Package: libsdl1.2 / 1.2.15+dfsg2-5

Metadata

Package: libsdl1.2
Version: 1.2.15+dfsg2-5
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
replace relicenced SDL_qsort.patch | (download)

src/stdlib/SDL_qsort.c | 447 447 + 0 - 0 !
1 file changed, 447 insertions(+)

---
x11_keytounicode.diff | (download)

src/video/x11/SDL_x11events.c | 9 9 + 0 - 0 !
1 file changed, 9 insertions(+)

 export x11_keytounicode() to legacy applications, but warn about such usage to stderr
 Introduced in 1.2.11-3 (Sun, 13 Aug 2006 19:03:51 +0200).
 .
 Upstream accepted it:
   Sam Lantinga 2012-01-22 10:48:43 PST
 .
   At this point it's fine to leave it as an exported function, but not in the
   headers.
   http://hg.libsdl.org/SDL/rev/900a0fae90ca
dont_propagate_lpthread.diff | (download)

sdl-config.in | 2 1 + 1 - 0 !
sdl.pc.in | 2 1 + 1 - 0 !
2 files changed, 2 insertions(+), 2 deletions(-)

 do not propagate -lpthread to sdl-config --libs
 Introduced in 1.2.11-1 (Thu, 20 Jul 2006 14:17:18 +0200).
 .
 Upstream will not apply it at the moment:
   Sam Lantinga 2012-01-22 10:54:21 PST
 .
   At some point it was required that multi-threaded programs using pthreads on
   Linux link directly to the pthread library.  I don't remember all the details,
   but it had something to do with initializing C runtime variables correctly.
 .
   I'm sure it's not an issue anymore, but I'd rather not apply this patch in 1.2.
   I'll go ahead and make this change in 1.3 though.
fix_build_joystick_freebsd.diff | (download)

src/joystick/bsd/SDL_sysjoystick.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 freebsd compile fix.
 src/joystick/bsd/SDL_sysjoystick.c makes the invalid assumption that
 __FreeBSD_kernel__ implies presence of "ucr_data" struct member.  This
 breaks recent versions of FreeBSD 10-CURRENT, FreeBSD 9-STABLE and
 Debian GNU/kFreeBSD "wheezy/sid".
fix_window_resizing.diff | (download)

src/video/x11/SDL_x11events.c | 16 0 + 16 - 0 !
src/video/x11/SDL_x11events_c.h | 5 0 + 5 - 0 !
src/video/x11/SDL_x11video.c | 2 0 + 2 - 0 !
3 files changed, 23 deletions(-)

 revert change that breaks window corner resizing
 http://bugzilla.libsdl.org/show_bug.cgi?id=1430
fix_joystick_misc_axes.diff | (download)

src/joystick/linux/SDL_sysjoystick.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 left/right joystick axis doesn't work with some controllers
 Introduced in 1.2.15-3 (June 2012)
 .
 Reviewed in 2013-10-19 for SDL2 and SDL1.2 and submitted new upstream bug
 report for re-evaluation, the previous one (suggested by the bug submitted) was
 probably not related.
sdl check for SDL_VIDEO_X11_BACKINGSTORE.patch | (download)

src/video/x11/SDL_x11video.c | 4 1 + 3 - 0 !
1 file changed, 1 insertion(+), 3 deletions(-)

 do not harness backing store by default
 xorg-server 1.15 enables backing store if composite extension is enabled
 (default settings). Harnessing backing store through compositor leads to
 tearing effect.
 This patch reverts default harnessing backing store to conditional use if
 SDL_VIDEO_X11_BACKINGSTORE environment variable exists.
avoid_maybe_non DFSG_file.patch | (download)

src/video/fbcon/SDL_fbriva.c | 38 0 + 38 - 0 !
src/video/fbcon/SDL_fbvideo.c | 8 0 + 8 - 0 !
2 files changed, 46 deletions(-)

 avoid maybe non-dfsg file
 Avoid use of source file with vague licensing terms regarding
 modification
SDL 1.2.15 vec_perm ppc64le.patch | (download)

src/video/SDL_blit_N.c | 44 44 + 0 - 0 !
1 file changed, 44 insertions(+)

---
CVE 2019 7572_CVE 2019 7574.patch | (download)

src/audio/SDL_wave.c | 27 20 + 7 - 0 !
1 file changed, 20 insertions(+), 7 deletions(-)

 cve-2019-7572, cve-2019-7574
 CVE-2019-7572: a buffer over-read in IMA_ADPCM_nibble in audio/SDL_wave.c.
 CVE-2019-7574: a heap-based buffer over-read in IMA_ADPCM_decode in audio/SDL_wave.c.


CVE 2019 7573.patch | (download)

src/audio/SDL_wave.c | 13 10 + 3 - 0 !
1 file changed, 10 insertions(+), 3 deletions(-)

 cve-2019-7573
 a heap-based buffer over-read in InitMS_ADPCM in audio/SDL_wave.c (inside the
 wNumCoef loop).


CVE 2019 7575_7577.patch | (download)

src/audio/SDL_wave.c | 13 12 + 1 - 0 !
1 file changed, 12 insertions(+), 1 deletion(-)

 cve-2019-7575, cve-2019-7577
 CVE-2019-7575: a heap-based buffer overflow in MS_ADPCM_decode in audio/SDL_wave.c.
 CVE-2019-7577: a buffer over-read in SDL_LoadWAV_RW in audio/SDL_wave.c.


CVE 2019 7578.patch | (download)

src/audio/SDL_wave.c | 12 9 + 3 - 0 !
1 file changed, 9 insertions(+), 3 deletions(-)

 cve-2019-7578

 If IMA ADPCM format chunk was too short, InitIMA_ADPCM() parsing it
 could read past the end of chunk data. This patch fixes it.

CVE 2019 7635_636_638.patch | (download)

src/video/SDL_bmp.c | 29 29 + 0 - 0 !
1 file changed, 29 insertions(+)

 cve-2019-7635_cve-2019-7636, cve-2019-7638
 CVE-2019-7635: a heap-based buffer over-read in Blit1to4 in video/SDL_blit_1.c
 CVE-2019-7636: a heap-based buffer over-read in SDL_GetRGB in video/SDL_pixels.c
 CVE-2019-7638: buffer overwrite when the SDL_LoadBMP_RW() loads colors from a file.


CVE 2019 7637.patch | (download)

src/video/SDL_pixels.c | 42 35 + 7 - 0 !
src/video/gapi/SDL_gapivideo.c | 3 3 + 0 - 0 !
src/video/nanox/SDL_nxvideo.c | 4 4 + 0 - 0 !
src/video/ps2gs/SDL_gsvideo.c | 3 3 + 0 - 0 !
src/video/ps3/SDL_ps3video.c | 3 3 + 0 - 0 !
src/video/windib/SDL_dibvideo.c | 3 3 + 0 - 0 !
src/video/windx5/SDL_dx5video.c | 3 3 + 0 - 0 !
src/video/x11/SDL_x11video.c | 4 4 + 0 - 0 !
8 files changed, 58 insertions(+), 7 deletions(-)

 [patch] cve-2019-7637: fix in integer overflow in sdl_calculatepitch

If a too large width is passed to SDL_SetVideoMode() the width travels
to SDL_CalculatePitch() where the width (e.g. 65535) is multiplied by
BytesPerPixel (e.g. 4) and the result is stored into Uint16 pitch
variable. During this arithmetic an integer overflow can happen (e.g.
the value is clamped as 65532). As a result SDL_Surface with a pitch
smaller than width * BytesPerPixel is created, too small pixel buffer
is allocated and when the SDL_Surface is processed in SDL_FillRect()
a buffer overflow occurs.

This can be reproduced with "./graywin -width 21312312313123213213213"
command.

This patch fixes it by using very careful arithmetic in
SDL_CalculatePitch(). If an overflow is detected, an error is reported
back as a special 0 value. We assume that 0-width surfaces do not
occur in the wild. Since SDL_CalculatePitch() is a private function,
we can change the semantics.

CVE-2019-7637
https://bugzilla.libsdl.org/show_bug.cgi?id=4497

Signed-off-by: Petr Písař <ppisar@redhat.com>
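
An added illustration, in C, of the 16-bit pitch truncation described in the commit message above and of a checked calculation that reports overflow as 0. It is not the SDL patch or Debian's code; the function names and the whole-bytes-per-pixel simplification are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names; a sketch of the arithmetic, not SDL's source. */

/* Unchecked: the product is narrowed to 16 bits, so large widths wrap. */
static uint16_t pitch_unchecked(uint32_t width, uint8_t bytes_per_pixel)
{
    uint16_t pitch = (uint16_t)(width * bytes_per_pixel);
    return (uint16_t)((pitch + 3u) & ~3u);      /* round up to 4 bytes */
}

/* Checked: 0 signals "scanline too wide", the convention the message describes. */
static uint16_t pitch_checked(uint32_t width, uint8_t bytes_per_pixel)
{
    if (width == 0 || bytes_per_pixel == 0)
        return 0;
    /* Reject before multiplying; leave room for the alignment round-up. */
    if (width > (UINT16_MAX - 3u) / bytes_per_pixel)
        return 0;
    return (uint16_t)((width * bytes_per_pixel + 3u) & ~3u);
}

/* Bytes one row really needs, computed in a type wide enough not to wrap. */
static uint64_t row_bytes_needed(uint32_t width, uint8_t bytes_per_pixel)
{
    return (uint64_t)width * bytes_per_pixel;
}

/* 1 if a buffer sized from `pitch` is too small for one row. */
static int row_undersized(uint16_t pitch, uint32_t width, uint8_t bpp)
{
    return (uint64_t)pitch < row_bytes_needed(width, bpp);
}

int main(void)
{
    /* Constructed inputs: an ordinary width and the message's 65535 x 4 case. */
    const uint32_t widths[] = { 640, 16383, 16384, 65535 };
    for (size_t i = 0; i < sizeof widths / sizeof widths[0]; i++) {
        uint32_t w = widths[i];
        uint16_t u = pitch_unchecked(w, 4), c = pitch_checked(w, 4);
        printf("w=%u unchecked=%u (undersized=%d) checked=%u\n",
               (unsigned)w, (unsigned)u, row_undersized(u, w, 4), (unsigned)c);
    }
    return 0;
}
```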

CVE 2019 7637 2.patch | (download)

src/video/gapi/SDL_gapivideo.c | 2 1 + 1 - 0 !
src/video/windib/SDL_dibvideo.c | 2 1 + 1 - 0 !
src/video/windx5/SDL_dx5video.c | 2 1 + 1 - 0 !
3 files changed, 3 insertions(+), 3 deletions(-)

---
CVE 2019 7577 1_2.patch | (download)

src/audio/SDL_wave.c | 7 7 + 0 - 0 !
1 file changed, 7 insertions(+)

 cve-2019-7577
 a buffer over-read in SDL_LoadWAV_RW in audio/SDL_wave.c.


CVE 2019 13616.patch | (download)

src/video/SDL_bmp.c | 5 5 + 0 - 0 !
1 file changed, 5 insertions(+)

---