Commit e8f1db19 authored by Fabian Greffrath's avatar Fabian Greffrath

remove patches backported from upstream

parent 26e419b9
# HG changeset patch
# User Sam Lantinga <slouken@libsdl.org>
# Date 1507331870 25200
# Node ID 7e0f1498ddb549a338a220534875529ef0ba55ce
# Parent dc7245e3d1f2ae032caa7776940af4aebe6afc05
Fixed potential overflow in surface allocation (thanks Yves!)
diff -r dc7245e3d1f2 -r 7e0f1498ddb5 src/video/SDL_surface.c
--- a/src/video/SDL_surface.c Thu Oct 05 09:37:28 2017 -0700
+++ b/src/video/SDL_surface.c Fri Oct 06 16:17:50 2017 -0700
@@ -80,7 +80,15 @@
/* Get the pixels */
if (surface->w && surface->h) {
- surface->pixels = SDL_malloc(surface->h * surface->pitch);
+ int size = (surface->h * surface->pitch);
+ if (size < 0 || (size / surface->pitch) != surface->h) {
+ /* Overflow... */
+ SDL_FreeSurface(surface);
+ SDL_OutOfMemory();
+ return NULL;
+ }
+
+ surface->pixels = SDL_malloc(size);
if (!surface->pixels) {
SDL_FreeSurface(surface);
SDL_OutOfMemory();
# HG changeset patch
# User Sam Lantinga <slouken@libsdl.org>
# Date 1508189996 25200
# Node ID 97bc026b46ded1ef28709d246130e66e81f1b513
# Parent 2eaf345a2a301183f671cdb31852bee8196aaec8
Added min/max macros for the sized SDL datatypes
diff -r 2eaf345a2a30 -r 97bc026b46de include/SDL_stdinc.h
--- a/include/SDL_stdinc.h Sun Oct 15 21:21:19 2017 -0700
+++ b/include/SDL_stdinc.h Mon Oct 16 14:39:56 2017 -0700
@@ -146,35 +146,51 @@
/**
* \brief A signed 8-bit integer type.
*/
+#define SDL_MAX_SINT8 ((Sint8)0x7F) /* 127 */
+#define SDL_MIN_SINT8 ((Sint8)(~0x7F)) /* -128 */
typedef int8_t Sint8;
/**
* \brief An unsigned 8-bit integer type.
*/
+#define SDL_MAX_UINT8 ((Uint8)0xFF) /* 255 */
+#define SDL_MIN_UINT8 ((Uint8)0x00) /* 0 */
typedef uint8_t Uint8;
/**
* \brief A signed 16-bit integer type.
*/
+#define SDL_MAX_SINT16 ((Sint16)0x7FFF) /* 32767 */
+#define SDL_MIN_SINT16 ((Sint16)(~0x7FFF)) /* -32768 */
typedef int16_t Sint16;
/**
* \brief An unsigned 16-bit integer type.
*/
+#define SDL_MAX_UINT16 ((Uint16)0xFFFF) /* 65535 */
+#define SDL_MIN_UINT16 ((Uint16)0x0000) /* 0 */
typedef uint16_t Uint16;
/**
* \brief A signed 32-bit integer type.
*/
+#define SDL_MAX_SINT32 ((Sint32)0x7FFFFFFF) /* 2147483647 */
+#define SDL_MIN_SINT32 ((Sint32)(~0x7FFFFFFF)) /* -2147483648 */
typedef int32_t Sint32;
/**
* \brief An unsigned 32-bit integer type.
*/
+#define SDL_MAX_UINT32 ((Uint32)0xFFFFFFFFu) /* 4294967295 */
+#define SDL_MIN_UINT32 ((Uint32)0x00000000) /* 0 */
typedef uint32_t Uint32;
/**
* \brief A signed 64-bit integer type.
*/
+#define SDL_MAX_SINT64 ((Sint64)0x7FFFFFFFFFFFFFFFll) /* 9223372036854775807 */
+#define SDL_MIN_SINT64 ((Sint64)(~0x7FFFFFFFFFFFFFFFll)) /* -9223372036854775808 */
typedef int64_t Sint64;
/**
* \brief An unsigned 64-bit integer type.
*/
+#define SDL_MAX_UINT64 ((Uint64)0xFFFFFFFFFFFFFFFFull) /* 18446744073709551615 */
+#define SDL_MIN_UINT64 ((Uint64)(0x0000000000000000ull)) /* 0 */
typedef uint64_t Uint64;
/* @} *//* Basic data types */
diff -r 2eaf345a2a30 -r 97bc026b46de test/testplatform.c
--- a/test/testplatform.c Sun Oct 15 21:21:19 2017 -0700
+++ b/test/testplatform.c Mon Oct 16 14:39:56 2017 -0700
@@ -30,6 +30,26 @@
{
int error = 0;
+ SDL_COMPILE_TIME_ASSERT(SDL_MAX_SINT8, SDL_MAX_SINT8 == 127);
+ SDL_COMPILE_TIME_ASSERT(SDL_MIN_SINT8, SDL_MIN_SINT8 == -128);
+ SDL_COMPILE_TIME_ASSERT(SDL_MAX_UINT8, SDL_MAX_UINT8 == 255);
+ SDL_COMPILE_TIME_ASSERT(SDL_MIN_UINT8, SDL_MIN_UINT8 == 0);
+
+ SDL_COMPILE_TIME_ASSERT(SDL_MAX_SINT16, SDL_MAX_SINT16 == 32767);
+ SDL_COMPILE_TIME_ASSERT(SDL_MIN_SINT16, SDL_MIN_SINT16 == -32768);
+ SDL_COMPILE_TIME_ASSERT(SDL_MAX_UINT16, SDL_MAX_UINT16 == 65535);
+ SDL_COMPILE_TIME_ASSERT(SDL_MIN_UINT16, SDL_MIN_UINT16 == 0);
+
+ SDL_COMPILE_TIME_ASSERT(SDL_MAX_SINT32, SDL_MAX_SINT32 == 2147483647);
+ SDL_COMPILE_TIME_ASSERT(SDL_MIN_SINT32, SDL_MIN_SINT32 == ~0x7fffffff); /* Instead of -2147483648, which is treated as unsigned by some compilers */
+ SDL_COMPILE_TIME_ASSERT(SDL_MAX_UINT32, SDL_MAX_UINT32 == 4294967295u);
+ SDL_COMPILE_TIME_ASSERT(SDL_MIN_UINT32, SDL_MIN_UINT32 == 0);
+
+ SDL_COMPILE_TIME_ASSERT(SDL_MAX_SINT64, SDL_MAX_SINT64 == 9223372036854775807ll);
+ SDL_COMPILE_TIME_ASSERT(SDL_MIN_SINT64, SDL_MIN_SINT64 == ~0x7fffffffffffffffll); /* Instead of -9223372036854775808, which is treated as unsigned by compilers */
+ SDL_COMPILE_TIME_ASSERT(SDL_MAX_UINT64, SDL_MAX_UINT64 == 18446744073709551615ull);
+ SDL_COMPILE_TIME_ASSERT(SDL_MIN_UINT64, SDL_MIN_UINT64 == 0);
+
if (badsize(sizeof(Uint8), 1)) {
if (verbose)
SDL_Log("sizeof(Uint8) != 1, instead = %u\n",
# HG changeset patch
# User Sam Lantinga <slouken@libsdl.org>
# Date 1508191062 25200
# Node ID 81a4950907a01359f2f9390875291eb3951e6c6b
# Parent 97bc026b46ded1ef28709d246130e66e81f1b513
Fixed bug 3890 - Incomplete fix for CVE-2017-2888
Felix Geyer
http://hg.libsdl.org/SDL/rev/7e0f1498ddb5 tries to fix CVE-2017-2888.
Unfortunately compilers may optimize the second condition "(size / surface->pitch) != surface->h" away.
See https://bugzilla.redhat.com/show_bug.cgi?id=1500623#c2
I've verified that this is also the case on Debian unstable (gcc 7.2).
diff -r 97bc026b46de -r 81a4950907a0 src/video/SDL_surface.c
--- a/src/video/SDL_surface.c Mon Oct 16 14:39:56 2017 -0700
+++ b/src/video/SDL_surface.c Mon Oct 16 14:57:42 2017 -0700
@@ -37,6 +37,10 @@
#include "SDL_RLEaccel_c.h"
#include "SDL_pixels_c.h"
+/* Check to make sure we can safely check multiplication of surface w and pitch and it won't overflow size_t */
+SDL_COMPILE_TIME_ASSERT(surface_size_assumptions,
+ sizeof(int) == sizeof(Sint32) && sizeof(size_t) >= sizeof(Sint32));
+
/* Public routines */
/*
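Review bot: The comment added above `surface_size_assumptions` says "multiplication of surface w and pitch", but the guarded expression in the second hunk of this patch is `(Sint64)surface->h * surface->pitch`. The comment also does not say why each half of the assertion matters. I would reword it to `/* The pixel buffer size is computed as (Sint64)h * pitch and capped at SDL_MAX_SINT32; that is only sound if int is 32 bits wide and size_t can hold every non-negative Sint32 */`. That way anyone porting to a platform where the assert fires knows which line depends on it.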
@@ -91,15 +95,16 @@
/* Get the pixels */
if (surface->w && surface->h) {
- int size = (surface->h * surface->pitch);
- if (size < 0 || (size / surface->pitch) != surface->h) {
+ /* Assumptions checked in surface_size_assumptions assert above */
+ Sint64 size = ((Sint64)surface->h * surface->pitch);
+ if (size < 0 || size > SDL_MAX_SINT32) {
/* Overflow... */
SDL_FreeSurface(surface);
SDL_OutOfMemory();
return NULL;
}
- surface->pixels = SDL_malloc(size);
+ surface->pixels = SDL_malloc((size_t)size);
if (!surface->pixels) {
SDL_FreeSurface(surface);
SDL_OutOfMemory();
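Review bot: Widening to `Sint64` before multiplying removes the signed-overflow problem for `h * pitch`, but the check is only as good as the `pitch` value it is given. `surface->pitch` is computed outside this hunk, so it is not visible whether that earlier computation is done in `int` and could wrap to a small positive value before it reaches this line; that should be confirmed. With 32-bit operands the 64-bit product cannot wrap, so `size < 0` can only be true when `h` or `pitch` is negative. A short comment such as `/* negative size means h or pitch was negative; the 64-bit product itself cannot wrap */` would make that intent explicit. The enclosing function starts and ends outside the hunk.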
Origin: https://hg.libsdl.org/SDL/rev/dc7245e3d1f2
diff -r 3a23ca106752 -r dc7245e3d1f2 src/core/linux/SDL_ibus.c
--- a/src/core/linux/SDL_ibus.c Mon Oct 02 10:50:33 2017 -0700
+++ b/src/core/linux/SDL_ibus.c Thu Oct 05 09:37:28 2017 -0700
@@ -479,7 +479,7 @@
SDL_DBusContext *dbus = SDL_DBus_GetContext();
if (IBus_CheckConnection(dbus)) {
- SDL_DBus_CallVoidMethodOnConnection(ibus_conn, IBUS_SERVICE, input_ctx_path, IBUS_INPUT_INTERFACE, method);
+ SDL_DBus_CallVoidMethodOnConnection(ibus_conn, IBUS_SERVICE, input_ctx_path, IBUS_INPUT_INTERFACE, method, DBUS_TYPE_INVALID);
}
}
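Review bot: The added `DBUS_TYPE_INVALID` looks like the terminator of a variadic argument list, so the same omission may exist at other call sites that this hunk does not show. The prototype of `SDL_DBus_CallVoidMethodOnConnection` is not visible here; presumably the callee reads arguments until it sees this value, and without it would read past what the caller supplied. It would be worth checking every other call of this helper and its siblings for the terminator. A comment on the declaration, `/* argument list must end with DBUS_TYPE_INVALID */`, would document the contract.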
no-libdir.patch
dc7245e3d1f2.patch
CVE-2017-2888-1.patch
CVE-2017-2888-2.patch
CVE-2017-2888-3.patch