File CVE-2019-7637.patch of Package SDL2

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2019-7637.patch of Package SDL2

diff --git a/src/video/SDL_surface.c b/src/video/SDL_surface.c
index 719f831..56678bb 100644
--- a/src/video/SDL_surface.c
+++ b/src/video/SDL_surface.c
@@ -40,22 +40,48 @@ SDL_COMPILE_TIME_ASSERT(surface_size_assumptions,
 int
 SDL_CalculatePitch(Uint32 format, int width)
 {
-    int pitch;
+    unsigned int pitch = 0;
 
     /* Surface should be 4-byte aligned for speed */
-    pitch = width * SDL_BYTESPERPIXEL(format);
+    /* The code tries to prevent from an Uint16 overflow. */;
+    for (Uint8 byte = SDL_BITSPERPIXEL(format); byte; byte--) {
+        pitch += (unsigned int)width;
+        if (pitch < width) {
+            SDL_SetError("A scanline is too wide");
+            return(0);
+        }
+    }
     switch (SDL_BITSPERPIXEL(format)) {
     case 1:
-        pitch = (pitch + 7) / 8;
+        if (pitch % 8) {
+            pitch = pitch / 8 + 1;
+        } else {
+            pitch = pitch / 8;
+        }
         break;
     case 4:
-        pitch = (pitch + 1) / 2;
+        if (pitch % 2) {
+            pitch = pitch / 2 + 1;
+        } else {
+            pitch = pitch / 2;
+        }
         break;
     default:
         break;
     }
-    pitch = (pitch + 3) & ~3;   /* 4-byte aligning */
-    return pitch;
+    /* 4-byte aligning */
+    if (pitch & 3) {
+        if (pitch + 3 < pitch) {
+            SDL_SetError("A scanline is too wide");
+            return(0);
+        }
+        pitch = (pitch + 3) & ~3;
+    }
+    if (pitch > 0xFFFF) {
+        SDL_SetError("A scanline is too wide");
+        return(0);
+    }
+    return((Uint16)pitch);
 }
 
 /*
@@ -86,6 +112,10 @@ SDL_CreateRGBSurfaceWithFormat(Uint32 flags, int width, int height, int depth,
     surface->w = width;
     surface->h = height;
     surface->pitch = SDL_CalculatePitch(format, width);
+    if (!surface->pitch)
+    {
+        return NULL;
+    }
     SDL_SetClipRect(surface, NULL);
 
     if (SDL_ISPIXELFORMAT_INDEXED(surface->format->format)) {

Places

File CVE-2019-7637.patch of Package SDL2

Places