diff -Nru libsdl2-2.0.4+dfsg1/debian/changelog libsdl2-2.0.4+dfsg1/debian/changelog
--- libsdl2-2.0.4+dfsg1/debian/changelog 2016-03-10 21:59:45.000000000 +0000
+++ libsdl2-2.0.4+dfsg1/debian/changelog 2019-09-25 15:41:54.000000000 +0000
@@ -1,3 +1,32 @@
+libsdl2 (2.0.4+dfsg1-2ubuntu2.16.04.2) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: heap-based buffer over-read in Fill_IMA_ADPCM_block
+ - debian/patches/CVE-2017-2888.diff: check var size before mallocing pixels
+ - debian/patches/CVE-2017-2888_CVE-2019-7637.diff: assert size of int
+ before mallocing
+ - CVE-2017-2888
+ - CVE-2019-7637
+ * SECURITY UPDATE: heap-based buffer over-read in Blit1to4
+ - debian/patches/CVE-2019-7635.diff: add error checking to SDL_LoadBMP_RW
+ - CVE-2019-7635
+ * SECURITY UPDATE: heap-based buffer over-read in Map1toN and
+ SDL_GetRGB
+ - debian/patches/CVE-2019-7636_CVE-2019-7638.patch: add error checking to
+ SDL_LoadBMP_RW
+ - CVE-2019-7636
+ - CVE-2019-7638
+ * Package failed to build from source
+ - debian/patches/ftbfs.diff: Add wl_proxy_marshal_constructor_versioned sym
+
+ -- Avital Ostromich Wed, 28 Aug 2019 14:45:27 -0400
+
+libsdl2 (2.0.4+dfsg1-2ubuntu2.16.04.1) xenial; urgency=medium
+
+ * Cherry-pick upstream fix for full-screen switching mode
+ LP: #1679573
+
+ -- Gianfranco Costamagna Sat, 11 Nov 2017 10:55:43 +0100
+
 libsdl2 (2.0.4+dfsg1-2ubuntu2) xenial; urgency=medium
 
 * Rebuild against libsndio6.1.
diff -Nru libsdl2-2.0.4+dfsg1/debian/control libsdl2-2.0.4+dfsg1/debian/control
--- libsdl2-2.0.4+dfsg1/debian/control 2016-01-20 18:03:24.000000000 +0000
+++ libsdl2-2.0.4+dfsg1/debian/control 2019-08-28 22:11:25.000000000 +0000
@@ -1,7 +1,8 @@
 Source: libsdl2
 Priority: optional
 Section: libs
-Maintainer: Debian SDL packages maintainers
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Debian SDL packages maintainers
 Uploaders: Sam Hocevar ,
 Manuel A. Fernandez Montecelo ,
diff -Nru libsdl2-2.0.4+dfsg1/debian/patches/build_failure.diff libsdl2-2.0.4+dfsg1/debian/patches/build_failure.diff
--- libsdl2-2.0.4+dfsg1/debian/patches/build_failure.diff 1970-01-01 00:00:00.000000000 +0000
+++ libsdl2-2.0.4+dfsg1/debian/patches/build_failure.diff 2019-09-16 13:09:31.000000000 +0000
@@ -0,0 +1,30 @@
+Description: HG changeset patch
+ xwayland: Add wl_proxy_marshal_constructor_versioned sym
+ wl_proxy_marshal_constructor_versioned was introduce in wayland-client 1.10.
+Author: Jonas Ã…dahl
+Origin: upstream, https://hg.libsdl.org/SDL/rev/330f500d5815
+Bug: https://bugzilla.libsdl.org/show_bug.cgi?id=3265
+Last-Update: 2019-09-16
+
+--- a/src/video/wayland/SDL_waylanddyn.h
++++ b/src/video/wayland/SDL_waylanddyn.h
+@@ -79,6 +79,7 @@ void SDL_WAYLAND_UnloadSymbols(void);
+ #define wl_proxy_get_user_data (*WAYLAND_wl_proxy_get_user_data)
+ #define wl_proxy_add_listener (*WAYLAND_wl_proxy_add_listener)
+ #define wl_proxy_marshal_constructor (*WAYLAND_wl_proxy_marshal_constructor)
++#define wl_proxy_marshal_constructor_versioned (*WAYLAND_wl_proxy_marshal_constructor_versioned)
+
+ #define wl_seat_interface (*WAYLAND_wl_seat_interface)
+ #define wl_surface_interface (*WAYLAND_wl_surface_interface)
+--- a/src/video/wayland/SDL_waylandsym.h
++++ b/src/video/wayland/SDL_waylandsym.h
+@@ -55,6 +55,9 @@ SDL_WAYLAND_SYM(void, wl_list_insert_lis
+ SDL_WAYLAND_MODULE(WAYLAND_CLIENT_1_4)
+ SDL_WAYLAND_SYM(struct wl_proxy *, wl_proxy_marshal_constructor, (struct wl_proxy *, uint32_t opcode, const struct wl_interface *interface, ...))
+
++SDL_WAYLAND_MODULE(WAYLAND_CLIENT_1_10)
++SDL_WAYLAND_SYM(struct wl_proxy *, wl_proxy_marshal_constructor_versioned, (struct wl_proxy *proxy, uint32_t opcode, const struct wl_interface *interface, uint32_t version, ...))
++
+ SDL_WAYLAND_INTERFACE(wl_seat_interface)
+ SDL_WAYLAND_INTERFACE(wl_surface_interface)
+ SDL_WAYLAND_INTERFACE(wl_shm_pool_interface)
diff -Nru libsdl2-2.0.4+dfsg1/debian/patches/CVE-2017-2888_CVE-2019-7637.diff libsdl2-2.0.4+dfsg1/debian/patches/CVE-2017-2888_CVE-2019-7637.diff
--- libsdl2-2.0.4+dfsg1/debian/patches/CVE-2017-2888_CVE-2019-7637.diff 1970-01-01 00:00:00.000000000 +0000
+++ libsdl2-2.0.4+dfsg1/debian/patches/CVE-2017-2888_CVE-2019-7637.diff 2019-09-10 22:04:37.000000000 +0000
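Review bot: The changelog entry in this upload refers to this patch as `debian/patches/ftbfs.diff`, but the file added here and listed in debian/patches/series is `build_failure.diff`; the same entry also names the palette patch `CVE-2019-7636_CVE-2019-7638.patch` while the shipped file ends in `.diff`, so both references should be corrected to match the files that actually ship. The `Author:` header reads `Jonas Ã…dahl`, which looks like a UTF-8 name re-encoded through Latin-1 when the DEP-3 header was written; re-saving the header as UTF-8 would fix it. In the description, `was introduce in wayland-client 1.10` should read `was introduced in wayland-client 1.10`.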
@@ -0,0 +1,60 @@
+Description: Fixed bug 3890 - Incomplete fix for CVE-2017-2888
+ Felix Geyer
+ http://hg.libsdl.org/SDL/rev/7e0f1498ddb5 tries to fix CVE-2017-2888.
+ Unfortunately compilers may optimize the second condition "(size /
+ surface->pitch) != surface->h" away. See
+ https://bugzilla.redhat.com/show_bug.cgi?id=1500623#c2 I've verified that this
+ is also the case on Debian unstable (gcc 7.2).
+
+ [Ubuntu note: Added SDL_MAX_SINT32 defs for compatibility with patch
+ -- Avital]
+Author: Sam Lantinga
+Origin: backport, https://hg.libsdl.org/SDL/rev/81a4950907a0
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878264
+Bug: https://bugzilla.libsdl.org/show_bug.cgi?id=4497
+Last-Update: 2019-09-10
+
+--- a/src/video/SDL_surface.c
++++ b/src/video/SDL_surface.c
+@@ -26,6 +26,10 @@
+ #include "SDL_RLEaccel_c.h"
+ #include "SDL_pixels_c.h"
+
++/* Check to make sure we can safely check multiplication of surface w and pitch and it won't overflow size_t */
++SDL_COMPILE_TIME_ASSERT(surface_size_assumptions,
++sizeof(int) == sizeof(Sint32) && sizeof(size_t) >= sizeof(Sint32));
++
+ /* Public routines */
+ /*
+ * Create an empty RGB surface of the appropriate depth
+@@ -87,15 +91,16 @@ SDL_CreateRGBSurface(Uint32 flags,
+
+ /* Get the pixels */
+ if (surface->w && surface->h) {
+- int size = (surface->h * surface->pitch);
+- if (size < 0 || (size / surface->pitch) != surface->h) {
++ /* Assumptions checked in surface_size_assumptions assert above */
++ Sint64 size = ((Sint64)surface->h * surface->pitch);
++ if (size < 0 || size > SDL_MAX_SINT32) {
+ /* Overflow... */
+ SDL_FreeSurface(surface);
+ SDL_OutOfMemory();
+ return NULL;
+ }
+
+- surface->pixels = SDL_malloc(size);
++ surface->pixels = SDL_malloc((size_t)size);
+ if (!surface->pixels) {
+ SDL_FreeSurface(surface);
+ SDL_OutOfMemory();
+--- a/include/SDL_stdinc.h
++++ b/include/SDL_stdinc.h
+@@ -148,6 +148,8 @@ typedef uint16_t Uint16;
+ /**
+ * \brief A signed 32-bit integer type.
+ */
++#define SDL_MAX_SINT32 ((Sint32)0x7FFFFFFF) /* 2147483647 */
++#define SDL_MIN_SINT32 ((Sint32)(~0x7FFFFFFF)) /* -2147483648 */
+ typedef int32_t Sint32;
+ /**
+ * \brief An unsigned 32-bit integer type.
diff -Nru libsdl2-2.0.4+dfsg1/debian/patches/CVE-2017-2888.diff libsdl2-2.0.4+dfsg1/debian/patches/CVE-2017-2888.diff
--- libsdl2-2.0.4+dfsg1/debian/patches/CVE-2017-2888.diff 1970-01-01 00:00:00.000000000 +0000
+++ libsdl2-2.0.4+dfsg1/debian/patches/CVE-2017-2888.diff 2019-09-10 21:44:45.000000000 +0000
@@ -0,0 +1,25 @@
+Description: Fixed potential overflow in surface allocation (thanks Yves!)
+Author: Sam Lantinga
+Origin: https://hg.libsdl.org/SDL/rev/7e0f1498ddb5
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878264
+Last-Update: 2019-09-10
+
+--- a/src/video/SDL_surface.c
++++ b/src/video/SDL_surface.c
+@@ -87,7 +87,15 @@ SDL_CreateRGBSurface(Uint32 flags,
+
+ /* Get the pixels */
+ if (surface->w && surface->h) {
+- surface->pixels = SDL_malloc(surface->h * surface->pitch);
++ int size = (surface->h * surface->pitch);
++ if (size < 0 || (size / surface->pitch) != surface->h) {
++ /* Overflow... */
++ SDL_FreeSurface(surface);
++ SDL_OutOfMemory();
++ return NULL;
++ }
++
++ surface->pixels = SDL_malloc(size);
+ if (!surface->pixels) {
+ SDL_FreeSurface(surface);
+ SDL_OutOfMemory();
diff -Nru libsdl2-2.0.4+dfsg1/debian/patches/CVE-2019-7635.diff libsdl2-2.0.4+dfsg1/debian/patches/CVE-2019-7635.diff
--- libsdl2-2.0.4+dfsg1/debian/patches/CVE-2019-7635.diff 1970-01-01 00:00:00.000000000 +0000
+++ libsdl2-2.0.4+dfsg1/debian/patches/CVE-2019-7635.diff 2019-09-10 21:40:32.000000000 +0000
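Review bot: The comment introduced above `SDL_COMPILE_TIME_ASSERT` says it guards the `multiplication of surface w and pitch`, but the expression the assert exists for is `(Sint64)surface->h * surface->pitch` in the second hunk; suggest `/* Check that surface->h * surface->pitch can be computed in Sint64 without overflow and that a value <= SDL_MAX_SINT32 fits in size_t for SDL_malloc */`. In the SDL_stdinc.h hunk the two `#define`s land between the `*/` of the `\brief A signed 32-bit integer type.` Doxygen comment and `typedef int32_t Sint32;`, so that comment now attaches to `SDL_MAX_SINT32` instead of the typedef; placing the defines directly after the typedef keeps the documentation attached. The overflow branch still reports `SDL_OutOfMemory()`, so a rejected oversize dimension is indistinguishable from a genuine allocation failure to callers and in logs; that mirrors upstream, but a dedicated `SDL_SetError("Surface size overflow")` would make rejected-input cases visible when triaging crashes. SDL_CreateRGBSurface starts and ends outside the hunk.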
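Review bot: The check `if (size < 0 || (size / surface->pitch) != surface->h)` tests for overflow only after `surface->h * surface->pitch` has already overflowed `int`, which is undefined behaviour and is exactly what the following patch in the series (CVE-2017-2888_CVE-2019-7637.diff) notes compilers optimise away; nothing further needs to change in this file since that patch replaces these lines, but the DEP-3 header should record the dependency, e.g. `Comment: Superseded by CVE-2017-2888_CVE-2019-7637.diff, which must remain applied after this patch.`, so a future rebase does not drop the follow-up and leave this check alone. The changelog describes CVE-2017-2888 as a heap over-read in Fill_IMA_ADPCM_block, whereas this patch and its follow-up only touch the pixel-buffer allocation in SDL_CreateRGBSurface; that wording presumably came from a different advisory and should be aligned with what the patches change. SDL_CreateRGBSurface starts and ends outside the hunk.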
@@ -0,0 +1,74 @@
+Description: Fixed CVE-2019-7635 and bug 4498
+ Heap-Buffer Overflow in Blit1to4 pertaining to SDL_blit_1.c
+
+ Petr Pisar
+
+ The root cause is that the POC BMP file declares 3 colors used and 4 bpp
+ palette, but pixel at line 28 and column 1 (counted from 0) has color number 3.
+ Then when the image loaded into a surface is passed to SDL_DisplayFormat(), in
+ order to convert it to a video format, a used bliting function looks up a color
+ number 3 in a 3-element long color bliting map. (The map obviously has the same
+ number entries as the surface format has colors.)
+
+ Proper fix should refuse broken BMP images that have a pixel with a color index
+ higher than declared number of "used" colors. Possibly more advanced fix could
+ try to relocate the out-of-range color index into a vacant index (if such
+ exists).
+Author: Sam Lantinga
+Origin: https://hg.libsdl.org/SDL/rev/7c643f1c1887
+Bug: https://bugzilla.libsdl.org/show_bug.cgi?id=4498
+Last-Update: 2019-09-10
+
+--- a/src/video/SDL_bmp.c
++++ b/src/video/SDL_bmp.c
+@@ -237,6 +237,14 @@ SDL_LoadBMP_RW(SDL_RWops * src, int free
+ ExpandBMP = biBitCount;
+ biBitCount = 8;
+ break;
++ case 2:
++ case 3:
++ case 5:
++ case 6:
++ case 7:
++ SDL_SetError("%d-bpp BMP images are not supported", biBitCount);
++ was_error = SDL_TRUE;
++ goto done;
+ default:
+ ExpandBMP = 0;
+ break;
+@@ -385,19 +393,32 @@ SDL_LoadBMP_RW(SDL_RWops * src, int free
+ goto done;
+ }
+ }
+- *(bits + i) = (pixel >> shift);
++ bits[i] = (pixel >> shift);
++ if (bits[i] >= biClrUsed) {
++ SDL_SetError("A BMP image contains a pixel with a color out of the palette");
++ was_error = SDL_TRUE;
++ goto done;
++ }
+ pixel <<= ExpandBMP;
+ }
+ }
+ break;
+
+ default:
+- if (SDL_RWread(src, bits, 1, surface->pitch)
+- != surface->pitch) {
++ if (SDL_RWread(src, bits, 1, surface->pitch) != surface->pitch) {
+ SDL_Error(SDL_EFREAD);
+ was_error = SDL_TRUE;
+ goto done;
+ }
++ if (biBitCount == 8 && palette && biClrUsed < (1 << biBitCount)) {
++ for (i = 0; i < surface->w; ++i) {
++ if (bits[i] >= biClrUsed) {
++ SDL_SetError("A BMP image contains a pixel with a color out of the palette");
++ was_error = SDL_TRUE;
++ goto done;
++ }
++ }
++ }
+ #if SDL_BYTEORDER == SDL_BIG_ENDIAN
+ /* Byte-swap the pixels if needed. Note that the 24bpp
+ case has already been taken care of above. */
diff -Nru libsdl2-2.0.4+dfsg1/debian/patches/CVE-2019-7636_CVE-2019-7638.diff libsdl2-2.0.4+dfsg1/debian/patches/CVE-2019-7636_CVE-2019-7638.diff
--- libsdl2-2.0.4+dfsg1/debian/patches/CVE-2019-7636_CVE-2019-7638.diff 1970-01-01 00:00:00.000000000 +0000
+++ libsdl2-2.0.4+dfsg1/debian/patches/CVE-2019-7636_CVE-2019-7638.diff 2019-09-10 21:40:45.000000000 +0000
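Review bot: The per-pixel palette check added in the ExpandBMP branch, `if (bits[i] >= biClrUsed)`, runs unconditionally, while the equivalent check in the 8-bpp branch is guarded by `biBitCount == 8 && palette && biClrUsed < (1 << biBitCount)`; if a 1- or 4-bpp file can reach this loop with `palette` NULL, `biClrUsed` presumably still holds the raw header value (0 meaning "all colours"), and every pixel would then be rejected. If that path is reachable, the same `palette &&` guard belongs on the ExpandBMP check; if it is not, a short comment such as `/* surface always has a palette here: 1/4-bpp files are created as 8-bpp indexed */` would spare the next reader the question. The two checks also duplicate the same error string and cleanup sequence, which would read better as one small static helper. SDL_LoadBMP_RW starts and ends outside both hunks.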
@@ -0,0 +1,34 @@
+Description: Fixed bug 4500
+ Heap-Buffer Overflow in Map1toN pertaining to SDL_pixels.c
+
+ Petr Pisar
+
+ The reproducer has these data in BITMAPINFOHEADER:
+
+ biSize = 40
+ biBitCount = 8
+ biClrUsed = 131075
+
+ SDL_LoadBMP_RW() function passes biBitCount as a color depth to
+ SDL_CreateRGBSurface(), thus 256-color pallete is allocated. But then biClrUsed
+ colors are read from a file and stored into the palette. SDL_LoadBMP_RW should
+ report an error if biClrUsed is greater than 2^biBitCount.
+Author: Sam Lantinga
+Origin: https://hg.libsdl.org/SDL/rev/7c643f1c1887
+Bug: https://bugzilla.libsdl.org/show_bug.cgi?id=4499
+Bug: https://bugzilla.libsdl.org/show_bug.cgi?id=4500
+Last-Update: 2019-09-10
+
+--- a/src/video/SDL_bmp.c
++++ b/src/video/SDL_bmp.c
+@@ -312,6 +312,10 @@ SDL_LoadBMP_RW(SDL_RWops * src, int free
+ SDL_assert(biBitCount <= 8);
+ if (biClrUsed == 0) {
+ biClrUsed = 1 << biBitCount;
++ } else if (biClrUsed > (1 << biBitCount)) {
++ SDL_SetError("BMP file has an invalid number of colors");
++ was_error = SDL_TRUE;
++ goto done;
+ }
+ if ((int) biClrUsed > palette->ncolors) {
+ SDL_Color *colors;
diff -Nru libsdl2-2.0.4+dfsg1/debian/patches/full-screen-switch-fix.patch libsdl2-2.0.4+dfsg1/debian/patches/full-screen-switch-fix.patch
--- libsdl2-2.0.4+dfsg1/debian/patches/full-screen-switch-fix.patch 1970-01-01 00:00:00.000000000 +0000
+++ libsdl2-2.0.4+dfsg1/debian/patches/full-screen-switch-fix.patch 2019-08-28 18:45:20.000000000 +0000
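Review bot: The new comparison `biClrUsed > (1 << biBitCount)` depends on the preceding `SDL_assert(biBitCount <= 8)` to keep the shift in range, and `SDL_assert` is a debug-only check; if any path can reach this block with `biBitCount` of 31 or more, the shift is undefined behaviour before the comparison runs. A form that does not depend on the assert is `} else if (biBitCount > 8 || biClrUsed > (1u << biBitCount)) {`, or else a comment naming the earlier check that guarantees the bound. The `1u` also makes the comparison unsigned against unsigned, consistent with the `(int) biClrUsed` cast two lines below, which suggests `biClrUsed` is an unsigned type. SDL_LoadBMP_RW starts and ends outside the hunk.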
@@ -0,0 +1,16 @@
+Description: This patch is part of upstream code.
+Origin: https://hg.libsdl.org/SDL/diff/f931db466859/src/video/x11/SDL_x11framebuffer.c
+Bug-Ubuntu: https://launchpad.net/bugs/1679573
+Last-Update: 2017-11-11
+
+--- a/src/video/x11/SDL_x11framebuffer.c
++++ b/src/video/x11/SDL_x11framebuffer.c
+@@ -97,7 +97,7 @@ X11_CreateWindowFramebuffer(_THIS, SDL_W
+ shm_error = False;
+ X_handler = X11_XSetErrorHandler(shm_errhandler);
+ X11_XShmAttach(display, shminfo);
+- X11_XSync(display, True);
++ X11_XSync(display, False);
+ X11_XSetErrorHandler(X_handler);
+ if ( shm_error )
+ shmdt(shminfo->shmaddr);
diff -Nru libsdl2-2.0.4+dfsg1/debian/patches/SDL2_dont_propagate_lpthread.diff libsdl2-2.0.4+dfsg1/debian/patches/SDL2_dont_propagate_lpthread.diff
--- libsdl2-2.0.4+dfsg1/debian/patches/SDL2_dont_propagate_lpthread.diff 2016-01-03 11:19:29.000000000 +0000
+++ libsdl2-2.0.4+dfsg1/debian/patches/SDL2_dont_propagate_lpthread.diff 2019-08-28 18:45:19.000000000 +0000
@@ -22,7 +22,7 @@
 --- a/sdl2.pc.in
 +++ b/sdl2.pc.in
-@@ -10,6 +10,6 @@
+@@ -10,6 +10,6 @@ Description: Simple DirectMedia Layer is
 Version: @SDL_VERSION@
 Requires:
 Conflicts:
@@ -32,7 +32,7 @@
 Cflags: -I${includedir}/SDL2 @SDL_CFLAGS@
 --- a/sdl2-config.in
 +++ b/sdl2-config.in
-@@ -45,7 +45,7 @@
+@@ -45,7 +45,7 @@ while test $# -gt 0; do
 echo -I@includedir@/SDL2 @SDL_CFLAGS@
 ;;
 @ENABLE_SHARED_TRUE@ --libs)
diff -Nru libsdl2-2.0.4+dfsg1/debian/patches/series libsdl2-2.0.4+dfsg1/debian/patches/series
--- libsdl2-2.0.4+dfsg1/debian/patches/series 2016-01-25 13:15:21.000000000 +0000
+++ libsdl2-2.0.4+dfsg1/debian/patches/series 2019-09-25 15:39:29.000000000 +0000
@@ -1,2 +1,8 @@
 SDL2_dont_propagate_lpthread.diff
 mir_new_abi_api.diff
+full-screen-switch-fix.patch
+CVE-2017-2888.diff
+CVE-2017-2888_CVE-2019-7637.diff
+CVE-2019-7635.diff
+CVE-2019-7636_CVE-2019-7638.diff
+build_failure.diff
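Review bot: The DEP-3 `Description: This patch is part of upstream code.` says nothing about what the change does or why it is needed; the only hint is the changelog's "full-screen switching mode". The one-line change flips the second argument of `X11_XSync` from `True` to `False`, i.e. it stops discarding the queued X events after `X11_XShmAttach`, so the header should say that, e.g. `Description: x11: do not discard pending X events when syncing after XShmAttach; fixes full-screen mode switching (LP: #1679573)`. X11_CreateWindowFramebuffer starts and ends outside the hunk.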