Accepting request 865485 from games

OBS-URL: https://build.opensuse.org/request/show/865485 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/SDL2_mixer?expand=0&rev=8
2021-01-21 20:57:48 +00:00 · 2021-01-21 20:57:48 +00:00 · 0e4ae1398c
commit 0e4ae1398c
parent 85476f0681 0e928cc603
3 changed files with 39 additions and 1 deletions
--- a/0001-use-after-free-fluidsynth.patch
+++ b/0001-use-after-free-fluidsynth.patch
@ -0,0 +1,30 @@
+From adee41d0c5211142c3422c889dcda8ccf9aad34f Mon Sep 17 00:00:00 2001
+From: Sam Lantinga <slouken@libsdl.org>
+Date: Wed, 20 Jan 2021 10:17:10 -0800
+Subject: [PATCH] Fixed use-after-free in music_fluidsynth.c
+
+Tom M.
+
+There is a dangerous use-after-free in FLUIDSYNTH_Delete(): the settings object is deleted **before** the synth. Since the settings have been created first to initialize the synth, you must first delete the synth and then delete the settings. This currently crashes all applications that use fluidsynth 2.1.6 and SDL2_mixer.
+
+Originally reported at https://github.com/FluidSynth/fluidsynth/issues/748
+---
+ src/codecs/music_fluidsynth.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/codecs/music_fluidsynth.c b/src/codecs/music_fluidsynth.c
+index 8667f0d9..a47247f4 100644
+--- a/music_fluidsynth.c	2018-10-31 15:59:00.000000000 +0100
+++ b/music_fluidsynth.c	2021-01-20 18:29:11.610459000 +0100
+@@ -273,9 +273,10 @@
+ static void FLUIDSYNTH_Delete(void *context)
+ {
+     FLUIDSYNTH_Music *music = (FLUIDSYNTH_Music *)context;
+    fluid_settings_t *settings = fluidsynth.fluid_synth_get_settings(music->synth);
+     fluidsynth.delete_fluid_player(music->player);
+-    fluidsynth.delete_fluid_settings(fluidsynth.fluid_synth_get_settings(music->synth));
+     fluidsynth.delete_fluid_synth(music->synth);
+    fluidsynth.delete_fluid_settings(settings);
+     SDL_free(music);
+ }
+ 
--- a/SDL2_mixer.changes
+++ b/SDL2_mixer.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Jan 21 17:14:18 UTC 2021 - Tom Mbrt <tom.mbrt@googlemail.com>
+
+- Add 0001-use-after-free-fluidsynth.patch to prevent
+  fluidsynth >= 2.1.6 from crashing:
+  https://hg.libsdl.org/SDL_mixer/rev/b0afe341a91d
+
 -------------------------------------------------------------------
 Tue Sep 15 22:56:34 UTC 2020 - Jan Engelhardt <jengelh@inai.de>

--- a/SDL2_mixer.spec
+++ b/SDL2_mixer.spec
@ -1,7 +1,7 @@
 #
 # spec file for package SDL2_mixer
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2021 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -28,6 +28,7 @@ URL:            http://libsdl.org/projects/SDL_mixer/
 #Hg-Clone:	http://hg.libsdl.org/SDL_mixer/
 Source:         http://libsdl.org/projects/SDL_mixer/release/%name-%version.tar.gz
 Source1:        baselibs.conf
+Patch0:         0001-use-after-free-fluidsynth.patch
 BuildRequires:  dos2unix
 BuildRequires:  pkg-config
 BuildRequires:  pkgconfig(flac)