SDL/CVE-2019-7637.patch

--- a/src/video/SDL_pixels.c	Sat Mar 16 18:35:33 2019 -0700
+++ b/src/video/SDL_pixels.c	Sat Mar 16 19:16:24 2019 -0700
@@ -286,26 +286,53 @@
 	}
 }
 /* 
- * Calculate the pad-aligned scanline width of a surface
+ * Calculate the pad-aligned scanline width of a surface. Return 0 in case of
+ * an error.
  */
 Uint16 SDL_CalculatePitch(SDL_Surface *surface)
 {
-	Uint16 pitch;
+	unsigned int pitch = 0;
 
 	/* Surface should be 4-byte aligned for speed */
-	pitch = surface->w*surface->format->BytesPerPixel;
+	/* The code tries to prevent from an Uint16 overflow. */;
+	for (Uint8 byte = surface->format->BytesPerPixel; byte; byte--) {
+		pitch += (unsigned int)surface->w;
+		if (pitch < surface->w) {
+			SDL_SetError("A scanline is too wide");
+			return(0);
+		}
+	}
 	switch (surface->format->BitsPerPixel) {
 		case 1:
-			pitch = (pitch+7)/8;
+			if (pitch % 8) {
+				pitch = pitch / 8 + 1;
+			} else {
+				pitch = pitch / 8;
+			}
 			break;
 		case 4:
-			pitch = (pitch+1)/2;
+			if (pitch % 2) {
+				pitch = pitch / 2 + 1;
+			} else {
+				pitch = pitch / 2;
+			}
 			break;
 		default:
 			break;
 	}
-	pitch = (pitch + 3) & ~3;	/* 4-byte aligning */
-	return(pitch);
+	/* 4-byte aligning */
+	if (pitch & 3) {
+		if (pitch + 3 < pitch) {
+			SDL_SetError("A scanline is too wide");
+			return(0);
+		}
+		pitch = (pitch + 3) & ~3;
+	}
+	if (pitch > 0xFFFF) {
+		SDL_SetError("A scanline is too wide");
+		return(0);
+	}
+	return((Uint16)pitch);
 }
 /*
  * Match an RGB value to a particular palette index
--- a/src/video/gapi/SDL_gapivideo.c	Sat Mar 16 18:35:33 2019 -0700
+++ b/src/video/gapi/SDL_gapivideo.c	Sat Mar 16 19:16:24 2019 -0700
@@ -733,6 +733,9 @@
 	video->w = gapi->w = width;
 	video->h = gapi->h = height;
 	video->pitch = SDL_CalculatePitch(video); 
+	if (!current->pitch) {
+		return(NULL);
+	}
 
 	/* Small fix for WinCE/Win32 - when activating window
 	   SDL_VideoSurface is equal to zero, so activating code
--- a/src/video/nanox/SDL_nxvideo.c	Sat Mar 16 18:35:33 2019 -0700
+++ b/src/video/nanox/SDL_nxvideo.c	Sat Mar 16 19:16:24 2019 -0700
@@ -378,6 +378,10 @@
         current -> w = width ;
         current -> h = height ;
         current -> pitch = SDL_CalculatePitch (current) ;
+        if (!current->pitch) {
+            current = NULL;
+            goto done;
+        }
         NX_ResizeImage (this, current, flags) ;
     }
 
--- a/src/video/ps2gs/SDL_gsvideo.c	Sat Mar 16 18:35:33 2019 -0700
+++ b/src/video/ps2gs/SDL_gsvideo.c	Sat Mar 16 19:16:24 2019 -0700
@@ -479,6 +479,9 @@
 	current->w = width;
 	current->h = height;
 	current->pitch = SDL_CalculatePitch(current);
+	if (!current->pitch) {
+		return(NULL);
+	}
 
 	/* Memory map the DMA area for block memory transfer */
 	if ( ! mapped_mem ) {
--- a/src/video/ps3/SDL_ps3video.c	Sat Mar 16 18:35:33 2019 -0700
+++ b/src/video/ps3/SDL_ps3video.c	Sat Mar 16 19:16:24 2019 -0700
@@ -339,6 +339,9 @@
 	current->w = width;
 	current->h = height;
 	current->pitch = SDL_CalculatePitch(current);
+	if (!current->pitch) {
+		return(NULL);
+	}
 
