!37 [sync] PR-35: Fix CVE-2022-4743

From: @openeuler-sync-bot 
Reviewed-by: @gitee-cmd 
Signed-off-by: @gitee-cmd

CVE-2020-14409_CVE-2020-14410.patch

@@ -0,0 +1,73 @@
+From a7ff6e96155f550a5597621ebeddd03c98aa9294 Mon Sep 17 00:00:00 2001
+From: Sam Lantinga <slouken@libsdl.org>
+Date: Wed, 17 Jun 2020 08:44:45 -0700
+Subject: [PATCH] Fixed overflow in surface pitch calculation
+
+---
+ src/video/SDL_surface.c | 23 +++++++++++++++--------
+ 1 file changed, 15 insertions(+), 8 deletions(-)
+
+diff --git a/src/video/SDL_surface.c b/src/video/SDL_surface.c
+index 085d9ff1e17..bff826f7cc6 100644
+--- a/src/video/SDL_surface.c
++++ b/src/video/SDL_surface.c
+@@ -28,24 +28,23 @@
+ #include "SDL_yuv_c.h"
+ 
+ 
+-/* Check to make sure we can safely check multiplication of surface w and pitch and it won't overflow size_t */
+-SDL_COMPILE_TIME_ASSERT(surface_size_assumptions,
+-    sizeof(int) == sizeof(Sint32) && sizeof(size_t) >= sizeof(Sint32));
++/* Check to make sure we can safely check multiplication of surface w and pitch and it won't overflow Sint64 */
++SDL_COMPILE_TIME_ASSERT(surface_size_assumptions, sizeof(int) == sizeof(Sint32));
+ 
+ /* Public routines */
+ 
+ /*
+  * Calculate the pad-aligned scanline width of a surface
+  */
+-static int
++static Sint64
+ SDL_CalculatePitch(Uint32 format, int width)
+ {
+-    int pitch;
++    Sint64 pitch;
+ 
+     if (SDL_ISPIXELFORMAT_FOURCC(format) || SDL_BITSPERPIXEL(format) >= 8) {
+-        pitch = (width * SDL_BYTESPERPIXEL(format));
++        pitch = ((Sint64)width * SDL_BYTESPERPIXEL(format));
+     } else {
+-        pitch = ((width * SDL_BITSPERPIXEL(format)) + 7) / 8;
++        pitch = (((Sint64)width * SDL_BITSPERPIXEL(format)) + 7) / 8;
+     }
+     pitch = (pitch + 3) & ~3;   /* 4-byte aligning for speed */
+     return pitch;
+@@ -59,11 +58,19 @@ SDL_Surface *
+ SDL_CreateRGBSurfaceWithFormat(Uint32 flags, int width, int height, int depth,
+                                Uint32 format)
+ {
++    Sint64 pitch;
+     SDL_Surface *surface;
+ 
+     /* The flags are no longer used, make the compiler happy */
+     (void)flags;
+ 
++    pitch = SDL_CalculatePitch(format, width);
++    if (pitch < 0 || pitch > SDL_MAX_SINT32) {
++        /* Overflow... */
++        SDL_OutOfMemory();
++        return NULL;
++    }
++
+     /* Allocate the surface */
+     surface = (SDL_Surface *) SDL_calloc(1, sizeof(*surface));
+     if (surface == NULL) {
+@@ -78,7 +85,7 @@ SDL_CreateRGBSurfaceWithFormat(Uint32 flags, int width, int height, int depth,
+     }
+     surface->w = width;
+     surface->h = height;
+-    surface->pitch = SDL_CalculatePitch(format, width);
++    surface->pitch = (int)pitch;
+     SDL_SetClipRect(surface, NULL);
+ 
+     if (SDL_ISPIXELFORMAT_INDEXED(surface->format->format)) {

