From 77058ce592c6dbb14aaf8b58eaa78c4b5ad89109 Mon Sep 17 00:00:00 2001
From: xinyingchao <yuanxin24@h-partners.com>
Date: Tue, 15 Mar 2022 17:33:22 +0800
Subject: [PATCH] Fix CVE-2021-33657

(cherry picked from commit d8f524d4a650dff8b9ea6cc084973d39795d99cc)
---
 SDL2.spec                     |  9 ++++++++-
 backport-CVE-2021-33657.patch | 33 +++++++++++++++++++++++++++++++++
 2 files changed, 41 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2021-33657.patch

diff --git a/SDL2.spec b/SDL2.spec
index f9df0d7..518f8cf 100644
--- a/SDL2.spec
+++ b/SDL2.spec
@@ -1,6 +1,6 @@
 Name:           SDL2
 Version:        2.0.12
-Release:        2
+Release:        3
 Summary:        Cross-platform multimedia library
 License:        zlib and MIT
 URL:            http://www.libsdl.org/
@@ -9,6 +9,7 @@ Source1:        SDL_config.h
 Patch0000:      multilib.patch
 Patch0001:      SDL2-2.0.9-khrplatform.patch
 Patch0002:	Fix-build-against-wayland-1.20.patch
+Patch6000:      backport-CVE-2021-33657.patch
 
 BuildRequires:  alsa-lib-devel audiofile-devel mesa-libGL-devel
 BuildRequires:  mesa-libGLU-devel mesa-libEGL-devel libglvnd-devel
@@ -90,6 +91,12 @@ rm -vf %{buildroot}%{_libdir}/*.la
 %{_libdir}/lib*.a
 
 %changelog
+* Tue Mar 15 2022 yuanxin <yuanxin24@h-partners.com> - 2.0.12-3
+- Type:CVE
+- ID:NA
+- SUG:NA
+- DESC:Fix CVE-2021-33657
+
 * Sat Jan 8 2022 zhouwenpei <zhouwenpei1@huawei.com> - 2.0.12-2
 - Fix build against wayland
 
diff --git a/backport-CVE-2021-33657.patch b/backport-CVE-2021-33657.patch
new file mode 100644
index 0000000..31c0c52
--- /dev/null
+++ b/backport-CVE-2021-33657.patch
@@ -0,0 +1,33 @@
+From 8c91cf7dba5193f5ce12d06db1336515851c9ee9 Mon Sep 17 00:00:00 2001
+From: Sam Lantinga <slouken@libsdl.org>
+Date: Tue, 30 Nov 2021 12:36:46 -0800
+Subject: [PATCH] Always create a full 256-entry map in case color values are
+ out of range
+
+Fixes https://github.com/libsdl-org/SDL/issues/5042
+---
+ src/video/SDL_pixels.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/video/SDL_pixels.c b/src/video/SDL_pixels.c
+index ac04533c5d5..9bb02f771d0 100644
+--- a/src/video/SDL_pixels.c
++++ b/src/video/SDL_pixels.c
+@@ -947,7 +947,7 @@ Map1to1(SDL_Palette * src, SDL_Palette * dst, int *identical)
+         }
+         *identical = 0;
+     }
+-    map = (Uint8 *) SDL_malloc(src->ncolors);
++    map = (Uint8 *) SDL_calloc(256, sizeof(Uint8));
+     if (map == NULL) {
+         SDL_OutOfMemory();
+         return (NULL);
+@@ -971,7 +971,7 @@ Map1toN(SDL_PixelFormat * src, Uint8 Rmod, Uint8 Gmod, Uint8 Bmod, Uint8 Amod,
+     SDL_Palette *pal = src->palette;
+ 
+     bpp = ((dst->BytesPerPixel == 3) ? 4 : dst->BytesPerPixel);
+-    map = (Uint8 *) SDL_malloc(pal->ncolors * bpp);
++    map = (Uint8 *) SDL_calloc(256, bpp);
+     if (map == NULL) {
+         SDL_OutOfMemory();
+         return (NULL);