1# HG changeset patch
2# User Petr Písař <ppisar@redhat.com>
3# Date 1552788984 25200
4#      Sat Mar 16 19:16:24 2019 -0700
5# Branch SDL-1.2
6# Node ID 9b0e5c555c0f5ce6d2c3c19da6cc2c7fb5048bf2
7# Parent  4646533663ae1d80c2cc6b2d6dbfb37c62491c1e
8CVE-2019-7637: Fix in integer overflow in SDL_CalculatePitch
9If a too large width is passed to SDL_SetVideoMode() the width travels
10to SDL_CalculatePitch() where the width (e.g. 65535) is multiplied by
11BytesPerPixel (e.g. 4) and the result is stored into Uint16 pitch
12variable. During this arithmetics an integer overflow can happen (e.g.
13the value is clamped as 65532). As a result SDL_Surface with a pitch
14smaller than width * BytesPerPixel is created, too small pixel buffer
15is allocated and when the SDL_Surface is processed in SDL_FillRect()
16a buffer overflow occurs.
17
18This can be reproduced with "./graywin -width 21312312313123213213213"
19command.
20
21This patch fixes is by using a very careful arithmetics in
22SDL_CalculatePitch(). If an overflow is detected, an error is reported
23back as a special 0 value. We assume that 0-width surfaces do not
24occur in the wild. Since SDL_CalculatePitch() is a private function,
25we can change the semantics.
26
27CVE-2019-7637
28https://bugzilla.libsdl.org/show_bug.cgi?id=4497
29
30Signed-off-by: Petr Písař <ppisar@redhat.com>
31
32CVE: CVE-2019-7637
33Upstream-Status: Backport
34Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
35
36diff -r 4646533663ae -r 9b0e5c555c0f src/video/SDL_pixels.c
37--- a/src/video/SDL_pixels.c	Sat Mar 16 18:35:33 2019 -0700
38+++ b/src/video/SDL_pixels.c	Sat Mar 16 19:16:24 2019 -0700
39@@ -286,26 +286,53 @@
40 	}
41 }
42 /*
43- * Calculate the pad-aligned scanline width of a surface
44+ * Calculate the pad-aligned scanline width of a surface. Return 0 in case of
45+ * an error.
46  */
47 Uint16 SDL_CalculatePitch(SDL_Surface *surface)
48 {
49-	Uint16 pitch;
50+	unsigned int pitch = 0;
51
52 	/* Surface should be 4-byte aligned for speed */
53-	pitch = surface->w*surface->format->BytesPerPixel;
54+	/* The code tries to prevent from an Uint16 overflow. */;
55+	for (Uint8 byte = surface->format->BytesPerPixel; byte; byte--) {
56+		pitch += (unsigned int)surface->w;
57+		if (pitch < surface->w) {
58+			SDL_SetError("A scanline is too wide");
59+			return(0);
60+		}
61+	}
62 	switch (surface->format->BitsPerPixel) {
63 		case 1:
64-			pitch = (pitch+7)/8;
65+			if (pitch % 8) {
66+				pitch = pitch / 8 + 1;
67+			} else {
68+				pitch = pitch / 8;
69+			}
70 			break;
71 		case 4:
72-			pitch = (pitch+1)/2;
73+			if (pitch % 2) {
74+				pitch = pitch / 2 + 1;
75+			} else {
76+				pitch = pitch / 2;
77+			}
78 			break;
79 		default:
80 			break;
81 	}
82-	pitch = (pitch + 3) & ~3;	/* 4-byte aligning */
83-	return(pitch);
84+	/* 4-byte aligning */
85+	if (pitch & 3) {
86+		if (pitch + 3 < pitch) {
87+			SDL_SetError("A scanline is too wide");
88+			return(0);
89+		}
90+		pitch = (pitch + 3) & ~3;
91+	}
92+	if (pitch > 0xFFFF) {
93+		SDL_SetError("A scanline is too wide");
94+		return(0);
95+	}
96+	return((Uint16)pitch);
97 }
98 /*
99  * Match an RGB value to a particular palette index
100diff -r 4646533663ae -r 9b0e5c555c0f src/video/gapi/SDL_gapivideo.c
101--- a/src/video/gapi/SDL_gapivideo.c	Sat Mar 16 18:35:33 2019 -0700
102+++ b/src/video/gapi/SDL_gapivideo.c	Sat Mar 16 19:16:24 2019 -0700
