mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-03-17 04:39:40 +01:00
Code Issues Packages Projects Releases Wiki Activity

libsdl2: fix CVE-2020-14409 CVE-2020-14410

Browse Source 
(From OE-Core rev: d3b5f34efbfb9b2db961a649da5ba6b275db5e0b)

Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Lee Chee Yang
2021-03-03 00:12:23 +08:00
committed by Richard Purdie
parent 8581672cce
commit f7e5b00025
2 changed files with 80 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

79
meta/recipes-graphics/libsdl2/libsdl2/CVE-2020-14409-14410.patch Normal file
View File

@@ -0,0 +1,79 @@
From a7ff6e96155f550a5597621ebeddd03c98aa9294 Mon Sep 17 00:00:00 2001
From: Sam Lantinga <slouken@libsdl.org>
Date: Wed, 17 Jun 2020 08:44:45 -0700
Subject: [PATCH] Fixed overflow in surface pitch calculation
Upstream-Status: Backport
[https://github.com/libsdl-org/SDL/commit/a7ff6e96155f550a5597621ebeddd03c98aa9294]
CVE: CVE-2020-14409 CVE-2020-14410
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
---
src/video/SDL_surface.c | 23 +++++++++++++++--------
1 file changed, 15 insertions(+), 8 deletions(-)
diff --git a/src/video/SDL_surface.c b/src/video/SDL_surface.c
index 085d9ff1e..bff826f7c 100644
--- a/src/video/SDL_surface.c
+++ b/src/video/SDL_surface.c
@@ -28,24 +28,23 @@
#include "SDL_yuv_c.h"
-/* Check to make sure we can safely check multiplication of surface w and pitch and it won't overflow size_t */
-SDL_COMPILE_TIME_ASSERT(surface_size_assumptions,
- sizeof(int) == sizeof(Sint32) && sizeof(size_t) >= sizeof(Sint32));
+/* Check to make sure we can safely check multiplication of surface w and pitch and it won't overflow Sint64 */
+SDL_COMPILE_TIME_ASSERT(surface_size_assumptions, sizeof(int) == sizeof(Sint32));
/* Public routines */
/*
* Calculate the pad-aligned scanline width of a surface
*/
-static int
+static Sint64
SDL_CalculatePitch(Uint32 format, int width)
{
- int pitch;
+ Sint64 pitch;
if (SDL_ISPIXELFORMAT_FOURCC(format) || SDL_BITSPERPIXEL(format) >= 8) {
- pitch = (width * SDL_BYTESPERPIXEL(format));
+ pitch = ((Sint64)width * SDL_BYTESPERPIXEL(format));
} else {
- pitch = ((width * SDL_BITSPERPIXEL(format)) + 7) / 8;
+ pitch = (((Sint64)width * SDL_BITSPERPIXEL(format)) + 7) / 8;
}
pitch = (pitch + 3) & ~3; /* 4-byte aligning for speed */
return pitch;
@@ -59,11 +58,19 @@ SDL_Surface *
SDL_CreateRGBSurfaceWithFormat(Uint32 flags, int width, int height, int depth,
Uint32 format)
{
+ Sint64 pitch;
SDL_Surface *surface;
/* The flags are no longer used, make the compiler happy */
(void)flags;
+ pitch = SDL_CalculatePitch(format, width);
+ if (pitch < 0 || pitch > SDL_MAX_SINT32) {
+ /* Overflow... */
+ SDL_OutOfMemory();
+ return NULL;
+ }
+
/* Allocate the surface */
surface = (SDL_Surface *) SDL_calloc(1, sizeof(*surface));
if (surface == NULL) {
@@ -78,7 +85,7 @@ SDL_CreateRGBSurfaceWithFormat(Uint32 flags, int width, int height, int depth,
}
surface->w = width;
surface->h = height;
- surface->pitch = SDL_CalculatePitch(format, width);
+ surface->pitch = (int)pitch;
SDL_SetClipRect(surface, NULL);
if (SDL_ISPIXELFORMAT_INDEXED(surface->format->format)) {

1
meta/recipes-graphics/libsdl2/libsdl2_2.0.12.bb
View File

@@ -20,6 +20,7 @@ SRC_URI = "http://www.libsdl.org/release/SDL2-${PV}.tar.gz \
file://more-gen-depends.patch \
file://directfb-spurious-curly-brace-missing-e.patch \
file://directfb-renderfillrect-fix.patch \
file://CVE-2020-14409-14410.patch \
"
S = "${WORKDIR}/SDL2-${PV}"