CVE-2022-4743.patch

@@ -0,0 +1,33 @@
+From 00b67f55727bc0944c3266e2b875440da132ce4b Mon Sep 17 00:00:00 2001
+From: zhailiangliang <zhailiangliang@loongson.cn>
+Date: Wed, 21 Sep 2022 10:30:38 +0800
+Subject: [PATCH] Fix potential memory leak in GLES_CreateTexture
+
+---
+ src/render/opengles/SDL_render_gles.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/render/opengles/SDL_render_gles.c b/src/render/opengles/SDL_render_gles.c
+index a5fbab309eda..ba08a46e2805 100644
+--- a/src/render/opengles/SDL_render_gles.c
++++ b/src/render/opengles/SDL_render_gles.c
+@@ -359,6 +359,9 @@ GLES_CreateTexture(SDL_Renderer * renderer, SDL_Texture * texture)
+     renderdata->glGenTextures(1, &data->texture);
+     result = renderdata->glGetError();
+     if (result != GL_NO_ERROR) {
++        if (texture->access == SDL_TEXTUREACCESS_STREAMING) {
++            SDL_free(data->pixels);
++        }
+         SDL_free(data);
+         return GLES_SetError("glGenTextures()", result);
+     }
+@@ -387,6 +390,9 @@ GLES_CreateTexture(SDL_Renderer * renderer, SDL_Texture * texture)
+ 
+     result = renderdata->glGetError();
+     if (result != GL_NO_ERROR) {
++        if (texture->access == SDL_TEXTUREACCESS_STREAMING) {
++            SDL_free(data->pixels);
++        }
+         SDL_free(data);
+         return GLES_SetError("glTexImage2D()", result);
+     }

Fix-build-against-wayland-1.20.patch

@@ -0,0 +1,42 @@
+From 068c13b1cac4fead98a458b70ef482ddc8205358 Mon Sep 17 00:00:00 2001
+From: David Redondo <kde@david-redondo.de>
+Date: Fri, 10 Dec 2021 16:22:34 +0100
+Subject: [PATCH] Fix build against wayland 1.20
+
+Fixes #5088
+---
+ src/video/wayland/SDL_waylanddyn.h | 2 ++
+ src/video/wayland/SDL_waylandsym.h | 4 ++++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/src/video/wayland/SDL_waylanddyn.h b/src/video/wayland/SDL_waylanddyn.h
+index 485a9c1..8ab0505 100644
+--- a/src/video/wayland/SDL_waylanddyn.h
++++ b/src/video/wayland/SDL_waylanddyn.h
+@@ -78,6 +78,8 @@ void SDL_WAYLAND_UnloadSymbols(void);
+ #define wl_proxy_set_user_data (*WAYLAND_wl_proxy_set_user_data)
+ #define wl_proxy_get_user_data (*WAYLAND_wl_proxy_get_user_data)
+ #define wl_proxy_get_version (*WAYLAND_wl_proxy_get_version)
++#define wl_proxy_marshal_flags (*WAYLAND_wl_proxy_marshal_flags)
++#define wl_proxy_marshal_array_flags (*WAYLAND_wl_proxy_marshal_array_flags)
+ #define wl_proxy_add_listener (*WAYLAND_wl_proxy_add_listener)
+ #define wl_proxy_marshal_constructor (*WAYLAND_wl_proxy_marshal_constructor)
+ #define wl_proxy_marshal_constructor_versioned (*WAYLAND_wl_proxy_marshal_constructor_versioned)
+diff --git a/src/video/wayland/SDL_waylandsym.h b/src/video/wayland/SDL_waylandsym.h
+index c4c189d..789f49e 100644
+--- a/src/video/wayland/SDL_waylandsym.h
++++ b/src/video/wayland/SDL_waylandsym.h
+@@ -71,6 +71,10 @@ SDL_WAYLAND_SYM(struct wl_proxy *, wl_proxy_marshal_constructor, (struct wl_prox
+ SDL_WAYLAND_MODULE(WAYLAND_CLIENT_1_10)
+ SDL_WAYLAND_SYM(struct wl_proxy *, wl_proxy_marshal_constructor_versioned, (struct wl_proxy *proxy, uint32_t opcode, const struct wl_interface *interface, uint32_t version, ...))
+ 
++SDL_WAYLAND_MODULE(WAYLAND_CLIENT_1_20)
++SDL_WAYLAND_SYM(struct wl_proxy*, wl_proxy_marshal_flags, (struct wl_proxy *proxy, uint32_t opcode, const struct wl_interface *interfac, uint32_t version, uint32_t flags, ...))
++SDL_WAYLAND_SYM(struct wl_proxy*, wl_proxy_marshal_array_flags, (struct wl_proxy *proxy, uint32_t opcode, const struct wl_interface *interface, uint32_t version,  uint32_t flags, union wl_argument *args))
++
+ SDL_WAYLAND_INTERFACE(wl_seat_interface)
+ SDL_WAYLAND_INTERFACE(wl_surface_interface)
+ SDL_WAYLAND_INTERFACE(wl_shm_pool_interface)
+-- 
+1.8.3.1
+

