- Apply "cve-2016-9957.patch" to fix an arbitrary code execution

vulnerability that could have been exploited using specially crafted SPC music files. [CVE-2016-9957, CVE-2016-9958, CVE-2016-9959, CVE-2016-9960, CVE-2016-9961, bsc#1015941] OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/libgme?expand=0&rev=14
2017-01-09 14:11:58 +00:00 · 2017-01-09 14:11:58 +00:00 · 4526e3b58c
commit 4526e3b58c
parent 7520ae6bb8
3 changed files with 61 additions and 0 deletions
--- a/cve-2016-9957.patch
+++ b/cve-2016-9957.patch
@ -0,0 +1,51 @@
+ diff -rubB gme-old/Spc_Cpu.h gme/Spc_Cpu.h
+Index: game-music-emu-0.6.0/gme/Spc_Cpu.h
+===================================================================
+--- game-music-emu-0.6.0.orig/gme/Spc_Cpu.h	2016-12-16 12:06:53.981779435 +0100
+++ game-music-emu-0.6.0/gme/Spc_Cpu.h	2016-12-16 12:09:35.995506135 +0100
+@@ -76,8 +76,8 @@ Inc., 51 Franklin Street, Fifth Floor, B
+ // TODO: remove non-wrapping versions?
+ #define SPC_NO_SP_WRAPAROUND 0
+ 
+-#define SET_SP( v )     (sp = ram + 0x101 + (v))
+-#define GET_SP()        (sp - 0x101 - ram)
+#define SET_SP( v )     (sp = ram + 0x101 + ((uint8_t) v))
+#define GET_SP()        (uint8_t) (sp - 0x101 - ram)
+ 
+ #if SPC_NO_SP_WRAPAROUND
+ #define PUSH16( v )     (sp -= 2, SET_LE16( sp, v ))
+@@ -485,7 +485,7 @@ loop:
+ 	
+ 	case 0xAF: // MOV (X)+,A
+ 		WRITE_DP( 0, x, a + no_read_before_write  );
+-		x++;
+		x = (uint8_t) (x + 1);
+ 		goto loop;
+ 	
+ // 5. 8-BIT LOGIC OPERATION COMMANDS
+@@ -808,7 +808,7 @@ loop:
+ 		unsigned temp = y * a;
+ 		a = (uint8_t) temp;
+ 		nz = ((temp >> 1) | temp) & 0x7F;
+-		y = temp >> 8;
+		y = (uint8_t) (temp >> 8);
+ 		nz |= y;
+ 		goto loop;
+ 	}
+@@ -838,6 +838,7 @@ loop:
+ 		
+ 		nz = (uint8_t) a;
+ 		a = (uint8_t) a;
+		y = (uint8_t) y;
+ 		
+ 		goto loop;
+ 	}
+@@ -1004,7 +1005,7 @@ loop:
+ 	case 0x7F: // RET1
+ 		temp = *sp;
+ 		SET_PC( GET_LE16( sp + 1 ) );
+-		sp += 3;
+		SET_SP(GET_SP() + 3);
+ 		goto set_psw;
+ 	case 0x8E: // POP PSW
+ 		POP( temp );
--- a/libgme.changes
+++ b/libgme.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Fri Dec 16 11:16:04 UTC 2016 - psimons@suse.com
+
+- Apply "cve-2016-9957.patch" to fix an arbitrary code execution
+  vulnerability that could have been exploited using specially
+  crafted SPC music files. [CVE-2016-9957, CVE-2016-9958,
+  CVE-2016-9959, CVE-2016-9960, CVE-2016-9961, bsc#1015941]
+
 -------------------------------------------------------------------
 Wed Dec 23 13:09:47 UTC 2015 - mpluskal@suse.com

--- a/libgme.spec
+++ b/libgme.spec
@ -28,6 +28,7 @@ Source0:        https://bitbucket.org/mpyne/game-music-emu/downloads/game-music-
 Source1:        baselibs.conf
 # PATCH-FIX-UPSTREAM libgme-0.6.0-pkgconfig_path.patch http://code.google.com/p/game-music-emu/issues/detail?id=19 reddwarf@opensuse.org -- Fix .pc installation path
 Patch0:         libgme-0.6.0-pkgconfig_path.patch
+Patch1:         cve-2016-9957.patch
 BuildRequires:  cmake
 BuildRequires:  gcc-c++
 BuildRequires:  pkg-config
@ -75,6 +76,7 @@ which use libgme.
 %prep
 %setup -q -n game-music-emu-%{version}
 %patch0
+%patch1 -p1
 sed -i 's/\r$//' changes.txt design.txt gme.txt license.txt readme.txt

 %build