slackware-current/source/l/sdl/CVE-2021-33657.patch

From d95c1a4bbd644baba748d341b03141e5f0481ae6 Mon Sep 17 00:00:00 2001
From: Sam Lantinga <slouken@libsdl.org>
Date: Tue, 30 Nov 2021 12:36:46 -0800
Subject: [PATCH] Always create a full 256-entry map in case color values are
 out of range

Fixes https://github.com/libsdl-org/SDL/issues/5042

Backport of CVE-2021-33657 fix from SDL2
---
 src/video/SDL_pixels.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/video/SDL_pixels.c b/src/video/SDL_pixels.c
index 17f1a7199..d0973f217 100644
--- a/src/video/SDL_pixels.c
+++ b/src/video/SDL_pixels.c
@@ -477,7 +477,7 @@ static Uint8 *Map1to1(SDL_Palette *src, SDL_Palette *dst, int *identical)
 		}
 		*identical = 0;
 	}
-	map = (Uint8 *)SDL_malloc(src->ncolors);
+	map = (Uint8 *) SDL_calloc(256, sizeof(Uint8));
 	if ( map == NULL ) {
 		SDL_OutOfMemory();
 		return(NULL);
@@ -498,7 +498,7 @@ static Uint8 *Map1toN(SDL_PixelFormat *src, SDL_PixelFormat *dst)
 	SDL_Palette *pal = src->palette;
 
 	bpp = ((dst->BytesPerPixel == 3) ? 4 : dst->BytesPerPixel);
-	map = (Uint8 *)SDL_malloc(pal->ncolors*bpp);
+	map = (Uint8 *) SDL_calloc(256, bpp);
 	if ( map == NULL ) {
 		SDL_OutOfMemory();
 		return(NULL);
Tue Dec 20 20:40:18 UTC 2022 d/p2c-2.02-x86_64-1.txz: Upgraded. kde/dolphin-22.12.0-x86_64-2.txz: Rebuilt. [PATCH] Revert "portalize drag urls" Thanks to marav. l/gst-plugins-bad-free-1.20.5-x86_64-1.txz: Upgraded. l/gst-plugins-base-1.20.5-x86_64-1.txz: Upgraded. l/gst-plugins-good-1.20.5-x86_64-1.txz: Upgraded. l/gst-plugins-libav-1.20.5-x86_64-1.txz: Upgraded. l/gstreamer-1.20.5-x86_64-1.txz: Upgraded. l/libqalculate-4.5.0-x86_64-1.txz: Upgraded. l/libvncserver-0.9.14-x86_64-1.txz: Upgraded. l/sdl-1.2.15-x86_64-14.txz: Rebuilt. This update fixes a heap overflow problem in video/SDL_pixels.c in SDL. By crafting a malicious .BMP file, an attacker can cause the application using this library to crash, denial of service, or code execution. Thanks to marav for the heads-up. For more information, see: https://www.cve.org/CVERecord?id=CVE-2021-33657 (* Security fix ) n/gnupg2-2.2.41-x86_64-1.txz: Upgraded. n/libksba-1.6.3-x86_64-1.txz: Upgraded. Fix another integer overflow in the CRL's signature parser. ( Security fix *) x/libSM-1.2.4-x86_64-1.txz: Upgraded. x/xcb-util-0.4.1-x86_64-1.txz: Upgraded. x/xdriinfo-1.0.7-x86_64-1.txz: Upgraded. 2022-12-20 21:40:18 +01:00			`From d95c1a4bbd644baba748d341b03141e5f0481ae6 Mon Sep 17 00:00:00 2001`
			`From: Sam Lantinga <slouken@libsdl.org>`
			`Date: Tue, 30 Nov 2021 12:36:46 -0800`
			`Subject: [PATCH] Always create a full 256-entry map in case color values are`
			`out of range`

			`Fixes https://github.com/libsdl-org/SDL/issues/5042`

			`Backport of CVE-2021-33657 fix from SDL2`
			`---`
			`src/video/SDL_pixels.c \| 4 ++--`
			`1 file changed, 2 insertions(+), 2 deletions(-)`

			`diff --git a/src/video/SDL_pixels.c b/src/video/SDL_pixels.c`
			`index 17f1a7199..d0973f217 100644`
			`--- a/src/video/SDL_pixels.c`
			`+++ b/src/video/SDL_pixels.c`
			`@@ -477,7 +477,7 @@ static Uint8 Map1to1(SDL_Palette src, SDL_Palette dst, int identical)`
			`}`
			`*identical = 0;`
			`}`
			`- map = (Uint8 *)SDL_malloc(src->ncolors);`
			`+ map = (Uint8 *) SDL_calloc(256, sizeof(Uint8));`
			`if ( map == NULL ) {`
			`SDL_OutOfMemory();`
			`return(NULL);`
			`@@ -498,7 +498,7 @@ static Uint8 Map1toN(SDL_PixelFormat src, SDL_PixelFormat *dst)`
			`SDL_Palette *pal = src->palette;`

			`bpp = ((dst->BytesPerPixel == 3) ? 4 : dst->BytesPerPixel);`
			`- map = (Uint8 )SDL_malloc(pal->ncolorsbpp);`
			`+ map = (Uint8 *) SDL_calloc(256, bpp);`
			`if ( map == NULL ) {`
			`SDL_OutOfMemory();`
			`return(NULL);`