SDL2-2.0.9-khrplatform.patch

@@ -0,0 +1,15 @@
+diff -up SDL2-2.0.9/include/SDL_opengl_glext.h.khrplatform SDL2-2.0.9/include/SDL_opengl_glext.h
+--- SDL2-2.0.9/include/SDL_opengl_glext.h.khrplatform	2019-02-15 20:22:39.173773779 -0500
++++ SDL2-2.0.9/include/SDL_opengl_glext.h	2019-02-15 20:22:58.176399330 -0500
+@@ -469,8 +469,9 @@ GLAPI void APIENTRY glBlendEquation (GLe
+ typedef long GLsizeiptr;
+ typedef long GLintptr;
+ #else
+-typedef ptrdiff_t GLsizeiptr;
+-typedef ptrdiff_t GLintptr;
++#include <KHR/khrplatform.h>
++typedef khronos_intptr_t GLintptr;
++typedef khronos_ssize_t GLsizeiptr;
+ #endif
+ #define GL_BUFFER_SIZE                    0x8764
+ #define GL_BUFFER_USAGE                   0x8765

SDL2.spec

@@ -1,19 +1,25 @@
 Name:           SDL2
-Version:        2.0.8
-Release:        8
+Version:        2.0.12
+Release:        2
 Summary:        Cross-platform multimedia library
 License:        zlib and MIT
 URL:            http://www.libsdl.org/
 Source0:        http://www.libsdl.org/release/%{name}-%{version}.tar.gz
 Source1:        SDL_config.h
 Patch0000:      multilib.patch
-Patch0001:      dynapi.patch
+Patch0001:	SDL2-2.0.9-khrplatform.patch
+Patch0002:	Fix-build-against-wayland-1.20.patch
+#https://github.com/libsdl-org/SDL/commit/a7ff6e96155f550a5597621ebeddd03c98aa9294
+Patch0003:	CVE-2020-14409_CVE-2020-14410.patch
+Patch6000:      backport-CVE-2021-33657.patch
+Patch6001:      CVE-2022-4743.patch
+
 BuildRequires:  alsa-lib-devel audiofile-devel mesa-libGL-devel
-BuildRequires:  mesa-libGLU-devel mesa-libEGL-devel mesa-libGLES-devel
+BuildRequires:  mesa-libGLU-devel mesa-libEGL-devel libglvnd-devel
 BuildRequires:  libXext-devel libX11-devel libXi-devel libXrandr-devel
 BuildRequires:  libXrender-devel libXScrnSaver-devel libusb-devel
 BuildRequires:  libXinerama-devel libXcursor-devel systemd-devel
-BuildRequires:  pkgconfig(libpulse-simple)
+BuildRequires:  pkgconfig(libpulse-simple) pkgconfig(jack)
 BuildRequires:  pkgconfig(dbus-1) pkgconfig(ibus-1.0)
 BuildRequires:  pkgconfig(wayland-client) pkgconfig(wayland-egl)
 BuildRequires:  pkgconfig(wayland-cursor) pkgconfig(wayland-protocols)
@@ -38,7 +44,7 @@ developing SDL applications.
 
