!6 修复CVE-2019-13616等问题

Merge pull request !6 from syyhao/next

CVE-2019-13616.patch

@@ -0,0 +1,30 @@
+From 636be06fa7f0cd2ee4d79c8e891b3bcbce331d7b Mon Sep 17 00:00:00 2001
+From: Ozkan Sezer <sezeroz@gmail.com>
+Date: Tue, 30 Jul 2019 21:30:24 +0300
+Subject: [PATCH] Fixed bug 4538 - validate image size when loading BMP files
+
+--HG--
+branch : SDL-1.2
+---
+ src/video/SDL_bmp.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c
+index 758d4bb..6cadc8a 100644
+--- a/src/video/SDL_bmp.c
++++ b/src/video/SDL_bmp.c
+@@ -143,6 +143,11 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc)
+ 	(void) biYPelsPerMeter;
+ 	(void) biClrImportant;
+ 
++	if (biWidth <= 0 || biHeight == 0) {
++		SDL_SetError("BMP file with bad dimensions (%dx%d)", biWidth, biHeight);
++		was_error = SDL_TRUE;
++		goto done;
++	}
+ 	if (biHeight < 0) {
+ 		topDown = SDL_TRUE;
+ 		biHeight = -biHeight;
+-- 
+1.8.3.1
+

SDL-1.2.10-GrabNotViewable.patch

@@ -0,0 +1,22 @@
+Makes SDL-1.2 SDL_WM_GrabInput() non-blocking in case of SDL window is not
+viewable. Patch provided by <pbonzini@redhat.com>.
+See <http://bugzilla.libsdl.org/show_bug.cgi?id=1155>.
+
+--- ./src/video/x11/SDL_x11wm.c	2007-12-31 04:48:13.000000000 +0000
++++ ./src/video/x11/SDL_x11wm.c	2009-01-15 10:27:14.000000000 +0000
+@@ -351,13 +351,14 @@ SDL_GrabMode X11_GrabInputNoLock(_THIS, 
+ 			result = XGrabPointer(SDL_Display, SDL_Window, True, 0,
+ 						GrabModeAsync, GrabModeAsync,
+ 						SDL_Window, None, CurrentTime);
+-			if ( result == GrabSuccess ) {
++			if ( result == GrabSuccess || result == GrabNotViewable ) {
+ 				break;
+ 			}
+ 			SDL_Delay(100);
+ 		}
+ 		if ( result != GrabSuccess ) {
+ 			/* Uh, oh, what do we do here? */ ;
++			return(SDL_GRAB_OFF);
+ 		}
+ 		/* Now grab the keyboard */
+ 		XGrabKeyboard(SDL_Display, WMwindow, True,

