diff -Nru libsdl1.2-1.2.15+dfsg1/debian/changelog libsdl1.2-1.2.15+dfsg1/debian/changelog
--- libsdl1.2-1.2.15+dfsg1/debian/changelog 2016-03-12 00:36:50.000000000 +0000
+++ libsdl1.2-1.2.15+dfsg1/debian/changelog 2019-10-15 13:59:59.000000000 +0000
@@ -1,3 +1,14 @@
+libsdl1.2 (1.2.15+dfsg1-3ubuntu0.1) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: Multiple security issues
+ - debian/patches/*.patch: sync security patches with 1.2.15+dfsg2-5
+ package. Thanks to Abhijith PA and Felix Geyer.
+ - CVE-2019-7572, CVE-2019-7573, CVE-2019-7574, CVE-2019-7575,
+ CVE-2019-7576, CVE-2019-7577, CVE-2019-7578, CVE-2019-7635,
+ CVE-2019-7636, CVE-2019-7637, CVE-2019-7638, CVE-2019-13616.
+
+ -- Marc Deslauriers Tue, 15 Oct 2019 09:59:59 -0400
+
 libsdl1.2 (1.2.15+dfsg1-3) unstable; urgency=medium
 * Disable suppot for DirectFB (Closes: #816125)
diff -Nru libsdl1.2-1.2.15+dfsg1/debian/control libsdl1.2-1.2.15+dfsg1/debian/control
--- libsdl1.2-1.2.15+dfsg1/debian/control 2016-03-12 00:28:17.000000000 +0000
+++ libsdl1.2-1.2.15+dfsg1/debian/control 2019-10-15 14:00:11.000000000 +0000
@@ -1,7 +1,8 @@
 Source: libsdl1.2
 Priority: optional
 Section: libs
-Maintainer: Debian SDL packages maintainers
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Debian SDL packages maintainers
 Uploaders: Felix Geyer , Manuel A. Fernandez Montecelo
 Standards-Version: 3.9.7
diff -Nru libsdl1.2-1.2.15+dfsg1/debian/patches/CVE-2019-13616.patch libsdl1.2-1.2.15+dfsg1/debian/patches/CVE-2019-13616.patch
--- libsdl1.2-1.2.15+dfsg1/debian/patches/CVE-2019-13616.patch 1970-01-01 00:00:00.000000000 +0000
+++ libsdl1.2-1.2.15+dfsg1/debian/patches/CVE-2019-13616.patch 2019-08-14 16:40:48.000000000 +0000
@@ -0,0 +1,22 @@
+# HG changeset patch
+# User Ozkan Sezer
+# Date 1564511424 -10800
+# Node ID ad1bbfbca760cbf5bf8131580b24637e5e7d9411
+# Parent 87d60cae0273307b2721685daf3265de5dfda634
+Fixed bug 4538 - validate image size when loading BMP files
+
+diff -r 87d60cae0273 -r ad1bbfbca760 src/video/SDL_bmp.c
+--- a/src/video/SDL_bmp.c Tue Jun 18 23:31:40 2019 +0100
++++ b/src/video/SDL_bmp.c Tue Jul 30 21:30:24 2019 +0300
+@@ -143,6 +143,11 @@
+ (void) biYPelsPerMeter;
+ (void) biClrImportant;
+
++ if (biWidth <= 0 || biHeight == 0) {
++ SDL_SetError("BMP file with bad dimensions (%dx%d)", biWidth, biHeight);
++ was_error = SDL_TRUE;
++ goto done;
++ }
+ if (biHeight < 0) {
+ topDown = SDL_TRUE;
+ biHeight = -biHeight;
diff -Nru libsdl1.2-1.2.15+dfsg1/debian/patches/CVE-2019-7572_CVE-2019-7574.patch libsdl1.2-1.2.15+dfsg1/debian/patches/CVE-2019-7572_CVE-2019-7574.patch
--- libsdl1.2-1.2.15+dfsg1/debian/patches/CVE-2019-7572_CVE-2019-7574.patch 1970-01-01 00:00:00.000000000 +0000
+++ libsdl1.2-1.2.15+dfsg1/debian/patches/CVE-2019-7572_CVE-2019-7574.patch 2019-08-14 16:40:48.000000000 +0000
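Review bot: The new guard rejects `biWidth <= 0` and `biHeight == 0` but still lets the one negative height whose negation is unrepresentable through to `biHeight = -biHeight;` two lines below; if biHeight is a signed 32-bit value (as the `%d` format suggests), negating the minimum value is undefined behaviour and on common targets leaves the height negative after the top-down conversion. Rejecting that value alongside zero closes the gap, e.g. `if (biWidth <= 0 || biHeight == 0 || biHeight < -0x7FFFFFFF) {`. A comment such as `/* width must be positive, height non-zero and negatable (top-down BMPs store -height) */` above the check would record why both halves are needed. The enclosing SDL_LoadBMP_RW body begins and ends outside the hunk.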
@@ -0,0 +1,105 @@ +Description: CVE-2019-7572, CVE-2019-7574 + CVE-2019-7572: a buffer over-read in IMA_ADPCM_nibble in audio/SDL_wave.c. + CVE-2019-7574: a heap-based buffer over-read in IMA_ADPCM_decode in audio/SDL_wave.c. + +--- +Author: Abhijith PA +Origin: https://bugzilla-attachments.libsdl.org/attachment.cgi?id=3610 + https://bugzilla.libsdl.org/attachment.cgi?id=3612 + https://bugzilla.libsdl.org/attachment.cgi?id=3618 +Bug: https://bugzilla.libsdl.org/show_bug.cgi?id=4496 + https://bugzilla.libsdl.org/show_bug.cgi?id=4495 +Last-Update: <2018-03-05> + +Index: libsdl1.2-1.2.15/src/audio/SDL_wave.c +=================================================================== +--- libsdl1.2-1.2.15.orig/src/audio/SDL_wave.c ++++ libsdl1.2-1.2.15/src/audio/SDL_wave.c +@@ -264,6 +264,14 @@ static Sint32 IMA_ADPCM_nibble(struct IM + }; + Sint32 delta, step; + ++ /* Clamp index value. The inital value can be invalid. */ ++ if ( state->index > 88 ) { ++ state->index = 88; ++ } else ++ if ( state->index < 0 ) { ++ state->index = 0; ++ } ++ + /* Compute difference and new sample value */ + step = step_table[state->index]; + delta = step >> 3; +@@ -275,12 +283,6 @@ static Sint32 IMA_ADPCM_nibble(struct IM + + /* Update index value */ + state->index += index_table[nybble]; +- if ( state->index > 88 ) { +- state->index = 88; +- } else +- if ( state->index < 0 ) { +- state->index = 0; +- } + + /* Clamp output sample */ + if ( state->sample > max_audioval ) { +@@ -323,7 +325,7 @@ static void Fill_IMA_ADPCM_block(Uint8 * + static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + { + struct IMA_ADPCM_decodestate *state; +- Uint8 *freeable, *encoded, *decoded; ++ Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end; + Sint32 encoded_len, samplesleft; + unsigned int c, channels; + +@@ -339,6 +341,7 @@ static int IMA_ADPCM_decode(Uint8 **audi + /* Allocate the proper sized output buffer */ + encoded_len = *audio_len; + encoded = *audio_buf; ++ encoded_end = 
encoded + encoded_len; + freeable = *audio_buf; + *audio_len = (encoded_len/IMA_ADPCM_state.wavefmt.blockalign) * + IMA_ADPCM_state.wSamplesPerBlock* +@@ -349,11 +352,13 @@ static int IMA_ADPCM_decode(Uint8 **audi + return(-1); + } + decoded = *audio_buf; ++ decoded_end = decoded + *audio_len; + + /* Get ready... Go! */ + while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) { + /* Grab the initial information for this block */ + for ( c=0; c encoded_end) goto invalid_size; + /* Fill the state information for this block */ + state[c].sample = ((encoded[1]<<8)|encoded[0]); + encoded += 2; +@@ -367,6 +372,7 @@ static int IMA_ADPCM_decode(Uint8 **audi + } + + /* Store the initial sample we start with */ ++ if (decoded + 2 > decoded_end) goto invalid_size; + decoded[0] = (Uint8)(state[c].sample&0xFF); + decoded[1] = (Uint8)(state[c].sample>>8); + decoded += 2; +@@ -376,6 +382,9 @@ static int IMA_ADPCM_decode(Uint8 **audi + samplesleft = (IMA_ADPCM_state.wSamplesPerBlock-1)*channels; + while ( samplesleft > 0 ) { + for ( c=0; c encoded_end) goto invalid_size; ++ if (decoded + 4 * 4 * channels > decoded_end) ++ goto invalid_size; + Fill_IMA_ADPCM_block(decoded, encoded, + c, channels, &state[c]); + encoded += 4; +@@ -387,6 +396,10 @@ static int IMA_ADPCM_decode(Uint8 **audi + } + SDL_free(freeable); + return(0); ++ invalid_size: ++ SDL_SetError("Unexpected chunk length for an IMA ADPCM decoder"); ++ SDL_free(freeable); ++ return(-1); + } + + SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc, diff -Nru libsdl1.2-1.2.15+dfsg1/debian/patches/CVE-2019-7573.patch libsdl1.2-1.2.15+dfsg1/debian/patches/CVE-2019-7573.patch --- libsdl1.2-1.2.15+dfsg1/debian/patches/CVE-2019-7573.patch 1970-01-01 00:00:00.000000000 +0000 +++ libsdl1.2-1.2.15+dfsg1/debian/patches/CVE-2019-7573.patch 2019-08-14 16:40:48.000000000 +0000 
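Review bot: The added bounds checks are written as `encoded + 4 > encoded_end` (top of the per-channel header loop), `decoded + 2 > decoded_end` and `decoded + 4 * 4 * channels > decoded_end`, which first form a pointer that may lie beyond the end of the buffer and only then compare it; that arithmetic is undefined in C and a compiler may fold such a comparison away, so the test should be on the remaining length instead, e.g. `if (encoded_end - encoded < 4) goto invalid_size;` and `if (decoded_end - decoded < 2) goto invalid_size;`. The same form appears in the MS_ADPCM_decode hunk (CVE-2019-7575_7577.patch) and in the `rogue_feel + N > rogue_feel_end` checks of InitMS_ADPCM (CVE-2019-7573.patch) and InitIMA_ADPCM (CVE-2019-7578.patch), and should be changed together. `decoded_end = decoded + *audio_len` also relies on the Uint32 product `(encoded_len/blockalign) * wSamplesPerBlock * ...` assigned to `*audio_len` just above; if that product wraps the output buffer is small, and the fact that the new checks then refuse to write past it rather than overflow is worth a one-line comment at that assignment. IMA_ADPCM_decode's declarations and the end of its `while ( samplesleft > 0 )` loop lie outside the hunk.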
@@ -0,0 +1,66 @@ +Description: CVE-2019-7573 + a heap-based buffer over-read in InitMS_ADPCM in audio/SDL_wave.c (inside the + wNumCoef loop). + +--- +Author: Abhijith PA +Origin: https://bugzilla.libsdl.org/attachment.cgi?id=3620 +Bug: https://bugzilla.libsdl.org/show_bug.cgi?id=4491 +Last-Update: 2019-03-05 + +--- libsdl1.2-1.2.15.orig/src/audio/SDL_wave.c ++++ libsdl1.2-1.2.15/src/audio/SDL_wave.c +@@ -44,12 +44,13 @@ static struct MS_ADPCM_decoder { + struct MS_ADPCM_decodestate state[2]; + } MS_ADPCM_state; + +-static int InitMS_ADPCM(WaveFMT *format) ++static int InitMS_ADPCM(WaveFMT *format, int length) + { +- Uint8 *rogue_feel; ++ Uint8 *rogue_feel, *rogue_feel_end; + int i; + + /* Set the rogue pointer to the MS_ADPCM specific data */ ++ if (length < sizeof(*format)) goto too_short; + MS_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding); + MS_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels); + MS_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency); +@@ -58,9 +59,11 @@ static int InitMS_ADPCM(WaveFMT *format) + MS_ADPCM_state.wavefmt.bitspersample = + SDL_SwapLE16(format->bitspersample); + rogue_feel = (Uint8 *)format+sizeof(*format); ++ rogue_feel_end = (Uint8 *)format + length; + if ( sizeof(*format) == 16 ) { + rogue_feel += sizeof(Uint16); + } ++ if (rogue_feel + 4 > rogue_feel_end) goto too_short; + MS_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1]<<8)|rogue_feel[0]); + rogue_feel += sizeof(Uint16); + MS_ADPCM_state.wNumCoef = ((rogue_feel[1]<<8)|rogue_feel[0]); +@@ -70,12 +73,16 @@ static int InitMS_ADPCM(WaveFMT *format) + return(-1); + } + for ( i=0; i rogue_feel_end) goto too_short; + MS_ADPCM_state.aCoeff[i][0] = ((rogue_feel[1]<<8)|rogue_feel[0]); + rogue_feel += sizeof(Uint16); + MS_ADPCM_state.aCoeff[i][1] = ((rogue_feel[1]<<8)|rogue_feel[0]); + rogue_feel += sizeof(Uint16); + } + return(0); ++too_short: ++ SDL_SetError("Unexpected length of a chunk with a MS ADPCM format"); ++ return(-1); + } + + static 
Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state, +@@ -474,7 +481,7 @@ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWop + break; + case MS_ADPCM_CODE: + /* Try to understand this */ +- if ( InitMS_ADPCM(format) < 0 ) { ++ if ( InitMS_ADPCM(format, lenread) < 0 ) { + was_error = 1; + goto done; + } diff -Nru libsdl1.2-1.2.15+dfsg1/debian/patches/CVE-2019-7575_7577.patch libsdl1.2-1.2.15+dfsg1/debian/patches/CVE-2019-7575_7577.patch --- libsdl1.2-1.2.15+dfsg1/debian/patches/CVE-2019-7575_7577.patch 1970-01-01 00:00:00.000000000 +0000 +++ libsdl1.2-1.2.15+dfsg1/debian/patches/CVE-2019-7575_7577.patch 2019-08-14 16:40:48.000000000 +0000 
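Review bot: `if (length < sizeof(*format)) goto too_short;` compares the new `int length` parameter with a `size_t`, so a negative `length` is converted to a large unsigned value and passes this check; the chunk is then rejected only incidentally, by the later `rogue_feel + 4 > rogue_feel_end` test, after `rogue_feel_end = (Uint8 *)format + length` has been computed as a pointer before the buffer. Whether `lenread` at the call site `InitMS_ADPCM(format, lenread)` can be negative is not visible in this hunk, so guard it here: `if (length < 0 || (size_t)length < sizeof(*format)) goto too_short;`. The identical pattern is introduced for InitIMA_ADPCM in CVE-2019-7578.patch and should get the same fix. The bound of the coefficient loop is not fully legible here; assuming the existing `wNumCoef` rejection (only its `return(-1);` is visible just before the loop) is unchanged, a comment such as `/* wNumCoef was validated against the aCoeff table size above */` on the loop would make that dependency explicit.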
@@ -0,0 +1,78 @@ +Description: CVE-2019-7575, CVE-2019-7577 + CVE-2019-7575 +a heap-based buffer overflow in MS_ADPCM_decode in audio/SDL_wave.c. + CVE-2019-7577 +a buffer over-read in SDL_LoadWAV_RW in audio/SDL_wave.c. + +--- +Author: Abhijith PA +Origin: https://bugzilla.libsdl.org/attachment.cgi?id=3609 + https://bugzilla.libsdl.org/attachment.cgi?id=3608 +Bug: https://bugzilla.libsdl.org/show_bug.cgi?id=4493 + https://bugzilla.libsdl.org/show_bug.cgi?id=4492 +Last-Update: 2019-03-05 + +--- libsdl1.2-1.2.15.orig/src/audio/SDL_wave.c ++++ libsdl1.2-1.2.15/src/audio/SDL_wave.c +@@ -122,7 +122,7 @@ static Sint32 MS_ADPCM_nibble(struct MS_ + static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + { + struct MS_ADPCM_decodestate *state[2]; +- Uint8 *freeable, *encoded, *decoded; ++ Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end; + Sint32 encoded_len, samplesleft; + Sint8 nybble, stereo; + Sint16 *coeff[2]; +@@ -131,6 +131,7 @@ static int MS_ADPCM_decode(Uint8 **audio + /* Allocate the proper sized output buffer */ + encoded_len = *audio_len; + encoded = *audio_buf; ++ encoded_end = encoded + encoded_len; + freeable = *audio_buf; + *audio_len = (encoded_len/MS_ADPCM_state.wavefmt.blockalign) * + MS_ADPCM_state.wSamplesPerBlock* +@@ -141,6 +142,7 @@ static int MS_ADPCM_decode(Uint8 **audio + return(-1); + } + decoded = *audio_buf; ++ decoded_end = decoded + *audio_len; + + /* Get ready... Go! */ + stereo = (MS_ADPCM_state.wavefmt.channels == 2); +@@ -148,6 +150,7 @@ static int MS_ADPCM_decode(Uint8 **audio + state[1] = &MS_ADPCM_state.state[stereo]; + while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) { + /* Grab the initial information for this block */ ++ if (encoded + 7 + (stereo ? 
7 : 0) > encoded_end) goto invalid_size; + state[0]->hPredictor = *encoded++; + if ( stereo ) { + state[1]->hPredictor = *encoded++; +@@ -174,6 +177,7 @@ static int MS_ADPCM_decode(Uint8 **audio + coeff[1] = MS_ADPCM_state.aCoeff[state[1]->hPredictor]; + + /* Store the two initial samples we start with */ ++ if (decoded + 4 + (stereo ? 4 : 0) > decoded_end) goto invalid_size; + decoded[0] = state[0]->iSamp2&0xFF; + decoded[1] = state[0]->iSamp2>>8; + decoded += 2; +@@ -195,6 +199,9 @@ static int MS_ADPCM_decode(Uint8 **audio + samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)* + MS_ADPCM_state.wavefmt.channels; + while ( samplesleft > 0 ) { ++ if (encoded + 1 > encoded_end) goto invalid_size; ++ if (decoded + 4 > decoded_end) goto invalid_size; ++ + nybble = (*encoded)>>4; + new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]); + decoded[0] = new_sample&0xFF; +@@ -216,6 +223,10 @@ static int MS_ADPCM_decode(Uint8 **audio + } + SDL_free(freeable); + return(0); ++invalid_size: ++ SDL_SetError("Unexpected chunk length for a MS ADPCM decoder"); ++ SDL_free(freeable); ++ return(-1); + } + + struct IMA_ADPCM_decodestate { diff -Nru libsdl1.2-1.2.15+dfsg1/debian/patches/CVE-2019-7577-1_2.patch libsdl1.2-1.2.15+dfsg1/debian/patches/CVE-2019-7577-1_2.patch --- libsdl1.2-1.2.15+dfsg1/debian/patches/CVE-2019-7577-1_2.patch 1970-01-01 00:00:00.000000000 +0000 +++ libsdl1.2-1.2.15+dfsg1/debian/patches/CVE-2019-7577-1_2.patch 2019-08-14 16:40:48.000000000 +0000 
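Review bot: The new `invalid_size:` exit frees `freeable` (the input buffer) but leaves the freshly allocated output buffer in `*audio_buf` and its size in `*audio_len`, so on a truncated chunk the caller receives -1 together with a live allocation it did not ask for; unless SDL_LoadWAV_RW's `done:` path releases `*audio_buf` on error (not visible here) that is a leak per malformed file, and the pre-existing `return(-1);` just above `decoded = *audio_buf;`, if it is the allocation-failure path, has the mirror problem of dropping `freeable`. Releasing both and nulling the out-pointer, `SDL_free(*audio_buf); *audio_buf = NULL; *audio_len = 0;` before `SDL_free(freeable); return(-1);`, leaves the caller in a consistent state whichever cleanup it performs. The `invalid_size:` label added to IMA_ADPCM_decode in CVE-2019-7572_CVE-2019-7574.patch has the same shape. The allocation of `*audio_buf` and the function's declarations are outside this hunk.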
@@ -0,0 +1,32 @@
+Description: CVE-2019-7577
+ a buffer over-read in SDL_LoadWAV_RW in audio/SDL_wave.c.
+
+---
+Author: Abhijith PA
+Origin: https://bugzilla.libsdl.org/attachment.cgi?id=3694
+Bug: https://bugzilla.libsdl.org/show_bug.cgi?id=4492
+Last-Update: 2019-03-13
+
+--- libsdl1.2-1.2.15.orig/src/audio/SDL_wave.c
++++ libsdl1.2-1.2.15/src/audio/SDL_wave.c
+@@ -155,6 +155,9 @@ static int MS_ADPCM_decode(Uint8 **audio
+ if ( stereo ) {
+ state[1]->hPredictor = *encoded++;
+ }
++ if (state[0]->hPredictor >= 7 || state[1]->hPredictor >= 7) {
++ goto invalid_predictor;
++ }
+ state[0]->iDelta = ((encoded[1]<<8)|encoded[0]);
+ encoded += sizeof(Sint16);
+ if ( stereo ) {
+@@ -227,6 +230,10 @@ invalid_size:
+ SDL_SetError("Unexpected chunk length for a MS ADPCM decoder");
+ SDL_free(freeable);
+ return(-1);
++invalid_predictor:
++ SDL_SetError("Invalid predictor value for a MS ADPCM decoder");
++ SDL_free(freeable);
++ return(-1);
+ }
+
+ struct IMA_ADPCM_decodestate {
diff -Nru libsdl1.2-1.2.15+dfsg1/debian/patches/CVE-2019-7578.patch libsdl1.2-1.2.15+dfsg1/debian/patches/CVE-2019-7578.patch
--- libsdl1.2-1.2.15+dfsg1/debian/patches/CVE-2019-7578.patch 1970-01-01 00:00:00.000000000 +0000
+++ libsdl1.2-1.2.15+dfsg1/debian/patches/CVE-2019-7578.patch 2019-08-14 16:40:48.000000000 +0000
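Review bot: `if (state[0]->hPredictor >= 7 || state[1]->hPredictor >= 7)` hard-codes the size of the coefficient table that `coeff[1] = MS_ADPCM_state.aCoeff[state[1]->hPredictor]` indexes further down the function; tying the bound to the array, `SDL_arraysize(MS_ADPCM_state.aCoeff)`, or to the same constant InitMS_ADPCM checks `wNumCoef` against, keeps this check from drifting if the table is ever resized. In the mono case `state[1]` aliases `state[0]` (`state[1] = &MS_ADPCM_state.state[stereo]` earlier in the function), so the second test is redundant but harmless; a short comment, `/* hPredictor selects an aCoeff row; state[1] == state[0] when mono */`, would save the next reader that trace. The rest of MS_ADPCM_decode, including the `invalid_size:` path this new label mirrors, lies outside the hunk.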
@@ -0,0 +1,53 @@
+Description: CVE-2019-7578
+
+ If IMA ADPCM format chunk was too short, InitIMA_ADPCM() parsing it
+ could read past the end of chunk data. This patch fixes it.
+---
+Author: Abhijith PA
+Origin: https://bugzilla-attachments.libsdl.org/attachment.cgi?id=3623
+Bug: https://bugzilla.libsdl.org/show_bug.cgi?id=4494
+Last-Update: 2019-03-05
+
+--- libsdl1.2-1.2.15.orig/src/audio/SDL_wave.c
++++ libsdl1.2-1.2.15/src/audio/SDL_wave.c
+@@ -240,11 +240,12 @@ static struct IMA_ADPCM_decoder {
+ struct IMA_ADPCM_decodestate state[2];
+ } IMA_ADPCM_state;
+
+-static int InitIMA_ADPCM(WaveFMT *format)
++static int InitIMA_ADPCM(WaveFMT *format, int length)
+ {
+- Uint8 *rogue_feel;
++ Uint8 *rogue_feel, *rogue_feel_end;
+
+ /* Set the rogue pointer to the IMA_ADPCM specific data */
++ if (length < sizeof(*format)) goto too_short;
+ IMA_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding);
+ IMA_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels);
+ IMA_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency);
+@@ -253,11 +254,16 @@ static int InitIMA_ADPCM(WaveFMT *format
+ IMA_ADPCM_state.wavefmt.bitspersample =
+ SDL_SwapLE16(format->bitspersample);
+ rogue_feel = (Uint8 *)format+sizeof(*format);
++ rogue_feel_end = (Uint8 *)format + length;
+ if ( sizeof(*format) == 16 ) {
+ rogue_feel += sizeof(Uint16);
+ }
++ if (rogue_feel + 2 > rogue_feel_end) goto too_short;
+ IMA_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1]<<8)|rogue_feel[0]);
+ return(0);
++too_short:
++ SDL_SetError("Unexpected length of a chunk with an IMA ADPCM format");
++ return(-1);
+ }
+
+ static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble)
+@@ -500,7 +506,7 @@ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWop
+ break;
+ case IMA_ADPCM_CODE:
+ /* Try to understand this */
+- if ( InitIMA_ADPCM(format) < 0 ) {
++ if ( InitIMA_ADPCM(format, lenread) < 0 ) {
+ was_error = 1;
+ goto done;
+ }
diff -Nru 
libsdl1.2-1.2.15+dfsg1/debian/patches/CVE-2019-7635_636_638.patch libsdl1.2-1.2.15+dfsg1/debian/patches/CVE-2019-7635_636_638.patch --- libsdl1.2-1.2.15+dfsg1/debian/patches/CVE-2019-7635_636_638.patch 1970-01-01 00:00:00.000000000 +0000 +++ libsdl1.2-1.2.15+dfsg1/debian/patches/CVE-2019-7635_636_638.patch 2019-08-14 16:40:48.000000000 +0000 
@@ -0,0 +1,81 @@ +Description: CVE-2019-7635_CVE-2019-7636, CVE-2019-7638 + CVE-2019-7635 +a heap-based buffer over-read in Blit1to4 in video/SDL_blit_1.c + CVE-2019-7636 +a heap-based buffer over-read in SDL_GetRGB in video/SDL_pixels.c + CVE-2019-7638 +buffer overwrite when the SDL_LoadBMP_RW() +loads colors from a file. + +--- +Author: Abhijith PA +Origin: https://bugzilla.libsdl.org/attachment.cgi?id=3637 + https://bugzilla.libsdl.org/attachment.cgi?id=3645 + https://hg.libsdl.org/SDL/rev/19d8c3b9c251 + +Bug: https://bugzilla.libsdl.org/show_bug.cgi?id=4499 + https://bugzilla.libsdl.org/show_bug.cgi?id=4498 + https://bugzilla.libsdl.org/show_bug.cgi?id=4500 +Last-Update: 2019-03-08 + +Index: libsdl1.2-1.2.15/src/video/SDL_bmp.c +=================================================================== +--- libsdl1.2-1.2.15.orig/src/video/SDL_bmp.c ++++ libsdl1.2-1.2.15/src/video/SDL_bmp.c +@@ -163,6 +163,14 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops + ExpandBMP = biBitCount; + biBitCount = 8; + break; ++ case 2: ++ case 3: ++ case 5: ++ case 6: ++ case 7: ++ SDL_SetError("%d-bpp BMP images are not supported", biBitCount); ++ was_error = SDL_TRUE; ++ goto done; + default: + ExpandBMP = 0; + break; +@@ -233,6 +241,10 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops + if ( palette ) { + if ( biClrUsed == 0 ) { + biClrUsed = 1 << biBitCount; ++ } else if ( biClrUsed > (1 << biBitCount) ) { ++ SDL_SetError("BMP file has an invalid number of colors"); ++ was_error = SDL_TRUE; ++ goto done; + } + if ( biSize == 12 ) { + for ( i = 0; i < (int)biClrUsed; ++i ) { +@@ -296,6 +308,12 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops + } + *(bits+i) = (pixel>>shift); + pixel <<= ExpandBMP; ++ if ( bits[i] >= biClrUsed ) { ++ SDL_SetError( ++ "A BMP image contains a pixel with a color out of the palette"); ++ was_error = SDL_TRUE; ++ goto done; ++ } + } } + break; + +@@ -306,6 +324,17 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops + was_error = SDL_TRUE; + goto done; + } ++ ++ if ( 8 == biBitCount 
&& palette && biClrUsed < (1 << biBitCount ) ) { ++ for ( i=0; iw; ++i ) { ++ if ( bits[i] >= biClrUsed ) { ++ SDL_SetError( ++ "A BMP image contains a pixel with a color out of the palette"); ++ was_error = SDL_TRUE; ++ goto done; ++ } ++ } ++ } + #if SDL_BYTEORDER == SDL_BIG_ENDIAN + /* Byte-swap the pixels if needed. Note that the 24bpp + case has already been taken care of above. */ diff -Nru libsdl1.2-1.2.15+dfsg1/debian/patches/CVE-2019-7637-2.patch libsdl1.2-1.2.15+dfsg1/debian/patches/CVE-2019-7637-2.patch --- libsdl1.2-1.2.15+dfsg1/debian/patches/CVE-2019-7637-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ libsdl1.2-1.2.15+dfsg1/debian/patches/CVE-2019-7637-2.patch 2019-08-14 16:52:36.000000000 +0000 
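Review bot: The palette-range check inside the 1/4-bpp expansion loop runs `if ( bits[i] >= biClrUsed )` after every pixel, whereas the 8-bpp path added below performs the same test once per row after the read; the expanded row is complete when that loop ends, so the per-row form (`for ( i=0; i<surface->w; ++i ) { if ( bits[i] >= biClrUsed ) ... }`) placed after the `} }` that closes the expansion keeps the two paths consistent and the inner loop free of the extra branch. Both sites also repeat the literal `"A BMP image contains a pixel with a color out of the palette"`; a single `bad_index:` label beside `done:` (or one `static const char` message) avoids the two copies diverging. The `biClrUsed > (1 << biBitCount)` test is only safe because the earlier switch has already folded 1/4-bpp into `biBitCount = 8` and `palette` is presumably NULL for deeper formats, which deserves a comment on that line. SDL_LoadBMP_RW's `done:` cleanup is outside the hunk.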
@@ -0,0 +1,46 @@
+# HG changeset patch
+# User Ozkan Sezer
+# Date 1564695305 -10800
+# Node ID 32075e9e2135b4a244d13c8be9bb5e5c2ae554ec
+# Parent 37d0eba8fa178404c8128850c26a06d47a2b75de
+fix copy+paste mistakes in commit 9b0e5c555c0f (CVE-2019-7637 fix):
+
+http://hg.libsdl.org/SDL/rev/9b0e5c555c0f made copy+paste mistakes which
+resulted in windows versions failing to set video mode.
+
+diff -r 37d0eba8fa17 -r 32075e9e2135 src/video/gapi/SDL_gapivideo.c
+--- a/src/video/gapi/SDL_gapivideo.c Wed Jul 31 23:50:10 2019 +0300
++++ b/src/video/gapi/SDL_gapivideo.c Fri Aug 02 00:35:05 2019 +0300
+@@ -733,7 +733,7 @@
+ video->w = gapi->w = width;
+ video->h = gapi->h = height;
+ video->pitch = SDL_CalculatePitch(video);
+- if (!current->pitch) {
++ if (!video->pitch) {
+ return(NULL);
+ }
+
+diff -r 37d0eba8fa17 -r 32075e9e2135 src/video/windib/SDL_dibvideo.c
+--- a/src/video/windib/SDL_dibvideo.c Wed Jul 31 23:50:10 2019 +0300
++++ b/src/video/windib/SDL_dibvideo.c Fri Aug 02 00:35:05 2019 +0300
+@@ -675,7 +675,7 @@
+ video->w = width;
+ video->h = height;
+ video->pitch = SDL_CalculatePitch(video);
+- if (!current->pitch) {
++ if (!video->pitch) {
+ return(NULL);
+ }
+
+diff -r 37d0eba8fa17 -r 32075e9e2135 src/video/windx5/SDL_dx5video.c
+--- a/src/video/windx5/SDL_dx5video.c Wed Jul 31 23:50:10 2019 +0300
++++ b/src/video/windx5/SDL_dx5video.c Fri Aug 02 00:35:05 2019 +0300
+@@ -1127,7 +1127,7 @@
+ video->w = width;
+ video->h = height;
+ video->pitch = SDL_CalculatePitch(video);
+- if (!current->pitch) {
++ if (!video->pitch) {
+ return(NULL);
+ }
+
diff -Nru libsdl1.2-1.2.15+dfsg1/debian/patches/CVE-2019-7637.patch libsdl1.2-1.2.15+dfsg1/debian/patches/CVE-2019-7637.patch
--- libsdl1.2-1.2.15+dfsg1/debian/patches/CVE-2019-7637.patch 1970-01-01 00:00:00.000000000 +0000
+++ libsdl1.2-1.2.15+dfsg1/debian/patches/CVE-2019-7637.patch 2019-08-14 16:40:48.000000000 +0000
@@ -0,0 +1,207 @@ +From 66950da7432b1743e60bebf5bd7fa6108c6585f1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= +Date: Mon, 18 Feb 2019 13:53:16 +0100 +Subject: [PATCH] CVE-2019-7637: Fix in integer overflow in SDL_CalculatePitch +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If a too large width is passed to SDL_SetVideoMode() the width travels +to SDL_CalculatePitch() where the width (e.g. 65535) is multiplied by +BytesPerPixel (e.g. 4) and the result is stored into Uint16 pitch +variable. During this arithmetics an integer overflow can happen (e.g. +the value is clamped as 65532). As a result SDL_Surface with a pitch +smaller than width * BytesPerPixel is created, too small pixel buffer +is allocated and when the SDL_Surface is processed in SDL_FillRect() +a buffer overflow occurs. + +This can be reproduced with "./graywin -width 21312312313123213213213" +command. + +This patch fixes is by using a very careful arithmetics in +SDL_CalculatePitch(). If an overflow is detected, an error is reported +back as a special 0 value. We assume that 0-width surfaces do not +occur in the wild. Since SDL_CalculatePitch() is a private function, +we can change the semantics. 
+ +CVE-2019-7637 +https://bugzilla.libsdl.org/show_bug.cgi?id=4497 + +Signed-off-by: Petr Písař +--- + src/video/SDL_pixels.c | 41 +++++++++++++++++++++++++++------ + src/video/gapi/SDL_gapivideo.c | 3 +++ + src/video/nanox/SDL_nxvideo.c | 4 ++++ + src/video/ps2gs/SDL_gsvideo.c | 3 +++ + src/video/ps3/SDL_ps3video.c | 3 +++ + src/video/windib/SDL_dibvideo.c | 3 +++ + src/video/windx5/SDL_dx5video.c | 3 +++ + src/video/x11/SDL_x11video.c | 4 ++++ + 8 files changed, 57 insertions(+), 7 deletions(-) + +Index: libsdl1.2-1.2.15/src/video/SDL_pixels.c +=================================================================== +--- libsdl1.2-1.2.15.orig/src/video/SDL_pixels.c ++++ libsdl1.2-1.2.15/src/video/SDL_pixels.c +@@ -286,26 +286,54 @@ void SDL_DitherColors(SDL_Color *colors, + } + } + /* +- * Calculate the pad-aligned scanline width of a surface ++ * Calculate the pad-aligned scanline width of a surface. Return 0 in case of ++ * an error. + */ + Uint16 SDL_CalculatePitch(SDL_Surface *surface) + { +- Uint16 pitch; ++ unsigned int pitch = 0; + + /* Surface should be 4-byte aligned for speed */ +- pitch = surface->w*surface->format->BytesPerPixel; ++ /* The code tries to prevent from an Uint16 overflow. 
*/; ++ Uint8 byte; ++ for (byte = surface->format->BytesPerPixel; byte; byte--) { ++ pitch += (unsigned int)surface->w; ++ if (pitch < surface->w) { ++ SDL_SetError("A scanline is too wide"); ++ return(0); ++ } ++ } + switch (surface->format->BitsPerPixel) { + case 1: +- pitch = (pitch+7)/8; ++ if (pitch % 8) { ++ pitch = pitch / 8 + 1; ++ } else { ++ pitch = pitch / 8; ++ } + break; + case 4: +- pitch = (pitch+1)/2; ++ if (pitch % 2) { ++ pitch = pitch / 2 + 1; ++ } else { ++ pitch = pitch / 2; ++ } + break; + default: + break; + } +- pitch = (pitch + 3) & ~3; /* 4-byte aligning */ +- return(pitch); ++ /* 4-byte aligning */ ++ if (pitch & 3) { ++ if (pitch + 3 < pitch) { ++ SDL_SetError("A scanline is too wide"); ++ return(0); ++ } ++ pitch = (pitch + 3) & ~3; ++ } ++ if (pitch > 0xFFFF) { ++ SDL_SetError("A scanline is too wide"); ++ return(0); ++ } ++ return((Uint16)pitch); + } + /* + * Match an RGB value to a particular palette index +Index: libsdl1.2-1.2.15/src/video/gapi/SDL_gapivideo.c +=================================================================== +--- libsdl1.2-1.2.15.orig/src/video/gapi/SDL_gapivideo.c ++++ libsdl1.2-1.2.15/src/video/gapi/SDL_gapivideo.c +@@ -733,6 +733,9 @@ SDL_Surface *GAPI_SetVideoMode(_THIS, SD + video->w = gapi->w = width; + video->h = gapi->h = height; + video->pitch = SDL_CalculatePitch(video); ++ if (!current->pitch) { ++ return(NULL); ++ } + + /* Small fix for WinCE/Win32 - when activating window + SDL_VideoSurface is equal to zero, so activating code +Index: libsdl1.2-1.2.15/src/video/nanox/SDL_nxvideo.c +=================================================================== +--- libsdl1.2-1.2.15.orig/src/video/nanox/SDL_nxvideo.c ++++ libsdl1.2-1.2.15/src/video/nanox/SDL_nxvideo.c +@@ -378,6 +378,10 @@ SDL_Surface * NX_SetVideoMode (_THIS, SD + current -> w = width ; + current -> h = height ; + current -> pitch = SDL_CalculatePitch (current) ; ++ if (!current->pitch) { ++ current = NULL; ++ goto done; ++ } + NX_ResizeImage 
(this, current, flags) ; + } + +Index: libsdl1.2-1.2.15/src/video/ps2gs/SDL_gsvideo.c +=================================================================== +--- libsdl1.2-1.2.15.orig/src/video/ps2gs/SDL_gsvideo.c ++++ libsdl1.2-1.2.15/src/video/ps2gs/SDL_gsvideo.c +@@ -479,6 +479,9 @@ static SDL_Surface *GS_SetVideoMode(_THI + current->w = width; + current->h = height; + current->pitch = SDL_CalculatePitch(current); ++ if (!current->pitch) { ++ return(NULL); ++ } + + /* Memory map the DMA area for block memory transfer */ + if ( ! mapped_mem ) { +Index: libsdl1.2-1.2.15/src/video/ps3/SDL_ps3video.c +=================================================================== +--- libsdl1.2-1.2.15.orig/src/video/ps3/SDL_ps3video.c ++++ libsdl1.2-1.2.15/src/video/ps3/SDL_ps3video.c +@@ -339,6 +339,9 @@ static SDL_Surface *PS3_SetVideoMode(_TH + current->w = width; + current->h = height; + current->pitch = SDL_CalculatePitch(current); ++ if (!current->pitch) { ++ return(NULL); ++ } + + /* Alloc aligned mem for current->pixels */ + s_pixels = memalign(16, current->h * current->pitch); +Index: libsdl1.2-1.2.15/src/video/windib/SDL_dibvideo.c +=================================================================== +--- libsdl1.2-1.2.15.orig/src/video/windib/SDL_dibvideo.c ++++ libsdl1.2-1.2.15/src/video/windib/SDL_dibvideo.c +@@ -675,6 +675,9 @@ SDL_Surface *DIB_SetVideoMode(_THIS, SDL + video->w = width; + video->h = height; + video->pitch = SDL_CalculatePitch(video); ++ if (!current->pitch) { ++ return(NULL); ++ } + + /* Small fix for WinCE/Win32 - when activating window + SDL_VideoSurface is equal to zero, so activating code +Index: libsdl1.2-1.2.15/src/video/windx5/SDL_dx5video.c +=================================================================== +--- libsdl1.2-1.2.15.orig/src/video/windx5/SDL_dx5video.c ++++ libsdl1.2-1.2.15/src/video/windx5/SDL_dx5video.c +@@ -1127,6 +1127,9 @@ SDL_Surface *DX5_SetVideoMode(_THIS, SDL + video->w = width; + video->h = height; + video->pitch = 
SDL_CalculatePitch(video); ++ if (!current->pitch) { ++ return(NULL); ++ } + + #ifndef NO_CHANGEDISPLAYSETTINGS + /* Set fullscreen mode if appropriate. +Index: libsdl1.2-1.2.15/src/video/x11/SDL_x11video.c +=================================================================== +--- libsdl1.2-1.2.15.orig/src/video/x11/SDL_x11video.c ++++ libsdl1.2-1.2.15/src/video/x11/SDL_x11video.c +@@ -1216,6 +1216,10 @@ SDL_Surface *X11_SetVideoMode(_THIS, SDL + current->w = width; + current->h = height; + current->pitch = SDL_CalculatePitch(current); ++ if (!current->pitch) { ++ current = NULL; ++ goto done; ++ } + if (X11_ResizeImage(this, current, flags) < 0) { + current = NULL; + goto done; diff -Nru libsdl1.2-1.2.15+dfsg1/debian/patches/series libsdl1.2-1.2.15+dfsg1/debian/patches/series --- libsdl1.2-1.2.15+dfsg1/debian/patches/series 2016-03-10 00:56:04.000000000 +0000 +++ libsdl1.2-1.2.15+dfsg1/debian/patches/series 2019-10-15 13:59:48.000000000 +0000 @@ -5,3 +5,12 @@ fix_window_resizing.diff fix_joystick_misc_axes.diff sdl-check-for-SDL_VIDEO_X11_BACKINGSTORE.patch +CVE-2019-7572_CVE-2019-7574.patch +CVE-2019-7573.patch +CVE-2019-7575_7577.patch +CVE-2019-7578.patch +CVE-2019-7635_636_638.patch +CVE-2019-7637.patch +CVE-2019-7637-2.patch +CVE-2019-7577-1_2.patch +CVE-2019-13616.patch
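Review bot: SDL_CalculatePitch now returns 0 as an error sentinel, but only the seven SetVideoMode callers in the diffstat are taught to check it; SDL_CreateRGBSurface in src/video/SDL_surface.c is not in this diff and, if it still assigns `surface->pitch = SDL_CalculatePitch(surface)` unchecked (not visible here), an oversized width there yields a surface whose pixel buffer is `h * 0` bytes while blits keep using the real width, which is the overflow this patch sets out to close, so that caller needs an equivalent `if (!surface->pitch) { SDL_FreeSurface(surface); return(NULL); }` step. The new `return(NULL)` exits in the gapi, ps2gs, ps3, windib and windx5 drivers release nothing the functions set up before the pitch calculation, whereas the nanox and x11 hunks route through `goto done`; if those drivers hold a window or device context by that point, the bare return leaks it and a jump to their own cleanup label would be the consistent choice. The gapi/windib/windx5 hunks test `current->pitch` where `video->pitch` was just assigned, which the follow-up CVE-2019-7637-2.patch corrects. Every touched SetVideoMode body extends beyond its hunk.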