 %prep
 %autosetup -p1
-sed -i -e 's/.*AM_PATH_ESD.*//' configure.in
+sed -i -e 's/.*AM_PATH_ESD.*//' configure.ac
 sed -i -e 's/\r//g' TODO.txt README.txt WhatsNew.txt BUGS.txt COPYING.txt CREDITS.txt README-SDL.txt
 
 %build
@@ -54,14 +60,18 @@ sed -i -e 's/\r//g' TODO.txt README.txt WhatsNew.txt BUGS.txt COPYING.txt CREDIT
 
 %install
 %make_install
+
 mv %{buildroot}%{_includedir}/SDL2/SDL_config.h %{buildroot}%{_includedir}/SDL2/SDL_config-%{_arch}.h
 install -pm 0644 %{SOURCE1} %{buildroot}%{_includedir}/SDL2/SDL_config.h
 
+rm -vf %{buildroot}%{_libdir}/*.la
+
+%ldconfig_scriptlets
+
 %files
 %license COPYING.txt
 %doc BUGS.txt CREDITS.txt README-SDL.txt
 %{_libdir}/lib*.so.*
-%exclude %{_libdir}/*.la
 
 %files devel
 %license COPYING.txt
@@ -75,6 +85,27 @@ install -pm 0644 %{SOURCE1} %{buildroot}%{_includedir}/SDL2/SDL_config.h
 %{_datadir}/aclocal/*
 
 %changelog
+* Tue Jan 10 2023 jiangpeng <jiangpeng01@ncti-gba.cn> - 2.0.12-2
+- fix CVE-2022-4743
+
+* Tue Apr 12 2022 yaoxin <yaoxin30@h-partners.com> - 2.0.12-1
+- Upgrade SDL2 to 2.0.12 and fix CVE-2020-14409,CVE-2020-14410
+
+* Tue Mar 15 2022 yuanxin <yuanxin24@h-partners.com> - 2.0.8-11
+- Type:CVE
+- ID:NA
+- SUG:NA
+- DESC:Fix CVE-2021-33657
+
+* Tue Oct 13 2020 hanhui <hanhui15@huawei.com> - 2.0.8-10
+- change mesa-libEGL-devel to libglvnd-devel in buildrequires
+
+* Wed Mar 18 2020 openEuler Buildteam <buildteam@openeuler.org> - 2.0.8-9
+- Type:CVE
+- ID:NA
+- SUG:NA
+- DESC:Fix CVE-2019-13616
+
 * Mon Feb 24 2020 yuxiangyang <yuxiangyang4@huawei.com> - 2.0.8-8
 - Delete buildrequires for jack-audio-connection-kit
 

backport-CVE-2021-33657.patch

@@ -0,0 +1,33 @@
+From 8c91cf7dba5193f5ce12d06db1336515851c9ee9 Mon Sep 17 00:00:00 2001
+From: Sam Lantinga <slouken@libsdl.org>
+Date: Tue, 30 Nov 2021 12:36:46 -0800
+Subject: [PATCH] Always create a full 256-entry map in case color values are
+ out of range
+
+Fixes https://github.com/libsdl-org/SDL/issues/5042
+---
+ src/video/SDL_pixels.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/video/SDL_pixels.c b/src/video/SDL_pixels.c
+index ac04533c5d5..9bb02f771d0 100644
+--- a/src/video/SDL_pixels.c
++++ b/src/video/SDL_pixels.c
+@@ -947,7 +947,7 @@ Map1to1(SDL_Palette * src, SDL_Palette * dst, int *identical)
+         }
+         *identical = 0;
+     }
+-    map = (Uint8 *) SDL_malloc(src->ncolors);
++    map = (Uint8 *) SDL_calloc(256, sizeof(Uint8));
+     if (map == NULL) {
+         SDL_OutOfMemory();
+         return (NULL);
+@@ -971,7 +971,7 @@ Map1toN(SDL_PixelFormat * src, Uint8 Rmod, Uint8 Gmod, Uint8 Bmod, Uint8 Amod,
+     SDL_Palette *pal = src->palette;
+ 
+     bpp = ((dst->BytesPerPixel == 3) ? 4 : dst->BytesPerPixel);
+-    map = (Uint8 *) SDL_malloc(pal->ncolors * bpp);
++    map = (Uint8 *) SDL_calloc(256, bpp);
+     if (map == NULL) {
+         SDL_OutOfMemory();
+         return (NULL);