103@@ -733,6 +733,9 @@
104 	video->w = gapi->w = width;
105 	video->h = gapi->h = height;
106 	video->pitch = SDL_CalculatePitch(video);
107+	if (!current->pitch) {
108+		return(NULL);
109+	}
110
111 	/* Small fix for WinCE/Win32 - when activating window
112 	   SDL_VideoSurface is equal to zero, so activating code
113diff -r 4646533663ae -r 9b0e5c555c0f src/video/nanox/SDL_nxvideo.c
114--- a/src/video/nanox/SDL_nxvideo.c	Sat Mar 16 18:35:33 2019 -0700
115+++ b/src/video/nanox/SDL_nxvideo.c	Sat Mar 16 19:16:24 2019 -0700
116@@ -378,6 +378,10 @@
117         current -> w = width ;
118         current -> h = height ;
119         current -> pitch = SDL_CalculatePitch (current) ;
120+        if (!current->pitch) {
121+            current = NULL;
122+            goto done;
123+        }
124         NX_ResizeImage (this, current, flags) ;
125     }
126
127diff -r 4646533663ae -r 9b0e5c555c0f src/video/ps2gs/SDL_gsvideo.c
128--- a/src/video/ps2gs/SDL_gsvideo.c	Sat Mar 16 18:35:33 2019 -0700
129+++ b/src/video/ps2gs/SDL_gsvideo.c	Sat Mar 16 19:16:24 2019 -0700
130@@ -479,6 +479,9 @@
131 	current->w = width;
132 	current->h = height;
133 	current->pitch = SDL_CalculatePitch(current);
134+	if (!current->pitch) {
135+		return(NULL);
136+	}
137
138 	/* Memory map the DMA area for block memory transfer */
139 	if ( ! mapped_mem ) {
140diff -r 4646533663ae -r 9b0e5c555c0f src/video/ps3/SDL_ps3video.c
141--- a/src/video/ps3/SDL_ps3video.c	Sat Mar 16 18:35:33 2019 -0700
142+++ b/src/video/ps3/SDL_ps3video.c	Sat Mar 16 19:16:24 2019 -0700
143@@ -339,6 +339,9 @@
144 	current->w = width;
145 	current->h = height;
146 	current->pitch = SDL_CalculatePitch(current);
147+	if (!current->pitch) {
148+		return(NULL);
149+	}
150
151 	/* Alloc aligned mem for current->pixels */
152 	s_pixels = memalign(16, current->h * current->pitch);
153diff -r 4646533663ae -r 9b0e5c555c0f src/video/windib/SDL_dibvideo.c
154--- a/src/video/windib/SDL_dibvideo.c	Sat Mar 16 18:35:33 2019 -0700
155+++ b/src/video/windib/SDL_dibvideo.c	Sat Mar 16 19:16:24 2019 -0700
156@@ -675,6 +675,9 @@
157 	video->w = width;
158 	video->h = height;
159 	video->pitch = SDL_CalculatePitch(video);
160+	if (!current->pitch) {
161+		return(NULL);
162+	}
163
164 	/* Small fix for WinCE/Win32 - when activating window
165 	   SDL_VideoSurface is equal to zero, so activating code
166diff -r 4646533663ae -r 9b0e5c555c0f src/video/windx5/SDL_dx5video.c
167--- a/src/video/windx5/SDL_dx5video.c	Sat Mar 16 18:35:33 2019 -0700
168+++ b/src/video/windx5/SDL_dx5video.c	Sat Mar 16 19:16:24 2019 -0700
169@@ -1127,6 +1127,9 @@
170 		video->w = width;
171 		video->h = height;
172 		video->pitch = SDL_CalculatePitch(video);
173+		if (!current->pitch) {
174+			return(NULL);
175+		}
176
177 #ifndef NO_CHANGEDISPLAYSETTINGS
178 		/* Set fullscreen mode if appropriate.
179diff -r 4646533663ae -r 9b0e5c555c0f src/video/x11/SDL_x11video.c
180--- a/src/video/x11/SDL_x11video.c	Sat Mar 16 18:35:33 2019 -0700
181+++ b/src/video/x11/SDL_x11video.c	Sat Mar 16 19:16:24 2019 -0700
182@@ -1225,6 +1225,10 @@
183 		current->w = width;
184 		current->h = height;
185 		current->pitch = SDL_CalculatePitch(current);
186+		if (!current->pitch) {
187+			current = NULL;
188+			goto done;
189+		}
190 		if (X11_ResizeImage(this, current, flags) < 0) {
191 			current = NULL;
192 			goto done;
193