 %patch -P 2 -p1
 %endif
+%patch -P 3 -p1
 dos2unix WhatsNew.txt
 dos2unix TODO.txt
 dos2unix BUGS.txt