 	/* Alloc aligned mem for current->pixels */
 	s_pixels = memalign(16, current->h * current->pitch);
--- a/src/video/windib/SDL_dibvideo.c	Sat Mar 16 18:35:33 2019 -0700
+++ b/src/video/windib/SDL_dibvideo.c	Sat Mar 16 19:16:24 2019 -0700
@@ -675,6 +675,9 @@
 	video->w = width;
 	video->h = height;
 	video->pitch = SDL_CalculatePitch(video);
+	if (!current->pitch) {
+		return(NULL);
+	}
 
 	/* Small fix for WinCE/Win32 - when activating window
 	   SDL_VideoSurface is equal to zero, so activating code
--- a/src/video/windx5/SDL_dx5video.c	Sat Mar 16 18:35:33 2019 -0700
+++ b/src/video/windx5/SDL_dx5video.c	Sat Mar 16 19:16:24 2019 -0700
@@ -1127,6 +1127,9 @@
 		video->w = width;
 		video->h = height;
 		video->pitch = SDL_CalculatePitch(video);
+		if (!current->pitch) {
+			return(NULL);
+		}
 
 #ifndef NO_CHANGEDISPLAYSETTINGS
 		/* Set fullscreen mode if appropriate.
--- a/src/video/x11/SDL_x11video.c	Sat Mar 16 18:35:33 2019 -0700
+++ b/src/video/x11/SDL_x11video.c	Sat Mar 16 19:16:24 2019 -0700
@@ -1225,6 +1225,10 @@
 		current->w = width;
 		current->h = height;
 		current->pitch = SDL_CalculatePitch(current);
+		if (!current->pitch) {
+			current = NULL;
+			goto done;
+		}
 		if (X11_ResizeImage(this, current, flags) < 0) {
 			current = NULL;
 			goto done;
Package init 2019-11-19 11:57:04 +08:00			`--- a/src/video/SDL_pixels.c Sat Mar 16 18:35:33 2019 -0700`
			`+++ b/src/video/SDL_pixels.c Sat Mar 16 19:16:24 2019 -0700`
			`@@ -286,26 +286,53 @@`
			`}`
			`}`
			`/*`
			`- * Calculate the pad-aligned scanline width of a surface`
			`+ * Calculate the pad-aligned scanline width of a surface. Return 0 in case of`
			`+ * an error.`
			`*/`
			`Uint16 SDL_CalculatePitch(SDL_Surface *surface)`
			`{`
			`- Uint16 pitch;`
			`+ unsigned int pitch = 0;`

			`/* Surface should be 4-byte aligned for speed */`
			`- pitch = surface->w*surface->format->BytesPerPixel;`
			`+ /* The code tries to prevent from an Uint16 overflow. */;`
			`+ for (Uint8 byte = surface->format->BytesPerPixel; byte; byte--) {`
			`+ pitch += (unsigned int)surface->w;`
			`+ if (pitch < surface->w) {`
			`+ SDL_SetError("A scanline is too wide");`
			`+ return(0);`
			`+ }`
			`+ }`
			`switch (surface->format->BitsPerPixel) {`
			`case 1:`
			`- pitch = (pitch+7)/8;`
			`+ if (pitch % 8) {`
			`+ pitch = pitch / 8 + 1;`
			`+ } else {`
			`+ pitch = pitch / 8;`
			`+ }`
			`break;`
			`case 4:`
			`- pitch = (pitch+1)/2;`
			`+ if (pitch % 2) {`
			`+ pitch = pitch / 2 + 1;`
			`+ } else {`
			`+ pitch = pitch / 2;`
			`+ }`
			`break;`
			`default:`
			`break;`
			`}`
			`- pitch = (pitch + 3) & ~3; /* 4-byte aligning */`
			`- return(pitch);`
			`+ /* 4-byte aligning */`
			`+ if (pitch & 3) {`
			`+ if (pitch + 3 < pitch) {`
			`+ SDL_SetError("A scanline is too wide");`
			`+ return(0);`
			`+ }`
			`+ pitch = (pitch + 3) & ~3;`
			`+ }`
			`+ if (pitch > 0xFFFF) {`
			`+ SDL_SetError("A scanline is too wide");`
			`+ return(0);`
			`+ }`
			`+ return((Uint16)pitch);`
			`}`
			`/*`
			`* Match an RGB value to a particular palette index`
			`--- a/src/video/gapi/SDL_gapivideo.c Sat Mar 16 18:35:33 2019 -0700`
			`+++ b/src/video/gapi/SDL_gapivideo.c Sat Mar 16 19:16:24 2019 -0700`
			`@@ -733,6 +733,9 @@`
			`video->w = gapi->w = width;`
			`video->h = gapi->h = height;`
			`video->pitch = SDL_CalculatePitch(video);`
			`+ if (!current->pitch) {`
			`+ return(NULL);`
			`+ }`

