diff -Nru libsdl2-2.0.2+dfsg1/debian/changelog libsdl2-2.0.2+dfsg1/debian/changelog
--- libsdl2-2.0.2+dfsg1/debian/changelog 2016-04-19 11:43:45.000000000 +0000
+++ libsdl2-2.0.2+dfsg1/debian/changelog 2019-09-25 15:27:17.000000000 +0000
@@ -1,3 +1,22 @@
+libsdl2 (2.0.2+dfsg1-3ubuntu1.3) trusty-security; urgency=medium
+
+ * SECURITY UPDATE: heap-based buffer over-read in Fill_IMA_ADPCM_block
+ - debian/patches/CVE-2017-2888.diff: check var size before mallocing pixels
+ - debian/patches/CVE-2017-2888_CVE-2019-7637.diff: assert size of int
+ before mallocing
+ - CVE-2017-2888
+ - CVE-2019-7637
+ * SECURITY UPDATE: heap-based buffer over-read in Blit1to4
+ - debian/patches/CVE-2019-7635.diff: add error checking to SDL_LoadBMP_RW
+ - CVE-2019-7635
+ * SECURITY UPDATE: heap-based buffer over-read in Map1toN and SDL_GetRGB
+ - debian/patches/CVE-2019-7636_CVE-2019-7638.patch: add error checking to
+ SDL_LoadBMP_RW
+ - CVE-2019-7636
+ - CVE-2019-7638
+
+ -- Avital Ostromich Wed, 25 Sep 2019 11:26:34 -0400
+
 libsdl2 (2.0.2+dfsg1-3ubuntu1.2) trusty; urgency=medium
 * Explicitly depend on virtual package libwayland-egl1 to avoid
diff -Nru libsdl2-2.0.2+dfsg1/debian/patches/CVE-2017-2888_CVE-2019-7637.diff libsdl2-2.0.2+dfsg1/debian/patches/CVE-2017-2888_CVE-2019-7637.diff
--- libsdl2-2.0.2+dfsg1/debian/patches/CVE-2017-2888_CVE-2019-7637.diff 1970-01-01 00:00:00.000000000 +0000
+++ libsdl2-2.0.2+dfsg1/debian/patches/CVE-2017-2888_CVE-2019-7637.diff 2019-09-25 15:25:30.000000000 +0000
@@ -0,0 +1,60 @@
+Description: Fixed bug 3890 - Incomplete fix for CVE-2017-2888
+ Felix Geyer
+ http://hg.libsdl.org/SDL/rev/7e0f1498ddb5 tries to fix CVE-2017-2888.
+ Unfortunately compilers may optimize the second condition "(size /
+ surface->pitch) != surface->h" away. See
+ https://bugzilla.redhat.com/show_bug.cgi?id=1500623#c2 I've verified that this
+ is also the case on Debian unstable (gcc 7.2).
+
+ [Ubuntu note: Added SDL_MAX_SINT32 defs for compatibility with patch
+ -- Avital]
+Author: Sam Lantinga
+Origin: backport, https://hg.libsdl.org/SDL/rev/81a4950907a0
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878264
+Bug: https://bugzilla.libsdl.org/show_bug.cgi?id=4497
+Last-Update: 2019-09-10
+
+--- a/src/video/SDL_surface.c
++++ b/src/video/SDL_surface.c
+@@ -27,6 +27,10 @@
+ #include "SDL_pixels_c.h"
+
+
++/* Check to make sure we can safely check multiplication of surface w and pitch and it won't overflow size_t */
++SDL_COMPILE_TIME_ASSERT(surface_size_assumptions,
++ sizeof(int) == sizeof(Sint32) && sizeof(size_t) >= sizeof(Sint32));
++
+ /* Public routines */
+ /*
+ * Create an empty RGB surface of the appropriate depth
+@@ -88,15 +92,16 @@ SDL_CreateRGBSurface(Uint32 flags,
+
+ /* Get the pixels */
+ if (surface->w && surface->h) {
+- int size = (surface->h * surface->pitch);
+- if (size < 0 || (size / surface->pitch) != surface->h) {
++ /* Assumptions checked in surface_size_assumptions assert above */
++ Sint64 size = ((Sint64)surface->h * surface->pitch);
++ if (size < 0 || size > SDL_MAX_SINT32) {
+ /* Overflow... */
+ SDL_FreeSurface(surface);
+ SDL_OutOfMemory();
+ return NULL;
+ }
+
+- surface->pixels = SDL_malloc(size);
++ surface->pixels = SDL_malloc((size_t)size);
+ if (!surface->pixels) {
+ SDL_FreeSurface(surface);
+ SDL_OutOfMemory();
+--- a/include/SDL_stdinc.h
++++ b/include/SDL_stdinc.h
+@@ -142,6 +142,8 @@ typedef int32_t Sint32;
+ /**
+ * \brief An unsigned 32-bit integer type.
+ */
++#define SDL_MAX_SINT32 ((Sint32)0x7FFFFFFF) /* 2147483647 */
++#define SDL_MIN_SINT32 ((Sint32)(~0x7FFFFFFF)) /* -2147483648 */
+ typedef uint32_t Uint32;
+
+ /**
diff -Nru libsdl2-2.0.2+dfsg1/debian/patches/CVE-2017-2888.diff libsdl2-2.0.2+dfsg1/debian/patches/CVE-2017-2888.diff
--- libsdl2-2.0.2+dfsg1/debian/patches/CVE-2017-2888.diff 1970-01-01 00:00:00.000000000 +0000
+++ libsdl2-2.0.2+dfsg1/debian/patches/CVE-2017-2888.diff 2019-09-25 15:25:14.000000000 +0000
@@ -0,0 +1,25 @@
+Description: Fixed potential overflow in surface allocation (thanks Yves!)
+Author: Sam Lantinga
+Origin: https://hg.libsdl.org/SDL/rev/7e0f1498ddb5
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878264
+Last-Update: 2019-09-10
+
+--- a/src/video/SDL_surface.c
++++ b/src/video/SDL_surface.c
+@@ -88,7 +88,15 @@ SDL_CreateRGBSurface(Uint32 flags,
+
+ /* Get the pixels */
+ if (surface->w && surface->h) {
+- surface->pixels = SDL_malloc(surface->h * surface->pitch);
++ int size = (surface->h * surface->pitch);
++ if (size < 0 || (size / surface->pitch) != surface->h) {
++ /* Overflow... */
++ SDL_FreeSurface(surface);
++ SDL_OutOfMemory();
++ return NULL;
++ }
++
++ surface->pixels = SDL_malloc(size);
+ if (!surface->pixels) {
+ SDL_FreeSurface(surface);
+ SDL_OutOfMemory();
diff -Nru libsdl2-2.0.2+dfsg1/debian/patches/CVE-2019-7635.diff libsdl2-2.0.2+dfsg1/debian/patches/CVE-2019-7635.diff
--- libsdl2-2.0.2+dfsg1/debian/patches/CVE-2019-7635.diff 1970-01-01 00:00:00.000000000 +0000
+++ libsdl2-2.0.2+dfsg1/debian/patches/CVE-2019-7635.diff 2019-09-25 15:24:21.000000000 +0000
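Review bot: The comment introduced above `SDL_COMPILE_TIME_ASSERT` describes a check on "surface w and pitch" overflowing `size_t`, but the guarded code computes `(Sint64)surface->h * surface->pitch` and rejects `size > SDL_MAX_SINT32`, so the comment names the wrong operand and the wrong bound; suggest `/* h * pitch is computed in Sint64 and must fit an int (SDL_MAX_SINT32) before the size_t cast; this assert pins the type sizes that make that sound */`. The `SDL_MAX_SINT32`/`SDL_MIN_SINT32` defines are inserted between the Doxygen block "An unsigned 32-bit integer type." and `typedef uint32_t Uint32;`, so that documentation now attaches to a signed-limit macro; placing them directly after `typedef int32_t Sint32;` (the hunk's context line) keeps the comment on the declaration it describes. SDL_CreateRGBSurface begins and ends outside the hunk.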
@@ -0,0 +1,74 @@
+Description: Fixed CVE-2019-7635 and bug 4498
+ Heap-Buffer Overflow in Blit1to4 pertaining to SDL_blit_1.c
+
+ Petr Pisar
+
+ The root cause is that the POC BMP file declares 3 colors used and 4 bpp
+ palette, but pixel at line 28 and column 1 (counted from 0) has color number 3.
+ Then when the image loaded into a surface is passed to SDL_DisplayFormat(), in
+ order to convert it to a video format, a used bliting function looks up a color
+ number 3 in a 3-element long color bliting map. (The map obviously has the same
+ number entries as the surface format has colors.)
+
+ Proper fix should refuse broken BMP images that have a pixel with a color index
+ higher than declared number of "used" colors. Possibly more advanced fix could
+ try to relocate the out-of-range color index into a vacant index (if such
+ exists).
+Author: Sam Lantinga
+Origin: https://hg.libsdl.org/SDL/rev/7c643f1c1887
+Bug: https://bugzilla.libsdl.org/show_bug.cgi?id=4498
+Last-Update: 2019-09-10
+
+--- a/src/video/SDL_bmp.c
++++ b/src/video/SDL_bmp.c
+@@ -187,6 +187,14 @@ SDL_LoadBMP_RW(SDL_RWops * src, int free
+ ExpandBMP = biBitCount;
+ biBitCount = 8;
+ break;
++ case 2:
++ case 3:
++ case 5:
++ case 6:
++ case 7:
++ SDL_SetError("%d-bpp BMP images are not supported", biBitCount);
++ was_error = SDL_TRUE;
++ goto done;
+ default:
+ ExpandBMP = 0;
+ break;
+@@ -348,19 +356,32 @@ SDL_LoadBMP_RW(SDL_RWops * src, int free
+ goto done;
+ }
+ }
+- *(bits + i) = (pixel >> shift);
++ bits[i] = (pixel >> shift);
++ if (bits[i] >= biClrUsed) {
++ SDL_SetError("A BMP image contains a pixel with a color out of the palette");
++ was_error = SDL_TRUE;
++ goto done;
++ }
+ pixel <<= ExpandBMP;
+ }
+ }
+ break;
+
+ default:
+- if (SDL_RWread(src, bits, 1, surface->pitch)
+- != surface->pitch) {
++ if (SDL_RWread(src, bits, 1, surface->pitch) != surface->pitch) {
+ SDL_Error(SDL_EFREAD);
+ was_error = SDL_TRUE;
+ goto done;
+ }
++ if (biBitCount == 8 && palette && biClrUsed < (1 << biBitCount)) {
++ for (i = 0; i < surface->w; ++i) {
++ if (bits[i] >= biClrUsed) {
++ SDL_SetError("A BMP image contains a pixel with a color out of the palette");
++ was_error = SDL_TRUE;
++ goto done;
++ }
++ }
++ }
+ #if SDL_BYTEORDER == SDL_BIG_ENDIAN
+ /* Byte-swap the pixels if needed. Note that the 24bpp
+ case has already been taken care of above. */
diff -Nru libsdl2-2.0.2+dfsg1/debian/patches/CVE-2019-7636_CVE-2019-7638.diff libsdl2-2.0.2+dfsg1/debian/patches/CVE-2019-7636_CVE-2019-7638.diff
--- libsdl2-2.0.2+dfsg1/debian/patches/CVE-2019-7636_CVE-2019-7638.diff 1970-01-01 00:00:00.000000000 +0000
+++ libsdl2-2.0.2+dfsg1/debian/patches/CVE-2019-7636_CVE-2019-7638.diff 2019-09-25 15:24:50.000000000 +0000
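Review bot: The 8-bpp scan added in the `default:` branch runs only when `biClrUsed < (1 << biBitCount)`, and nothing in the hunk explains why a full palette is exempt, which reads like a gap rather than the reasoning that every byte is then a valid index; suggest `/* A full 256-entry palette makes every byte a valid index, so only a short palette needs the scan */` above that `if`. The `palette &&` term means a depth-8 surface without a palette skips the check entirely — presumably such a surface always carries one on this path, but that is set up outside the hunk, so confirm it. The same error string and comparison now appear twice (ExpandBMP branch and `default:` branch), so a later change to one is easy to miss in the other. SDL_LoadBMP_RW begins and ends outside the hunk.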
@@ -0,0 +1,34 @@
+Description: Fixed bug 4500
+ Heap-Buffer Overflow in Map1toN pertaining to SDL_pixels.c
+
+ Petr Pisar
+
+ The reproducer has these data in BITMAPINFOHEADER:
+
+ biSize = 40
+ biBitCount = 8
+ biClrUsed = 131075
+
+ SDL_LoadBMP_RW() function passes biBitCount as a color depth to
+ SDL_CreateRGBSurface(), thus 256-color pallete is allocated. But then biClrUsed
+ colors are read from a file and stored into the palette. SDL_LoadBMP_RW should
+ report an error if biClrUsed is greater than 2^biBitCount.
+Author: Sam Lantinga
+Origin: https://hg.libsdl.org/SDL/rev/7c643f1c1887
+Bug: https://bugzilla.libsdl.org/show_bug.cgi?id=4499
+Bug: https://bugzilla.libsdl.org/show_bug.cgi?id=4500
+Last-Update: 2019-09-10
+
+--- a/src/video/SDL_bmp.c
++++ b/src/video/SDL_bmp.c
+@@ -278,6 +278,10 @@ SDL_LoadBMP_RW(SDL_RWops * src, int free
+ if (palette) {
+ if (biClrUsed == 0) {
+ biClrUsed = 1 << biBitCount;
++ } else if (biClrUsed > (1 << biBitCount)) {
++ SDL_SetError("BMP file has an invalid number of colors");
++ was_error = SDL_TRUE;
++ goto done;
+ }
+ if ((int) biClrUsed > palette->ncolors) {
+ palette->ncolors = biClrUsed;
diff -Nru libsdl2-2.0.2+dfsg1/debian/patches/series libsdl2-2.0.2+dfsg1/debian/patches/series
--- libsdl2-2.0.2+dfsg1/debian/patches/series 2014-05-07 14:31:08.000000000 +0000
+++ libsdl2-2.0.2+dfsg1/debian/patches/series 2019-09-25 15:25:30.000000000 +0000
@@ -1,3 +1,7 @@
 SDL2_dont_propagate_lpthread.diff
 fix_joystick_misc_axes.diff
 mir_forward_declaration_syswm.diff
+CVE-2019-7635.diff
+CVE-2019-7636_CVE-2019-7638.diff
+CVE-2017-2888.diff
+CVE-2017-2888_CVE-2019-7637.diff
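Review bot: The new `biClrUsed > (1 << biBitCount)` comparison mixes `biClrUsed` (cast to `int` two lines below, so presumably unsigned) with a signed shift, and is only exact because this branch is reached with a palette, which presumably caps `biBitCount` at 8 and keeps the shift small and positive; that precondition lives outside the hunk, so record it: `/* palette != NULL presumably implies biBitCount <= 8 here, so 1 << biBitCount is small and the unsigned compare is exact -- confirm against surface creation above */`. With this upper bound in place the following `(int) biClrUsed` cast can no longer yield a negative value, which is what lets the `> palette->ncolors` test be trusted, and a short note there would help too. SDL_LoadBMP_RW begins and ends outside the hunk.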