!19 Fix CVE-2020-14409 CVE-2020-14410

From: @starlet-dx Reviewed-by: @small_leek Signed-off-by: @small_leek
2022-04-12 11:14:50 +00:00 · 2022-04-12 11:14:50 +00:00 · 611ce9c248
commit 611ce9c248
parent 35e54e1186 98554f7772
2 changed files with 79 additions and 1 deletions
--- a/CVE-2020-14409_CVE-2020-14410.patch
+++ b/CVE-2020-14409_CVE-2020-14410.patch
@ -0,0 +1,73 @@
 From a7ff6e96155f550a5597621ebeddd03c98aa9294 Mon Sep 17 00:00:00 2001
 From: Sam Lantinga <slouken@libsdl.org>
 Date: Wed, 17 Jun 2020 08:44:45 -0700
 Subject: [PATCH] Fixed overflow in surface pitch calculation
 ---
 src/video/SDL_surface.c | 23 +++++++++++++++--------
 1 file changed, 15 insertions(+), 8 deletions(-)
 diff --git a/src/video/SDL_surface.c b/src/video/SDL_surface.c
 index 085d9ff1e17..bff826f7cc6 100644
 --- a/src/video/SDL_surface.c
 +++ b/src/video/SDL_surface.c
@@ -28,24 +28,23 @@
 #include "SDL_yuv_c.h"
 -/* Check to make sure we can safely check multiplication of surface w and pitch and it won't overflow size_t */
 -SDL_COMPILE_TIME_ASSERT(surface_size_assumptions,
 -    sizeof(int) == sizeof(Sint32) && sizeof(size_t) >= sizeof(Sint32));
 +/* Check to make sure we can safely check multiplication of surface w and pitch and it won't overflow Sint64 */
 +SDL_COMPILE_TIME_ASSERT(surface_size_assumptions, sizeof(int) == sizeof(Sint32));
 /* Public routines */
 /*
  * Calculate the pad-aligned scanline width of a surface
  */
 -static int
 +static Sint64
 SDL_CalculatePitch(Uint32 format, int width)
 {
 -    int pitch;
 +    Sint64 pitch;
     if (SDL_ISPIXELFORMAT_FOURCC(format) || SDL_BITSPERPIXEL(format) >= 8) {
 -        pitch = (width * SDL_BYTESPERPIXEL(format));
 +        pitch = ((Sint64)width * SDL_BYTESPERPIXEL(format));
     } else {
 -        pitch = ((width * SDL_BITSPERPIXEL(format)) + 7) / 8;
 +        pitch = (((Sint64)width * SDL_BITSPERPIXEL(format)) + 7) / 8;
     }
     pitch = (pitch + 3) & ~3;   /* 4-byte aligning for speed */
     return pitch;
@@ -59,11 +58,19 @@ SDL_Surface *
 SDL_CreateRGBSurfaceWithFormat(Uint32 flags, int width, int height, int depth,
                                Uint32 format)
 {
 +    Sint64 pitch;
     SDL_Surface *surface;
     /* The flags are no longer used, make the compiler happy */
     (void)flags;
 +    pitch = SDL_CalculatePitch(format, width);
 +    if (pitch < 0 || pitch > SDL_MAX_SINT32) {
 +        /* Overflow... */
 +        SDL_OutOfMemory();
 +        return NULL;
 +    }
 +
     /* Allocate the surface */
     surface = (SDL_Surface *) SDL_calloc(1, sizeof(*surface));
     if (surface == NULL) {
@@ -78,7 +85,7 @@ SDL_CreateRGBSurfaceWithFormat(Uint32 flags, int width, int height, int depth,
     }
     surface->w = width;
     surface->h = height;
 -    surface->pitch = SDL_CalculatePitch(format, width);
 +    surface->pitch = (int)pitch;
     SDL_SetClipRect(surface, NULL);
     if (SDL_ISPIXELFORMAT_INDEXED(surface->format->format)) {
--- a/SDL2.spec
+++ b/SDL2.spec
@ -1,6 +1,6 @@
 Name:           SDL2
 Version:        2.0.12
-Release:        3
+Release:        4
 Summary:        Cross-platform multimedia library
 License:        zlib and MIT
 URL:            http://www.libsdl.org/
@ -9,6 +9,8 @@ Source1:        SDL_config.h
 Patch0000:      multilib.patch
 Patch0001:      SDL2-2.0.9-khrplatform.patch
 Patch0002:	Fix-build-against-wayland-1.20.patch
 #https://github.com/libsdl-org/SDL/commit/a7ff6e96155f550a5597621ebeddd03c98aa9294
 Patch0003:      CVE-2020-14409_CVE-2020-14410.patch
 Patch6000:      backport-CVE-2021-33657.patch
 BuildRequires:  alsa-lib-devel audiofile-devel mesa-libGL-devel
@ -91,6 +93,9 @@ rm -vf %{buildroot}%{_libdir}/*.la
 %{_libdir}/lib*.a
 %changelog
 * Mon Apr 11 2022 yaoxin <yaoxin30@h-partners.com> - 2.0.12-4
 - Fix CVE-2020-14409 CVE-2020-14410
 * Tue Mar 15 2022 yuanxin <yuanxin24@h-partners.com> - 2.0.12-3
 - Type:CVE
 - ID:NA