initial import

2025-06-22 20:39:04 -05:00
commit f8a70886f0
3428 changed files with 302546 additions and 0 deletions

148
sdl/PKGBUILD Normal file

@@ -0,0 +1,148 @@
# Maintainer: Jesus E. <heckyel@riseup.net>
pkgname=sdl
pkgver=1.2.15
_debver=1.2.15+dfsg2
_debrel=6
pkgrel=9
pkgdesc="A library for portable low-level access to a video framebuffer, audio output, mouse, and keyboard"
arch=('i686' 'x86_64')
url="https://www.libsdl.org/"
license=('LGPL-2.1')
depends=('glibc' 'libxext' 'libxrender' 'libx11' 'libsndio')
makedepends=('alsa-lib' 'mesa' 'glu' 'quilt')
optdepends=('alsa-lib: ALSA audio driver'
'sndio: sndio audio driver')
options=('staticlibs')
mksource=(https://www.libsdl.org/release/SDL-${pkgver}.tar.gz)
source=(https://repo.hyperbola.info:50000/sources/${pkgname}-libre/SDL-libre-${pkgver}.tar.gz{,.sig}
https://deb.debian.org/debian/pool/main/libs/libsdl1.2/libsdl1.2_$_debver-$_debrel.debian.tar.xz
SDL-1.2.10-GrabNotViewable.patch
SDL-1.2.15-SDL_EnableUNICODE_drops_keyboard_events.patch
SDL-1.2.15-const_XData32.patch
SDL-1.2.15-ignore_insane_joystick_axis.patch
SDL-1.2.15-no-default-backing-store.patch
SDL-1.2.15-x11-Bypass-SetGammaRamp-when-changing-gamma.patch
sdl-1.2.14-fix-mouse-clicking.patch
sdl-1.2.14-disable-mmx.patch
libsdl-1.2.15-resizing.patch
X11_KeyToUnicode.patch
SDL-1.2.15-CVE-2019-13616-validate_image_size_when_loading_BMP_files.patch
SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch
SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch
SDL-1.2.15-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch
SDL-1.2.15-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch
SDL-1.2.15-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch
SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch
SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch
SDL-1.2.15-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch
SDL-1.2.15-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch
SDL-1.2.15-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch
SDL-1.2.15-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch
SDL-1.2.15-Reject-2-3-5-6-7-bpp-BMP-images.patch
sndio.patch
libre.patch)
mksha512sums=('ac392d916e6953b0925a7cbb0f232affea33339ef69b47a0a7898492afb9784b93138986df53d6da6d3e2ad79af1e9482df565ecca30f89428be0ae6851b1adc')
sha512sums=('0f43a2d7905eb7bf4e2348f9999ee6b716d08159b8418fe0f179c235034c4d20874e38055d9eb2cdbcec612e396e1c2739a4d23d7181aecb018f24ca16e27b08'
'SKIP'
'6cca017439661e7f1a6eef2fa19ecd26de03cd4d81bf1a8117651bebd28b5ea1ae88c2149029ef27e664ec692d39d34c571811812824180a4693b94ff752da6f'
'20049408d4c00d895c39a7901d889d1874ebcd382e93b2e8df38bd3726e2236f4e9a980720724cf176a35d05fb0db5dbcabd42089423adeb404f2dba16d52b7b'
'8816d3c3767bb02007cc8617b62d21b79c5f224f77c80ebc6b2be6e817571f255ef6901ed4c7461f3d6b24f0ade315c0e07445c13acd8d8db6b01001be498ec2'
'c414a088350e4b039edf46b109721bea01300ad959b84c313f34d5bc085cab97107abb55a71cb8343f092546e4a36c52febf029ffa7d5bacbd580aee43c07bf3'
'6fc50981ef6ae1c737afcb597241d8e89379072ed495cfcc54ee969125c2de1b1455bc3bada8c0c8c3ec13ab2d1b01bc2f7c31e88fcbc399b21754878b5c325e'
'd21850ae37faeea3a5c57e5695773d732b0ca4452e0b3a9d35af0ec73879f6f91e98b56d9137eb18f04b5886ded2de10df6f8574f3207800275af04982ebefd1'
'e78153051c496ad37d55137d8d9cd8782269c9be201feaeb32ed57f547d628810f1fba3d9b6c69cc37b1f9941b155cc9d37ba78b275485d129f3c8bad69d5df7'
'69ccd8122829530bbff2d056cbf2e0a172e1385c46ab666f869a2c11777a8ef458603aadd59f3a044aac429d1f1ca7b0339ea1b968347c44f784a9423aacea58'
'b0f22c21afcc5942d5cca246875eca23ad5bf0af63b57986b70cefa297f7913dc12269e00e36b6be6b635802b86f2e1aa078c603a0f2d3531321d6a178195c31'
'f037efd76547eb2bb02a869ca245ea682f0d3321a1dd83d4dadadbda7cd6208c31d977281361b4e683416510be117704038fa54aa9d898e6b6c1168d0b24ecbb'
'cc9b7e6f775608caa004961805b8817e44a698aaefdc0a05a8410ce6d2e9249b7c4d4ee5c029738bf32486f3e9bb7bd18849542c830a0fb8dd4c587c6d5ac0e5'
'538910b9f74923f89b664b69d710df06280d629c912303fcd9ccca9c8e6d43c7aefd6053ffc615ec0a38d3e0b86e828df7e2ce503b2b889b9c42179453112596'
'3274f91e41b72cd98b6d7962013dd45289952b7af78cc7bc5fe99d4f143434243c8ef0743117d3ec6b090784dfcba8dd460679cc5b49f298ebd8b5afab78a108'
'e713d0f3d24d73831d9f116d4e15e965c5f09e19b15634e8cbf92714612b0172f24a5c542b3fde09732d17b03d7dac3aaac0d8f4e359a45c1c538970413d6e7c'
'3bf62a71988feff2329e298cee8ce48c636c65100959385b73953c95eea21cb069a7ed096165c252e5ef1db133330da5d095cf5ad145d9875b1197d3b5517b81'
'8c287d6ffcc159f19d934d560e073a716325b6a62d9dea974b92b2d4a417defc4f8441769b4761c5a2600b10a45ff401b0afbab6823880e3d54eab09e22f9859'
'abe54d9f29b5e6c1a91cba2bb44e0988b7ceb5a94c3f63569f436f49f282b80280cecd79ee48b9926fff458efbdf0fff019b0fdbf6530692a11a68dbec73e7ca'
'f364161069ceb5d05d329ff04f6e72d2c52baff68d0d3f2203f8a7ee3ace1efe8fc63676ea7d097ccc8eb696dcc20c6b141319ddf0c2bb6efc4fd92cb1dba038'
'd2f0664cc0388908ec621c84e7f889ef5abda31dc4e4d23e6e379e26475ed73863ad47b2f13d282c96ba269bdbc77e7effaf5f01032d0683ad991b506063ef19'
'a31d5c685fafbca72fdc5336343b74b90b1bfd5af4b6f632b4d8271bb1a218ec6419a7994290f65e7a5fc36d921c2d3c1a25ddf0cdf29bffb7229229415eaa9f'
'60d57952fb0190e15aac85d9d7e5b589e1a6e781870c35d75327aefc21c8285dffc48aee3b458caee0e8c7704f59e8c8d2596d7126f58944878f905688267b5e'
'e0fcbfc500f654f0791ca2d240589275e9dd8d97e76e962d0de095e1135880d3f21f5b1a851ec7cac35245d1e92f53758f88cd673e823a975a6c7c3760def24e'
'ac5f3b731b82a6aa1b89492e8eddf48b1e927b8ec52b24cd1618417cc0edc646e8de5b9d903e965a0e10dbd830fdc3964d753274995a59865a059ce594efb56f'
'5c8210c830afc97e6401e0cda2c7372fcb3f20ed91470258c0ab168410c12664f76c5fc5e23f88c4b2c40dcee1e87e49ad41de4c8a0c409c16d269247ade105c'
'20d7200147de20a0e3a9ce7205b169b4b1a26e05f57d7d44174564e8ce8f5d9ba005b9de9c538e72d48eaac046fc22a56440f4974827c2959a88fcdb6d8355ef'
'0c8b6da6e1fb02b19062d9cde4b35ba55a522285041367d79cd3634ad2887683f27e0cb88f6e8cf044e24da41f0bdcf39d4b77758e7417c57bc4506671235ecb')
validpgpkeys=('C92BAA713B8D53D3CAE63FC9E6974752F9704456') # André Silva
mksource() {
cd SDL-$pkgver
rm -v src/video/fbcon/riva_mmio.h
}
prepare() {
cd SDL-$pkgver
if [[ ${pkgver} = ${_debver} ]]; then
# Debian patches
export QUILT_PATCHES=debian/patches
export QUILT_REFRESH_ARGS='-p ab --no-timestamps --no-index'
export QUILT_DIFF_ARGS='--no-timestamps'
mv "$srcdir"/debian .
# Doesn't apply and seems unimportant
rm -v debian/patches/replace-relicenced-SDL_qsort.patch || true
quilt push -av
else
patch -Np1 -i ../SDL-1.2.15-no-default-backing-store.patch
patch -Np1 -i ../libsdl-1.2.15-resizing.patch
patch -Np1 -i ../X11_KeyToUnicode.patch
fi
patch -Np1 -i ../SDL-1.2.10-GrabNotViewable.patch
patch -Np1 -i ../SDL-1.2.15-SDL_EnableUNICODE_drops_keyboard_events.patch
patch -Np1 -i ../SDL-1.2.15-const_XData32.patch
patch -Np1 -i ../SDL-1.2.15-ignore_insane_joystick_axis.patch
# https://bugs.freedesktop.org/show_bug.cgi?id=27222
patch -Np1 -i ../SDL-1.2.15-x11-Bypass-SetGammaRamp-when-changing-gamma.patch
patch -Np1 -i ../sdl-1.2.14-fix-mouse-clicking.patch
patch -Np1 -i ../sdl-1.2.14-disable-mmx.patch
# bunch of CVE fixes from Fedora - Thanks!
patch -Np1 -i ../SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch
patch -Np1 -i ../SDL-1.2.15-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch
patch -Np1 -i ../SDL-1.2.15-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch
patch -Np1 -i ../SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch
patch -Np1 -i ../SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch
patch -Np1 -i ../SDL-1.2.15-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch
patch -Np1 -i ../SDL-1.2.15-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch
patch -Np1 -i ../SDL-1.2.15-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch
patch -Np1 -i ../SDL-1.2.15-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch
patch -Np1 -i ../SDL-1.2.15-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch
patch -Np1 -i ../SDL-1.2.15-CVE-2019-13616-validate_image_size_when_loading_BMP_files.patch
patch -Np1 -i ../SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch
patch -Np1 -i ../SDL-1.2.15-Reject-2-3-5-6-7-bpp-BMP-images.patch
patch -Np1 -i ../sndio.patch
patch -Np1 -i ../libre.patch
./autogen.sh
}
build() {
cd SDL-$pkgver
./configure --prefix=/usr --disable-nasm --enable-alsa \
--with-x --disable-rpath --disable-static \
--disable-pulseaudio --disable-pulseaudio-shared \
--enable-sndio --enable-video-directfb
make
}
package() {
cd SDL-$pkgver
make DESTDIR="$pkgdir" install
install -Dm644 COPYING $pkgdir/usr/share/licenses/$pkgname/COPYING
}
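Review bot: In prepare(), the test `[[ ${pkgver} = ${_debver} ]]` compares `1.2.15` with `1.2.15+dfsg2`, so it can never be true and the quilt branch that applies the Debian patch series is dead code; only the three patches in the else branch run. If the Debian series is meant to be applied, compare the upstream part of the version, e.g. `if [[ ${pkgver} = ${_debver%%+*} ]]; then`, and check that it does not overlap with the CVE patches applied afterwards; if it is not, drop the Debian tarball and `quilt` from `source`/`makedepends` so the build does not fetch an input it never uses. Either way, a short comment saying which patch set is authoritative for the CVE fixes would help the next audit. Separately, `$pkgdir` in the final `install` line of package() is unquoted, unlike the `make DESTDIR="$pkgdir"` line above it.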


@@ -0,0 +1,22 @@
Makes SDL-1.2 SDL_WM_GrabInput() non-blocking in case of SDL window is not
viewable. Patch provided by <pbonzini@redhat.com>.
See <http://bugzilla.libsdl.org/show_bug.cgi?id=1155>.
--- ./src/video/x11/SDL_x11wm.c 2007-12-31 04:48:13.000000000 +0000
+++ ./src/video/x11/SDL_x11wm.c 2009-01-15 10:27:14.000000000 +0000
@@ -351,13 +351,14 @@ SDL_GrabMode X11_GrabInputNoLock(_THIS,
result = XGrabPointer(SDL_Display, SDL_Window, True, 0,
GrabModeAsync, GrabModeAsync,
SDL_Window, None, CurrentTime);
- if ( result == GrabSuccess ) {
+ if ( result == GrabSuccess || result == GrabNotViewable ) {
break;
}
SDL_Delay(100);
}
if ( result != GrabSuccess ) {
/* Uh, oh, what do we do here? */ ;
+ return(SDL_GRAB_OFF);
}
/* Now grab the keyboard */
XGrabKeyboard(SDL_Display, WMwindow, True,
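Review bot: The added `return(SDL_GRAB_OFF);` sits under `if ( result != GrabSuccess )`, so it is taken for every pointer-grab failure however the surrounding loop ends, not only for `GrabNotViewable`, and the leftover comment `/* Uh, oh, what do we do here? */ ;` no longer describes the code. I would replace it with a comment that states the decision, e.g. `/* Pointer grab failed (e.g. window not viewable): report the grab as off and skip the keyboard grab */`. X11_GrabInputNoLock starts and ends outside this hunk, so whether callers record the returned mode cannot be checked from here.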


@@ -0,0 +1,23 @@
changeset: 12960:ad1bbfbca760
branch: SDL-1.2
parent: 12914:87d60cae0273
user: Ozkan Sezer <sezeroz@gmail.com>
date: Tue Jul 30 21:30:24 2019 +0300
summary: Fixed bug 4538 - validate image size when loading BMP files
diff -r 87d60cae0273 -r ad1bbfbca760 src/video/SDL_bmp.c
--- a/src/video/SDL_bmp.c Tue Jun 18 23:31:40 2019 +0100
+++ b/src/video/SDL_bmp.c Tue Jul 30 21:30:24 2019 +0300
@@ -143,6 +143,11 @@
(void) biYPelsPerMeter;
(void) biClrImportant;
+ if (biWidth <= 0 || biHeight == 0) {
+ SDL_SetError("BMP file with bad dimensions (%dx%d)", biWidth, biHeight);
+ was_error = SDL_TRUE;
+ goto done;
+ }
if (biHeight < 0) {
topDown = SDL_TRUE;
biHeight = -biHeight;
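Review bot: The new dimension check lets the most negative height through, and the context line `biHeight = -biHeight;` right after it then negates it; if biHeight is a signed 32-bit value (the `%d` in the new SDL_SetError call suggests so, but its declaration is outside the hunk), that negation overflows, which is undefined behaviour in C. Rejecting that one value in the same guard closes it: `if (biWidth <= 0 || biHeight == 0 || biHeight < -0x7FFFFFFF) {`. The check also puts no upper bound on the dimensions, so it relies on later code to reject sizes whose product overflows; a one-line comment saying where that happens would make the guard easier to audit.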


@@ -0,0 +1,59 @@
From bb11ffcff5ae2f25bead921c2a299e7e63d8a759 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Thu, 14 Feb 2019 16:51:54 +0100
Subject: [PATCH] CVE-2019-7572: Fix a buffer overread in IMA_ADPCM_nibble
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If an IMA ADPCM block contained an initial index out of step table
range (loaded in IMA_ADPCM_decode()), IMA_ADPCM_nibble() blindly used
this bogus value and that lead to a buffer overread.
This patch fixes it by moving clamping the index value at the
beginning of IMA_ADPCM_nibble() function instead of the end after
an update.
CVE-2019-7572
https://bugzilla.libsdl.org/show_bug.cgi?id=4495
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
src/audio/SDL_wave.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
index 2968b3d..69d62dc 100644
--- a/src/audio/SDL_wave.c
+++ b/src/audio/SDL_wave.c
@@ -275,6 +275,14 @@ static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble)
};
Sint32 delta, step;
+ /* Clamp index value. The inital value can be invalid. */
+ if ( state->index > 88 ) {
+ state->index = 88;
+ } else
+ if ( state->index < 0 ) {
+ state->index = 0;
+ }
+
/* Compute difference and new sample value */
step = step_table[state->index];
delta = step >> 3;
@@ -286,12 +294,6 @@ static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble)
/* Update index value */
state->index += index_table[nybble];
- if ( state->index > 88 ) {
- state->index = 88;
- } else
- if ( state->index < 0 ) {
- state->index = 0;
- }
/* Clamp output sample */
if ( state->sample > max_audioval ) {
--
2.20.1
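Review bot: With the clamp moved to the top of IMA_ADPCM_nibble(), `state->index += index_table[nybble];` now leaves a possibly out-of-range value stored in the state between calls, and the table lookup is safe only as long as every reader of `state->index` goes through this function. That holds for the lines visible here, but the callers are outside the hunk, so I would state the invariant next to the update, e.g. `/* index may leave 0..88 here; it is clamped on entry before step_table[] is read */`, or keep the removed post-update clamp as well. The literal 88 is tied to the size of step_table[], which is declared above the hunk; deriving the bound from the array would keep the two from drifting apart. The added comment also has a typo, `inital`.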


@@ -0,0 +1,64 @@
From 6086741bda4d43cc227500bc7645a829380e6326 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Fri, 15 Feb 2019 09:21:45 +0100
Subject: [PATCH] CVE-2019-7572: Fix a buffer overwrite in IMA_ADPCM_decode
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If data chunk was longer than expected based on a WAV format
definition, IMA_ADPCM_decode() tried to write past the output
buffer. This patch fixes it.
Based on patch from
<https://bugzilla.libsdl.org/show_bug.cgi?id=4496>.
CVE-2019-7572
https://bugzilla.libsdl.org/show_bug.cgi?id=4495
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
src/audio/SDL_wave.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
index 69d62dc..91e89e8 100644
--- a/src/audio/SDL_wave.c
+++ b/src/audio/SDL_wave.c
@@ -336,7 +336,7 @@ static void Fill_IMA_ADPCM_block(Uint8 *decoded, Uint8 *encoded,
static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
{
struct IMA_ADPCM_decodestate *state;
- Uint8 *freeable, *encoded, *encoded_end, *decoded;
+ Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end;
Sint32 encoded_len, samplesleft;
unsigned int c, channels;
@@ -363,6 +363,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
return(-1);
}
decoded = *audio_buf;
+ decoded_end = decoded + *audio_len;
/* Get ready... Go! */
while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) {
@@ -382,6 +383,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
}
/* Store the initial sample we start with */
+ if (decoded + 2 > decoded_end) goto invalid_size;
decoded[0] = (Uint8)(state[c].sample&0xFF);
decoded[1] = (Uint8)(state[c].sample>>8);
decoded += 2;
@@ -392,6 +394,8 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
while ( samplesleft > 0 ) {
for ( c=0; c<channels; ++c ) {
if (encoded + 4 > encoded_end) goto invalid_size;
+ if (decoded + 4 * 4 * channels > decoded_end)
+ goto invalid_size;
Fill_IMA_ADPCM_block(decoded, encoded,
c, channels, &state[c]);
encoded += 4;
--
2.20.1
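Review bot: The new guards `decoded + 2 > decoded_end` and `decoded + 4 * 4 * channels > decoded_end` form a pointer beyond the output buffer before comparing it, which is undefined behaviour once the sum is more than one past the end, so the compiler is allowed to assume the condition never holds. Comparing the remaining space avoids that: `if ((size_t)(decoded_end - decoded) < 4 * 4 * channels) goto invalid_size;` and likewise `if (decoded_end - decoded < 2) goto invalid_size;`. The same pattern is used for `encoded + N > encoded_end` in the IMA_ADPCM_decode and MS_ADPCM_decode patches and for `rogue_feel + N > rogue_feel_end` in the InitMS_ADPCM and InitIMA_ADPCM patches on this page. A comment on the second guard saying what `4 * 4 * channels` counts would also help; the function body continues outside these hunks.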


@@ -0,0 +1,83 @@
From 3e2c89e516701f3586dfeadec13932f665371d2a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Fri, 15 Feb 2019 10:36:13 +0100
Subject: [PATCH] CVE-2019-7573, CVE-2019-7576: Fix buffer overreads in
InitMS_ADPCM
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If MS ADPCM format chunk was too short, InitMS_ADPCM() parsing it
could read past the end of chunk data. This patch fixes it.
CVE-2019-7573
https://bugzilla.libsdl.org/show_bug.cgi?id=4491
CVE-2019-7576
https://bugzilla.libsdl.org/show_bug.cgi?id=4490
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
src/audio/SDL_wave.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
index 91e89e8..1d446ed 100644
--- a/src/audio/SDL_wave.c
+++ b/src/audio/SDL_wave.c
@@ -44,12 +44,13 @@ static struct MS_ADPCM_decoder {
struct MS_ADPCM_decodestate state[2];
} MS_ADPCM_state;
-static int InitMS_ADPCM(WaveFMT *format)
+static int InitMS_ADPCM(WaveFMT *format, int length)
{
- Uint8 *rogue_feel;
+ Uint8 *rogue_feel, *rogue_feel_end;
int i;
/* Set the rogue pointer to the MS_ADPCM specific data */
+ if (length < sizeof(*format)) goto too_short;
MS_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding);
MS_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels);
MS_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency);
@@ -58,9 +59,11 @@ static int InitMS_ADPCM(WaveFMT *format)
MS_ADPCM_state.wavefmt.bitspersample =
SDL_SwapLE16(format->bitspersample);
rogue_feel = (Uint8 *)format+sizeof(*format);
+ rogue_feel_end = (Uint8 *)format + length;
if ( sizeof(*format) == 16 ) {
rogue_feel += sizeof(Uint16);
}
+ if (rogue_feel + 4 > rogue_feel_end) goto too_short;
MS_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1]<<8)|rogue_feel[0]);
rogue_feel += sizeof(Uint16);
MS_ADPCM_state.wNumCoef = ((rogue_feel[1]<<8)|rogue_feel[0]);
@@ -70,12 +73,16 @@ static int InitMS_ADPCM(WaveFMT *format)
return(-1);
}
for ( i=0; i<MS_ADPCM_state.wNumCoef; ++i ) {
+ if (rogue_feel + 4 > rogue_feel_end) goto too_short;
MS_ADPCM_state.aCoeff[i][0] = ((rogue_feel[1]<<8)|rogue_feel[0]);
rogue_feel += sizeof(Uint16);
MS_ADPCM_state.aCoeff[i][1] = ((rogue_feel[1]<<8)|rogue_feel[0]);
rogue_feel += sizeof(Uint16);
}
return(0);
+too_short:
+ SDL_SetError("Unexpected length of a chunk with a MS ADPCM format");
+ return(-1);
}
static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state,
@@ -485,7 +492,7 @@ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc,
break;
case MS_ADPCM_CODE:
/* Try to understand this */
- if ( InitMS_ADPCM(format) < 0 ) {
+ if ( InitMS_ADPCM(format, lenread) < 0 ) {
was_error = 1;
goto done;
}
--
2.20.1
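Review bot: In `if (length < sizeof(*format)) goto too_short;` the new `int length` parameter is converted to an unsigned type for the comparison, so a negative length passes this check and the `format->...` fields are then read. Whether `lenread` can be negative at the call site in SDL_LoadWAV_RW is not visible in the hunk, so I would make the guard explicit: `if (length < 0 || (size_t)length < sizeof(*format)) goto too_short;`. InitIMA_ADPCM gets the identical line in the CVE-2019-7578 patch further down and needs the same change. The per-iteration test inside the coefficient loop could also be a single check for `4 * wNumCoef` bytes before the loop.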


@@ -0,0 +1,71 @@
From 9b2eee24768889378032077423cb6a3221a8ad18 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Thu, 14 Feb 2019 15:41:47 +0100
Subject: [PATCH] CVE-2019-7574: Fix a buffer overread in IMA_ADPCM_decode
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If data chunk was shorter than expected based on a WAV format
definition, IMA_ADPCM_decode() tried to read past the data chunk
buffer. This patch fixes it.
CVE-2019-7574
https://bugzilla.libsdl.org/show_bug.cgi?id=4496
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
src/audio/SDL_wave.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
index b6c49de..2968b3d 100644
--- a/src/audio/SDL_wave.c
+++ b/src/audio/SDL_wave.c
@@ -334,7 +334,7 @@ static void Fill_IMA_ADPCM_block(Uint8 *decoded, Uint8 *encoded,
static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
{
struct IMA_ADPCM_decodestate *state;
- Uint8 *freeable, *encoded, *decoded;
+ Uint8 *freeable, *encoded, *encoded_end, *decoded;
Sint32 encoded_len, samplesleft;
unsigned int c, channels;
@@ -350,6 +350,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
/* Allocate the proper sized output buffer */
encoded_len = *audio_len;
encoded = *audio_buf;
+ encoded_end = encoded + encoded_len;
freeable = *audio_buf;
*audio_len = (encoded_len/IMA_ADPCM_state.wavefmt.blockalign) *
IMA_ADPCM_state.wSamplesPerBlock*
@@ -365,6 +366,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) {
/* Grab the initial information for this block */
for ( c=0; c<channels; ++c ) {
+ if (encoded + 4 > encoded_end) goto invalid_size;
/* Fill the state information for this block */
state[c].sample = ((encoded[1]<<8)|encoded[0]);
encoded += 2;
@@ -387,6 +389,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
samplesleft = (IMA_ADPCM_state.wSamplesPerBlock-1)*channels;
while ( samplesleft > 0 ) {
for ( c=0; c<channels; ++c ) {
+ if (encoded + 4 > encoded_end) goto invalid_size;
Fill_IMA_ADPCM_block(decoded, encoded,
c, channels, &state[c]);
encoded += 4;
@@ -398,6 +401,10 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
}
SDL_free(freeable);
return(0);
+invalid_size:
+ SDL_SetError("Unexpected chunk length for an IMA ADPCM decoder");
+ SDL_free(freeable);
+ return(-1);
}
SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc,
--
2.20.1
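Review bot: The new `invalid_size:` exit frees only `freeable`, the encoded input, while `*audio_len` has already been overwritten for the output buffer earlier in IMA_ADPCM_decode() (the assignment is visible in the second hunk; the allocation stored in `*audio_buf` is between hunks). Unless the caller frees `*audio_buf` when -1 is returned, every malformed file that reaches this label leaks the partially filled output buffer and leaves the caller holding a length for data that was never fully decoded. I would release it on this path, e.g. `SDL_free(*audio_buf); *audio_buf = NULL; *audio_len = 0;` before `return(-1);`, after confirming the caller does not free it as well. The `too_short`, `invalid_size` and `invalid_predictor` exits added to MS_ADPCM_decode in the other patches on this page have the same shape.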


@@ -0,0 +1,84 @@
From e1f80cadb079e35103e6eebf160a818815c823df Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Thu, 14 Feb 2019 14:51:52 +0100
Subject: [PATCH] CVE-2019-7575: Fix a buffer overwrite in MS_ADPCM_decode
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If a WAV format defines shorter audio stream and decoded MS ADPCM data chunk
is longer, decoding continued past the output audio buffer.
This fix is based on a patch from
<https://bugzilla.libsdl.org/show_bug.cgi?id=4492>.
https://bugzilla.libsdl.org/show_bug.cgi?id=4493
CVE-2019-7575
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
src/audio/SDL_wave.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
index e42d01c..b6c49de 100644
--- a/src/audio/SDL_wave.c
+++ b/src/audio/SDL_wave.c
@@ -115,7 +115,7 @@ static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state,
static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
{
struct MS_ADPCM_decodestate *state[2];
- Uint8 *freeable, *encoded, *encoded_end, *decoded;
+ Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end;
Sint32 encoded_len, samplesleft;
Sint8 nybble, stereo;
Sint16 *coeff[2];
@@ -135,6 +135,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
return(-1);
}
decoded = *audio_buf;
+ decoded_end = decoded + *audio_len;
/* Get ready... Go! */
stereo = (MS_ADPCM_state.wavefmt.channels == 2);
@@ -142,7 +143,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
state[1] = &MS_ADPCM_state.state[stereo];
while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) {
/* Grab the initial information for this block */
- if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto too_short;
+ if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto invalid_size;
state[0]->hPredictor = *encoded++;
if ( stereo ) {
state[1]->hPredictor = *encoded++;
@@ -169,6 +170,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
coeff[1] = MS_ADPCM_state.aCoeff[state[1]->hPredictor];
/* Store the two initial samples we start with */
+ if (decoded + 4 + (stereo ? 4 : 0) > decoded_end) goto invalid_size;
decoded[0] = state[0]->iSamp2&0xFF;
decoded[1] = state[0]->iSamp2>>8;
decoded += 2;
@@ -190,7 +192,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)*
MS_ADPCM_state.wavefmt.channels;
while ( samplesleft > 0 ) {
- if (encoded + 1 > encoded_end) goto too_short;
+ if (encoded + 1 > encoded_end) goto invalid_size;
+ if (decoded + 4 > decoded_end) goto invalid_size;
nybble = (*encoded)>>4;
new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]);
@@ -213,8 +216,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
}
SDL_free(freeable);
return(0);
-too_short:
- SDL_SetError("Too short chunk for a MS ADPCM decoder");
+invalid_size:
+ SDL_SetError("Unexpected chunk length for a MS ADPCM decoder");
SDL_free(freeable);
return(-1);
}
--
2.20.1
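Review bot: The byte counts in the new output guards, `decoded + 4 + (stereo ? 4 : 0)` and `decoded + 4`, are unexplained literals that have to stay in step with the stores that follow them. A short comment on each would make that auditable, e.g. `/* two 16-bit initial samples per channel */` on the first. The stores after the second guard are only partly inside the hunk, so its comment should be written against the full loop body of MS_ADPCM_decode().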


@@ -0,0 +1,75 @@
From ac3d0d365b1f01a6782565feda0c7432a5795671 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Thu, 14 Feb 2019 14:12:22 +0100
Subject: [PATCH] CVE-2019-7577: Fix a buffer overread in MS_ADPCM_decode
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If RIFF/WAV data chunk length is shorter then expected for an audio
format defined in preceeding RIFF/WAV format headers, a buffer
overread can happen.
This patch fixes it by checking a MS ADPCM data to be decoded are not
past the initialized buffer.
CVE-2019-7577
Reproducer: https://bugzilla.libsdl.org/show_bug.cgi?id=4492
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
src/audio/SDL_wave.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
index b4ad6c7..e42d01c 100644
--- a/src/audio/SDL_wave.c
+++ b/src/audio/SDL_wave.c
@@ -115,7 +115,7 @@ static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state,
static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
{
struct MS_ADPCM_decodestate *state[2];
- Uint8 *freeable, *encoded, *decoded;
+ Uint8 *freeable, *encoded, *encoded_end, *decoded;
Sint32 encoded_len, samplesleft;
Sint8 nybble, stereo;
Sint16 *coeff[2];
@@ -124,6 +124,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
/* Allocate the proper sized output buffer */
encoded_len = *audio_len;
encoded = *audio_buf;
+ encoded_end = encoded + encoded_len;
freeable = *audio_buf;
*audio_len = (encoded_len/MS_ADPCM_state.wavefmt.blockalign) *
MS_ADPCM_state.wSamplesPerBlock*
@@ -141,6 +142,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
state[1] = &MS_ADPCM_state.state[stereo];
while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) {
/* Grab the initial information for this block */
+ if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto too_short;
state[0]->hPredictor = *encoded++;
if ( stereo ) {
state[1]->hPredictor = *encoded++;
@@ -188,6 +190,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)*
MS_ADPCM_state.wavefmt.channels;
while ( samplesleft > 0 ) {
+ if (encoded + 1 > encoded_end) goto too_short;
+
nybble = (*encoded)>>4;
new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]);
decoded[0] = new_sample&0xFF;
@@ -209,6 +213,10 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
}
SDL_free(freeable);
return(0);
+too_short:
+ SDL_SetError("Too short chunk for a MS ADPCM decoder");
+ SDL_free(freeable);
+ return(-1);
}
struct IMA_ADPCM_decodestate {
--
2.20.1
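Review bot: The added bounds checks leave `MS_ADPCM_state.wavefmt.blockalign` unvalidated, and the context lines use it as a divisor in `encoded_len/MS_ADPCM_state.wavefmt.blockalign` and in the loop condition `encoded_len >= MS_ADPCM_state.wavefmt.blockalign`. If that field is copied from the file's format chunk without a check (its assignment is outside these hunks), a zero value divides by zero before any of the new guards run. Rejecting it where the format is parsed would cover both uses, e.g. `if (MS_ADPCM_state.wavefmt.blockalign == 0) return(-1);` with a matching SDL_SetError call in InitMS_ADPCM. IMA_ADPCM_decode has the same division by `IMA_ADPCM_state.wavefmt.blockalign`.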


@@ -0,0 +1,57 @@
From 69cd6157644cb0a5c9edd7b5920232c2ca31c151 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Tue, 12 Mar 2019 16:21:41 +0100
Subject: [PATCH] CVE-2019-7577: Fix a buffer overread in MS_ADPCM_nibble and
MS_ADPCM_decode
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If a chunk of RIFF/WAV file with MS ADPCM encoding contains an invalid
predictor (a valid predictor's value is between 0 and 6 inclusive),
a buffer overread can happen when the predictor is used as an index
into an array of MS ADPCM coefficients.
The overead happens when indexing MS_ADPCM_state.aCoeff[] array in
MS_ADPCM_decode() and later when dereferencing a coef pointer in
MS_ADPCM_nibble().
This patch fixes it by checking the MS ADPCM predictor values fit
into the valid range.
CVE-2019-7577
Reproducer: https://bugzilla.libsdl.org/show_bug.cgi?id=4492
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
src/audio/SDL_wave.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
index 08f65cb..5f93651 100644
--- a/src/audio/SDL_wave.c
+++ b/src/audio/SDL_wave.c
@@ -155,6 +155,9 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
if ( stereo ) {
state[1]->hPredictor = *encoded++;
}
+ if (state[0]->hPredictor >= 7 || state[1]->hPredictor >= 7) {
+ goto invalid_predictor;
+ }
state[0]->iDelta = ((encoded[1]<<8)|encoded[0]);
encoded += sizeof(Sint16);
if ( stereo ) {
@@ -227,6 +230,10 @@ invalid_size:
SDL_SetError("Unexpected chunk length for a MS ADPCM decoder");
SDL_free(freeable);
return(-1);
+invalid_predictor:
+ SDL_SetError("Invalid predictor value for a MS ADPCM decoder");
+ SDL_free(freeable);
+ return(-1);
}
struct IMA_ADPCM_decodestate {
--
2.20.1
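Review bot: The new range check hard-codes the bound as `>= 7`, while the array it protects, `MS_ADPCM_state.aCoeff[]`, is declared elsewhere and filled for `wNumCoef` entries in InitMS_ADPCM. Tying the test to the array keeps the two from drifting apart: `if (state[0]->hPredictor >= sizeof(MS_ADPCM_state.aCoeff)/sizeof(MS_ADPCM_state.aCoeff[0]) || ...`, with the same bound for `state[1]`. If the literal stays, a comment such as `/* aCoeff[] has 7 entries; hPredictor indexes it below */` would at least record where the 7 comes from. MS_ADPCM_decode() starts and ends outside these hunks.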


@@ -0,0 +1,67 @@
From 0eb76f6cabcffa2104e34c26e0f41e6de95356ff Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Fri, 15 Feb 2019 10:56:59 +0100
Subject: [PATCH] CVE-2019-7578: Fix a buffer overread in InitIMA_ADPCM
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If IMA ADPCM format chunk was too short, InitIMA_ADPCM() parsing it
could read past the end of chunk data. This patch fixes it.
CVE-2019-7578
https://bugzilla.libsdl.org/show_bug.cgi?id=4494
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
src/audio/SDL_wave.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
index 1d446ed..08f65cb 100644
--- a/src/audio/SDL_wave.c
+++ b/src/audio/SDL_wave.c
@@ -240,11 +240,12 @@ static struct IMA_ADPCM_decoder {
struct IMA_ADPCM_decodestate state[2];
} IMA_ADPCM_state;
-static int InitIMA_ADPCM(WaveFMT *format)
+static int InitIMA_ADPCM(WaveFMT *format, int length)
{
- Uint8 *rogue_feel;
+ Uint8 *rogue_feel, *rogue_feel_end;
/* Set the rogue pointer to the IMA_ADPCM specific data */
+ if (length < sizeof(*format)) goto too_short;
IMA_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding);
IMA_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels);
IMA_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency);
@@ -253,11 +254,16 @@ static int InitIMA_ADPCM(WaveFMT *format)
IMA_ADPCM_state.wavefmt.bitspersample =
SDL_SwapLE16(format->bitspersample);
rogue_feel = (Uint8 *)format+sizeof(*format);
+ rogue_feel_end = (Uint8 *)format + length;
if ( sizeof(*format) == 16 ) {
rogue_feel += sizeof(Uint16);
}
+ if (rogue_feel + 2 > rogue_feel_end) goto too_short;
IMA_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1]<<8)|rogue_feel[0]);
return(0);
+too_short:
+ SDL_SetError("Unexpected length of a chunk with an IMA ADPCM format");
+ return(-1);
}
static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble)
@@ -500,7 +506,7 @@ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc,
break;
case IMA_ADPCM_CODE:
/* Try to understand this */
- if ( InitIMA_ADPCM(format) < 0 ) {
+ if ( InitIMA_ADPCM(format, lenread) < 0 ) {
was_error = 1;
goto done;
}
--
2.20.1


@@ -0,0 +1,67 @@
From beef32b0e510371f3c968d22a1e3d48abbf366c6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Tue, 19 Feb 2019 14:52:52 +0100
Subject: [PATCH] CVE-2019-7635: Reject BMP images with pixel colors out the
palette
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If a 1-, 4-, or 8-bit per pixel BMP image declares less used colors
than the palette offers an SDL_Surface with a palette of the indicated
number of used colors is created. If some of the image's pixel
refer to a color number higher then the maximal used colors, a subsequent
bliting operation on the surface will look up a color past a blit map
(that is based on the palette) memory. I.e. passing such SDL_Surface
to e.g. an SDL_DisplayFormat() function will result in a buffer overread in
a blit function.
This patch fixes it by validing each pixel's color to be less than the
maximal color number in the palette. A validation failure raises an
error from a SDL_LoadBMP_RW() function.
CVE-2019-7635
https://bugzilla.libsdl.org/show_bug.cgi?id=4498
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
src/video/SDL_bmp.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c
index 3accded..8eadc5f 100644
--- a/src/video/SDL_bmp.c
+++ b/src/video/SDL_bmp.c
@@ -300,6 +300,12 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc)
}
*(bits+i) = (pixel>>shift);
pixel <<= ExpandBMP;
+ if ( bits[i] >= biClrUsed ) {
+ SDL_SetError(
+ "A BMP image contains a pixel with a color out of the palette");
+ was_error = SDL_TRUE;
+ goto done;
+ }
} }
break;
@@ -310,6 +316,16 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc)
was_error = SDL_TRUE;
goto done;
}
+ if ( 8 == biBitCount && palette && biClrUsed < (1 << biBitCount ) ) {
+ for ( i=0; i<surface->w; ++i ) {
+ if ( bits[i] >= biClrUsed ) {
+ SDL_SetError(
+ "A BMP image contains a pixel with a color out of the palette");
+ was_error = SDL_TRUE;
+ goto done;
+ }
+ }
+ }
#if SDL_BYTEORDER == SDL_BIG_ENDIAN
/* Byte-swap the pixels if needed. Note that the 24bpp
case has already been taken care of above. */
--
2.20.1
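Review bot: Both new checks compare pixel values with `biClrUsed`, the count taken from the BMP header, rather than with the size of the palette the surface actually carries. The commit message says the overread happens in a blit map built from the palette, so `bits[i] >= palette->ncolors` would test the property that matters and would stay correct if `biClrUsed` and the palette size ever differ; how `biClrUsed` is normalised (for example when the header gives 0) is outside these hunks. The first hunk's check is also unconditional, while the second is guarded by `palette && biClrUsed < (1 << biBitCount )`; a comment on why the expanded 1- and 4-bit path needs no such guard would help. SDL_LoadBMP_RW continues outside both hunks.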


@@ -0,0 +1,209 @@
From cc50d843089c8cf386c3e0f9cb2fae0b258a9b7b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Mon, 18 Feb 2019 13:53:16 +0100
Subject: [PATCH] CVE-2019-7637: Fix in integer overflow in SDL_CalculatePitch
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If a too large width is passed to SDL_SetVideoMode() the width travels
to SDL_CalculatePitch() where the width (e.g. 65535) is multiplied by
BytesPerPixel (e.g. 4) and the result is stored into Uint16 pitch
variable. During this arithmetics an integer overflow can happen (e.g.
the value is clamped as 65532). As a result SDL_Surface with a pitch
smaller than width * BytesPerPixel is created, too small pixel buffer
is allocated and when the SDL_Surface is processed in SDL_FillRect()
a buffer overflow occurs.
This can be reproduced with "./graywin -width 21312312313123213213213"
command.
This patch fixes is by using a very careful arithmetics in
SDL_CalculatePitch(). If an overflow is detected, an error is reported
back as a special 0 value. We assume that 0-width surfaces do not
occur in the wild. Since SDL_CalculatePitch() is a private function,
we can change the semantics.
CVE-2019-7637
https://bugzilla.libsdl.org/show_bug.cgi?id=4497
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
src/video/SDL_pixels.c | 41 +++++++++++++++++++++++++++------
src/video/gapi/SDL_gapivideo.c | 3 +++
src/video/nanox/SDL_nxvideo.c | 4 ++++
src/video/ps2gs/SDL_gsvideo.c | 3 +++
src/video/ps3/SDL_ps3video.c | 3 +++
src/video/windib/SDL_dibvideo.c | 3 +++
src/video/windx5/SDL_dx5video.c | 3 +++
src/video/x11/SDL_x11video.c | 4 ++++
8 files changed, 57 insertions(+), 7 deletions(-)
diff --git a/src/video/SDL_pixels.c b/src/video/SDL_pixels.c
index 1a7fd51..44626b7 100644
--- a/src/video/SDL_pixels.c
+++ b/src/video/SDL_pixels.c
@@ -286,26 +286,53 @@ void SDL_DitherColors(SDL_Color *colors, int bpp)
}
}
/*
- * Calculate the pad-aligned scanline width of a surface
+ * Calculate the pad-aligned scanline width of a surface. Return 0 in case of
+ * an error.
*/
Uint16 SDL_CalculatePitch(SDL_Surface *surface)
{
- Uint16 pitch;
+ unsigned int pitch = 0;
/* Surface should be 4-byte aligned for speed */
- pitch = surface->w*surface->format->BytesPerPixel;
+ /* The code tries to prevent from an Uint16 overflow. */;
+ for (Uint8 byte = surface->format->BytesPerPixel; byte; byte--) {
+ pitch += (unsigned int)surface->w;
+ if (pitch < surface->w) {
+ SDL_SetError("A scanline is too wide");
+ return(0);
+ }
+ }
switch (surface->format->BitsPerPixel) {
case 1:
- pitch = (pitch+7)/8;
+ if (pitch % 8) {
+ pitch = pitch / 8 + 1;
+ } else {
+ pitch = pitch / 8;
+ }
break;
case 4:
- pitch = (pitch+1)/2;
+ if (pitch % 2) {
+ pitch = pitch / 2 + 1;
+ } else {
+ pitch = pitch / 2;
+ }
break;
default:
break;
}
- pitch = (pitch + 3) & ~3; /* 4-byte aligning */
- return(pitch);
+ /* 4-byte aligning */
+ if (pitch & 3) {
+ if (pitch + 3 < pitch) {
+ SDL_SetError("A scanline is too wide");
+ return(0);
+ }
+ pitch = (pitch + 3) & ~3;
+ }
+ if (pitch > 0xFFFF) {
+ SDL_SetError("A scanline is too wide");
+ return(0);
+ }
+ return((Uint16)pitch);
}
/*
* Match an RGB value to a particular palette index
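Review bot: The overflow loop in `SDL_CalculatePitch` declares its counter inside the `for` initializer (`for (Uint8 byte = ...`), a C99 construct, while the rest of the function keeps its declarations at the top of the block; on any toolchain that builds this file as C89 the patch will not compile. I would hoist it as `Uint8 byte;` next to `unsigned int pitch = 0;` and drop the stray `;` after the "prevent from an Uint16 overflow" comment. The wrap test `pitch < surface->w` compares an unsigned value with what is presumably a signed field, so `if (pitch < (unsigned int)surface->w)` states the intent explicitly. Since 0 is now an error value, any caller of `SDL_CalculatePitch` not touched by this patch would silently carry a 0 pitch forward; the doc comment should say that callers must check for it.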
diff --git a/src/video/gapi/SDL_gapivideo.c b/src/video/gapi/SDL_gapivideo.c
index 86deadc..8a06485 100644
--- a/src/video/gapi/SDL_gapivideo.c
+++ b/src/video/gapi/SDL_gapivideo.c
@@ -733,6 +733,9 @@ SDL_Surface *GAPI_SetVideoMode(_THIS, SDL_Surface *current,
video->w = gapi->w = width;
video->h = gapi->h = height;
video->pitch = SDL_CalculatePitch(video);
+ if (!current->pitch) {
+ return(NULL);
+ }
/* Small fix for WinCE/Win32 - when activating window
SDL_VideoSurface is equal to zero, so activating code
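Review bot: The new guard tests `current->pitch`, but the line above stores the result in `video->pitch`, so a 0 returned by `SDL_CalculatePitch(video)` is not what gets checked unless `video` and `current` happen to be the same surface at this point. The same mismatch appears in the DIB_SetVideoMode and DX5_SetVideoMode hunks further down. In all three the check should read `if (!video->pitch) {`, otherwise the overflow this patch is meant to stop can still reach the buffer allocation on those back ends. The function bodies continue outside the hunks, so whether returning NULL here skips cleanup those functions need cannot be confirmed from this page.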
diff --git a/src/video/nanox/SDL_nxvideo.c b/src/video/nanox/SDL_nxvideo.c
index b188e09..cbdd09a 100644
--- a/src/video/nanox/SDL_nxvideo.c
+++ b/src/video/nanox/SDL_nxvideo.c
@@ -378,6 +378,10 @@ SDL_Surface * NX_SetVideoMode (_THIS, SDL_Surface * current,
current -> w = width ;
current -> h = height ;
current -> pitch = SDL_CalculatePitch (current) ;
+ if (!current->pitch) {
+ current = NULL;
+ goto done;
+ }
NX_ResizeImage (this, current, flags) ;
}
diff --git a/src/video/ps2gs/SDL_gsvideo.c b/src/video/ps2gs/SDL_gsvideo.c
index e172c60..3290866 100644
--- a/src/video/ps2gs/SDL_gsvideo.c
+++ b/src/video/ps2gs/SDL_gsvideo.c
@@ -479,6 +479,9 @@ static SDL_Surface *GS_SetVideoMode(_THIS, SDL_Surface *current,
current->w = width;
current->h = height;
current->pitch = SDL_CalculatePitch(current);
+ if (!current->pitch) {
+ return(NULL);
+ }
/* Memory map the DMA area for block memory transfer */
if ( ! mapped_mem ) {
diff --git a/src/video/ps3/SDL_ps3video.c b/src/video/ps3/SDL_ps3video.c
index d5519e0..17848e3 100644
--- a/src/video/ps3/SDL_ps3video.c
+++ b/src/video/ps3/SDL_ps3video.c
@@ -339,6 +339,9 @@ static SDL_Surface *PS3_SetVideoMode(_THIS, SDL_Surface * current, int width, in
current->w = width;
current->h = height;
current->pitch = SDL_CalculatePitch(current);
+ if (!current->pitch) {
+ return(NULL);
+ }
/* Alloc aligned mem for current->pixels */
s_pixels = memalign(16, current->h * current->pitch);
diff --git a/src/video/windib/SDL_dibvideo.c b/src/video/windib/SDL_dibvideo.c
index 6187bfc..86ebb12 100644
--- a/src/video/windib/SDL_dibvideo.c
+++ b/src/video/windib/SDL_dibvideo.c
@@ -675,6 +675,9 @@ SDL_Surface *DIB_SetVideoMode(_THIS, SDL_Surface *current,
video->w = width;
video->h = height;
video->pitch = SDL_CalculatePitch(video);
+ if (!current->pitch) {
+ return(NULL);
+ }
/* Small fix for WinCE/Win32 - when activating window
SDL_VideoSurface is equal to zero, so activating code
diff --git a/src/video/windx5/SDL_dx5video.c b/src/video/windx5/SDL_dx5video.c
index f80ca97..39fc4fc 100644
--- a/src/video/windx5/SDL_dx5video.c
+++ b/src/video/windx5/SDL_dx5video.c
@@ -1127,6 +1127,9 @@ SDL_Surface *DX5_SetVideoMode(_THIS, SDL_Surface *current,
video->w = width;
video->h = height;
video->pitch = SDL_CalculatePitch(video);
+ if (!current->pitch) {
+ return(NULL);
+ }
#ifndef NO_CHANGEDISPLAYSETTINGS
/* Set fullscreen mode if appropriate.
diff --git a/src/video/x11/SDL_x11video.c b/src/video/x11/SDL_x11video.c
index 79e60f9..45d1f79 100644
--- a/src/video/x11/SDL_x11video.c
+++ b/src/video/x11/SDL_x11video.c
@@ -1220,6 +1220,10 @@ SDL_Surface *X11_SetVideoMode(_THIS, SDL_Surface *current,
current->w = width;
current->h = height;
current->pitch = SDL_CalculatePitch(current);
+ if (!current->pitch) {
+ current = NULL;
+ goto done;
+ }
if (X11_ResizeImage(this, current, flags) < 0) {
current = NULL;
goto done;
--
2.20.1


@@ -0,0 +1,56 @@
From 28b1433b4bd7982524f2418420e8cc01786df5c4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Fri, 15 Feb 2019 16:52:27 +0100
Subject: [PATCH] CVE-2019-7638, CVE-2019-7636: Refuse loading BMP images with
too high number of colors
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If a BMP file that defines more colors than can fit into
a palette of color depth defined in the same BMP file is loaded by
SDL_LoadBMP_RW() function, invalid number of colors is set into
resulting SDL surface.
Then if the SDL surface is passed to SDL_DisplayFormat() function to
convert the surface format into a native video format, a buffer
overread will happen in Map1to1() or Map1toN() function
(CVE-2019-7638). (The choice of the mapping function depends on
a actual video hardware.)
In addition SDL_GetRGB() called indirectly from SDL_DisplayFormat()
performs the same buffer overread (CVE-2019-7636).
There is also probably a buffer overwrite when the SDL_LoadBMP_RW()
loads colors from a file.
This patch fixes it by refusing loading such badly damaged BMP files.
CVE-2019-7638
https://bugzilla.libsdl.org/show_bug.cgi?id=4500
CVE-2019-7636
https://bugzilla.libsdl.org/show_bug.cgi?id=4499
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
src/video/SDL_bmp.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c
index d56cfd8..3accded 100644
--- a/src/video/SDL_bmp.c
+++ b/src/video/SDL_bmp.c
@@ -233,6 +233,10 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc)
if ( palette ) {
if ( biClrUsed == 0 ) {
biClrUsed = 1 << biBitCount;
+ } else if ( biClrUsed > (1 << biBitCount) ) {
+ SDL_SetError("BMP file has an invalid number of colors");
+ was_error = SDL_TRUE;
+ goto done;
}
if ( biSize == 12 ) {
for ( i = 0; i < (int)biClrUsed; ++i ) {
--
2.20.1


@@ -0,0 +1,42 @@
From 70c3d0e97755e1b208ceba2ae012877797f15627 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Thu, 21 Feb 2019 10:57:41 +0100
Subject: [PATCH] Reject 2, 3, 5, 6, 7-bpp BMP images
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BMP decoder assumes less than 8 bit depth images have 1 or 4 bits
per pixel. No other depths are correctly translated to an 8bpp
surface.
This patch rejects loading these images.
https://bugzilla.libsdl.org/show_bug.cgi?id=4498
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
src/video/SDL_bmp.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c
index 8eadc5f..758d4bb 100644
--- a/src/video/SDL_bmp.c
+++ b/src/video/SDL_bmp.c
@@ -163,6 +163,14 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc)
ExpandBMP = biBitCount;
biBitCount = 8;
break;
+ case 2:
+ case 3:
+ case 5:
+ case 6:
+ case 7:
+ SDL_SetError("%d-bpp BMP images are not supported", biBitCount);
+ was_error = SDL_TRUE;
+ goto done;
default:
ExpandBMP = 0;
break;
--
2.20.1


@@ -0,0 +1,73 @@
# HG changeset patch
# User Sam Lantinga <slouken@libsdl.org>
# Date 1397799374 25200
# Thu Apr 17 22:36:14 2014 -0700
# Branch SDL-1.2
# Node ID 0aade9c0203f717fe4b823a176c3c040f1a709f8
# Parent 22a7f096bb9d4d596f35a93e33608825693462b0
Fixed bug 2325 - SDL_EnableUNICODE sometimes drops keyboard events completely
Rafał Mużyło
The most annoying part of this bug is that though I've found it in two separate apps, I don't have a trivial testcase for it.
The problem seems to be a condition race, as it's triggered quite randomly (therefore it will be hard to tell whether it really gets fixed, if a probable fix is found).
While it's specific to SDL 1.2, it seems quite similar to the problem described and fixed in http://forums.libsdl.org/viewtopic.php?p=40503.
Now, I should start describing the problem.
A game uses Escape to open menu (the exact key might not be important). Upon opening, it calls SDL_EnableUNICODE(1). Upon closing it calls SDL_EnableUNICODE(0).
I have an IME running.
Game uses SDL_PollEvent to get the events.
If Escape is pressed repeatedly, menu is opened and closed, till it eventually freezes in open state.
"freezes" in this context means "app itself still runs, but no keyboard events are getting delivered (though - for example - mouse events still are)". "getting delivered" should mean "SDL_PollEvent is not receiving any".
If it matters, the last delivered keyboard event is a keypress, the release never arrives.
It seems (no guarantees, due to random nature of the freeze) that unsetting XMODIFIERS (which - AFAIU - will disable IME as far as SDL is concerned) prevents the freeze, therefore the reference to that SDL2 thread.
diff -r 22a7f096bb9d -r 0aade9c0203f src/video/x11/SDL_x11events.c
--- a/src/video/x11/SDL_x11events.c Sun Dec 01 00:00:17 2013 -0500
+++ b/src/video/x11/SDL_x11events.c Thu Apr 17 22:36:14 2014 -0700
@@ -395,6 +395,8 @@
{
int posted;
XEvent xevent;
+ int orig_event_type;
+ KeyCode orig_keycode;
SDL_memset(&xevent, '\0', sizeof (XEvent)); /* valgrind fix. --ryan. */
XNextEvent(SDL_Display, &xevent);
@@ -410,9 +412,29 @@
#ifdef X_HAVE_UTF8_STRING
/* If we are translating with IM, we need to pass all events
to XFilterEvent, and discard those filtered events immediately. */
+ orig_event_type = xevent.type;
+ if (orig_event_type == KeyPress || orig_event_type == KeyRelease) {
+ orig_keycode = xevent.xkey.keycode;
+ } else {
+ orig_keycode = 0;
+ }
if ( SDL_TranslateUNICODE
&& SDL_IM != NULL
&& XFilterEvent(&xevent, None) ) {
+ if (orig_keycode) {
+ SDL_keysym keysym;
+ static XComposeStatus state;
+ char keybuf[32];
+
+ keysym.scancode = xevent.xkey.keycode;
+ keysym.sym = X11_TranslateKeycode(SDL_Display, xevent.xkey.keycode);
+ keysym.mod = KMOD_NONE;
+ keysym.unicode = 0;
+ if (orig_event_type == KeyPress && XLookupString(&xevent.xkey, keybuf, sizeof(keybuf), NULL, &state))
+ keysym.unicode = (Uint8)keybuf[0];
+
+ SDL_PrivateKeyboard(orig_event_type == KeyPress ? SDL_PRESSED : SDL_RELEASED, &keysym);
+ }
return 0;
}
#endif
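Review bot: `orig_keycode` is saved before `XFilterEvent()` but is then used only as a flag; the synthesized key event still takes its scancode and symbol from `xevent.xkey.keycode`, read after the filter has seen the event. If the reason for saving the original values is that the filter may alter the event (which the parallel use of `orig_event_type` suggests), these lines should use the saved value: `keysym.scancode = orig_keycode;` and `keysym.sym = X11_TranslateKeycode(SDL_Display, orig_keycode);`. The existing comment above the block still says filtered events are discarded immediately, which is no longer true for key events and should be updated. The enclosing function starts and ends outside the hunk.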


@@ -0,0 +1,16 @@
libX11-1.5.99.901 has changed prototype of _XData32
<http://bugzilla.libsdl.org/show_bug.cgi?id=1769>
diff -r b6b2829cd7ef src/video/x11/SDL_x11sym.h
--- a/src/video/x11/SDL_x11sym.h Wed Feb 27 15:20:31 2013 -0800
+++ b/src/video/x11/SDL_x11sym.h Wed Mar 27 16:07:23 2013 +0100
@@ -165,7 +165,7 @@
*/
#ifdef LONG64
SDL_X11_MODULE(IO_32BIT)
-SDL_X11_SYM(int,_XData32,(Display *dpy,register long *data,unsigned len),(dpy,data,len),return)
+SDL_X11_SYM(int,_XData32,(Display *dpy,register _Xconst long *data,unsigned len),(dpy,data,len),return)
SDL_X11_SYM(void,_XRead32,(Display *dpy,register long *data,long len),(dpy,data,len),)
#endif


@@ -0,0 +1,20 @@
changeset: 6324:95abff7adcc2
branch: SDL-1.2
parent: 6306:2b923729fd01
user: Ryan C. Gordon <icculus@icculus.org>
date: Sun Jun 03 04:49:25 2012 -0400
summary: Linux evdev: ignore joystick axis events if they aren't in a sane range.
diff -r 2b923729fd01 -r 95abff7adcc2 src/joystick/linux/SDL_sysjoystick.c
--- a/src/joystick/linux/SDL_sysjoystick.c Sat May 12 23:32:51 2012 -0700
+++ b/src/joystick/linux/SDL_sysjoystick.c Sun Jun 03 04:49:25 2012 -0400
@@ -1106,6 +1106,9 @@
}
break;
case EV_ABS:
+ if (code > ABS_MISC) {
+ break;
+ }
switch (code) {
case ABS_HAT0X:
case ABS_HAT0Y:


@@ -0,0 +1,24 @@
Do not harness backing store by default
xorg-server 1.15 enables backing store if composite extension is enabled
(default settings). Harnessing backing store through compositor leads to
tearing effect.
This patch reverts default harnessing backing store to conditional use if
SDL_VIDEO_X11_BACKINGSTORE environment variable exists.
<https://bugzilla.libsdl.org/show_bug.cgi?id=2383>
<https://bugzilla.redhat.com/show_bug.cgi?id=1073057>
diff -up SDL-1.2.15/src/video/x11/SDL_x11video.c.jx SDL-1.2.15/src/video/x11/SDL_x11video.c
--- SDL-1.2.15/src/video/x11/SDL_x11video.c.jx 2012-01-19 01:30:06.000000000 -0500
+++ SDL-1.2.15/src/video/x11/SDL_x11video.c 2014-03-04 14:39:34.691545549 -0500
@@ -1088,7 +1088,7 @@ static int X11_CreateWindow(_THIS, SDL_S
}
}
-#if 0 /* This is an experiment - are the graphics faster now? - nope. */
+#if 1 /* This is an experiment - are the graphics faster now? - nope. */
if ( SDL_getenv("SDL_VIDEO_X11_BACKINGSTORE") )
#endif
/* Cache the window in the server, when possible */
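Review bot: Flipping `#if 0` to `#if 1` leaves the comment "This is an experiment - are the graphics faster now? - nope." on the line, and it no longer explains why the `SDL_getenv("SDL_VIDEO_X11_BACKINGSTORE")` test is compiled in. I would replace it with the reason given in the patch description, e.g. `#if 1 /* Backing store is opt-in via SDL_VIDEO_X11_BACKINGSTORE; through a compositor it causes tearing. */`. The statement guarded by the `if` and the rest of X11_CreateWindow lie outside the hunk.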


@@ -0,0 +1,44 @@
From 4b56fa058a45b7c804d1a5fcaf7a70db0bd0581c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <petr.pisar@atlas.cz>
Date: Tue, 1 Jan 2013 21:25:15 +0100
Subject: [PATCH] x11: Bypass SetGammaRamp when changing gamma
Recent Xorg has broken dynamic colors setting, so calling SDL_SetGamme()
does not have any effect here. Recent means xorg-server >= 1.7, since 2010.
See <https://bugs.freedesktop.org/show_bug.cgi?id=27222>.
---
src/video/SDL_gamma.c | 15 ++-------------
1 files changed, 2 insertions(+), 13 deletions(-)
diff --git a/src/video/SDL_gamma.c b/src/video/SDL_gamma.c
index 4fd0370..464ab88 100644
--- a/src/video/SDL_gamma.c
+++ b/src/video/SDL_gamma.c
@@ -92,22 +92,11 @@ static void CalculateGammaFromRamp(float *gamma, Uint16 *ramp)
int SDL_SetGamma(float red, float green, float blue)
{
- int succeeded;
+ int succeeded = -1;
SDL_VideoDevice *video = current_video;
SDL_VideoDevice *this = current_video;
- succeeded = -1;
- /* Prefer using SetGammaRamp(), as it's more flexible */
- {
- Uint16 ramp[3][256];
-
- CalculateGammaRamp(red, ramp[0]);
- CalculateGammaRamp(green, ramp[1]);
- CalculateGammaRamp(blue, ramp[2]);
- succeeded = SDL_SetGammaRamp(ramp[0], ramp[1], ramp[2]);
- }
- if ( (succeeded < 0) && video->SetGamma ) {
- SDL_ClearError();
+ if ( video->SetGamma ) {
succeeded = video->SetGamma(this, red, green, blue);
}
return succeeded;
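Review bot: With the ramp path removed, `SDL_SetGamma` returns -1 without setting any error whenever the driver has no `SetGamma` hook, so the caller gets a failure with no message from this function. An `else` branch calling `SDL_SetError("Gamma correction not supported");` would keep the failure diagnosable. `video` is also dereferenced unconditionally; whether `current_video` can be NULL at this point is not visible in the hunk, but `if ( video && video->SetGamma ) {` would cover that case at no cost.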
--
1.7.8.6


@@ -0,0 +1,52 @@
# HG changeset patch
# User Sam Lantinga <slouken@libsdl.org>
# Date 1327258041 18000
# Node ID 900a0fae90ca65cff55a70a17b9ec39d2ddccbcf
# Parent 5273dfd19a5e8c5736a0d417bd441f704c5355f8
Fixed bug 1390 - X11_KeyToUnicode
manuel.montezelo 2012-01-22 08:56:18 PST
We had the following bug report at Debian:
http://bugs.debian.org/376560
Same one in Ubuntu:
https://bugs.launchpad.net/ubuntu/+source/libsdl1.2/+bug/66217
We've been including a patch since then (attached) to actually export the
symbol, since 2006. In the last release the function seems to be there, alive
and kicking.
It's affecting other people too:
http://www.garagegames.com/community/forums/viewthread/52287
diff -r 5273dfd19a5e -r 900a0fae90ca src/video/x11/SDL_x11events.c
--- a/src/video/x11/SDL_x11events.c Sat Jan 21 12:06:51 2012 -0500
+++ b/src/video/x11/SDL_x11events.c Sun Jan 22 13:47:21 2012 -0500
@@ -1246,8 +1246,11 @@
* sequences (dead accents, compose key sequences) will not work since the
* state has been irrevocably lost.
*/
+extern DECLSPEC Uint16 SDLCALL X11_KeyToUnicode(SDLKey, SDLMod);
+
Uint16 X11_KeyToUnicode(SDLKey keysym, SDLMod modifiers)
{
+ static int warning = 0;
struct SDL_VideoDevice *this = current_video;
char keybuf[32];
int i;
@@ -1255,6 +1258,12 @@
XKeyEvent xkey;
Uint16 unicode;
+ if ( warning ) {
+ warning = 0;
+ fprintf(stderr, "WARNING: Application is using X11_KeyToUnicode().\n");
+ fprintf(stderr, "This is not an official SDL function, please report this as a bug.\n");
+ }
+
if ( !this || !SDL_Display ) {
return 0;
}
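Review bot: The warning block can never run: `warning` is declared as `static int warning = 0;` in the previous hunk and the guard here is `if ( warning )`, so both `fprintf` calls are dead code. If a one-time warning is intended, initialise it with `static int warning = 1;`; if the silence is deliberate, remove the block or add a comment saying the message is disabled on purpose. The function body continues outside the hunk.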

130
sdl/libre.patch Normal file

@@ -0,0 +1,130 @@
diff --git a/src/video/fbcon/SDL_fbriva.c b/src/video/fbcon/SDL_fbriva.c
index eb4b71f1b..59469759c 100644
--- a/src/video/fbcon/SDL_fbriva.c
+++ b/src/video/fbcon/SDL_fbriva.c
@@ -24,12 +24,10 @@
#include "SDL_video.h"
#include "../SDL_blit.h"
#include "SDL_fbriva.h"
-#include "riva_mmio.h"
#include "riva_regs.h"
static int FifoEmptyCount = 0;
-static int FifoFreeCount = 0;
/* Wait for vertical retrace */
static void WaitVBL(_THIS)
@@ -41,20 +39,6 @@ static void WaitVBL(_THIS)
while ( !(*port & 0x08) )
;
}
-static void NV3WaitIdle(_THIS)
-{
- RivaRop *Rop = (RivaRop *)(mapped_io + ROP_OFFSET);
- while ( (Rop->FifoFree < FifoEmptyCount) ||
- (*(mapped_io + PGRAPH_OFFSET + 0x000006B0) & 0x01) )
- ;
-}
-static void NV4WaitIdle(_THIS)
-{
- RivaRop *Rop = (RivaRop *)(mapped_io + ROP_OFFSET);
- while ( (Rop->FifoFree < FifoEmptyCount) ||
- (*(mapped_io + PGRAPH_OFFSET + 0x00000700) & 0x01) )
- ;
-}
#if 0 /* Not yet implemented? */
/* Sets video mem colorkey and accelerated blit function */
@@ -74,7 +58,6 @@ static int FillHWRect(_THIS, SDL_Surface *dst, SDL_Rect *rect, Uint32 color)
{
int dstX, dstY;
int dstW, dstH;
- RivaBitmap *Bitmap = (RivaBitmap *)(mapped_io + BITMAP_OFFSET);
/* Don't blit to the display surface when switched away */
if ( switched_away ) {
@@ -93,13 +76,6 @@ static int FillHWRect(_THIS, SDL_Surface *dst, SDL_Rect *rect, Uint32 color)
dstX += rect->x;
dstY += rect->y;
- RIVA_FIFO_FREE(Bitmap, 1);
- Bitmap->Color1A = color;
-
- RIVA_FIFO_FREE(Bitmap, 2);
- Bitmap->UnclippedRectangle[0].TopLeft = (dstX << 16) | dstY;
- Bitmap->UnclippedRectangle[0].WidthHeight = (dstW << 16) | dstH;
-
FB_AddBusySurface(dst);
if ( dst == this->screen ) {
@@ -115,7 +91,6 @@ static int HWAccelBlit(SDL_Surface *src, SDL_Rect *srcrect,
int srcX, srcY;
int dstX, dstY;
int dstW, dstH;
- RivaScreenBlt *Blt = (RivaScreenBlt *)(mapped_io + BLT_OFFSET);
/* FIXME: For now, only blit to display surface */
if ( dst->pitch != SDL_VideoSurface->pitch ) {
@@ -142,11 +117,6 @@ static int HWAccelBlit(SDL_Surface *src, SDL_Rect *srcrect,
dstX += dstrect->x;
dstY += dstrect->y;
- RIVA_FIFO_FREE(Blt, 3);
- Blt->TopLeftSrc = (srcY << 16) | srcX;
- Blt->TopLeftDst = (dstY << 16) | dstX;
- Blt->WidthHeight = (dstH << 16) | dstW;
-
FB_AddBusySurface(src);
FB_AddBusySurface(dst);
@@ -185,23 +155,15 @@ static int CheckHWBlit(_THIS, SDL_Surface *src, SDL_Surface *dst)
void FB_RivaAccel(_THIS, __u32 card)
{
- RivaRop *Rop = (RivaRop *)(mapped_io + ROP_OFFSET);
/* We have hardware accelerated surface functions */
this->CheckHWBlit = CheckHWBlit;
wait_vbl = WaitVBL;
switch (card) {
- case FB_ACCEL_NV3:
- wait_idle = NV3WaitIdle;
- break;
- case FB_ACCEL_NV4:
- wait_idle = NV4WaitIdle;
- break;
default:
/* Hmm... FIXME */
break;
}
- FifoEmptyCount = Rop->FifoFree;
/* The Riva has an accelerated color fill */
this->info.blit_fill = 1;
diff --git a/src/video/fbcon/SDL_fbvideo.c b/src/video/fbcon/SDL_fbvideo.c
index 5e5880908..dee999cbd 100644
--- a/src/video/fbcon/SDL_fbvideo.c
+++ b/src/video/fbcon/SDL_fbvideo.c
@@ -46,7 +46,6 @@
#include "SDL_fbevents_c.h"
#include "SDL_fb3dfx.h"
#include "SDL_fbmatrox.h"
-#include "SDL_fbriva.h"
/*#define FBCON_DEBUG*/
@@ -769,13 +768,6 @@ static int FB_VideoInit(_THIS, SDL_PixelFormat *vformat)
#endif
FB_3DfxAccel(this, finfo.accel);
break;
- case FB_ACCEL_NV3:
- case FB_ACCEL_NV4:
-#ifdef FBACCEL_DEBUG
- printf("NVidia hardware accelerator!\n");
-#endif
- FB_RivaAccel(this, finfo.accel);
- break;
default:
#ifdef FBACCEL_DEBUG
printf("Unknown hardware accelerator.\n");


@@ -0,0 +1,63 @@
Description: Revert change that breaks window corner resizing
http://bugzilla.libsdl.org/show_bug.cgi?id=1430
Author: Andrew Caudwell <acaudwell@gmail.com>
Last-Update: 2012-04-10
Bug-Debian: http://bugs.debian.org/665779
diff -r c787fb1b5699 src/video/x11/SDL_x11events.c
--- a/src/video/x11/SDL_x11events.c Mon Feb 20 23:51:08 2012 -0500
+++ b/src/video/x11/SDL_x11events.c Mon Mar 26 12:26:52 2012 +1300
@@ -57,12 +57,6 @@
static SDLKey MISC_keymap[256];
SDLKey X11_TranslateKeycode(Display *display, KeyCode kc);
-/*
- Pending resize target for ConfigureNotify (so outdated events don't
- cause inappropriate resize events)
-*/
-int X11_PendingConfigureNotifyWidth = -1;
-int X11_PendingConfigureNotifyHeight = -1;
#ifdef X_HAVE_UTF8_STRING
Uint32 Utf8ToUcs4(const Uint8 *utf8)
@@ -825,16 +819,6 @@
#ifdef DEBUG_XEVENTS
printf("ConfigureNotify! (resize: %dx%d)\n", xevent.xconfigure.width, xevent.xconfigure.height);
#endif
- if ((X11_PendingConfigureNotifyWidth != -1) &&
- (X11_PendingConfigureNotifyHeight != -1)) {
- if ((xevent.xconfigure.width != X11_PendingConfigureNotifyWidth) &&
- (xevent.xconfigure.height != X11_PendingConfigureNotifyHeight)) {
- /* Event is from before the resize, so ignore. */
- break;
- }
- X11_PendingConfigureNotifyWidth = -1;
- X11_PendingConfigureNotifyHeight = -1;
- }
if ( SDL_VideoSurface ) {
if ((xevent.xconfigure.width != SDL_VideoSurface->w) ||
(xevent.xconfigure.height != SDL_VideoSurface->h)) {
diff -r c787fb1b5699 src/video/x11/SDL_x11events_c.h
--- a/src/video/x11/SDL_x11events_c.h Mon Feb 20 23:51:08 2012 -0500
+++ b/src/video/x11/SDL_x11events_c.h Mon Mar 26 12:26:52 2012 +1300
@@ -27,8 +27,3 @@
extern void X11_InitOSKeymap(_THIS);
extern void X11_PumpEvents(_THIS);
extern void X11_SetKeyboardState(Display *display, const char *key_vec);
-
-/* Variables to be exported */
-extern int X11_PendingConfigureNotifyWidth;
-extern int X11_PendingConfigureNotifyHeight;
-
diff -r c787fb1b5699 src/video/x11/SDL_x11video.c
--- a/src/video/x11/SDL_x11video.c Mon Feb 20 23:51:08 2012 -0500
+++ b/src/video/x11/SDL_x11video.c Mon Mar 26 12:26:52 2012 +1300
@@ -1182,8 +1182,6 @@
current = NULL;
goto done;
}
- X11_PendingConfigureNotifyWidth = width;
- X11_PendingConfigureNotifyHeight = height;
} else {
if (X11_CreateWindow(this,current,width,height,bpp,flags) < 0) {
current = NULL;


@@ -0,0 +1,13 @@
# and another one from FS#26020
--- a/src/video/SDL_yuv_sw.c 2009-10-13 06:07:15.000000000 +0700
+++ b/src/video/SDL_yuv_sw.c 2011-09-20 19:26:30.247742620 +0700
@@ -89,6 +89,8 @@
#include "SDL_yuvfuncs.h"
#include "SDL_yuv_sw_c.h"
+#undef __OPTIMIZE__
+
/* The functions used to manipulate software video overlays */
static struct private_yuvhwfuncs sw_yuvfuncs = {
SDL_LockYUV_SW,
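Review bot: `#undef __OPTIMIZE__` is added without a comment, and it undefines a macro that the compiler predefines, so a reader cannot tell which conditional code later in SDL_yuv_sw.c it is meant to switch off. Because it sits after the `#include` lines, it only affects `#if` tests further down this file, which is worth stating next to it. I would add a comment directly above, along the lines of `/* Disable the __OPTIMIZE__-guarded code paths below; see FS#26020. */`, adjusted to the actual reason.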


@@ -0,0 +1,23 @@
--- SDL-1.2.14/src/video/x11/SDL_x11events.c.orig 2010-04-08 11:57:05.003169834 -0700
+++ SDL-1.2.14/src/video/x11/SDL_x11events.c 2010-04-08 12:33:51.690926340 -0700
@@ -423,12 +423,15 @@
if ( xevent.xcrossing.mode == NotifyUngrab )
printf("Mode: NotifyUngrab\n");
#endif
- if ( this->input_grab == SDL_GRAB_OFF ) {
- posted = SDL_PrivateAppActive(1, SDL_APPMOUSEFOCUS);
+ if ( (xevent.xcrossing.mode != NotifyGrab) &&
+ (xevent.xcrossing.mode != NotifyUngrab) ) {
+ if ( this->input_grab == SDL_GRAB_OFF ) {
+ posted = SDL_PrivateAppActive(1, SDL_APPMOUSEFOCUS);
+ }
+ posted = SDL_PrivateMouseMotion(0, 0,
+ xevent.xcrossing.x,
+ xevent.xcrossing.y);
}
- posted = SDL_PrivateMouseMotion(0, 0,
- xevent.xcrossing.x,
- xevent.xcrossing.y);
}
break;

400
sdl/sndio.patch Normal file
View File

@@ -0,0 +1,400 @@
diff --git a/configure.in b/configure.in
index 08c8e1e..1b6d24a 100644
--- a/configure.in
+++ b/configure.in
@@ -486,6 +486,35 @@ AC_HELP_STRING([--enable-esd-shared], [dynamically load ESD audio support [[defa
fi
}
+dnl Find Sndio
+CheckSndio()
+{
+ AC_ARG_ENABLE(sndio,
+AC_HELP_STRING([--enable-sndio], [support the sndio audio API [[default=yes]]]),
+ , enable_sndio=yes)
+ if test x$enable_audio = xyes -a x$enable_sndio = xyes; then
+ AC_CHECK_HEADER(sndio.h, have_sndio_hdr=yes)
+ AC_CHECK_LIB(sndio, sio_open, have_sndio_lib=yes)
+
+ AC_MSG_CHECKING(for sndio support)
+ have_sndio=no
+
+ if test x$have_sndio_hdr = xyes -a x$have_sndio_lib = xyes; then
+ have_sndio=yes
+ SNDIO_LIBS="-lsndio"
+ fi
+
+ AC_MSG_RESULT($have_sndio)
+
+ if test x$have_sndio = xyes; then
+ AC_DEFINE(SDL_AUDIO_DRIVER_SNDIO)
+ SOURCES="$SOURCES $srcdir/src/audio/sndio/*.c"
+ EXTRA_LDFLAGS="$EXTRA_LDFLAGS $SNDIO_LIBS"
+ have_audio=yes
+ fi
+ fi
+}
+
dnl Find PulseAudio
CheckPulseAudio()
{
@@ -2358,6 +2387,7 @@ case "$host" in
CheckALSA
CheckARTSC
CheckESD
+ CheckSndio
CheckPulseAudio
CheckNAS
CheckX11
diff --git a/include/SDL_config.h.in b/include/SDL_config.h.in
index 8bb1773..e131a9c 100644
--- a/include/SDL_config.h.in
+++ b/include/SDL_config.h.in
@@ -184,6 +184,7 @@
#undef SDL_AUDIO_DRIVER_QNXNTO
#undef SDL_AUDIO_DRIVER_SNDMGR
#undef SDL_AUDIO_DRIVER_SUNAUDIO
+#undef SDL_AUDIO_DRIVER_SNDIO
#undef SDL_AUDIO_DRIVER_WAVEOUT
/* Enable various cdrom drivers */
diff --git a/src/audio/SDL_audio.c b/src/audio/SDL_audio.c
index beb26e0..5f0a17d 100644
--- a/src/audio/SDL_audio.c
+++ b/src/audio/SDL_audio.c
@@ -36,12 +36,16 @@
/* Available audio drivers */
static AudioBootStrap *bootstrap[] = {
+
#if SDL_AUDIO_DRIVER_PULSE
&PULSE_bootstrap,
#endif
#if SDL_AUDIO_DRIVER_ALSA
&ALSA_bootstrap,
#endif
+#if SDL_AUDIO_DRIVER_SNDIO
+ &SNDIO_bootstrap,
+#endif
#if SDL_AUDIO_DRIVER_BSD
&BSD_AUDIO_bootstrap,
#endif
diff --git a/src/audio/SDL_sysaudio.h b/src/audio/SDL_sysaudio.h
index 74ac21d..4a792da 100644
--- a/src/audio/SDL_sysaudio.h
+++ b/src/audio/SDL_sysaudio.h
@@ -105,6 +105,9 @@ typedef struct AudioBootStrap {
#if SDL_AUDIO_DRIVER_BSD
extern AudioBootStrap BSD_AUDIO_bootstrap;
#endif
+#if SDL_AUDIO_DRIVER_SNDIO
+extern AudioBootStrap SNDIO_bootstrap;
+#endif
#if SDL_AUDIO_DRIVER_PULSE
extern AudioBootStrap PULSE_bootstrap;
#endif
diff --git b/src/audio/sndio/SDL_sndioaudio.c b/src/audio/sndio/SDL_sndioaudio.c
new file mode 100644
index 0000000..fcb47e7
--- /dev/null
+++ b/src/audio/sndio/SDL_sndioaudio.c
@@ -0,0 +1,243 @@
+/*
+ * Copyright (c) 2008 Jacob Meuser <jakemsr@sdf.lonestar.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "SDL_config.h"
+
+/* Allow access to a raw mixing buffer */
+
+#ifdef HAVE_SIGNAL_H
+#include <signal.h>
+#endif
+#include <unistd.h>
+
+#include "SDL_timer.h"
+#include "SDL_audio.h"
+#include "../SDL_audiomem.h"
+#include "../SDL_audio_c.h"
+#include "../SDL_audiodev_c.h"
+#include "SDL_sndioaudio.h"
+
+/* The tag name used by sndio audio */
+#define SNDIO_DRIVER_NAME "sndio"
+
+/* Audio driver functions */
+static int SNDIO_OpenAudio(_THIS, SDL_AudioSpec *spec);
+static void SNDIO_WaitAudio(_THIS);
+static void SNDIO_PlayAudio(_THIS);
+static Uint8 *SNDIO_GetAudioBuf(_THIS);
+static void SNDIO_CloseAudio(_THIS);
+
+/* Audio driver bootstrap functions */
+
+static int Audio_Available(void)
+{
+ struct sio_hdl *this_hdl;
+ int available = 0;
+
+ if ( (this_hdl = sio_open(SIO_DEVANY, SIO_PLAY, 0)) != NULL ) {
+ sio_close(this_hdl);
+ available = 1;
+ }
+
+ return available;
+}
+
+static void Audio_DeleteDevice(SDL_AudioDevice *device)
+{
+ SDL_free(device->hidden);
+ SDL_free(device);
+}
+
+static SDL_AudioDevice *Audio_CreateDevice(int devindex)
+{
+ SDL_AudioDevice *this;
+
+ /* Initialize all variables that we clean on shutdown */
+ this = (SDL_AudioDevice *)SDL_malloc(sizeof(SDL_AudioDevice));
+ if ( this ) {
+ SDL_memset(this, 0, (sizeof *this));
+ this->hidden = (struct SDL_PrivateAudioData *)
+ SDL_malloc((sizeof *this->hidden));
+ }
+ if ( (this == NULL) || (this->hidden == NULL) ) {
+ SDL_OutOfMemory();
+ if ( this ) {
+ SDL_free(this);
+ }
+ return(0);
+ }
+ SDL_memset(this->hidden, 0, (sizeof *this->hidden));
+
+ /* Set the function pointers */
+ this->OpenAudio = SNDIO_OpenAudio;
+ this->WaitAudio = SNDIO_WaitAudio;
+ this->PlayAudio = SNDIO_PlayAudio;
+ this->GetAudioBuf = SNDIO_GetAudioBuf;
+ this->CloseAudio = SNDIO_CloseAudio;
+
+ this->free = Audio_DeleteDevice;
+
+ hdl = NULL;
+
+ return this;
+}
+
+AudioBootStrap SNDIO_bootstrap = {
+ SNDIO_DRIVER_NAME, "sndio",
+ Audio_Available, Audio_CreateDevice
+};
+
+
+
+/* This function waits until it is possible to write a full sound buffer */
+static void SNDIO_WaitAudio(_THIS)
+{
+ /* nothing, we're using the blocking api */
+}
+
+static void SNDIO_PlayAudio(_THIS)
+{
+ int written;
+
+ /* Write the audio data */
+ written = sio_write(hdl, mixbuf, mixlen);
+
+ /* If we couldn't write, assume fatal error for now */
+ if ( written == 0 ) {
+ this->enabled = 0;
+ }
+#ifdef DEBUG_AUDIO
+ fprintf(stderr, "Wrote %d bytes of audio data\n", written);
+#endif
+}
+
+static Uint8 *SNDIO_GetAudioBuf(_THIS)
+{
+ return(mixbuf);
+}
+
+static void SNDIO_CloseAudio(_THIS)
+{
+ if ( mixbuf != NULL ) {
+ SDL_FreeAudioMem(mixbuf);
+ mixbuf = NULL;
+ }
+ if ( hdl != NULL ) {
+ sio_close(hdl);
+ hdl = NULL;
+ }
+}
+
+static int SNDIO_OpenAudio(_THIS, SDL_AudioSpec *spec)
+{
+ struct sio_par par;
+
+ mixbuf = NULL;
+
+ if ((hdl = sio_open(NULL, SIO_PLAY, 0)) == NULL) {
+ SDL_SetError("sio_open() failed");
+ return(-1);
+ }
+
+ sio_initpar(&par);
+
+ switch (spec->format) {
+ case AUDIO_S16LSB:
+ par.bits = 16;
+ par.sig = 1;
+ par.le = 1;
+ break;
+ case AUDIO_S16MSB:
+ par.bits = 16;
+ par.sig = 1;
+ par.le = 0;
+ break;
+ case AUDIO_S8:
+ par.bits = 8;
+ par.sig = 1;
+ break;
+ case AUDIO_U16LSB:
+ par.bits = 16;
+ par.sig = 0;
+ par.le = 1;
+ break;
+ case AUDIO_U16MSB:
+ par.bits = 16;
+ par.sig = 0;
+ par.le = 0;
+ break;
+ case AUDIO_U8:
+ par.bits = 8;
+ par.sig = 0;
+ break;
+ default:
+ SDL_SetError("SNDIO unknown format");
+ return(-1);
+ }
+
+ par.rate = spec->freq;
+ par.pchan = spec->channels;
+ par.round = spec->samples;
+ par.appbufsz = par.round * 2;
+
+ if (sio_setpar(hdl, &par) == 0) {
+ SDL_SetError("sio_setpar() failed");
+ return(-1);
+ }
+
+ if (sio_getpar(hdl, &par) == 0) {
+ SDL_SetError("sio_getpar() failed");
+ return(-1);
+ }
+
+ if (par.bits == 16) {
+ if (par.sig && par.le) {
+ spec->format = AUDIO_S16LSB;
+ } else if (par.sig && !par.le) {
+ spec->format = AUDIO_S16MSB;
+ } else if (!par.sig && par.le) {
+ spec->format = AUDIO_U16LSB;
+ } else
+ spec->format = AUDIO_U16MSB;
+ } else if (par.bits == 8) {
+ spec->format = par.sig ? AUDIO_S8 : AUDIO_U8;
+ } else {
+ SDL_SetError("SNDIO couldn't configure a suitable format");
+ return(-1);
+ }
+
+ spec->freq = par.rate;
+ spec->channels = par.pchan;
+ spec->samples = par.round;
+
+ SDL_CalculateAudioSpec(spec);
+
+ /* Allocate mixing buffer */
+ mixlen = spec->size;
+ mixbuf = (Uint8 *)SDL_AllocAudioMem(mixlen);
+ if ( mixbuf == NULL ) {
+ return(-1);
+ }
+ SDL_memset(mixbuf, spec->silence, spec->size);
+
+ if ( sio_start(hdl) == 0 ) {
+ SDL_SetError("sio_start() failed");
+ return(-1);
+ }
+
+ /* We're ready to rock and roll. :-) */
+ return(0);
+}
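Review bot: `SNDIO_OpenAudio` leaves the device handle open on every failure after `sio_open()` succeeds: the unknown-format, `sio_setpar()`, `sio_getpar()`, unsuitable-format, allocation and `sio_start()` paths all `return(-1)` with `hdl` still set, and the last one also leaves `mixbuf` allocated. Unless the caller is guaranteed to invoke `SNDIO_CloseAudio` after a failed open (not visible on this page), each of those returns should be preceded by `SNDIO_CloseAudio(this);`, which already frees `mixbuf` and closes `hdl`. The allocation-failure path also returns without setting an error; `SDL_OutOfMemory();`, as used in `Audio_CreateDevice`, would fit there. Separately, `SNDIO_PlayAudio` stores the result of `sio_write()` in an `int` and treats only 0 as failure, so a short write goes unnoticed.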
diff --git b/src/audio/sndio/SDL_sndioaudio.h b/src/audio/sndio/SDL_sndioaudio.h
new file mode 100644
index 0000000..32c566e
--- /dev/null
+++ b/src/audio/sndio/SDL_sndioaudio.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (c) 2008 Jacob Meuser <jakemsr@sdf.lonestar.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "SDL_config.h"
+
+#ifndef _SDL_sndioaudio_h
+#define _SDL_sndioaudio_h
+
+#include <sndio.h>
+
+#include "../SDL_sysaudio.h"
+
+/* Hidden "this" pointer for the video functions */
+#define _THIS SDL_AudioDevice *this
+
+struct SDL_PrivateAudioData {
+ /* The stream descriptor for the audio device */
+ struct sio_hdl *hdl;
+
+ /* The parent process id, to detect when application quits */
+ pid_t parent;
+
+ /* Raw mixing buffer */
+ Uint8 *mixbuf;
+ int mixlen;
+
+};
+
+/* Old variable names */
+#define stream (this->hidden->stream)
+#define parent (this->hidden->parent)
+#define mixbuf (this->hidden->mixbuf)
+#define mixlen (this->hidden->mixlen)
+#define hdl (this->hidden->hdl)
+
+#endif /* _SDL_sndioaudio_h */
+
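Review bot: The compatibility macro `#define stream (this->hidden->stream)` names a member that `struct SDL_PrivateAudioData` does not declare, so any use of `stream` in a file that includes this header would fail to compile; the line should be dropped. The `parent` field and its macro are declared but nothing in SDL_sndioaudio.c sets or reads them, so they and the "parent process id" comment could go as well. The comment `/* Hidden "this" pointer for the video functions */` should say audio. Because `hdl`, `stream` and `parent` are very common identifiers, a short comment warning that these object-like macros rewrite those names in every includer would help the next reader.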