diff --git a/CVE-2019-13616.patch b/CVE-2019-13616.patch
new file mode 100644
index 0000000..19f0377
--- /dev/null
+++ b/CVE-2019-13616.patch
@@ -0,0 +1,30 @@
+From 636be06fa7f0cd2ee4d79c8e891b3bcbce331d7b Mon Sep 17 00:00:00 2001
+From: Ozkan Sezer
+Date: Tue, 30 Jul 2019 21:30:24 +0300
+Subject: [PATCH] Fixed bug 4538 - validate image size when loading BMP files
+
+--HG--
+branch : SDL-1.2
+---
+ src/video/SDL_bmp.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c
+index 758d4bb..6cadc8a 100644
+--- a/src/video/SDL_bmp.c
++++ b/src/video/SDL_bmp.c
+@@ -143,6 +143,11 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc)
+ (void) biYPelsPerMeter;
+ (void) biClrImportant;
+ 
++ if (biWidth <= 0 || biHeight == 0) {
++ SDL_SetError("BMP file with bad dimensions (%dx%d)", biWidth, biHeight);
++ was_error = SDL_TRUE;
++ goto done;
++ }
+ if (biHeight < 0) {
+ topDown = SDL_TRUE;
+ biHeight = -biHeight;
+-- 
+1.8.3.1
+
diff --git a/SDL-1.2.10-GrabNotViewable.patch b/SDL-1.2.10-GrabNotViewable.patch
new file mode 100644
index 0000000..128cf35
--- /dev/null
+++ b/SDL-1.2.10-GrabNotViewable.patch
@@ -0,0 +1,22 @@
+Makes SDL-1.2 SDL_WM_GrabInput() non-blocking in case of SDL window is not
+viewable. Patch provided by .
+See .
+
+--- ./src/video/x11/SDL_x11wm.c 2007-12-31 04:48:13.000000000 +0000
++++ ./src/video/x11/SDL_x11wm.c 2009-01-15 10:27:14.000000000 +0000
+@@ -351,13 +351,14 @@ SDL_GrabMode X11_GrabInputNoLock(_THIS,
+ result = XGrabPointer(SDL_Display, SDL_Window, True, 0,
+ GrabModeAsync, GrabModeAsync,
+ SDL_Window, None, CurrentTime);
+- if ( result == GrabSuccess ) {
++ if ( result == GrabSuccess || result == GrabNotViewable ) {
+ break;
+ }
+ SDL_Delay(100);
+ }
+ if ( result != GrabSuccess ) {
+ /* Uh, oh, what do we do here? */ ;
++ return(SDL_GRAB_OFF);
+ }
+ /* Now grab the keyboard */
+ XGrabKeyboard(SDL_Display, WMwindow, True,
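Review bot: The new guard stops at `biWidth <= 0 || biHeight == 0`, so a height equal to the most negative value of its type still reaches `biHeight = -biHeight;` two lines below, which is signed overflow if biHeight is a signed 32-bit field as the `%d` format suggests. Extending the guard to `if (biWidth <= 0 || biHeight == 0 || biHeight == INT_MIN) {` (with `<limits.h>` in scope, or the equivalent limit for the field's actual type) closes that gap without rejecting any other input. No upper bound is imposed either, so whether width × height × bytes-per-pixel can overflow the later surface allocation depends on code outside the hunk; SDL_LoadBMP_RW both starts and ends outside it.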
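Review bot: The added `return(SDL_GRAB_OFF);` now also fires for GrabNotViewable, which the loop above was just taught to treat as a reason to stop retrying, so an unmapped window yields SDL_GRAB_OFF without reaching the keyboard grab below — intended, but the line it follows, `/* Uh, oh, what do we do here? */ ;`, is now a stale comment plus an empty statement. Replace that line with `/* Pointer grab failed or the window is not viewable: give up instead of blocking on the keyboard grab. */` so the early return explains itself. The loop header of X11_GrabInputNoLock is outside the hunk, so whether the retry loop is bounded cannot be confirmed here.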
diff --git a/SDL-1.2.15-SDL_EnableUNICODE_drops_keyboard_events.patch b/SDL-1.2.15-SDL_EnableUNICODE_drops_keyboard_events.patch
new file mode 100644
index 0000000..fdf910e
--- /dev/null
+++ b/SDL-1.2.15-SDL_EnableUNICODE_drops_keyboard_events.patch
@@ -0,0 +1,73 @@
+# HG changeset patch
+# User Sam Lantinga
+# Date 1397799374 25200
+# Thu Apr 17 22:36:14 2014 -0700
+# Branch SDL-1.2
+# Node ID 0aade9c0203f717fe4b823a176c3c040f1a709f8
+# Parent 22a7f096bb9d4d596f35a93e33608825693462b0
+Fixed bug 2325 - SDL_EnableUNICODE sometimes drops keyboard events completely
+
+Rafał Mużyło
+
+The most annoying part of this bug is that though I've found it in two separate apps, I don't have a trivial testcase for it.
+
+The problem seems to be a condition race, as it's triggered quite randomly (therefore it will be hard to tell whether it really gets fixed, if a probable fix is found).
+
+While it's specific to SDL 1.2, it seems quite similar to the problem described and fixed in http://forums.libsdl.org/viewtopic.php?p=40503.
+
+Now, I should start describing the problem.
+
+A game uses Escape to open menu (the exact key might not be important). Upon opening, it calls SDL_EnableUNICODE(1). Upon closing it calls SDL_EnableUNICODE(0).
+
+I have an IME running.
+
+Game uses SDL_PollEvent to get the events.
+
+If Escape is pressed repeatedly, menu is opened and closed, till it eventually freezes in open state.
+"freezes" in this context means "app itself still runs, but no keyboard events are getting delivered (though - for example - mouse events still are)". "getting delivered" should mean "SDL_PollEvent is not receiving any".
+If it matters, the last delivered keyboard event is a keypress, the release never arrives.
+
+It seems (no guarantees, due to random nature of the freeze) that unsetting XMODIFIERS (which - AFAIU - will disable IME as far as SDL is concerned) prevents the freeze, therefore the reference to that SDL2 thread.
+
+diff -r 22a7f096bb9d -r 0aade9c0203f src/video/x11/SDL_x11events.c
+--- a/src/video/x11/SDL_x11events.c Sun Dec 01 00:00:17 2013 -0500
++++ b/src/video/x11/SDL_x11events.c Thu Apr 17 22:36:14 2014 -0700
+@@ -395,6 +395,8 @@
+ {
+ int posted;
+ XEvent xevent;
++ int orig_event_type;
++ KeyCode orig_keycode;
+ 
+ SDL_memset(&xevent, '\0', sizeof (XEvent)); /* valgrind fix. --ryan. */
+ XNextEvent(SDL_Display, &xevent);
+@@ -410,9 +412,29 @@
+ #ifdef X_HAVE_UTF8_STRING
+ /* If we are translating with IM, we need to pass all events
+ to XFilterEvent, and discard those filtered events immediately. */
++ orig_event_type = xevent.type;
++ if (orig_event_type == KeyPress || orig_event_type == KeyRelease) {
++ orig_keycode = xevent.xkey.keycode;
++ } else {
++ orig_keycode = 0;
++ }
+ if ( SDL_TranslateUNICODE
+ && SDL_IM != NULL
+ && XFilterEvent(&xevent, None) ) {
++ if (orig_keycode) {
++ SDL_keysym keysym;
++ static XComposeStatus state;
++ char keybuf[32];
++
++ keysym.scancode = xevent.xkey.keycode;
++ keysym.sym = X11_TranslateKeycode(SDL_Display, xevent.xkey.keycode);
++ keysym.mod = KMOD_NONE;
++ keysym.unicode = 0;
++ if (orig_event_type == KeyPress && XLookupString(&xevent.xkey, keybuf, sizeof(keybuf), NULL, &state))
++ keysym.unicode = (Uint8)keybuf[0];
++
++ SDL_PrivateKeyboard(orig_event_type == KeyPress ? SDL_PRESSED : SDL_RELEASED, &keysym);
++ }
+ return 0;
+ }
+ #endif
diff --git a/SDL-1.2.15-const_XData32.patch b/SDL-1.2.15-const_XData32.patch
new file mode 100644
index 0000000..0f1c07c
--- /dev/null
+++ b/SDL-1.2.15-const_XData32.patch
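Review bot: The synthesized key event in the second hunk keeps only `(Uint8)keybuf[0]` and discards the byte count XLookupString returns, so a lookup that yields more than one byte is reported as its first byte; if single-byte Latin-1 output is the intended contract, state it in a comment, otherwise require the returned count to be 1 before assigning. `orig_keycode` doubles as a "this was a key event" flag with 0 as the sentinel, which only holds if X never delivers keycode 0 — a comment on the `orig_keycode = 0;` line such as `/* 0 is not a valid X keycode, so it also marks "not a key event" */` would make that explicit. The enclosing function's signature lies above the first hunk and its body continues below the second, so what else runs before `return 0;` cannot be seen here.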
@@ -0,0 +1,16 @@
+libX11-1.5.99.901 has changed prototype of _XData32
+
+
+
+diff -r b6b2829cd7ef src/video/x11/SDL_x11sym.h
+--- a/src/video/x11/SDL_x11sym.h Wed Feb 27 15:20:31 2013 -0800
++++ b/src/video/x11/SDL_x11sym.h Wed Mar 27 16:07:23 2013 +0100
+@@ -165,7 +165,7 @@
+ */
+ #ifdef LONG64
+ SDL_X11_MODULE(IO_32BIT)
+-SDL_X11_SYM(int,_XData32,(Display *dpy,register long *data,unsigned len),(dpy,data,len),return)
++SDL_X11_SYM(int,_XData32,(Display *dpy,register _Xconst long *data,unsigned len),(dpy,data,len),return)
+ SDL_X11_SYM(void,_XRead32,(Display *dpy,register long *data,long len),(dpy,data,len),)
+ #endif
+
diff --git a/SDL-1.2.15-ignore_insane_joystick_axis.patch b/SDL-1.2.15-ignore_insane_joystick_axis.patch
new file mode 100644
index 0000000..33340fd
--- /dev/null
+++ b/SDL-1.2.15-ignore_insane_joystick_axis.patch
@@ -0,0 +1,20 @@
+changeset: 6324:95abff7adcc2
+branch: SDL-1.2
+parent: 6306:2b923729fd01
+user: Ryan C. Gordon
+date: Sun Jun 03 04:49:25 2012 -0400
+summary: Linux evdev: ignore joystick axis events if they aren't in a sane range.
+
+diff -r 2b923729fd01 -r 95abff7adcc2 src/joystick/linux/SDL_sysjoystick.c
+--- a/src/joystick/linux/SDL_sysjoystick.c Sat May 12 23:32:51 2012 -0700
++++ b/src/joystick/linux/SDL_sysjoystick.c Sun Jun 03 04:49:25 2012 -0400
+@@ -1106,6 +1106,9 @@
+ }
+ break;
+ case EV_ABS:
++ if (code > ABS_MISC) {
++ break;
++ }
+ switch (code) {
+ case ABS_HAT0X:
+ case ABS_HAT0Y:
diff --git a/SDL-1.2.15-no-default-backing-store.patch b/SDL-1.2.15-no-default-backing-store.patch
new file mode 100644
index 0000000..4d5209d
--- /dev/null
+++ b/SDL-1.2.15-no-default-backing-store.patch
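Review bot: `if (code > ABS_MISC) { break; }` still admits `code == ABS_MISC`; if the per-axis tables that the `default:` branch indexes with `code` are sized `ABS_MISC` (as `abs_map` is in this driver, to my recollection — verify against the hwdata struct), that value indexes one past the end, and `if (code >= ABS_MISC) {` is the bound to use. Whichever limit is correct, a comment naming the array the check protects would document why ABS_MISC is the threshold, e.g. `/* axis codes beyond the per-axis tables have no SDL mapping; ignore them */`. The enclosing switch starts and ends outside the hunk.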
@@ -0,0 +1,24 @@
+Do not harness backing store by default
+
+xorg-server 1.15 enables backing store if composite extension is enabled
+(default settings). Harnessing backing store through compositor leads to
+tearing effect.
+
+This patch reverts default harnessing backing store to conditional use if
+SDL_VIDEO_X11_BACKINGSTORE environment variable exists.
+
+
+
+
+diff -up SDL-1.2.15/src/video/x11/SDL_x11video.c.jx SDL-1.2.15/src/video/x11/SDL_x11video.c
+--- SDL-1.2.15/src/video/x11/SDL_x11video.c.jx 2012-01-19 01:30:06.000000000 -0500
++++ SDL-1.2.15/src/video/x11/SDL_x11video.c 2014-03-04 14:39:34.691545549 -0500
+@@ -1088,7 +1088,7 @@ static int X11_CreateWindow(_THIS, SDL_S
+ }
+ }
+ 
+-#if 0 /* This is an experiment - are the graphics faster now? - nope. */
++#if 1 /* This is an experiment - are the graphics faster now? - nope. */
+ if ( SDL_getenv("SDL_VIDEO_X11_BACKINGSTORE") )
+ #endif
+ /* Cache the window in the server, when possible */
diff --git a/SDL-1.2.15-vec_perm-ppc64le.patch b/SDL-1.2.15-vec_perm-ppc64le.patch
new file mode 100644
index 0000000..77c915b
--- /dev/null
+++ b/SDL-1.2.15-vec_perm-ppc64le.patch
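Review bot: Flipping `#if 0` to `#if 1` makes the `SDL_getenv("SDL_VIDEO_X11_BACKINGSTORE")` condition live but leaves `/* This is an experiment - are the graphics faster now? - nope. */` attached to it, a comment that now describes the wrong thing; drop the `#if 1`/`#endif` pair and comment the condition itself, `/* Backing store is opt-in: with a compositing server it causes tearing */`. The brace-less `if` whose body sits beyond the hunk, with a preprocessor line between condition and body, is fragile to further edits; braces around the body (outside the hunk) would make it robust. X11_CreateWindow continues past the hunk.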
@@ -0,0 +1,87 @@
+Correct vec_perm() application on little-endian 64-bit PowerPC
+
+The LE transformation for vec_perm has an implicit assumption that the
+permutation is being used to reorder vector elements (in this case 4-byte
+integer word elements), not to reorder bytes within those elements. Although
+this is legal behavior, it is not anticipated by the transformation performed
+by the compilers.
+
+This causes pygame-1.9.1 test failure on PPC64LE because blitted pixmaps are
+corrupted there due to how SDL uses vec_perm().
+
+
+
+--- SDL-1.2.15/src/video/SDL_blit_N.c.ori 2017-09-04 05:56:17.759347525 -0400
++++ SDL-1.2.15/src/video/SDL_blit_N.c 2017-09-06 05:36:20.570789610 -0400
+@@ -146,6 +146,32 @@ static vector unsigned char calc_swizzle
+ return(vswiz);
+ }
+ 
++/* reorder bytes for PowerPC little endian */
++static vector unsigned char reorder_ppc64le_vec(vector unsigned char vpermute)
++{
++ /* The result vector of calc_swizzle32 reorder bytes using vec_perm.
++ The LE transformation for vec_perm has an implicit assumption
++ that the permutation is being used to reorder vector elements,
++ not to reorder bytes within those elements.
++ Unfortunatly the result order is not the expected one for powerpc
++ little endian when the two first vector parameters of vec_perm are
++ not of type 'vector char'. This is because the numbering from the
++ left for BE, and numbering from the right for LE, produces a
++ different interpretation of what the odd and even lanes are.
++ Refer to fedora bug 1392465
++ */
++
++ const vector unsigned char ppc64le_reorder = VECUINT8_LITERAL(
++ 0x01, 0x00, 0x03, 0x02,
++ 0x05, 0x04, 0x07, 0x06,
++ 0x09, 0x08, 0x0B, 0x0A,
++ 0x0D, 0x0C, 0x0F, 0x0E );
++
++ vector unsigned char vswiz_ppc64le;
++ vswiz_ppc64le = vec_perm(vpermute, vpermute, ppc64le_reorder);
++ return(vswiz_ppc64le);
++}
++
+ static void Blit_RGB888_RGB565(SDL_BlitInfo *info);
+ static void Blit_RGB888_RGB565Altivec(SDL_BlitInfo *info) {
+ int height = info->d_height;
+@@ -631,6 +657,12 @@ static void Blit32to32KeyAltivec(SDL_Bli
+ vsel = (vector unsigned char)vec_and(vs, vrgbmask);
+ vsel = (vector unsigned char)vec_cmpeq(vs, vckey);
+ /* permute the src vec to the dest format */
++
++#if defined(__powerpc__) && (SDL_BYTEORDER == SDL_LIL_ENDIAN)
++ /* reorder bytes for PowerPC little endian */
++ vpermute = reorder_ppc64le_vec(vpermute);
++#endif
++
+ vs = vec_perm(vs, valpha, vpermute);
+ /* load the destination vec */
+ vd = vec_ld(0, dstp);
+@@ -704,6 +736,12 @@ static void ConvertAltivec32to32_noprefe
+ src += 4;
+ width -= 4;
+ vbits = vec_perm(vbits, voverflow, valigner); /* src is ready. */
++
++#if defined(__powerpc__) && (SDL_BYTEORDER == SDL_LIL_ENDIAN)
++ /* reorder bytes for PowerPC little endian */
++ vpermute = reorder_ppc64le_vec(vpermute);
++#endif
++
+ vbits = vec_perm(vbits, vzero, vpermute); /* swizzle it. */
+ vec_st(vbits, 0, dst); /* store it back out. */
+ dst += 4;
+@@ -786,6 +824,12 @@ static void ConvertAltivec32to32_prefetc
+ src += 4;
+ width -= 4;
+ vbits = vec_perm(vbits, voverflow, valigner); /* src is ready. */
++
++#if defined(__powerpc__) && (SDL_BYTEORDER == SDL_LIL_ENDIAN)
++ /* reorder bytes for PowerPC little endian */
++ vpermute = reorder_ppc64le_vec(vpermute);
++#endif
++
+ vbits = vec_perm(vbits, vzero, vpermute); /* swizzle it. */
+ vec_st(vbits, 0, dst); /* store it back out. */
+ dst += 4;
diff --git a/SDL.spec b/SDL.spec
index 1830c8f..8bcd905 100644
--- a/SDL.spec
+++ b/SDL.spec
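Review bot: `vpermute = reorder_ppc64le_vec(vpermute);` sits inside the per-vector loops of Blit32to32KeyAltivec, ConvertAltivec32to32_noprefetch and ConvertAltivec32to32_prefetch and overwrites the permutation on every pass; the reorder table (0x01, 0x00, 0x03, 0x02, …) swaps byte pairs and is therefore its own inverse, so if vpermute is computed once before each loop — its initialisation is outside all three hunks — every second pass would undo the correction. Apply the reorder once where vpermute is built, or keep the result in a separate local, `vector unsigned char vpermute_le = reorder_ppc64le_vec(vpermute);`, and pass that to vec_perm. The same point applies to all three call sites, and the loops they belong to start and end outside the hunks.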
@@ -1,21 +1,27 @@ Name: SDL Summary: A cross-platform multimedia library Version: 1.2.15 -Release: 35 +Release: 36 License: LGPLv2+ URL: http://www.libsdl.org/ Source0: %{name}-%{version}.tar.gz Source1: SDL_config.h Patch0: SDL-1.2.15-add_sdl_config_man.patch - -Patch9000: CVE-2019-7637.patch -Patch9001: CVE-2019-7636.patch -Patch9002: CVE-2019-7635_1.patch -Patch9003: CVE-2019-7635_2.patch -Patch9004: CVE-2019-7573_CVE-2019-7576.patch -Patch9005: CVE-2019-7578.patch -Patch9006: CVE-2019-7577.patch +Patch1: CVE-2019-7637.patch +Patch2: CVE-2019-7636.patch +Patch3: CVE-2019-7635_1.patch +Patch4: CVE-2019-7635_2.patch +Patch5: CVE-2019-7573_CVE-2019-7576.patch +Patch6: CVE-2019-7578.patch +Patch7: CVE-2019-7577.patch +Patch8: SDL-1.2.10-GrabNotViewable.patch +Patch9: SDL-1.2.15-const_XData32.patch +Patch10: SDL-1.2.15-ignore_insane_joystick_axis.patch +Patch11: SDL-1.2.15-no-default-backing-store.patch +Patch12: SDL-1.2.15-SDL_EnableUNICODE_drops_keyboard_events.patch +Patch13: SDL-1.2.15-vec_perm-ppc64le.patch +Patch14: CVE-2019-13616.patch BuildRequires: git alsa-lib-devel gdb-headless libtool @@ -97,6 +103,12 @@ rm -f %{buildroot}%{_libdir}/*.la %{_mandir}/man3/SDL*.3* %changelog +* Wed Mar 18 2020 openEuler Buildteam - 1.2.15-35 +- Type:CVE +- ID:NA +- SUG:NA +- DESC:Fix CVE-2019-13616 + * Thu Jan 16 2020 shijian - 1.2.15-35 - Modify Spec
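Review bot: The new changelog entry `* Wed Mar 18 2020 openEuler Buildteam - 1.2.15-35` carries the previous release while `Release:` is bumped to 36; the entry should read `- 1.2.15-36`. The DESC line names only CVE-2019-13616, but the same change adds Patch8 through Patch13 (GrabNotViewable, const_XData32, the joystick axis bound, backing store, SDL_EnableUNICODE and vec_perm), which belong in the record so the changelog matches what is built. Whether the renumbering of Patch9000–9006 to Patch1–7 is picked up automatically depends on the %prep section, which is outside the hunk.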