diff --git a/godot.changes b/godot.changes
index c1538e1..8ee7f73 100644
--- a/godot.changes
+++ b/godot.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Sat Feb 13 00:00:00 UTC 2021 - cunix@mail.de
+
+- Fix a crash in the TGA loader with malformed input
+ * added upstream_fix_TGA_loader.patch from upstream
+ * integer overflow issue CVE-2021-26825 (boo#1182177)
+ * stack overflow issue CVE-2021-26826 (boo#1182178)
+
 -------------------------------------------------------------------
 Sun Nov 1 23:35:40 UTC 2020 - Yunhe Guo
diff --git a/godot.spec b/godot.spec
index 54ce00b..02fa644 100644
--- a/godot.spec
+++ b/godot.spec
@@ -36,6 +36,9 @@ Source1: https://downloads.tuxfamily.org/godotengine/%{version}/%{name}-%
 Patch0: linker_pie_flag.patch
 # Use system certificates as fallback for certificates
 Patch1: certs_fallback.patch
+# PATCH-FIX-UPSTREAM upstream_fix_TGA_loader.patch boo#1182177 boo#1182178
+# commit 113b5ab1c45c01b8e6d54d13ac8876d091f883a8
+Patch2: upstream_fix_TGA_loader.patch
 BuildRequires: Mesa-devel
 BuildRequires: desktop-file-utils
 BuildRequires: fdupes
@@ -215,6 +218,7 @@ Bash command line completion support for %{name}, %{name}-headless,
 %setup -q -n %{name}-%{version}-stable
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
 cp thirdparty/README.md thirdparty_README.md
diff --git a/upstream_fix_TGA_loader.patch b/upstream_fix_TGA_loader.patch
new file mode 100644
index 0000000..77d3aa0
--- /dev/null
+++ b/upstream_fix_TGA_loader.patch
@@ -0,0 +1,113 @@
+From 113b5ab1c45c01b8e6d54d13ac8876d091f883a8 Mon Sep 17 00:00:00 2001
+From: Hein-Pieter van Braam-Stewart
+Date: Thu, 4 Feb 2021 12:56:33 +0100
+Subject: [PATCH] Fix a crash in the TGA loader with malformed input
+Upstream: merged security fix
+
+---
+ modules/tga/image_loader_tga.cpp | 25 ++++++++++++++++++++++---
+ modules/tga/image_loader_tga.h | 2 +-
+ 2 files changed, 23 insertions(+), 4 deletions(-)
+
+diff --git a/modules/tga/image_loader_tga.cpp b/modules/tga/image_loader_tga.cpp
+index d60efdd5bcc..964dc091a7d 100644
+--- a/modules/tga/image_loader_tga.cpp
++++ b/modules/tga/image_loader_tga.cpp
+@@ -55,6 +55,10 @@ Error ImageLoaderTGA::decode_tga_rle(const uint8_t *p_compressed_buffer, size_t
+ compressed_pos += 1;
+ count = (c & 0x7f) + 1;
+
++ if (output_pos + count * p_pixel_size > output_pos) {
++ return ERR_PARSE_ERROR;
++ }
++
+ if (c & 0x80) {
+ for (size_t i = 0; i < p_pixel_size; i++) {
+ pixels_w.ptr()[i] = p_compressed_buffer[compressed_pos];
+@@ -78,7 +82,7 @@ Error ImageLoaderTGA::decode_tga_rle(const uint8_t *p_compressed_buffer, size_t
+ return OK;
+ }
+
+-Error ImageLoaderTGA::convert_to_image(Ref p_image, const uint8_t *p_buffer, const tga_header_s &p_header, const uint8_t *p_palette, const bool p_is_monochrome) {
++Error ImageLoaderTGA::convert_to_image(Ref p_image, const uint8_t *p_buffer, const tga_header_s &p_header, const uint8_t *p_palette, const bool p_is_monochrome, size_t p_output_size) {
+
+ #define TGA_PUT_PIXEL(r, g, b, a) \
+ int image_data_ofs = ((y * width) + x); \
+@@ -130,6 +134,9 @@ Error ImageLoaderTGA::convert_to_image(Ref p_image, const uint8_t *p_buff
+ if (p_is_monochrome) {
+ while (y != y_end) {
+ while (x != x_end) {
++ if (i > p_output_size) {
++ return ERR_PARSE_ERROR;
++ }
+ uint8_t shade = p_buffer[i];
+
+ TGA_PUT_PIXEL(shade, shade, shade, 0xff)
+@@ -143,6 +150,9 @@ Error ImageLoaderTGA::convert_to_image(Ref p_image, const uint8_t *p_buff
+ } else {
+ while (y != y_end) {
+ while (x != x_end) {
++ if (i > p_output_size) {
++ return ERR_PARSE_ERROR;
++ }
+ uint8_t index = p_buffer[i];
+ uint8_t r = 0x00;
+ uint8_t g = 0x00;
+@@ -171,6 +181,10 @@ Error ImageLoaderTGA::convert_to_image(Ref p_image, const uint8_t *p_buff
+ } else if (p_header.pixel_depth == 24) {
+ while (y != y_end) {
+ while (x != x_end) {
++ if (i + 2 > p_output_size) {
++ return ERR_PARSE_ERROR;
++ }
++
+ uint8_t r = p_buffer[i + 2];
+ uint8_t g = p_buffer[i + 1];
+ uint8_t b = p_buffer[i + 0];
+@@ -186,6 +200,10 @@ Error ImageLoaderTGA::convert_to_image(Ref p_image, const uint8_t *p_buff
+ } else if (p_header.pixel_depth == 32) {
+ while (y != y_end) {
+ while (x != x_end) {
++ if (i + 3 > p_output_size) {
++ return ERR_PARSE_ERROR;
++ }
++
+ uint8_t a = p_buffer[i + 3];
+ uint8_t r = p_buffer[i + 2];
+ uint8_t g = p_buffer[i + 1];
+@@ -280,7 +298,7 @@ Error ImageLoaderTGA::load_image(Ref p_image, FileAccess *f, bool p_force
+ PoolVector::Read src_image_r = src_image.read();
+
+ const size_t pixel_size = tga_header.pixel_depth >> 3;
+- const size_t buffer_size = (tga_header.image_width * tga_header.image_height) * pixel_size;
++ size_t buffer_size = (tga_header.image_width * tga_header.image_height) * pixel_size;
+
+ PoolVector uncompressed_buffer;
+ uncompressed_buffer.resize(buffer_size);
+@@ -299,11 +317,12 @@ Error ImageLoaderTGA::load_image(Ref p_image, FileAccess *f, bool p_force
+ }
+ } else {
+ buffer = src_image_r.ptr();
++ buffer_size = src_image_len;
+ };
+
+ if (err == OK) {
+ PoolVector::Read palette_r = palette.read();
+- err = convert_to_image(p_image, buffer, tga_header, palette_r.ptr(), is_monochrome);
++ err = convert_to_image(p_image, buffer, tga_header, palette_r.ptr(), is_monochrome, buffer_size);
+ }
+ }
+
+diff --git a/modules/tga/image_loader_tga.h b/modules/tga/image_loader_tga.h
+index 249e33411e7..bbfc3fed329 100644
+--- a/modules/tga/image_loader_tga.h
++++ b/modules/tga/image_loader_tga.h
+@@ -73,7 +73,7 @@ class ImageLoaderTGA : public ImageFormatLoader {
+ uint8_t image_descriptor;
+ };
+ static Error decode_tga_rle(const uint8_t *p_compressed_buffer, size_t p_pixel_size, uint8_t *p_uncompressed_buffer, size_t p_output_size);
+- static Error convert_to_image(Ref p_image, const uint8_t *p_buffer, const tga_header_s &p_header, const uint8_t *p_palette, const bool p_is_monochrome);
++ static Error convert_to_image(Ref p_image, const uint8_t *p_buffer, const tga_header_s &p_header, const uint8_t *p_palette, const bool p_is_monochrome, size_t p_output_size);
+
+ public:
+ virtual Error load_image(Ref p_image, FileAccess *f, bool p_force_linear, float p_scale);
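Review bot: The new guard in decode_tga_rle compares the packet's end offset against `output_pos` itself, `if (output_pos + count * p_pixel_size > output_pos)`, which holds for every packet once `count = (c & 0x7f) + 1` makes count at least 1 and the pixel size is non-zero, so the decoder rejects all well-formed RLE data while a sum that wraps around in size_t (the case the check is meant to stop) slips through; the bound it should use is the destination size, `if (output_pos + count * p_pixel_size > p_output_size) {`. The convert_to_image checks are off by one: `p_buffer[i]` is still read when `i == p_output_size` passes `if (i > p_output_size)`, so they should read `if (i >= p_output_size)`, `if (i + 2 >= p_output_size)` and `if (i + 3 >= p_output_size)`. The compressed input is indexed by `compressed_pos` with no limit anywhere in the hunk, and the decode_tga_rle declaration in image_loader_tga.h still takes no input length, so a truncated RLE stream presumably can still read past the source buffer; the bodies of decode_tga_rle and convert_to_image begin and end outside these hunks. Since this file is carried verbatim as Patch2, it is worth checking upstream for a follow-up correction before shipping it as-is.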