diff --git a/CVE-2019-13616.patch b/CVE-2019-13616.patch
deleted file mode 100644
index 83256fb4dfd24612e7c7e2999896d2f5a3c9dd60..0000000000000000000000000000000000000000
--- a/CVE-2019-13616.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-# HG changeset patch
-# User Sam Lantinga
-# Date 1564509600 25200
-# Node ID e7ba650a643ad88dd8545511a18af1c9dcdfa2da
-# Parent b810b78d32cc41a2384d0f14746ae889d443ffa7
-Fixed bug 4538 - validate image size when loading BMP files
-
-diff -r b810b78d32cc -r e7ba650a643a src/video/SDL_bmp.c
---- a/src/video/SDL_bmp.c Thu Jul 25 08:05:13 2019 -0500
-+++ b/src/video/SDL_bmp.c Tue Jul 30 11:00:00 2019 -0700
-@@ -226,6 +226,11 @@
- SDL_RWseek(src, (biSize - headerSize), RW_SEEK_CUR);
- }
- }
-+ if (biWidth <= 0 || biHeight == 0) {
-+ SDL_SetError("BMP file with bad dimensions (%dx%d)", biWidth, biHeight);
-+ was_error = SDL_TRUE;
-+ goto done;
-+ }
- if (biHeight < 0) {
- topDown = SDL_TRUE;
- biHeight = -biHeight;
-
diff --git a/CVE-2020-14409_CVE-2020-14410.patch b/CVE-2020-14409_CVE-2020-14410.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4c9b59dd436e2c9624cd9f0cc91284aac3c43d96
--- /dev/null
+++ b/CVE-2020-14409_CVE-2020-14410.patch
@@ -0,0 +1,73 @@
+From a7ff6e96155f550a5597621ebeddd03c98aa9294 Mon Sep 17 00:00:00 2001
+From: Sam Lantinga
+Date: Wed, 17 Jun 2020 08:44:45 -0700
+Subject: [PATCH] Fixed overflow in surface pitch calculation
+
+---
+ src/video/SDL_surface.c | 23 +++++++++++++++--------
+ 1 file changed, 15 insertions(+), 8 deletions(-)
+
+diff --git a/src/video/SDL_surface.c b/src/video/SDL_surface.c
+index 085d9ff1e17..bff826f7cc6 100644
+--- a/src/video/SDL_surface.c
++++ b/src/video/SDL_surface.c
+@@ -28,24 +28,23 @@
+ #include "SDL_yuv_c.h"
+
+
+-/* Check to make sure we can safely check multiplication of surface w and pitch and it won't overflow size_t */
+-SDL_COMPILE_TIME_ASSERT(surface_size_assumptions,
+- sizeof(int) == sizeof(Sint32) && sizeof(size_t) >= sizeof(Sint32));
++/* Check to make sure we can safely check multiplication of surface w and pitch and it won't overflow Sint64 */
++SDL_COMPILE_TIME_ASSERT(surface_size_assumptions, sizeof(int) == sizeof(Sint32));
+
+ /* Public routines */
+
+ /*
+ * Calculate the pad-aligned scanline width of a surface
+ */
+-static int
++static Sint64
+ SDL_CalculatePitch(Uint32 format, int width)
+ {
+- int pitch;
++ Sint64 pitch;
+
+ if (SDL_ISPIXELFORMAT_FOURCC(format) || SDL_BITSPERPIXEL(format) >= 8) {
+- pitch = (width * SDL_BYTESPERPIXEL(format));
++ pitch = ((Sint64)width * SDL_BYTESPERPIXEL(format));
+ } else {
+- pitch = ((width * SDL_BITSPERPIXEL(format)) + 7) / 8;
++ pitch = (((Sint64)width * SDL_BITSPERPIXEL(format)) + 7) / 8;
+ }
+ pitch = (pitch + 3) & ~3; /* 4-byte aligning for speed */
+ return pitch;
+@@ -59,11 +58,19 @@ SDL_Surface *
+ SDL_CreateRGBSurfaceWithFormat(Uint32 flags, int width, int height, int depth,
+ Uint32 format)
+ {
++ Sint64 pitch;
+ SDL_Surface *surface;
+
+ /* The flags are no longer used, make the compiler happy */
+ (void)flags;
+
++ pitch = SDL_CalculatePitch(format, width);
++ if (pitch < 0 || pitch > SDL_MAX_SINT32) {
++ /* Overflow... */
++ SDL_OutOfMemory();
++ return NULL;
++ }
++
+ /* Allocate the surface */
+ surface = (SDL_Surface *) SDL_calloc(1, sizeof(*surface));
+ if (surface == NULL) {
+@@ -78,7 +85,7 @@ SDL_CreateRGBSurfaceWithFormat(Uint32 flags, int width, int height, int depth,
+ }
+ surface->w = width;
+ surface->h = height;
+- surface->pitch = SDL_CalculatePitch(format, width);
++ surface->pitch = (int)pitch;
+ SDL_SetClipRect(surface, NULL);
+
+ if (SDL_ISPIXELFORMAT_INDEXED(surface->format->format)) {
diff --git a/Fix-build-against-wayland-1.20.patch b/Fix-build-against-wayland-1.20.patch
new file mode 100644
index 0000000000000000000000000000000000000000..428796452972b45a61cab7ed5262345a5dcb0458
--- /dev/null
+++ b/Fix-build-against-wayland-1.20.patch
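Review bot: The new overflow branch in SDL_CreateRGBSurfaceWithFormat reports a rejected `width` through `SDL_OutOfMemory()`, so a caller or log reader cannot tell an out-of-range or negative width from a genuine allocation failure. Since this is a verbatim upstream backport, I would leave the code as is and only expand the comment at that branch, e.g. `/* pitch does not fit in int: width is out of range, reported as out-of-memory */`. The guard bounds the per-row pitch only; the buffer size derived from height and pitch is computed outside this hunk, so it is worth confirming in the 2.0.12 tree that it is also range-checked before the pixel allocation. SDL_CalculatePitch now returns Sint64, and any other caller in SDL_surface.c that stores the result in an `int` (none is visible here) would truncate silently.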
@@ -0,0 +1,42 @@
+From 068c13b1cac4fead98a458b70ef482ddc8205358 Mon Sep 17 00:00:00 2001
+From: David Redondo
+Date: Fri, 10 Dec 2021 16:22:34 +0100
+Subject: [PATCH] Fix build against wayland 1.20
+
+Fixes #5088
+---
+ src/video/wayland/SDL_waylanddyn.h | 2 ++
+ src/video/wayland/SDL_waylandsym.h | 4 ++++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/src/video/wayland/SDL_waylanddyn.h b/src/video/wayland/SDL_waylanddyn.h
+index 485a9c1..8ab0505 100644
+--- a/src/video/wayland/SDL_waylanddyn.h
++++ b/src/video/wayland/SDL_waylanddyn.h
+@@ -78,6 +78,8 @@ void SDL_WAYLAND_UnloadSymbols(void);
+ #define wl_proxy_set_user_data (*WAYLAND_wl_proxy_set_user_data)
+ #define wl_proxy_get_user_data (*WAYLAND_wl_proxy_get_user_data)
+ #define wl_proxy_get_version (*WAYLAND_wl_proxy_get_version)
++#define wl_proxy_marshal_flags (*WAYLAND_wl_proxy_marshal_flags)
++#define wl_proxy_marshal_array_flags (*WAYLAND_wl_proxy_marshal_array_flags)
+ #define wl_proxy_add_listener (*WAYLAND_wl_proxy_add_listener)
+ #define wl_proxy_marshal_constructor (*WAYLAND_wl_proxy_marshal_constructor)
+ #define wl_proxy_marshal_constructor_versioned (*WAYLAND_wl_proxy_marshal_constructor_versioned)
+diff --git a/src/video/wayland/SDL_waylandsym.h b/src/video/wayland/SDL_waylandsym.h
+index c4c189d..789f49e 100644
+--- a/src/video/wayland/SDL_waylandsym.h
++++ b/src/video/wayland/SDL_waylandsym.h
+@@ -71,6 +71,10 @@ SDL_WAYLAND_SYM(struct wl_proxy *, wl_proxy_marshal_constructor, (struct wl_prox
+ SDL_WAYLAND_MODULE(WAYLAND_CLIENT_1_10)
+ SDL_WAYLAND_SYM(struct wl_proxy *, wl_proxy_marshal_constructor_versioned, (struct wl_proxy *proxy, uint32_t opcode, const struct wl_interface *interface, uint32_t version, ...))
+
++SDL_WAYLAND_MODULE(WAYLAND_CLIENT_1_20)
++SDL_WAYLAND_SYM(struct wl_proxy*, wl_proxy_marshal_flags, (struct wl_proxy *proxy, uint32_t opcode, const struct wl_interface *interfac, uint32_t version, uint32_t flags, ...))
++SDL_WAYLAND_SYM(struct wl_proxy*, wl_proxy_marshal_array_flags, (struct wl_proxy *proxy, uint32_t opcode, const struct wl_interface *interface, uint32_t version, uint32_t flags, union wl_argument *args))
++
+ SDL_WAYLAND_INTERFACE(wl_seat_interface)
+ SDL_WAYLAND_INTERFACE(wl_surface_interface)
+ SDL_WAYLAND_INTERFACE(wl_shm_pool_interface)
+--
+1.8.3.1
+
diff --git a/SDL2-2.0.8.tar.gz b/SDL2-2.0.12.tar.gz
similarity index 38%
rename from SDL2-2.0.8.tar.gz
rename to SDL2-2.0.12.tar.gz
index befc15589cac185e3f836d4a0cb2ebeb54c0b606..111a62bf439abafc15884bb94865127444addaaf 100644
Binary files a/SDL2-2.0.8.tar.gz and b/SDL2-2.0.12.tar.gz differ
diff --git a/SDL2-2.0.9-khrplatform.patch b/SDL2-2.0.9-khrplatform.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b6c39278ba267b96b37a76c17cdfcbc5c6b9ee19
--- /dev/null
+++ b/SDL2-2.0.9-khrplatform.patch
@@ -0,0 +1,15 @@
+diff -up SDL2-2.0.9/include/SDL_opengl_glext.h.khrplatform SDL2-2.0.9/include/SDL_opengl_glext.h
+--- SDL2-2.0.9/include/SDL_opengl_glext.h.khrplatform 2019-02-15 20:22:39.173773779 -0500
++++ SDL2-2.0.9/include/SDL_opengl_glext.h 2019-02-15 20:22:58.176399330 -0500
+@@ -469,8 +469,9 @@ GLAPI void APIENTRY glBlendEquation (GLe
+ typedef long GLsizeiptr;
+ typedef long GLintptr;
+ #else
+-typedef ptrdiff_t GLsizeiptr;
+-typedef ptrdiff_t GLintptr;
++#include
++typedef khronos_intptr_t GLintptr;
++typedef khronos_ssize_t GLsizeiptr;
+ #endif
+ #define GL_BUFFER_SIZE 0x8764
+ #define GL_BUFFER_USAGE 0x8765
diff --git a/SDL2.spec b/SDL2.spec
index 5aa8592730d8df8ab476c221fbc8baf33854f2f5..f2a4d55cc0c37266deb593b129e72142361e50c8 100644
--- a/SDL2.spec
+++ b/SDL2.spec
@@ -1,21 +1,24 @@ Name: SDL2 -Version: 2.0.8 -Release: 11 +Version: 2.0.12 +Release: 1 Summary: Cross-platform multimedia library License: zlib and MIT URL: http://www.libsdl.org/ Source0: http://www.libsdl.org/release/%{name}-%{version}.tar.gz Source1: SDL_config.h Patch0000: multilib.patch -Patch0001: dynapi.patch -Patch0002: CVE-2019-13616.patch +Patch0001: SDL2-2.0.9-khrplatform.patch +Patch0002: Fix-build-against-wayland-1.20.patch +#https://github.com/libsdl-org/SDL/commit/a7ff6e96155f550a5597621ebeddd03c98aa9294 +Patch0003: CVE-2020-14409_CVE-2020-14410.patch Patch6000: backport-CVE-2021-33657.patch + BuildRequires: alsa-lib-devel audiofile-devel mesa-libGL-devel BuildRequires: mesa-libGLU-devel mesa-libEGL-devel libglvnd-devel BuildRequires: libXext-devel libX11-devel libXi-devel libXrandr-devel BuildRequires: libXrender-devel libXScrnSaver-devel libusb-devel BuildRequires: libXinerama-devel libXcursor-devel systemd-devel -BuildRequires: pkgconfig(libpulse-simple) +BuildRequires: pkgconfig(libpulse-simple) pkgconfig(jack) BuildRequires: pkgconfig(dbus-1) pkgconfig(ibus-1.0) BuildRequires: pkgconfig(wayland-client) pkgconfig(wayland-egl) BuildRequires: pkgconfig(wayland-cursor) pkgconfig(wayland-protocols) @@ -40,7 +43,7 @@ developing SDL applications. %prep %autosetup -p1 -sed -i -e 's/.*AM_PATH_ESD.*//' configure.in +sed -i -e 's/.*AM_PATH_ESD.*//' configure.ac sed -i -e 's/\r//g' TODO.txt README.txt WhatsNew.txt BUGS.txt COPYING.txt CREDITS.txt README-SDL.txt %build 
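Review bot: The first spec hunk drops `Patch0001: dynapi.patch` and `Patch0002: CVE-2019-13616.patch`, but neither the spec nor the new changelog entry records why a CVE fix is being removed. Presumably both changes are already contained in the 2.0.12 tarball; once that is confirmed against the new sources, a line such as `# Dropped with the 2.0.12 rebase (fixed upstream): dynapi.patch, CVE-2019-13616.patch` next to the patch list would keep a later audit from reading the removal as a regression. Separately, `Source0` is still fetched over plain `http://` while this commit swaps the tarball as an opaque binary; `Source0: https://www.libsdl.org/release/%{name}-%{version}.tar.gz` together with a recorded upstream checksum or signature check would make the new tarball verifiable.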
@@ -56,14 +59,18 @@ sed -i -e 's/\r//g' TODO.txt README.txt WhatsNew.txt BUGS.txt COPYING.txt CREDIT %install %make_install + mv %{buildroot}%{_includedir}/SDL2/SDL_config.h %{buildroot}%{_includedir}/SDL2/SDL_config-%{_arch}.h install -pm 0644 %{SOURCE1} %{buildroot}%{_includedir}/SDL2/SDL_config.h +rm -vf %{buildroot}%{_libdir}/*.la + +%ldconfig_scriptlets + %files %license COPYING.txt %doc BUGS.txt CREDITS.txt README-SDL.txt %{_libdir}/lib*.so.* -%exclude %{_libdir}/*.la %files devel %license COPYING.txt @@ -77,6 +84,9 @@ install -pm 0644 %{SOURCE1} %{buildroot}%{_includedir}/SDL2/SDL_config.h %{_datadir}/aclocal/* %changelog +* Tue Apr 12 2022 yaoxin - 2.0.12-1 +- Upgrade SDL2 to 2.0.12 and fix CVE-2020-14409,CVE-2020-14410 + * Tue Mar 15 2022 yuanxin - 2.0.8-11 - Type:CVE - ID:NA diff --git a/dynapi.patch b/dynapi.patch deleted file mode 100644 index f8aac364186c35a6dbdf8b501fc5c62b9a3e1b12..0000000000000000000000000000000000000000 --- a/dynapi.patch +++ /dev/null 
@@ -1,84 +0,0 @@
-
-# HG changeset patch
-# User Ryan C. Gordon
-# Date 1526575846 14400
-# Node ID 7babfecee045fac18d95e5936fede534ca54ed24
-# Parent 9e46f3dd75fd2e85e0e3ebb8a77329bc74a16e70
-dynapi: don't let system loader resolve the initializer to the wrong version.
-
-Fixes problems launching Firewatch on Linux (which statically links SDL but
-also dynamically loads a system-wide copy from a plugin shared library) with
-a newer SDL build.
-
-diff -r 9e46f3dd75fd -r 7babfecee045 src/dynapi/SDL_dynapi.c
---- a/src/dynapi/SDL_dynapi.c Fri May 11 09:37:00 2018 +0300
-+++ b/src/dynapi/SDL_dynapi.c Thu May 17 12:50:46 2018 -0400
-@@ -167,15 +167,10 @@
- #error Write me.
- #endif
-
--
--
--/* Here's the exported entry point that fills in the jump table. */
--/* Use specific types when an "int" might suffice to keep this sane. */
--typedef Sint32 (SDLCALL *SDL_DYNAPI_ENTRYFN)(Uint32 apiver, void *table, Uint32 tablesize);
--extern DECLSPEC Sint32 SDLCALL SDL_DYNAPI_entry(Uint32, void *, Uint32);
--
--Sint32
--SDL_DYNAPI_entry(Uint32 apiver, void *table, Uint32 tablesize)
-+/* we make this a static function so we can call the correct one without the
-+ system's dynamic linker resolving to the wrong version of this. */
-+static Sint32
-+initialize_jumptable(Uint32 apiver, void *table, Uint32 tablesize)
- {
- SDL_DYNAPI_jump_table *output_jump_table = (SDL_DYNAPI_jump_table *) table;
-
-@@ -202,6 +197,18 @@
- }
-
-
-+/* Here's the exported entry point that fills in the jump table. */
-+/* Use specific types when an "int" might suffice to keep this sane. */
-+typedef Sint32 (SDLCALL *SDL_DYNAPI_ENTRYFN)(Uint32 apiver, void *table, Uint32 tablesize);
-+extern DECLSPEC Sint32 SDLCALL SDL_DYNAPI_entry(Uint32, void *, Uint32);
-+
-+Sint32
-+SDL_DYNAPI_entry(Uint32 apiver, void *table, Uint32 tablesize)
-+{
-+ return initialize_jumptable(apiver, table, tablesize);
-+}
-+
-+
- /* Obviously we can't use SDL_LoadObject() to load SDL. :) */
- /* Also obviously, we never close the loaded library. */
- #if defined(WIN32) || defined(_WIN32) || defined(__CYGWIN__)
-@@ -260,7 +267,7 @@
- SDL_InitDynamicAPILocked(void)
- {
- const char *libname = SDL_getenv_REAL("SDL_DYNAMIC_API");
-- SDL_DYNAPI_ENTRYFN entry = SDL_DYNAPI_entry; /* funcs from here by default. */
-+ SDL_DYNAPI_ENTRYFN entry = NULL; /* funcs from here by default. */
-
- if (libname) {
- entry = (SDL_DYNAPI_ENTRYFN) get_sdlapi_entry(libname, "SDL_DYNAPI_entry");
-@@ -268,16 +275,15 @@
- /* !!! FIXME: fail to startup here instead? */
- /* !!! FIXME: definitely warn user. */
- /* Just fill in the function pointers from this library. */
-- entry = SDL_DYNAPI_entry;
- }
- }
-
-- if (entry(SDL_DYNAPI_VERSION, &jump_table, sizeof (jump_table)) < 0) {
-+ if (!entry || (entry(SDL_DYNAPI_VERSION, &jump_table, sizeof (jump_table)) < 0)) {
- /* !!! FIXME: fail to startup here instead? */
- /* !!! FIXME: definitely warn user. */
- /* Just fill in the function pointers from this library. */
-- if (entry != SDL_DYNAPI_entry) {
-- if (!SDL_DYNAPI_entry(SDL_DYNAPI_VERSION, &jump_table, sizeof (jump_table))) {
-+ if (!entry) {
-+ if (!initialize_jumptable(SDL_DYNAPI_VERSION, &jump_table, sizeof (jump_table))) {
- /* !!! FIXME: now we're screwed. Should definitely abort now. */
- }
- }
-