From 98554f7772187d9153060341a9d8c2fb1be93147 Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Mon, 11 Apr 2022 18:06:18 +0800
Subject: [PATCH] Fix CVE-2020-14409 CVE-2020-14410
---
 CVE-2020-14409_CVE-2020-14410.patch | 73 +++++++++++++++++++++++++++++
 SDL2.spec | 7 ++-
 2 files changed, 79 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2020-14409_CVE-2020-14410.patch
diff --git a/CVE-2020-14409_CVE-2020-14410.patch b/CVE-2020-14409_CVE-2020-14410.patch
new file mode 100644
index 0000000..4c9b59d
--- /dev/null
+++ b/CVE-2020-14409_CVE-2020-14410.patch
@@ -0,0 +1,73 @@
+From a7ff6e96155f550a5597621ebeddd03c98aa9294 Mon Sep 17 00:00:00 2001
+From: Sam Lantinga
+Date: Wed, 17 Jun 2020 08:44:45 -0700
+Subject: [PATCH] Fixed overflow in surface pitch calculation
+
+---
+ src/video/SDL_surface.c | 23 +++++++++++++++--------
+ 1 file changed, 15 insertions(+), 8 deletions(-)
+
+diff --git a/src/video/SDL_surface.c b/src/video/SDL_surface.c
+index 085d9ff1e17..bff826f7cc6 100644
+--- a/src/video/SDL_surface.c
++++ b/src/video/SDL_surface.c
+@@ -28,24 +28,23 @@
+ #include "SDL_yuv_c.h"
+
+
+-/* Check to make sure we can safely check multiplication of surface w and pitch and it won't overflow size_t */
+-SDL_COMPILE_TIME_ASSERT(surface_size_assumptions,
+- sizeof(int) == sizeof(Sint32) && sizeof(size_t) >= sizeof(Sint32));
++/* Check to make sure we can safely check multiplication of surface w and pitch and it won't overflow Sint64 */
++SDL_COMPILE_TIME_ASSERT(surface_size_assumptions, sizeof(int) == sizeof(Sint32));
+
+ /* Public routines */
+
+ /*
+ * Calculate the pad-aligned scanline width of a surface
+ */
+-static int
++static Sint64
+ SDL_CalculatePitch(Uint32 format, int width)
+ {
+- int pitch;
++ Sint64 pitch;
+
+ if (SDL_ISPIXELFORMAT_FOURCC(format) || SDL_BITSPERPIXEL(format) >= 8) {
+- pitch = (width * SDL_BYTESPERPIXEL(format));
++ pitch = ((Sint64)width * SDL_BYTESPERPIXEL(format));
+ } else {
+- pitch = ((width * SDL_BITSPERPIXEL(format)) + 7) / 8;
++ pitch = (((Sint64)width * SDL_BITSPERPIXEL(format)) + 7) / 8;
+ }
+ pitch = (pitch + 3) & ~3; /* 4-byte aligning for speed */
+ return pitch;
+@@ -59,11 +58,19 @@ SDL_Surface *
+ SDL_CreateRGBSurfaceWithFormat(Uint32 flags, int width, int height, int depth,
+ Uint32 format)
+ {
++ Sint64 pitch;
+ SDL_Surface *surface;
+
+ /* The flags are no longer used, make the compiler happy */
+ (void)flags;
+
++ pitch = SDL_CalculatePitch(format, width);
++ if (pitch < 0 || pitch > SDL_MAX_SINT32) {
++ /* Overflow... */
++ SDL_OutOfMemory();
++ return NULL;
++ }
++
+ /* Allocate the surface */
+ surface = (SDL_Surface *) SDL_calloc(1, sizeof(*surface));
+ if (surface == NULL) {
+@@ -78,7 +85,7 @@ SDL_CreateRGBSurfaceWithFormat(Uint32 flags, int width, int height, int depth,
+ }
+ surface->w = width;
+ surface->h = height;
+- surface->pitch = SDL_CalculatePitch(format, width);
++ surface->pitch = (int)pitch;
+ SDL_SetClipRect(surface, NULL);
+
+ if (SDL_ISPIXELFORMAT_INDEXED(surface->format->format)) {
diff --git a/SDL2.spec b/SDL2.spec
index 518f8cf..652a269 100644
--- a/SDL2.spec
+++ b/SDL2.spec
@@ -1,6 +1,6 @@
 Name: SDL2
 Version: 2.0.12
-Release: 3
+Release: 4
 Summary: Cross-platform multimedia library
 License: zlib and MIT
 URL: http://www.libsdl.org/
@@ -9,6 +9,8 @@ Source1: SDL_config.h Patch0000: multilib.patch Patch0001: SDL2-2.0.9-khrplatform.patch Patch0002: Fix-build-against-wayland-1.20.patch
+#https://github.com/libsdl-org/SDL/commit/a7ff6e96155f550a5597621ebeddd03c98aa9294
+Patch0003: CVE-2020-14409_CVE-2020-14410.patch
 Patch6000: backport-CVE-2021-33657.patch BuildRequires: alsa-lib-devel audiofile-devel mesa-libGL-devel
@@ -91,6 +93,9 @@ rm -vf %{buildroot}%{_libdir}/*.la %{_libdir}/lib*.a %changelog
+* Mon Apr 11 2022 yaoxin - 2.0.12-4
+- Fix CVE-2020-14409 CVE-2020-14410
+
 * Tue Mar 15 2022 yuanxin - 2.0.12-3 - Type:CVE - ID:NA
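Review bot: The guard added at the top of SDL_CreateRGBSurfaceWithFormat (`pitch < 0 || pitch > SDL_MAX_SINT32`) bounds only the row pitch. The pixel-buffer size, which depends on height times pitch, is computed after the last visible hunk, so it should be confirmed that it is also evaluated in 64 bits and range-checked before the allocation. SDL_CalculatePitch now returns Sint64, and only this one call site is shown; any other caller in SDL_surface.c that still stores the result in an `int` would truncate silently and needs the same check. The rejection path reports `SDL_OutOfMemory()` for what is really an out-of-range width, so the `/* Overflow... */` comment would be clearer as `/* pitch does not fit surface->pitch (int): width is negative or too large for this format */`.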