SDL-1.2.15-SDL_EnableUNICODE_drops_keyboard_events.patch

@@ -0,0 +1,73 @@
+# HG changeset patch
+# User Sam Lantinga <slouken@libsdl.org>
+# Date 1397799374 25200
+#      Thu Apr 17 22:36:14 2014 -0700
+# Branch SDL-1.2
+# Node ID 0aade9c0203f717fe4b823a176c3c040f1a709f8
+# Parent  22a7f096bb9d4d596f35a93e33608825693462b0
+Fixed bug 2325 - SDL_EnableUNICODE sometimes drops keyboard events completely
+
+Rafał Mużyło
+
+The most annoying part of this bug is that though I've found it in two separate apps, I don't have a trivial testcase for it.
+
+The problem seems to be a condition race, as it's triggered quite randomly (therefore it will be hard to tell whether it really gets fixed, if a probable fix is found).
+
+While it's specific to SDL 1.2, it seems quite similar to the problem described and fixed in http://forums.libsdl.org/viewtopic.php?p=40503.
+
+Now, I should start describing the problem.
+
+A game uses Escape to open menu (the exact key might not be important). Upon opening, it calls SDL_EnableUNICODE(1). Upon closing it calls SDL_EnableUNICODE(0).
+
+I have an IME running.
+
+Game uses SDL_PollEvent to get the events.
+
+If Escape is pressed repeatedly, menu is opened and closed, till it eventually freezes in open state.
+"freezes" in this context means "app itself still runs, but no keyboard events are getting delivered (though - for example - mouse events still are)". "getting delivered" should mean "SDL_PollEvent is not receiving any".
+If it matters, the last delivered keyboard event is a keypress, the release never arrives.
+
+It seems (no guarantees, due to random nature of the freeze) that unsetting XMODIFIERS (which - AFAIU - will disable IME as far as SDL is concerned) prevents the freeze, therefore the reference to that SDL2 thread.
+
+diff -r 22a7f096bb9d -r 0aade9c0203f src/video/x11/SDL_x11events.c
+--- a/src/video/x11/SDL_x11events.c	Sun Dec 01 00:00:17 2013 -0500
++++ b/src/video/x11/SDL_x11events.c	Thu Apr 17 22:36:14 2014 -0700
+@@ -395,6 +395,8 @@
+ {
+ 	int posted;
+ 	XEvent xevent;
++	int orig_event_type;
++	KeyCode orig_keycode;
+ 
+ 	SDL_memset(&xevent, '\0', sizeof (XEvent));  /* valgrind fix. --ryan. */
+ 	XNextEvent(SDL_Display, &xevent);
+@@ -410,9 +412,29 @@
+ #ifdef X_HAVE_UTF8_STRING
+ 	/* If we are translating with IM, we need to pass all events
+ 	   to XFilterEvent, and discard those filtered events immediately.  */
++	orig_event_type = xevent.type;
++	if (orig_event_type == KeyPress || orig_event_type == KeyRelease) {
++	     orig_keycode = xevent.xkey.keycode;
++	} else {
++	     orig_keycode = 0;
++	}
+ 	if ( SDL_TranslateUNICODE
+ 	     && SDL_IM != NULL
+ 	     && XFilterEvent(&xevent, None) ) {
++	        if (orig_keycode) {
++	            SDL_keysym keysym;
++	            static XComposeStatus state;
++	            char keybuf[32];
++
++	            keysym.scancode = xevent.xkey.keycode;
++	            keysym.sym = X11_TranslateKeycode(SDL_Display, xevent.xkey.keycode);
++	            keysym.mod = KMOD_NONE;
++	            keysym.unicode = 0;
++	            if (orig_event_type == KeyPress && XLookupString(&xevent.xkey, keybuf, sizeof(keybuf), NULL, &state))
++	                keysym.unicode = (Uint8)keybuf[0];
++
++	            SDL_PrivateKeyboard(orig_event_type == KeyPress ? SDL_PRESSED : SDL_RELEASED, &keysym);
++	        }
+ 		return 0;
+ 	}
+ #endif

SDL-1.2.15-const_XData32.patch

@@ -0,0 +1,16 @@
+libX11-1.5.99.901 has changed prototype of _XData32
+
+<http://bugzilla.libsdl.org/show_bug.cgi?id=1769>
+
+diff -r b6b2829cd7ef src/video/x11/SDL_x11sym.h
+--- a/src/video/x11/SDL_x11sym.h	Wed Feb 27 15:20:31 2013 -0800
++++ b/src/video/x11/SDL_x11sym.h	Wed Mar 27 16:07:23 2013 +0100
+@@ -165,7 +165,7 @@
+  */
+ #ifdef LONG64
+ SDL_X11_MODULE(IO_32BIT)
+-SDL_X11_SYM(int,_XData32,(Display *dpy,register long *data,unsigned len),(dpy,data,len),return)
++SDL_X11_SYM(int,_XData32,(Display *dpy,register _Xconst long *data,unsigned len),(dpy,data,len),return)
+ SDL_X11_SYM(void,_XRead32,(Display *dpy,register long *data,long len),(dpy,data,len),)
+ #endif
+ 

SDL-1.2.15-ignore_insane_joystick_axis.patch

@@ -0,0 +1,20 @@
+changeset:   6324:95abff7adcc2
+branch:      SDL-1.2
+parent:      6306:2b923729fd01
+user:        Ryan C. Gordon <icculus@icculus.org>
+date:        Sun Jun 03 04:49:25 2012 -0400
+summary:     Linux evdev: ignore joystick axis events if they aren't in a sane range.
+
+diff -r 2b923729fd01 -r 95abff7adcc2 src/joystick/linux/SDL_sysjoystick.c
+--- a/src/joystick/linux/SDL_sysjoystick.c	Sat May 12 23:32:51 2012 -0700
++++ b/src/joystick/linux/SDL_sysjoystick.c	Sun Jun 03 04:49:25 2012 -0400
+@@ -1106,6 +1106,9 @@
+ 				}
+ 				break;
+ 			    case EV_ABS:
++				if (code > ABS_MISC) {
++					break;
++				}
+ 				switch (code) {
+ 				    case ABS_HAT0X:
+ 				    case ABS_HAT0Y:

SDL-1.2.15-no-default-backing-store.patch

@@ -0,0 +1,24 @@
+Do not harness backing store by default
+
+xorg-server 1.15 enables backing store if composite extension is enabled
+(default settings). Harnessing backing store through compositor leads to
+tearing effect.
+
+This patch reverts default harnessing backing store to conditional use if
+SDL_VIDEO_X11_BACKINGSTORE environment variable exists.
+
+<https://bugzilla.libsdl.org/show_bug.cgi?id=2383>
+<https://bugzilla.redhat.com/show_bug.cgi?id=1073057>
+
+diff -up SDL-1.2.15/src/video/x11/SDL_x11video.c.jx SDL-1.2.15/src/video/x11/SDL_x11video.c
+--- SDL-1.2.15/src/video/x11/SDL_x11video.c.jx	2012-01-19 01:30:06.000000000 -0500
++++ SDL-1.2.15/src/video/x11/SDL_x11video.c	2014-03-04 14:39:34.691545549 -0500
+@@ -1088,7 +1088,7 @@ static int X11_CreateWindow(_THIS, SDL_S
+ 		}
+ 	}
+ 
+-#if 0 /* This is an experiment - are the graphics faster now? - nope. */
++#if 1 /* This is an experiment - are the graphics faster now? - nope. */
+ 	if ( SDL_getenv("SDL_VIDEO_X11_BACKINGSTORE") )
+ #endif
+ 	/* Cache the window in the server, when possible */

SDL-1.2.15-vec_perm-ppc64le.patch

@@ -0,0 +1,87 @@
+Correct vec_perm() application on little-endian 64-bit PowerPC
+
+The LE transformation for vec_perm has an implicit assumption that the
+permutation is being used to reorder vector elements (in this case 4-byte
+integer word elements), not to reorder bytes within those elements.  Although
+this is legal behavior, it is not anticipated by the transformation performed
+by the compilers.
+
+This causes pygame-1.9.1 test failure on PPC64LE because blitted pixmaps are
+corrupted there due to how SDL uses vec_perm().
+
+<https://bugzilla.redhat.com/show_bug.cgi?id=1392465>
+
+--- SDL-1.2.15/src/video/SDL_blit_N.c.ori	2017-09-04 05:56:17.759347525 -0400
++++ SDL-1.2.15/src/video/SDL_blit_N.c	2017-09-06 05:36:20.570789610 -0400
+@@ -146,6 +146,32 @@ static vector unsigned char calc_swizzle
+     return(vswiz);
+ }
+ 
++/* reorder bytes for PowerPC little endian */
++static vector unsigned char reorder_ppc64le_vec(vector unsigned char vpermute)
++{
++    /* The result vector of calc_swizzle32 reorder bytes using vec_perm.
++       The LE transformation for vec_perm has an implicit assumption
++       that the permutation is being used to reorder vector elements,
++       not to reorder bytes within those elements.  
++       Unfortunatly the result order is not the expected one for powerpc
++       little endian when the two first vector parameters of vec_perm are
++       not of type 'vector char'. This is because the numbering from the
++       left for BE, and numbering from the right for LE, produces a
++       different interpretation of what the odd and even lanes are.
++       Refer to fedora bug 1392465
++     */
++
++    const vector unsigned char ppc64le_reorder = VECUINT8_LITERAL(
++                                      0x01, 0x00, 0x03, 0x02,
++                                      0x05, 0x04, 0x07, 0x06,
++                                      0x09, 0x08, 0x0B, 0x0A,
++                                      0x0D, 0x0C, 0x0F, 0x0E );
++
++    vector unsigned char vswiz_ppc64le;
++    vswiz_ppc64le = vec_perm(vpermute, vpermute, ppc64le_reorder);
++    return(vswiz_ppc64le);
++}
++
+ static void Blit_RGB888_RGB565(SDL_BlitInfo *info);
+ static void Blit_RGB888_RGB565Altivec(SDL_BlitInfo *info) {
+     int height = info->d_height;
+@@ -631,6 +657,12 @@ static void Blit32to32KeyAltivec(SDL_Bli
+                 vsel = (vector unsigned char)vec_and(vs, vrgbmask);
+                 vsel = (vector unsigned char)vec_cmpeq(vs, vckey);
+                 /* permute the src vec to the dest format */
++
++#if defined(__powerpc__) && (SDL_BYTEORDER == SDL_LIL_ENDIAN)
++            /* reorder bytes for PowerPC little endian */
++            vpermute = reorder_ppc64le_vec(vpermute);
++#endif
++
+                 vs = vec_perm(vs, valpha, vpermute);
+                 /* load the destination vec */
+                 vd = vec_ld(0, dstp);
+@@ -704,6 +736,12 @@ static void ConvertAltivec32to32_noprefe
+             src += 4;
+             width -= 4;
+             vbits = vec_perm(vbits, voverflow, valigner);  /* src is ready. */
++
++#if defined(__powerpc__) && (SDL_BYTEORDER == SDL_LIL_ENDIAN)
++            /* reorder bytes for PowerPC little endian */
++            vpermute = reorder_ppc64le_vec(vpermute);
++#endif
++
+             vbits = vec_perm(vbits, vzero, vpermute);  /* swizzle it. */
+             vec_st(vbits, 0, dst);  /* store it back out. */
+             dst += 4;
+@@ -786,6 +824,12 @@ static void ConvertAltivec32to32_prefetc
+             src += 4;
+             width -= 4;
+             vbits = vec_perm(vbits, voverflow, valigner);  /* src is ready. */
++
++#if defined(__powerpc__) && (SDL_BYTEORDER == SDL_LIL_ENDIAN) 
++            /* reorder bytes for PowerPC little endian */
++            vpermute = reorder_ppc64le_vec(vpermute);
++#endif
++
+             vbits = vec_perm(vbits, vzero, vpermute);  /* swizzle it. */
+             vec_st(vbits, 0, dst);  /* store it back out. */
+             dst += 4;

