fix CVE-2019-13616

CVE-2019-13616.patch

@@ -0,0 +1,23 @@
+# HG changeset patch
+# User Sam Lantinga <slouken@libsdl.org>
+# Date 1564509600 25200
+# Node ID e7ba650a643ad88dd8545511a18af1c9dcdfa2da
+# Parent  b810b78d32cc41a2384d0f14746ae889d443ffa7
+Fixed bug 4538 - validate image size when loading BMP files
+
+diff -r b810b78d32cc -r e7ba650a643a src/video/SDL_bmp.c
+--- a/src/video/SDL_bmp.c	Thu Jul 25 08:05:13 2019 -0500
++++ b/src/video/SDL_bmp.c	Tue Jul 30 11:00:00 2019 -0700
+@@ -226,6 +226,11 @@
+             SDL_RWseek(src, (biSize - headerSize), RW_SEEK_CUR);
+         }
+     }
++    if (biWidth <= 0 || biHeight == 0) {
++        SDL_SetError("BMP file with bad dimensions (%dx%d)", biWidth, biHeight);
++        was_error = SDL_TRUE;
++        goto done;
++    }
+     if (biHeight < 0) {
+         topDown = SDL_TRUE;
+         biHeight = -biHeight;
+

SDL2.spec

@@ -1,6 +1,6 @@
 Name:           SDL2
 Version:        2.0.8
-Release:        8
+Release:        9
 Summary:        Cross-platform multimedia library
 License:        zlib and MIT
 URL:            http://www.libsdl.org/
@@ -8,6 +8,7 @@ Source0:        http://www.libsdl.org/release/%{name}-%{version}.tar.gz
 Source1:        SDL_config.h
 Patch0000:      multilib.patch
 Patch0001:      dynapi.patch
+Patch0002:      CVE-2019-13616.patch
 BuildRequires:  alsa-lib-devel audiofile-devel mesa-libGL-devel
 BuildRequires:  mesa-libGLU-devel mesa-libEGL-devel mesa-libGLES-devel
 BuildRequires:  libXext-devel libX11-devel libXi-devel libXrandr-devel
@@ -75,6 +76,12 @@ install -pm 0644 %{SOURCE1} %{buildroot}%{_includedir}/SDL2/SDL_config.h
 %{_datadir}/aclocal/*
 
 %changelog
+* Wed Mar 18 2020 openEuler Buildteam <buildteam@openeuler.org> - 2.0.8-8
+- Type:CVE
+- ID:NA
+- SUG:NA
+- DESC:Fix CVE-2019-13616
+
 * Mon Feb 24 2020 yuxiangyang <yuxiangyang4@huawei.com> - 2.0.8-8
 - Delete buildrequires for jack-audio-connection-kit