			`/* Small fix for WinCE/Win32 - when activating window`
			`SDL_VideoSurface is equal to zero, so activating code`
			`--- a/src/video/nanox/SDL_nxvideo.c Sat Mar 16 18:35:33 2019 -0700`
			`+++ b/src/video/nanox/SDL_nxvideo.c Sat Mar 16 19:16:24 2019 -0700`
			`@@ -378,6 +378,10 @@`
			`current -> w = width ;`
			`current -> h = height ;`
			`current -> pitch = SDL_CalculatePitch (current) ;`
			`+ if (!current->pitch) {`
			`+ current = NULL;`
			`+ goto done;`
			`+ }`
			`NX_ResizeImage (this, current, flags) ;`
			`}`

			`--- a/src/video/ps2gs/SDL_gsvideo.c Sat Mar 16 18:35:33 2019 -0700`
			`+++ b/src/video/ps2gs/SDL_gsvideo.c Sat Mar 16 19:16:24 2019 -0700`
			`@@ -479,6 +479,9 @@`
			`current->w = width;`
			`current->h = height;`
			`current->pitch = SDL_CalculatePitch(current);`
			`+ if (!current->pitch) {`
			`+ return(NULL);`
			`+ }`

			`/* Memory map the DMA area for block memory transfer */`
			`if ( ! mapped_mem ) {`
			`--- a/src/video/ps3/SDL_ps3video.c Sat Mar 16 18:35:33 2019 -0700`
			`+++ b/src/video/ps3/SDL_ps3video.c Sat Mar 16 19:16:24 2019 -0700`
			`@@ -339,6 +339,9 @@`
			`current->w = width;`
			`current->h = height;`
			`current->pitch = SDL_CalculatePitch(current);`
			`+ if (!current->pitch) {`
			`+ return(NULL);`
			`+ }`

			`/* Alloc aligned mem for current->pixels */`
			`s_pixels = memalign(16, current->h * current->pitch);`
			`--- a/src/video/windib/SDL_dibvideo.c Sat Mar 16 18:35:33 2019 -0700`
			`+++ b/src/video/windib/SDL_dibvideo.c Sat Mar 16 19:16:24 2019 -0700`
			`@@ -675,6 +675,9 @@`
			`video->w = width;`
			`video->h = height;`
			`video->pitch = SDL_CalculatePitch(video);`
			`+ if (!current->pitch) {`
			`+ return(NULL);`
			`+ }`

			`/* Small fix for WinCE/Win32 - when activating window`
			`SDL_VideoSurface is equal to zero, so activating code`
			`--- a/src/video/windx5/SDL_dx5video.c Sat Mar 16 18:35:33 2019 -0700`
			`+++ b/src/video/windx5/SDL_dx5video.c Sat Mar 16 19:16:24 2019 -0700`
			`@@ -1127,6 +1127,9 @@`
			`video->w = width;`
			`video->h = height;`
			`video->pitch = SDL_CalculatePitch(video);`
			`+ if (!current->pitch) {`
			`+ return(NULL);`
			`+ }`

			`#ifndef NO_CHANGEDISPLAYSETTINGS`
			`/* Set fullscreen mode if appropriate.`
			`--- a/src/video/x11/SDL_x11video.c Sat Mar 16 18:35:33 2019 -0700`
			`+++ b/src/video/x11/SDL_x11video.c Sat Mar 16 19:16:24 2019 -0700`
			`@@ -1225,6 +1225,10 @@`
			`current->w = width;`
			`current->h = height;`
			`current->pitch = SDL_CalculatePitch(current);`
			`+ if (!current->pitch) {`
			`+ current = NULL;`
			`+ goto done;`
			`+ }`
			`if (X11_ResizeImage(this, current, flags) < 0) {`
			`current = NULL;`
			`goto done;`