dynapi.patch

@@ -1,84 +0,0 @@
-
-# HG changeset patch
-# User Ryan C. Gordon <icculus@icculus.org>
-# Date 1526575846 14400
-# Node ID 7babfecee045fac18d95e5936fede534ca54ed24
-# Parent  9e46f3dd75fd2e85e0e3ebb8a77329bc74a16e70
-dynapi: don't let system loader resolve the initializer to the wrong version.
-
-Fixes problems launching Firewatch on Linux (which statically links SDL but
-also dynamically loads a system-wide copy from a plugin shared library) with
-a newer SDL build.
-
-diff -r 9e46f3dd75fd -r 7babfecee045 src/dynapi/SDL_dynapi.c
---- a/src/dynapi/SDL_dynapi.c	Fri May 11 09:37:00 2018 +0300
-+++ b/src/dynapi/SDL_dynapi.c	Thu May 17 12:50:46 2018 -0400
-@@ -167,15 +167,10 @@
- #error Write me.
- #endif
- 
--
--
--/* Here's the exported entry point that fills in the jump table. */
--/*  Use specific types when an "int" might suffice to keep this sane. */
--typedef Sint32 (SDLCALL *SDL_DYNAPI_ENTRYFN)(Uint32 apiver, void *table, Uint32 tablesize);
--extern DECLSPEC Sint32 SDLCALL SDL_DYNAPI_entry(Uint32, void *, Uint32);
--
--Sint32
--SDL_DYNAPI_entry(Uint32 apiver, void *table, Uint32 tablesize)
-+/* we make this a static function so we can call the correct one without the
-+   system's dynamic linker resolving to the wrong version of this. */
-+static Sint32
-+initialize_jumptable(Uint32 apiver, void *table, Uint32 tablesize)
- {
-     SDL_DYNAPI_jump_table *output_jump_table = (SDL_DYNAPI_jump_table *) table;
- 
-@@ -202,6 +197,18 @@
- }
- 
- 
-+/* Here's the exported entry point that fills in the jump table. */
-+/*  Use specific types when an "int" might suffice to keep this sane. */
-+typedef Sint32 (SDLCALL *SDL_DYNAPI_ENTRYFN)(Uint32 apiver, void *table, Uint32 tablesize);
-+extern DECLSPEC Sint32 SDLCALL SDL_DYNAPI_entry(Uint32, void *, Uint32);
-+
-+Sint32
-+SDL_DYNAPI_entry(Uint32 apiver, void *table, Uint32 tablesize)
-+{
-+    return initialize_jumptable(apiver, table, tablesize);
-+}
-+
-+
- /* Obviously we can't use SDL_LoadObject() to load SDL.  :)  */
- /* Also obviously, we never close the loaded library. */
- #if defined(WIN32) || defined(_WIN32) || defined(__CYGWIN__)
-@@ -260,7 +267,7 @@
- SDL_InitDynamicAPILocked(void)
- {
-     const char *libname = SDL_getenv_REAL("SDL_DYNAMIC_API");
--    SDL_DYNAPI_ENTRYFN entry = SDL_DYNAPI_entry;  /* funcs from here by default. */
-+    SDL_DYNAPI_ENTRYFN entry = NULL;  /* funcs from here by default. */
- 
-     if (libname) {
-         entry = (SDL_DYNAPI_ENTRYFN) get_sdlapi_entry(libname, "SDL_DYNAPI_entry");
-@@ -268,16 +275,15 @@
-             /* !!! FIXME: fail to startup here instead? */
-             /* !!! FIXME: definitely warn user. */
-             /* Just fill in the function pointers from this library. */
--            entry = SDL_DYNAPI_entry;
-         }
-     }
- 
--    if (entry(SDL_DYNAPI_VERSION, &jump_table, sizeof (jump_table)) < 0) {
-+    if (!entry || (entry(SDL_DYNAPI_VERSION, &jump_table, sizeof (jump_table)) < 0)) {
-         /* !!! FIXME: fail to startup here instead? */
-         /* !!! FIXME: definitely warn user. */
-         /* Just fill in the function pointers from this library. */
--        if (entry != SDL_DYNAPI_entry) {
--            if (!SDL_DYNAPI_entry(SDL_DYNAPI_VERSION, &jump_table, sizeof (jump_table))) {
-+        if (!entry) {
-+            if (!initialize_jumptable(SDL_DYNAPI_VERSION, &jump_table, sizeof (jump_table))) {
-                 /* !!! FIXME: now we're screwed. Should definitely abort now. */
-             }
-         }
-