SDL.spec

@@ -1,21 +1,27 @@
 Name:       SDL
 Summary:    A cross-platform multimedia library
 Version:    1.2.15
-Release:    35
+Release:    36
 License:    LGPLv2+
 URL:        http://www.libsdl.org/
 
 Source0:    %{name}-%{version}.tar.gz
 Source1:    SDL_config.h
 Patch0:     SDL-1.2.15-add_sdl_config_man.patch
-
-Patch9000: CVE-2019-7637.patch
-Patch9001: CVE-2019-7636.patch
-Patch9002: CVE-2019-7635_1.patch
-Patch9003: CVE-2019-7635_2.patch
-Patch9004: CVE-2019-7573_CVE-2019-7576.patch
-Patch9005: CVE-2019-7578.patch
-Patch9006: CVE-2019-7577.patch
+Patch1:     CVE-2019-7637.patch
+Patch2:     CVE-2019-7636.patch
+Patch3:     CVE-2019-7635_1.patch
+Patch4:     CVE-2019-7635_2.patch
+Patch5:     CVE-2019-7573_CVE-2019-7576.patch
+Patch6:     CVE-2019-7578.patch
+Patch7:     CVE-2019-7577.patch
+Patch8:     SDL-1.2.10-GrabNotViewable.patch
+Patch9:     SDL-1.2.15-const_XData32.patch
+Patch10:    SDL-1.2.15-ignore_insane_joystick_axis.patch
+Patch11:    SDL-1.2.15-no-default-backing-store.patch
+Patch12:    SDL-1.2.15-SDL_EnableUNICODE_drops_keyboard_events.patch
+Patch13:    SDL-1.2.15-vec_perm-ppc64le.patch
+Patch14:    CVE-2019-13616.patch
 
 BuildRequires:  git alsa-lib-devel gdb-headless libtool
 
@@ -97,6 +103,12 @@ rm -f %{buildroot}%{_libdir}/*.la
 %{_mandir}/man3/SDL*.3*
 
 %changelog
+* Wed Mar 18 2020 openEuler Buildteam <buildteam@openeuler.org> - 1.2.15-35
+- Type:CVE
+- ID:NA
+- SUG:NA
+- DESC:Fix CVE-2019-13616
+
 * Thu Jan 16 2020 shijian <shijian16@huawei.com> - 1.2.15-35
 - Modify Spec