Package: libsdl1.2 / 1.2.15+dfsg2-8

Metadata

Package: libsdl1.2
Version: 1.2.15+dfsg2-8
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
x11_keytounicode.diff | (download)

src/video/x11/SDL_x11events.c | 9 9 + 0 - 0 !
1 file changed, 9 insertions(+)

 export x11_keytounicode() to legacy applications,
 but warn about such usage to stderr

Introduced in 1.2.11-3 (Sun, 13 Aug 2006 19:03:51 +0200).

fix_build_joystick_freebsd.diff | (download)

src/joystick/bsd/SDL_sysjoystick.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 freebsd compile fix.

src/joystick/bsd/SDL_sysjoystick.c makes the invalid assumption that
__FreeBSD_kernel__ implies presence of "ucr_data" struct member.  This
breaks recent versions of FreeBSD 10-CURRENT, FreeBSD 9-STABLE and
Debian GNU/kFreeBSD "wheezy/sid".

SDL 1.2.15 vec_perm ppc64le.patch | (download)

src/video/SDL_blit_N.c | 40 40 + 0 - 0 !
1 file changed, 40 insertions(+)

 sdl_blit_n.c: correct vec_perm() application on little-endian 64-bit
 PowerPC

The LE transformation for vec_perm has an implicit assumption that the
permutation is being used to reorder vector elements (in this case 4-byte
integer word elements), not to reorder bytes within those elements.  Although
this is legal behavior, it is not anticipated by the transformation performed
by the compilers.

This causes pygame-1.9.1 test failure on PPC64LE because blitted pixmaps are
corrupted there due to how SDL uses vec_perm().

From RedHat / Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1392465
Original patch was provided by: Menanteau Guy <menantea@linux.vnet.ibm.com>

Bug-Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1392465

CVE 2019 7638 CVE 2019 7636 Refuse loading BMP images wit.patch | (download)

src/video/SDL_bmp.c | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 cve-2019-7638,
 CVE-2019-7636: Refuse loading BMP images with too high number of colors

If a BMP file that defines more colors than can fit into
a palette of the color depth defined in the same BMP file is loaded by
the SDL_LoadBMP_RW() function, an invalid number of colors is set into
the resulting SDL surface.

Then if the SDL surface is passed to the SDL_DisplayFormat() function to
convert the surface format into a native video format, a buffer
overread will happen in the Map1to1() or Map1toN() function
(CVE-2019-7638). (The choice of the mapping function depends on
the actual video hardware.)

In addition SDL_GetRGB() called indirectly from SDL_DisplayFormat()
performs the same buffer overread (CVE-2019-7636).

There is also probably a buffer overwrite when SDL_LoadBMP_RW()
loads colors from a file.

This patch fixes it by refusing to load such badly damaged BMP files.

Reject 2 3 5 6 7 bpp BMP images.patch | (download)

src/video/SDL_bmp.c | 8 8 + 0 - 0 !
1 file changed, 8 insertions(+)

 reject 2, 3, 5, 6, 7-bpp bmp images

BMP decoder assumes less than 8 bit depth images have 1 or 4 bits
per pixel. No other depths are correctly translated to an 8bpp
surface.

This patch rejects loading these images.

Bug: https://bugzilla.libsdl.org/show_bug.cgi?id=4498
Bug: https://github.com/libsdl-org/SDL/issues/3160
Bug-CVE: CVE-2019-7635

CVE 2019 7637.patch | (download)

src/video/SDL_pixels.c | 41 34 + 7 - 0 !
src/video/gapi/SDL_gapivideo.c | 3 3 + 0 - 0 !
src/video/nanox/SDL_nxvideo.c | 4 4 + 0 - 0 !
src/video/ps2gs/SDL_gsvideo.c | 3 3 + 0 - 0 !
src/video/ps3/SDL_ps3video.c | 3 3 + 0 - 0 !
src/video/windib/SDL_dibvideo.c | 3 3 + 0 - 0 !
src/video/windx5/SDL_dx5video.c | 3 3 + 0 - 0 !
src/video/x11/SDL_x11video.c | 4 4 + 0 - 0 !
8 files changed, 57 insertions(+), 7 deletions(-)

 cve-2019-7637: fix in integer overflow in sdl_calculatepitch

If a too large width is passed to SDL_SetVideoMode() the width travels
to SDL_CalculatePitch() where the width (e.g. 65535) is multiplied by
BytesPerPixel (e.g. 4) and the result is stored into a Uint16 pitch
variable. During this arithmetic an integer overflow can happen (e.g.
the value is clamped as 65532). As a result an SDL_Surface with a pitch
smaller than width * BytesPerPixel is created, a too small pixel buffer
is allocated and when the SDL_Surface is processed in SDL_FillRect()
a buffer overflow occurs.

This can be reproduced with the "./graywin -width 21312312313123213213213"
command.

This patch fixes it by using very careful arithmetic in
SDL_CalculatePitch(). If an overflow is detected, an error is reported
back as a special 0 value. We assume that 0-width surfaces do not
occur in the wild. Since SDL_CalculatePitch() is a private function,
we can change the semantics.

Bug: https://bugzilla.libsdl.org/show_bug.cgi?id=4497
Bug-CVE: CVE-2019-7637
Signed-off-by: Petr Písař <ppisar@redhat.com>
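
The arithmetic described in the CVE-2019-7637 message above, as an added C model (not SDL's code and not the patch itself). The function names and the 4-byte row rounding are assumptions of this model; the width 65535, 4 bytes per pixel, the resulting 65532 and the 0 error value come from the message.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model of the pre-fix arithmetic: the product is stored
 * straight into a 16-bit pitch, so the high bits are silently dropped. */
static uint16_t pitch_unchecked(uint16_t width, uint8_t bytes_per_pixel)
{
    uint16_t pitch = (uint16_t)(width * bytes_per_pixel);
    return (uint16_t)((pitch + 3) & ~3);    /* round rows up to 4 bytes (assumed) */
}

/* Hardened model: compute in 32 bits and report overflow as 0,
 * the error convention the commit message describes. */
static uint16_t pitch_checked(uint16_t width, uint8_t bytes_per_pixel)
{
    uint32_t pitch = (uint32_t)width * bytes_per_pixel; /* max 65535*255 fits */
    pitch = (pitch + 3u) & ~3u;             /* the rounding step can overflow too */
    return pitch > UINT16_MAX ? 0 : (uint16_t)pitch;
}

/* Bytes per row that a fill of `width` pixels needs beyond the pitch. */
static uint32_t row_shortfall(uint16_t width, uint8_t bytes_per_pixel,
                              uint16_t pitch)
{
    uint32_t need = (uint32_t)width * bytes_per_pixel;
    return need > pitch ? need - pitch : 0;
}

int main(void)
{
    uint16_t bad = pitch_unchecked(65535, 4);
    printf("unchecked pitch: %u, row shortfall: %u bytes\n",
           (unsigned)bad, (unsigned)row_shortfall(65535, 4, bad));
    printf("checked pitch:   %u (0 = rejected)\n",
           (unsigned)pitch_checked(65535, 4));
    printf("checked 640x4:   %u\n", (unsigned)pitch_checked(640, 4));
    return 0;
}
```

A caller of the checked variant has to treat 0 as a failure before allocating the pixel buffer, which is why the accompanying patch touches every video backend that calls the function.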

Remove initial declaration from for loop.patch | (download)

src/video/SDL_pixels.c | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

 remove initial declaration from for loop

CVE 2019 7572 Fix a buffer overread in IMA_ADPCM_nibble.patch | (download)

src/audio/SDL_wave.c | 14 8 + 6 - 0 !
1 file changed, 8 insertions(+), 6 deletions(-)

 cve-2019-7572: fix a buffer overread in ima_adpcm_nibble

If an IMA ADPCM block contained an initial index out of step table
range (loaded in IMA_ADPCM_decode()), IMA_ADPCM_nibble() blindly used
this bogus value and that led to a buffer overread.

This patch fixes it by moving the clamping of the index value to the
beginning of the IMA_ADPCM_nibble() function instead of the end after
an update.

Bug: https://bugzilla.libsdl.org/show_bug.cgi?id=4495
Bug-CVE: CVE-2019-7572
Signed-off-by: Petr Písař <ppisar@redhat.com>

CVE 2019 7578.patch | (download)

src/audio/SDL_wave.c | 12 9 + 3 - 0 !
1 file changed, 9 insertions(+), 3 deletions(-)

 cve-2019-7578: fix a buffer overread in initima_adpcm

If IMA ADPCM format chunk was too short, InitIMA_ADPCM() parsing it
could read past the end of chunk data. This patch fixes it.

Bug: https://bugzilla.libsdl.org/show_bug.cgi?id=4494
Bug-CVE: CVE-2019-7578
Signed-off-by: Petr Písař <ppisar@redhat.com>

CVE 2019 7574 Fix a buffer overread in IMA_ADPCM_decode.patch | (download)

src/audio/SDL_wave.c | 9 8 + 1 - 0 !
1 file changed, 8 insertions(+), 1 deletion(-)

 cve-2019-7574: fix a buffer overread in ima_adpcm_decode

If data chunk was shorter than expected based on a WAV format
definition, IMA_ADPCM_decode() tried to read past the data chunk
buffer. This patch fixes it.

Bug: https://bugzilla.libsdl.org/show_bug.cgi?id=4496
Bug-CVE: CVE-2019-7574
Signed-off-by: Petr Písař <ppisar@redhat.com>

CVE 2019 7577 Fix a buffer overread in MS_ADPCM_decode.patch | (download)

src/audio/SDL_wave.c | 10 9 + 1 - 0 !
1 file changed, 9 insertions(+), 1 deletion(-)

 cve-2019-7577: fix a buffer overread in ms_adpcm_decode

If the RIFF/WAV data chunk length is shorter than expected for an audio
format defined in the preceding RIFF/WAV format headers, a buffer
overread can happen.

This patch fixes it by checking that the MS ADPCM data to be decoded are not
past the initialized buffer.

Bug: https://bugzilla.libsdl.org/show_bug.cgi?id=4492
Bug-CVE: CVE-2019-7577
Signed-off-by: Petr Písař <ppisar@redhat.com>

CVE 2019 7577 1_2.patch | (download)

src/audio/SDL_wave.c | 7 7 + 0 - 0 !
1 file changed, 7 insertions(+)

 cve-2019-7577: fix a buffer overread in ms_adpcm_nibble and
 MS_ADPCM_decode

If a chunk of RIFF/WAV file with MS ADPCM encoding contains an invalid
predictor (a valid predictor's value is between 0 and 6 inclusive),
a buffer overread can happen when the predictor is used as an index
into an array of MS ADPCM coefficients.

The overread happens when indexing the MS_ADPCM_state.aCoeff[] array in
MS_ADPCM_decode() and later when dereferencing a coef pointer in
MS_ADPCM_nibble().

This patch fixes it by checking the MS ADPCM predictor values fit
into the valid range.

Bug: https://bugzilla.libsdl.org/show_bug.cgi?id=4492
Bug-CVE: CVE-2019-7577
Signed-off-by: Petr Písař <ppisar@redhat.com>

CVE 2019 7572 Fix a buffer overwrite in IMA_ADPCM_decode.patch | (download)

src/audio/SDL_wave.c | 6 5 + 1 - 0 !
1 file changed, 5 insertions(+), 1 deletion(-)

 cve-2019-7572: fix a buffer overwrite in ima_adpcm_decode

If data chunk was longer than expected based on a WAV format
definition, IMA_ADPCM_decode() tried to write past the output
buffer. This patch fixes it.

Based on patch from
<https://bugzilla.libsdl.org/show_bug.cgi?id=4496>.

Bug: https://bugzilla.libsdl.org/show_bug.cgi?id=4495
Bug-CVE: CVE-2019-7572
Signed-off-by: Petr Písař <ppisar@redhat.com>

CVE 2019 7573 CVE 2019 7576 Fix buffer overreads in InitM.patch | (download)

src/audio/SDL_wave.c | 13 10 + 3 - 0 !
1 file changed, 10 insertions(+), 3 deletions(-)

 cve-2019-7573, cve-2019-7576: fix buffer overreads in initms_adpcm

If MS ADPCM format chunk was too short, InitMS_ADPCM() parsing it
could read past the end of chunk data. This patch fixes it.

Bug: https://bugzilla.libsdl.org/show_bug.cgi?id=4491
Bug: https://bugzilla.libsdl.org/show_bug.cgi?id=4490
Bug-CVE: CVE-2019-7573
Bug-CVE: CVE-2019-7576
Signed-off-by: Petr Písař <ppisar@redhat.com>

CVE 2019 7575 Fix a buffer overwrite in MS_ADPCM_decode.patch | (download)

src/audio/SDL_wave.c | 13 8 + 5 - 0 !
1 file changed, 8 insertions(+), 5 deletions(-)

 cve-2019-7575: fix a buffer overwrite in ms_adpcm_decode

If a WAV format defines shorter audio stream and decoded MS ADPCM data chunk
is longer, decoding continued past the output audio buffer.

This fix is based on a patch from
<https://bugzilla.libsdl.org/show_bug.cgi?id=4492>.

Bug: https://bugzilla.libsdl.org/show_bug.cgi?id=4493
Bug-CVE: CVE-2019-7575
Signed-off-by: Petr Písař <ppisar@redhat.com>

CVE 2019 7635 Reject BMP images with pixel colors out the.patch | (download)

src/video/SDL_bmp.c | 16 16 + 0 - 0 !
1 file changed, 16 insertions(+)

 cve-2019-7635: reject bmp images with pixel colors out the palette

If a 1-, 4-, or 8-bit per pixel BMP image declares fewer used colors
than the palette offers, an SDL_Surface with a palette of the indicated
number of used colors is created. If some of the image's pixels
refer to a color number higher than the maximal used colors, a subsequent
blitting operation on the surface will look up a color past a blit map
(that is based on the palette) memory. I.e. passing such an SDL_Surface
to e.g. an SDL_DisplayFormat() function will result in a buffer overread in
a blit function.

This patch fixes it by validating each pixel's color to be less than the
maximal color number in the palette. A validation failure raises an
error from the SDL_LoadBMP_RW() function.

Bug: https://bugzilla.libsdl.org/show_bug.cgi?id=4498
Bug-CVE: CVE-2019-7635
Signed-off-by: Petr Písař <ppisar@redhat.com>
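
The three BMP checks described in the CVE-2019-7638/7636, "Reject 2, 3, 5, 6, 7-bpp" and CVE-2019-7635 messages above, combined into one added C sketch for palettised images (not SDL's loader and not the patches). All names are assumptions, and pixel indices are taken as already expanded to one byte each.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum bmp_verdict { BMP_OK, BMP_BAD_DEPTH, BMP_TOO_MANY_COLORS,
                   BMP_PIXEL_OUT_OF_PALETTE };

/* Header checks: only 1, 4 and 8 bpp are decodable palettised depths,
 * and the declared colour count must fit a palette of that depth. */
static enum bmp_verdict check_palette_header(unsigned bpp, uint32_t colors_used)
{
    if (bpp != 1 && bpp != 4 && bpp != 8)
        return BMP_BAD_DEPTH;
    if (colors_used > (1u << bpp))
        return BMP_TOO_MANY_COLORS;
    return BMP_OK;
}

/* Pixel check: every index must name an entry of the palette actually built. */
static enum bmp_verdict check_pixels(const uint8_t *idx, size_t n, uint32_t ncolors)
{
    for (size_t i = 0; i < n; i++)
        if (idx[i] >= ncolors)
            return BMP_PIXEL_OUT_OF_PALETTE;
    return BMP_OK;
}

static enum bmp_verdict validate(unsigned bpp, uint32_t colors_used,
                                 const uint8_t *idx, size_t n)
{
    enum bmp_verdict v = check_palette_header(bpp, colors_used);
    if (v != BMP_OK)
        return v;
    /* A colour count of 0 in a BMP header means "full palette for this depth". */
    uint32_t ncolors = colors_used ? colors_used : (1u << bpp);
    return check_pixels(idx, n, ncolors);
}

int main(void)
{
    const uint8_t px[] = { 0, 1, 5 };   /* constructed pixel indices */
    printf("8 bpp, 2 colours, index 5 present -> verdict %d\n",
           (int)validate(8, 2, px, sizeof px));
    printf("4 bpp, 300 colours declared       -> verdict %d\n",
           (int)validate(4, 300, px, sizeof px));
    return 0;
}
```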

CVE 2019 13616.patch | (download)

src/video/SDL_bmp.c | 5 5 + 0 - 0 !
1 file changed, 5 insertions(+)

 fixed bug 4538 - validate image size when loading bmp files

CVE 2019 7637 2.patch | (download)

src/video/gapi/SDL_gapivideo.c | 2 1 + 1 - 0 !
src/video/windib/SDL_dibvideo.c | 2 1 + 1 - 0 !
src/video/windx5/SDL_dx5video.c | 2 1 + 1 - 0 !
3 files changed, 3 insertions(+), 3 deletions(-)

 fix copy+paste mistakes in commit 9b0e5c555c0f (cve-2019-7637 fix)

http://hg.libsdl.org/SDL/rev/9b0e5c555c0f made copy+paste mistakes which
resulted in windows versions failing to set video mode.

SDL_bmp.c reject bmp files with zero bpp.patch | (download)

src/video/SDL_bmp.c | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 sdl_bmp.c: reject bmp files with zero bpp

Fixes:  https://bugzilla.libsdl.org/show_bug.cgi?id=4536
(2.0 commit: https://hg.libsdl.org/SDL/rev/6203d73874ab)

properly_handle_focus_events.patch | (download)

src/video/x11/SDL_x11events.c | 14 14 + 0 - 0 !
1 file changed, 14 insertions(+)

 sdl_x11events.c: properly handle input focus events (fix bug #5426)

For some time I have started to observe an annoying bug with the forward
movement suddenly stopping while I was still pressing the corresponding
key for the forward movement. Releasing and pressing the key again
continued the movement. I observed this in the game "Unreal Tournament
2004", but other software is probably also affected. The stop basically
happens after a few minutes of pressing the key, though the time needed
to reproduce the issue is not constant.

While investigating the issue I found it started with a commit [1] in
the Xorg xserver. Digging deeper into the code I found two commits [2]
[3] in libsdl2 which looked like they would also fix the issue in
libsdl1.2. I backported these two commits to the libsdl1.2 in Debian
and can confirm that the bug got fixed by this.

[1] https://cgit.freedesktop.org/xorg/xserver/commit/?id=c67f2eac56518163981af59f5accb7c79bc00f6a
[2] https://hg.libsdl.org/SDL/rev/a1c4c17410e8
[3] https://hg.libsdl.org/SDL/rev/764129077d18

Bug: https://bugzilla.libsdl.org/show_bug.cgi?id=5426
Bug: https://github.com/libsdl-org/SDL-1.2/issues/831
Bug-Debian: https://bugs.debian.org/980253

Always create a full 256 entry map in case color values a.patch | (download)

src/video/SDL_pixels.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 always create a full 256-entry map in case color values are out of
 range

Bug: https://github.com/libsdl-org/SDL/issues/5042
Bug-CVE: CVE-2021-33657
Bug-Debian: https://bugs.debian.org/1014577

SDL_x11yuv.c fix possible use after free.patch | (download)

src/video/x11/SDL_x11yuv.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 sdl_x11yuv.c: fix possible use-after-free

Bug: https://github.com/libsdl-org/SDL-1.2/issues/863
Bug-CVE: CVE-2022-34568
Bug-Debian: https://bugs.debian.org/1016352

build Use PKG_PROG_PKG_CONFIG to check for pkg config.patch | (download)

configure.in | 52 3 + 49 - 0 !
1 file changed, 3 insertions(+), 49 deletions(-)

 build: use pkg_prog_pkg_config to check for pkg-config

Part of f3bc60c4 "multiple updates to autotools build system from default
SDL2 branch" upstream.

replace relicenced SDL_qsort.patch | (download)

src/stdlib/SDL_qsort.c | 447 447 + 0 - 0 !
1 file changed, 447 insertions(+)

 use newer relicenced version for sdl_qsort.c

Thanks to the anonymous reporter, Ben Hutchings for looking into it and
getting in contact with the original author, and the original author Gareth
McCaughan for prompt relicencing.

Bug-Debian: https://bugs.debian.org/814445

dont_propagate_lpthread.diff | (download)

sdl-config.in | 2 1 + 1 - 0 !
sdl.pc.in | 2 1 + 1 - 0 !
2 files changed, 2 insertions(+), 2 deletions(-)

 do not propagate -lpthread to sdl-config --libs

Introduced in 1.2.11-1 (Thu, 20 Jul 2006 14:17:18 +0200).

Upstream will not apply it at the moment:
  Sam Lantinga 2012-01-22 10:54:21 PST

  At some point it was required that multi-threaded programs using pthreads on
  Linux link directly to the pthread library.  I don't remember all the details,
  but it had something to do with initializing C runtime variables correctly.

  I'm sure it's not an issue anymore, but I'd rather not apply this patch in 1.2.
  I'll go ahead and make this change in 1.3 though.

fix_window_resizing.diff | (download)

src/video/x11/SDL_x11events.c | 16 0 + 16 - 0 !
src/video/x11/SDL_x11events_c.h | 5 0 + 5 - 0 !
src/video/x11/SDL_x11video.c | 2 0 + 2 - 0 !
3 files changed, 23 deletions(-)

 revert change that breaks window corner resizing

fix_joystick_misc_axes.diff | (download)

src/joystick/linux/SDL_sysjoystick.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 left/right joystick axis doesn't work with some controllers

Introduced in 1.2.15-3 (June 2012)

Reviewed on 2013-10-19 for SDL2 and SDL1.2 and submitted a new upstream bug
report for re-evaluation, the previous one (suggested by the bug submitted) was
probably not related.

sdl check for SDL_VIDEO_X11_BACKINGSTORE.patch | (download)

src/video/x11/SDL_x11video.c | 4 1 + 3 - 0 !
1 file changed, 1 insertion(+), 3 deletions(-)

 do not harness backing store by default

xorg-server 1.15 enables backing store if composite extension is enabled
(default settings). Harnessing backing store through compositor leads to
tearing effect.
This patch reverts default harnessing backing store to conditional use if
SDL_VIDEO_X11_BACKINGSTORE environment variable exists.

avoid_maybe_non DFSG_file.patch | (download)

src/video/fbcon/SDL_fbriva.c | 38 0 + 38 - 0 !
src/video/fbcon/SDL_fbvideo.c | 8 0 + 8 - 0 !
2 files changed, 46 deletions(-)

 avoid maybe non-dfsg file

Avoid use of source file with vague licensing terms regarding
modification