[Pkg-sdl-commits] [libsdl2] 01/01: Import further upstream patches for CVE-2017-2888.
Felix Geyer
fgeyer at moszumanska.debian.org
Wed Oct 18 19:48:17 UTC 2017
This is an automated email from the git hooks/post-receive script.
fgeyer pushed a commit to branch master
in repository libsdl2.
commit 7cafc19617198e20a9d84257d5acc0edf6431f09
Author: Felix Geyer <fgeyer at debian.org>
Date: Wed Oct 18 21:43:48 2017 +0200
Import further upstream patches for CVE-2017-2888.
The initial fix was incomplete.
Closes: #878264
---
debian/changelog | 10 +++
.../{CVE-2017-2888.patch => CVE-2017-2888-1.patch} | 0
debian/patches/CVE-2017-2888-2.patch | 93 ++++++++++++++++++++++
debian/patches/CVE-2017-2888-3.patch | 49 ++++++++++++
debian/patches/series | 4 +-
5 files changed, 155 insertions(+), 1 deletion(-)
diff --git a/debian/changelog b/debian/changelog
index 9bbbb9f..536a37b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+libsdl2 (2.0.6+dfsg1-4) unstable; urgency=high
+
+ * Import further upstream patches for CVE-2017-2888.
+ The initial fix was incomplete. (Closes: #878264)
+ - d/patches/CVE-2017-2888-1.patch
+ - d/patches/CVE-2017-2888-2.patch
+ - d/patches/CVE-2017-2888-3.patch
+
+ -- Felix Geyer <fgeyer at debian.org> Wed, 18 Oct 2017 21:36:23 +0200
+
libsdl2 (2.0.6+dfsg1-3) unstable; urgency=high
[ Gianfranco Costamagna ]
diff --git a/debian/patches/CVE-2017-2888.patch b/debian/patches/CVE-2017-2888-1.patch
similarity index 100%
rename from debian/patches/CVE-2017-2888.patch
rename to debian/patches/CVE-2017-2888-1.patch
diff --git a/debian/patches/CVE-2017-2888-2.patch b/debian/patches/CVE-2017-2888-2.patch
new file mode 100644
index 0000000..0c64de1
--- /dev/null
+++ b/debian/patches/CVE-2017-2888-2.patch
@@ -0,0 +1,93 @@
+# HG changeset patch
+# User Sam Lantinga <slouken at libsdl.org>
+# Date 1508189996 25200
+# Node ID 97bc026b46ded1ef28709d246130e66e81f1b513
+# Parent 2eaf345a2a301183f671cdb31852bee8196aaec8
+Added min/max macros for the sized SDL datatypes
+
+diff -r 2eaf345a2a30 -r 97bc026b46de include/SDL_stdinc.h
+--- a/include/SDL_stdinc.h Sun Oct 15 21:21:19 2017 -0700
++++ b/include/SDL_stdinc.h Mon Oct 16 14:39:56 2017 -0700
+@@ -146,35 +146,51 @@
+ /**
+ * \brief A signed 8-bit integer type.
+ */
++#define SDL_MAX_SINT8 ((Sint8)0x7F) /* 127 */
++#define SDL_MIN_SINT8 ((Sint8)(~0x7F)) /* -128 */
+ typedef int8_t Sint8;
+ /**
+ * \brief An unsigned 8-bit integer type.
+ */
++#define SDL_MAX_UINT8 ((Uint8)0xFF) /* 255 */
++#define SDL_MIN_UINT8 ((Uint8)0x00) /* 0 */
+ typedef uint8_t Uint8;
+ /**
+ * \brief A signed 16-bit integer type.
+ */
++#define SDL_MAX_SINT16 ((Sint16)0x7FFF) /* 32767 */
++#define SDL_MIN_SINT16 ((Sint16)(~0x7FFF)) /* -32768 */
+ typedef int16_t Sint16;
+ /**
+ * \brief An unsigned 16-bit integer type.
+ */
++#define SDL_MAX_UINT16 ((Uint16)0xFFFF) /* 65535 */
++#define SDL_MIN_UINT16 ((Uint16)0x0000) /* 0 */
+ typedef uint16_t Uint16;
+ /**
+ * \brief A signed 32-bit integer type.
+ */
++#define SDL_MAX_SINT32 ((Sint32)0x7FFFFFFF) /* 2147483647 */
++#define SDL_MIN_SINT32 ((Sint32)(~0x7FFFFFFF)) /* -2147483648 */
+ typedef int32_t Sint32;
+ /**
+ * \brief An unsigned 32-bit integer type.
+ */
++#define SDL_MAX_UINT32 ((Uint32)0xFFFFFFFFu) /* 4294967295 */
++#define SDL_MIN_UINT32 ((Uint32)0x00000000) /* 0 */
+ typedef uint32_t Uint32;
+
+ /**
+ * \brief A signed 64-bit integer type.
+ */
++#define SDL_MAX_SINT64 ((Sint64)0x7FFFFFFFFFFFFFFFll) /* 9223372036854775807 */
++#define SDL_MIN_SINT64 ((Sint64)(~0x7FFFFFFFFFFFFFFFll)) /* -9223372036854775808 */
+ typedef int64_t Sint64;
+ /**
+ * \brief An unsigned 64-bit integer type.
+ */
++#define SDL_MAX_UINT64 ((Uint64)0xFFFFFFFFFFFFFFFFull) /* 18446744073709551615 */
++#define SDL_MIN_UINT64 ((Uint64)(0x0000000000000000ull)) /* 0 */
+ typedef uint64_t Uint64;
+
+ /* @} *//* Basic data types */
+diff -r 2eaf345a2a30 -r 97bc026b46de test/testplatform.c
+--- a/test/testplatform.c Sun Oct 15 21:21:19 2017 -0700
++++ b/test/testplatform.c Mon Oct 16 14:39:56 2017 -0700
+@@ -30,6 +30,26 @@
+ {
+ int error = 0;
+
++ SDL_COMPILE_TIME_ASSERT(SDL_MAX_SINT8, SDL_MAX_SINT8 == 127);
++ SDL_COMPILE_TIME_ASSERT(SDL_MIN_SINT8, SDL_MIN_SINT8 == -128);
++ SDL_COMPILE_TIME_ASSERT(SDL_MAX_UINT8, SDL_MAX_UINT8 == 255);
++ SDL_COMPILE_TIME_ASSERT(SDL_MIN_UINT8, SDL_MIN_UINT8 == 0);
++
++ SDL_COMPILE_TIME_ASSERT(SDL_MAX_SINT16, SDL_MAX_SINT16 == 32767);
++ SDL_COMPILE_TIME_ASSERT(SDL_MIN_SINT16, SDL_MIN_SINT16 == -32768);
++ SDL_COMPILE_TIME_ASSERT(SDL_MAX_UINT16, SDL_MAX_UINT16 == 65535);
++ SDL_COMPILE_TIME_ASSERT(SDL_MIN_UINT16, SDL_MIN_UINT16 == 0);
++
++ SDL_COMPILE_TIME_ASSERT(SDL_MAX_SINT32, SDL_MAX_SINT32 == 2147483647);
++ SDL_COMPILE_TIME_ASSERT(SDL_MIN_SINT32, SDL_MIN_SINT32 == ~0x7fffffff); /* Instead of -2147483648, which is treated as unsigned by some compilers */
++ SDL_COMPILE_TIME_ASSERT(SDL_MAX_UINT32, SDL_MAX_UINT32 == 4294967295u);
++ SDL_COMPILE_TIME_ASSERT(SDL_MIN_UINT32, SDL_MIN_UINT32 == 0);
++
++ SDL_COMPILE_TIME_ASSERT(SDL_MAX_SINT64, SDL_MAX_SINT64 == 9223372036854775807ll);
++ SDL_COMPILE_TIME_ASSERT(SDL_MIN_SINT64, SDL_MIN_SINT64 == ~0x7fffffffffffffffll); /* Instead of -9223372036854775808, which is treated as unsigned by compilers */
++ SDL_COMPILE_TIME_ASSERT(SDL_MAX_UINT64, SDL_MAX_UINT64 == 18446744073709551615ull);
++ SDL_COMPILE_TIME_ASSERT(SDL_MIN_UINT64, SDL_MIN_UINT64 == 0);
++
+ if (badsize(sizeof(Uint8), 1)) {
+ if (verbose)
+ SDL_Log("sizeof(Uint8) != 1, instead = %u\n",
+
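Review bot: In the SDL_stdinc.h part of this patch, each `SDL_MAX_*`/`SDL_MIN_*` pair is inserted between the `\brief` comment and the `typedef` that comment described, so Doxygen will most likely attach "A signed 8-bit integer type." to `SDL_MAX_SINT8` rather than to `Sint8`, and likewise for the other seven types. Placing the defines after the typedef, i.e. `typedef int8_t Sint8;` followed by `#define SDL_MAX_SINT8 ((Sint8)0x7F) /* 127 */`, keeps the existing documentation attached and reads more naturally, since the macros cast to that type. Because every macro contains a cast, none of them can be evaluated in a preprocessor `#if`; a short comment such as `/* These limits contain casts: usable in C expressions and SDL_COMPILE_TIME_ASSERT, not in #if */` would save callers a confusing error. The testplatform.c hunk sits inside a function whose beginning and end are outside the patch.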
diff --git a/debian/patches/CVE-2017-2888-3.patch b/debian/patches/CVE-2017-2888-3.patch
new file mode 100644
index 0000000..1a05a68
--- /dev/null
+++ b/debian/patches/CVE-2017-2888-3.patch
@@ -0,0 +1,49 @@
+# HG changeset patch
+# User Sam Lantinga <slouken at libsdl.org>
+# Date 1508191062 25200
+# Node ID 81a4950907a01359f2f9390875291eb3951e6c6b
+# Parent 97bc026b46ded1ef28709d246130e66e81f1b513
+Fixed bug 3890 - Incomplete fix for CVE-2017-2888
+
+Felix Geyer
+
+http://hg.libsdl.org/SDL/rev/7e0f1498ddb5 tries to fix CVE-2017-2888.
+Unfortunately compilers may optimize the second condition "(size / surface->pitch) != surface->h" away.
+See https://bugzilla.redhat.com/show_bug.cgi?id=1500623#c2
+I've verified that this is also the case on Debian unstable (gcc 7.2).
+
+diff -r 97bc026b46de -r 81a4950907a0 src/video/SDL_surface.c
+--- a/src/video/SDL_surface.c Mon Oct 16 14:39:56 2017 -0700
++++ b/src/video/SDL_surface.c Mon Oct 16 14:57:42 2017 -0700
+@@ -37,6 +37,10 @@
+ #include "SDL_RLEaccel_c.h"
+ #include "SDL_pixels_c.h"
+
++/* Check to make sure we can safely check multiplication of surface w and pitch and it won't overflow size_t */
++SDL_COMPILE_TIME_ASSERT(surface_size_assumptions,
++ sizeof(int) == sizeof(Sint32) && sizeof(size_t) >= sizeof(Sint32));
++
+ /* Public routines */
+
+ /*
+@@ -91,15 +95,16 @@
+
+ /* Get the pixels */
+ if (surface->w && surface->h) {
+- int size = (surface->h * surface->pitch);
+- if (size < 0 || (size / surface->pitch) != surface->h) {
++ /* Assumptions checked in surface_size_assumptions assert above */
++ Sint64 size = ((Sint64)surface->h * surface->pitch);
++ if (size < 0 || size > SDL_MAX_SINT32) {
+ /* Overflow... */
+ SDL_FreeSurface(surface);
+ SDL_OutOfMemory();
+ return NULL;
+ }
+
+- surface->pixels = SDL_malloc(size);
++ surface->pixels = SDL_malloc((size_t)size);
+ if (!surface->pixels) {
+ SDL_FreeSurface(surface);
+ SDL_OutOfMemory();
+
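Review bot: The comment added above `surface_size_assumptions` says the guarded product is "surface w and pitch", but the multiplication that is widened and range-checked further down is `surface->h * surface->pitch`; I would reword it to `/* h * pitch is computed in Sint64 below; requires 32-bit int and a size_t at least that wide */`. It would also help to record at the check itself why the old division test was dropped, so that nobody restores it later. The patch header says compilers may optimize it away, presumably because signed `int` overflow is undefined. The new bound uses `SDL_MAX_SINT32` from CVE-2017-2888-2.patch, so that patch must stay ahead of this one in `series`. The enclosing function starts and ends outside the hunk and the derivation of `surface->pitch` is not visible here, so whether the pitch calculation can itself wrap before this check should be confirmed separately.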
diff --git a/debian/patches/series b/debian/patches/series
index 5493e69..13cc980 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,5 @@
no-libdir.patch
dc7245e3d1f2.patch
-CVE-2017-2888.patch
+CVE-2017-2888-1.patch
+CVE-2017-2888-2.patch
+CVE-2017-2888-3.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-sdl/packages/libsdl2.git