From dd6f816a7834656f22cfd7e53001cede496479a1241ab269411c09453a621869 Mon Sep 17 00:00:00 2001
From: Jan Engelhardt
Date: Thu, 19 Oct 2017 06:28:34 +0000
Subject: [PATCH] Accepting request 535102 from home:sreeves1:branches:games fix for bnc1062784
OBS-URL: https://build.opensuse.org/request/show/535102
OBS-URL: https://build.opensuse.org/package/show/games/SDL2?expand=0&rev=66
---
 SDL-bnc1062784-check-overflow-xcf-props.patch | 47 +++++++++++++++++++
 SDL2.changes | 5 ++
 SDL2.spec | 3 ++
 3 files changed, 55 insertions(+)
 create mode 100644 SDL-bnc1062784-check-overflow-xcf-props.patch
diff --git a/SDL-bnc1062784-check-overflow-xcf-props.patch b/SDL-bnc1062784-check-overflow-xcf-props.patch
new file mode 100644
index 0000000..c220ece
--- /dev/null
+++ b/SDL-bnc1062784-check-overflow-xcf-props.patch
@@ -0,0 +1,47 @@
+# Based on upstream patch: 81a4950907a01359f2f9390875291eb3951e6c6b
+
+Index: SDL2-2.0.6/include/SDL_stdinc.h
+===================================================================
+--- SDL2-2.0.6.orig/include/SDL_stdinc.h
++++ SDL2-2.0.6/include/SDL_stdinc.h
+@@ -162,6 +162,7 @@ typedef uint16_t Uint16;
+ /**
+ * \brief A signed 32-bit integer type.
+ */
++#define SDL_MAX_SINT32 ((Sint32)0x7FFFFFFF) /* 2147483647 */
+ typedef int32_t Sint32;
+ /**
+ * \brief An unsigned 32-bit integer type.
+Index: SDL2-2.0.6/src/video/SDL_surface.c
+===================================================================
+--- SDL2-2.0.6.orig/src/video/SDL_surface.c
++++ SDL2-2.0.6/src/video/SDL_surface.c
+@@ -26,6 +26,10 @@
+ #include "SDL_RLEaccel_c.h"
+ #include "SDL_pixels_c.h"
+
++/* Check to make sure we can safely check multiplication of surface w and pitch and it won't overflow size_t */
++SDL_COMPILE_TIME_ASSERT(surface_size_assumptions,
++ sizeof(int) == sizeof(Sint32) && sizeof(size_t) >= sizeof(Sint32));
++
+ /* Public routines */
+
+ /*
+@@ -80,7 +84,16 @@ SDL_CreateRGBSurfaceWithFormat(Uint32 fl
+
+ /* Get the pixels */
+ if (surface->w && surface->h) {
+- surface->pixels = SDL_malloc(surface->h * surface->pitch);
++ /* Assumptions checked in surface_size_assumptions assert above */
++ Sint64 size = ((Sint64)surface->h * surface->pitch);
++ if (size < 0 || size > SDL_MAX_SINT32) {
++ /* Overflow... */
++ SDL_FreeSurface(surface);
++ SDL_OutOfMemory();
++ return NULL;
++ }
++
++ surface->pixels = SDL_malloc((size_t)size);
+ if (!surface->pixels) {
+ SDL_FreeSurface(surface);
+ SDL_OutOfMemory();
diff --git a/SDL2.changes b/SDL2.changes
index 9aa69ad..7455873 100644
--- a/SDL2.changes
+++ b/SDL2.changes
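Review bot: The comment above the new `SDL_COMPILE_TIME_ASSERT` in SDL_surface.c says the guarded product is "surface w and pitch", but the code it protects multiplies `surface->h * surface->pitch`; the comment should read `/* Make sure surface h * pitch can be range-checked in Sint64 and the result fits in size_t */`. The new range check covers only that product: `surface->pitch` is computed outside this hunk, so if it is derived from `w` in `int` arithmetic (not visible here) it could already have wrapped before `size` is formed, and a bound at the point where pitch is calculated would be worth confirming. The body of SDL_CreateRGBSurfaceWithFormat starts and ends outside the hunk. The patch file name mentions "xcf-props" although the embedded change touches only SDL_stdinc.h and SDL_surface.c, which may mislead someone tracing this fix by name.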
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Thu Oct 19 04:00:09 UTC 2017 - sreeves@suse.com
+
+- Add SDL-bnc1062784-check-overflow-xcf-props.patch. CVE-2017-2888
+
 -------------------------------------------------------------------
 Mon Oct 16 16:31:47 UTC 2017 - wbauer@tmo.at
 
diff --git a/SDL2.spec b/SDL2.spec
index 2db09f2..45b1180 100644
--- a/SDL2.spec
+++ b/SDL2.spec
@@ -32,6 +32,8 @@ Source3: %name.keyring
 Source4: baselibs.conf
 Patch1: dbus.diff
 Patch2: %name-ppc64-declaration-after-statement.patch
+# PATCH-FIX-UPSTREAM SDL-bnc1062784-check-overflow-xcf-props.patch sreeves@suse.com - CVE-2017-2888. Check for overflow when computing size.
+Patch3: SDL-bnc1062784-check-overflow-xcf-props.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 BuildRequires: cmake
 BuildRequires: dos2unix
@@ -109,6 +111,7 @@ library.
 %ifarch ppc64 ppc64le
 %patch -P 2 -p1
 %endif
+%patch -P 3 -p1
 dos2unix WhatsNew.txt
 dos2unix TODO.txt
 dos2unix BUGS.txt