From 149c78abc8413a1553a46b5d968a7fc18aef1287 Mon Sep 17 00:00:00 2001
From: Artur Frenszek-Iwicki
Date: May 04 2022 07:51:54 +0000
Subject: Add a patch for CVE-2022-27470

---
diff --git a/0002-CVE-2022-27470.patch b/0002-CVE-2022-27470.patch
new file mode 100644
index 0000000..7ff3939
--- /dev/null
+++ b/0002-CVE-2022-27470.patch
@@ -0,0 +1,85 @@
+From 09a2294338d7907ae955b07affdac229546f9cc9 Mon Sep 17 00:00:00 2001
+From: Sylvain
+Date: Sat, 19 Mar 2022 16:17:23 +0100
+Subject: [PATCH 1/2] Fixed bug #187 - Arbitrary memory overwrite occurs when
+ loading glyphs and rendering text with a malformed TTF Pitch/size isn't
+ calculated with 64 bits precisions
+
+---
+ SDL_ttf.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/SDL_ttf.c b/SDL_ttf.c
+index 053f42b..1c19458 100644
+--- a/SDL_ttf.c
++++ b/SDL_ttf.c
+@@ -1257,7 +1257,7 @@ static SDL_Surface* Create_Surface_Solid(int width, int height, SDL_Color fg, Ui
+ */
+ void *pixels, *ptr;
+ /* Worse case at the end of line pulling 'alignment' extra blank pixels */
+- int pitch = width + alignment;
++ Sint64 pitch = width + alignment;
+ pitch += alignment;
+ pitch &= ~alignment;
+ size = height * pitch + sizeof (void *) + alignment;
+@@ -1321,7 +1321,7 @@ static SDL_Surface* Create_Surface_Shaded(int width, int height, SDL_Color fg, S
+ */
+ void *pixels, *ptr;
+ /* Worse case at the end of line pulling 'alignment' extra blank pixels */
+- int pitch = width + alignment;
++ Sint64 pitch = width + alignment;
+ pitch += alignment;
+ pitch &= ~alignment;
+ size = height * pitch + sizeof (void *) + alignment;
+@@ -1418,7 +1418,7 @@ static SDL_Surface *Create_Surface_Blended(int width, int height, SDL_Color fg,
+ Sint64 size;
+ void *pixels, *ptr;
+ /* Worse case at the end of line pulling 'alignment' extra blank pixels */
+- int pitch = (width + alignment) * 4;
++ Sint64 pitch = (width + alignment) * 4;
+ pitch += alignment;
+ pitch &= ~alignment;
+ size = height * pitch + sizeof (void *) + alignment;
+
+From db1b41ab8bde6723c24b866e466cad78c2fa0448 Mon Sep 17 00:00:00 2001
+From: Sylvain
+Date: Sat, 19 Mar 2022 20:40:28 +0100
+Subject: [PATCH 2/2] More integer overflow (see bug #187) Make sure that
+ 'width + alignment' doesn't overflow, otherwise it could create a SDL_Surface
+ of 'width' but with wrong 'pitch'
+
+---
+ SDL_ttf.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/SDL_ttf.c b/SDL_ttf.c
+index 1c19458..6a0956b 100644
+--- a/SDL_ttf.c
++++ b/SDL_ttf.c
+@@ -1257,7 +1257,7 @@ static SDL_Surface* Create_Surface_Solid(int width, int height, SDL_Color fg, Ui
+ */
+ void *pixels, *ptr;
+ /* Worse case at the end of line pulling 'alignment' extra blank pixels */
+- Sint64 pitch = width + alignment;
++ Sint64 pitch = (Sint64)width + (Sint64)alignment;
+ pitch += alignment;
+ pitch &= ~alignment;
+ size = height * pitch + sizeof (void *) + alignment;
+@@ -1321,7 +1321,7 @@ static SDL_Surface* Create_Surface_Shaded(int width, int height, SDL_Color fg, S
+ */
+ void *pixels, *ptr;
+ /* Worse case at the end of line pulling 'alignment' extra blank pixels */
+- Sint64 pitch = width + alignment;
++ Sint64 pitch = (Sint64)width + (Sint64)alignment;
+ pitch += alignment;
+ pitch &= ~alignment;
+ size = height * pitch + sizeof (void *) + alignment;
+@@ -1418,7 +1418,7 @@ static SDL_Surface *Create_Surface_Blended(int width, int height, SDL_Color fg,
+ Sint64 size;
+ void *pixels, *ptr;
+ /* Worse case at the end of line pulling 'alignment' extra blank pixels */
+- Sint64 pitch = (width + alignment) * 4;
++ Sint64 pitch = ((Sint64)width + (Sint64)alignment) * 4;
+ pitch += alignment;
+ pitch &= ~alignment;
+ size = height * pitch + sizeof (void *) + alignment;
diff --git a/mingw-SDL2_ttf.spec b/mingw-SDL2_ttf.spec
index b3399a6..02be837 100644
--- a/mingw-SDL2_ttf.spec
+++ b/mingw-SDL2_ttf.spec
@@ -4,7 +4,7 @@ Name: mingw-SDL2_ttf License: zlib Version: 2.0.18 -Release: 2%{?dist} +Release: 3%{?dist} %global pkg_summary MinGW Windows port of the TrueType font handling library for SDL2 Summary: %{pkg_summary}
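Review bot: The widened `pitch` in the three `Sint64 pitch = ...` lines only closes the overflow if the result is still range-checked before it reaches the surface's `int` pitch field and the allocation size, and that check is not inside this hunk; the `Sint64 size;` context line in Create_Surface_Blended suggests a `size < 0 || size > INT_MAX`-style rejection follows, but confirm it exists in Create_Surface_Solid and Create_Surface_Shaded as well, since their `size` declarations sit above the hunk. The unchanged `pitch &= ~alignment;` line also deserves a look: it masks a 64-bit `pitch` correctly only if `alignment` is a signed type whose complement sign-extends, whereas an unsigned 32-bit `alignment` would make `~alignment` a positive 32-bit mask and silently clear the upper half of `pitch`. If `alignment` turns out to be unsigned, write `pitch &= ~(Sint64)alignment;`. All three functions start above their hunks and continue past them.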
@@ -20,6 +20,13 @@ Patch0: 0000-disable-building-example-programs.patch # which causes this check to fail. This patch removes the check entirely. Patch1: 0001-no-harfbuzz-check.patch +# Fix for CVE-2022-27470 +# Backport of upstream commits: +# - https://github.com/libsdl-org/SDL_ttf/commit/09a2294338d7907ae955b07affdac229546f9cc9 +# - https://github.com/libsdl-org/SDL_ttf/commit/db1b41ab8bde6723c24b866e466cad78c2fa0448 +# See: https://bugzilla.redhat.com/show_bug.cgi?id=2081599 +Patch2: 0002-CVE-2022-27470.patch + BuildArch: noarch BuildRequires: autoconf
@@ -71,6 +78,7 @@ Summary: %{pkg_summary} %setup -q -n SDL2_ttf-%{version} %patch0 -p0 %patch1 -p1 +%patch2 -p1 %build
@@ -114,6 +122,9 @@ sed -i 's/\r$//' README.txt CHANGES.txt COPYING.txt %changelog +* Wed May 04 2022 Artur Frenszek-Iwicki - 2.0.18-3 +- Add a patch for CVE-2022-27470 + * Fri Mar 25 2022 Sandro Mani - 2.0.18-2 - Rebuild with mingw-gcc-12