From 09a2294338d7907ae955b07affdac229546f9cc9 Mon Sep 17 00:00:00 2001
From: Sylvain <sylvain.becker@gmail.com>
Date: Sat, 19 Mar 2022 16:17:23 +0100
Subject: [PATCH 1/2] Fixed bug #187 - Arbitrary memory overwrite occurs when
 loading glyphs and rendering text with a malformed TTF Pitch/size isn't
 calculated with 64-bit precision

---
 SDL_ttf.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/SDL_ttf.c b/SDL_ttf.c
index 053f42b..1c19458 100644
--- a/SDL_ttf.c
+++ b/SDL_ttf.c
@@ -1257,7 +1257,7 @@ static SDL_Surface* Create_Surface_Solid(int width, int height, SDL_Color fg, Ui
      */
     void *pixels, *ptr;
     /* Worse case at the end of line pulling 'alignment' extra blank pixels */
-    int pitch = width + alignment;
+    Sint64 pitch = width + alignment;
     pitch += alignment;
     pitch &= ~alignment;
     size = height * pitch + sizeof (void *) + alignment;
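Review bot: Declaring `pitch` as Sint64 does not widen the addition that initializes it: on the `+` line `width + alignment` is still evaluated in `int` (both operands are int as far as the hunk shows) and only the already-wrapped result is converted, so a malformed font that produces a very large `width` can still yield a small or negative pitch; the hunks at -1321 and -1418 have the same pattern, the latter also multiplying by 4 in int. Casting before the add, `Sint64 pitch = (Sint64)width + (Sint64)alignment;`, removes the 32-bit intermediate, which is what the follow-up patch 2/2 below does. For the Solid and Shaded hunks the declaration of `size` is outside the hunk; if it is still `int` there, `height * pitch` is narrowed back on assignment and the widening is lost, so that is worth confirming (the Blended hunk shows `Sint64 size;`). The enclosing functions start and end outside the hunk.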
@@ -1321,7 +1321,7 @@ static SDL_Surface* Create_Surface_Shaded(int width, int height, SDL_Color fg, S
      */
     void *pixels, *ptr;
     /* Worse case at the end of line pulling 'alignment' extra blank pixels */
-    int pitch = width + alignment;
+    Sint64 pitch = width + alignment;
     pitch += alignment;
     pitch &= ~alignment;
     size = height * pitch + sizeof (void *) + alignment;
@@ -1418,7 +1418,7 @@ static SDL_Surface *Create_Surface_Blended(int width, int height, SDL_Color fg,
         Sint64 size;
         void *pixels, *ptr;
         /* Worse case at the end of line pulling 'alignment' extra blank pixels */
-        int pitch = (width + alignment) * 4;
+        Sint64 pitch = (width + alignment) * 4;
         pitch += alignment;
         pitch &= ~alignment;
         size = height * pitch + sizeof (void *) + alignment;

From db1b41ab8bde6723c24b866e466cad78c2fa0448 Mon Sep 17 00:00:00 2001
From: Sylvain <sylvain.becker@gmail.com>
Date: Sat, 19 Mar 2022 20:40:28 +0100
Subject: [PATCH 2/2] More integer overflow (see bug #187) Make sure that
 'width + alignment' doesn't overflow, otherwise it could create a SDL_Surface
 of 'width' but with wrong 'pitch'

---
 SDL_ttf.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/SDL_ttf.c b/SDL_ttf.c
index 1c19458..6a0956b 100644
--- a/SDL_ttf.c
+++ b/SDL_ttf.c
@@ -1257,7 +1257,7 @@ static SDL_Surface* Create_Surface_Solid(int width, int height, SDL_Color fg, Ui
      */
     void *pixels, *ptr;
     /* Worse case at the end of line pulling 'alignment' extra blank pixels */
-    Sint64 pitch = width + alignment;
+    Sint64 pitch = (Sint64)width + (Sint64)alignment;
     pitch += alignment;
     pitch &= ~alignment;
     size = height * pitch + sizeof (void *) + alignment;
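Review bot: The `size =` line still assumes `width` and `height` are non-negative and bounded, which neither this hunk nor the casts check: `height * pitch` is Sint64, the `+ sizeof (void *)` then converts the sum to size_t, so a negative height turns into a huge unsigned value that is converted back on assignment, and whether such a size is rejected before the allocation depends on code outside the hunk. If there is no guard downstream along the lines of `if (width < 0 || height < 0 || size > SDL_MAX_SINT32) return NULL;`, the 64-bit arithmetic relocates the failure rather than removing it; the same applies to the hunks at -1321 and -1418. Separately, `pitch &= ~alignment;` only works because `alignment` is presumably a signed int whose complement sign-extends to 64 bits; if it were unsigned, `~alignment` would zero-extend and the mask would silently truncate pitch to 32 bits, so a comment such as `/* widen before adding: width and alignment come from the font and can overflow int (bug #187); alignment must stay signed for the mask below */` would document both assumptions. Create_Surface_Solid's body continues outside the hunk.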
@@ -1321,7 +1321,7 @@ static SDL_Surface* Create_Surface_Shaded(int width, int height, SDL_Color fg, S
      */
     void *pixels, *ptr;
     /* Worse case at the end of line pulling 'alignment' extra blank pixels */
-    Sint64 pitch = width + alignment;
+    Sint64 pitch = (Sint64)width + (Sint64)alignment;
     pitch += alignment;
     pitch &= ~alignment;
     size = height * pitch + sizeof (void *) + alignment;
@@ -1418,7 +1418,7 @@ static SDL_Surface *Create_Surface_Blended(int width, int height, SDL_Color fg,
         Sint64 size;
         void *pixels, *ptr;
         /* Worse case at the end of line pulling 'alignment' extra blank pixels */
-        Sint64 pitch = (width + alignment) * 4;
+        Sint64 pitch = ((Sint64)width + (Sint64)alignment) * 4;
         pitch += alignment;
         pitch &= ~alignment;
         size = height * pitch + sizeof (void *) + alignment;