From b5320e37f90f1bc5bc150f63e85814ad2d8eb588 Mon Sep 17 00:00:00 2001
From: nia <nia@pkgsrc.org>
Date: Thu, 14 May 2020 16:08:06 +0000
Subject: SDL_image: Best effort attempt at grabbing fixes from upstream hg

Bump PKGREVISION
---
 graphics/SDL_image/Makefile                 |   4 +-
 graphics/SDL_image/distinfo                 |   6 +-
 graphics/SDL_image/patches/patch-IMG__bmp.c |  92 +++++++++++++++++
 graphics/SDL_image/patches/patch-IMG__lbm.c |  97 ++++++++++++++++++
 graphics/SDL_image/patches/patch-IMG__pcx.c | 154 ++++++++++++++++++++++++++++
 graphics/SDL_image/patches/patch-IMG__xpm.c | 130 +++++++++++++++++++++++
 6 files changed, 480 insertions(+), 3 deletions(-)
 create mode 100644 graphics/SDL_image/patches/patch-IMG__bmp.c
 create mode 100644 graphics/SDL_image/patches/patch-IMG__lbm.c
 create mode 100644 graphics/SDL_image/patches/patch-IMG__pcx.c
 create mode 100644 graphics/SDL_image/patches/patch-IMG__xpm.c

(limited to 'graphics')

diff --git a/graphics/SDL_image/Makefile b/graphics/SDL_image/Makefile
index 872bd3c3a5f..5004cca0348 100644
--- a/graphics/SDL_image/Makefile
+++ b/graphics/SDL_image/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.52 2020/01/26 17:31:19 rillig Exp $
+# $NetBSD: Makefile,v 1.53 2020/05/14 16:08:06 nia Exp $
 
 DISTNAME=	SDL_image-1.2.12
-PKGREVISION=	8
+PKGREVISION=	9
 CATEGORIES=	graphics devel
 MASTER_SITES=	http://www.libsdl.org/projects/SDL_image/release/
 
diff --git a/graphics/SDL_image/distinfo b/graphics/SDL_image/distinfo
index 1b2545a3028..5ee7c1d2795 100644
--- a/graphics/SDL_image/distinfo
+++ b/graphics/SDL_image/distinfo
@@ -1,7 +1,11 @@
-$NetBSD: distinfo,v 1.17 2015/11/03 21:33:52 agc Exp $
+$NetBSD: distinfo,v 1.18 2020/05/14 16:08:06 nia Exp $
 
 SHA1 (SDL_image-1.2.12.tar.gz) = 5e3e393d4e366638048bbb10d6a269ea3f4e4cf2
 RMD160 (SDL_image-1.2.12.tar.gz) = 206990959c6b225286c0a19bc05b991c6bc2c3e8
 SHA512 (SDL_image-1.2.12.tar.gz) = 0e71b280abc2a7f15755e4480a3c1b52d41f9f8b0c9216a6f5bd9fc0e939456fb5d6c10419e1d1904785783f9a1891ead278c03e88b0466fecc6871c3ca40136
 Size (SDL_image-1.2.12.tar.gz) = 2231074 bytes
+SHA1 (patch-IMG__bmp.c) = 7c89a5bdcc5d3e5c1c7e2ee635dd063364bb8319
+SHA1 (patch-IMG__lbm.c) = 798ff3bc672894d4676214af97dbf30c3e639ffe
+SHA1 (patch-IMG__pcx.c) = 622c3c369b6830aa6b8093e58427555a16304576
+SHA1 (patch-IMG__xpm.c) = aab5f6949bc56f1087b3ff54eb763dd7a1aa1809
 SHA1 (patch-Makefile.in) = e8ae18e00af376676b292dc8419ed0d50c038db3
diff --git a/graphics/SDL_image/patches/patch-IMG__bmp.c b/graphics/SDL_image/patches/patch-IMG__bmp.c
new file mode 100644
index 00000000000..cd0c67bf0a0
--- /dev/null
+++ b/graphics/SDL_image/patches/patch-IMG__bmp.c
@@ -0,0 +1,92 @@
+$NetBSD: patch-IMG__bmp.c,v 1.1 2020/05/14 16:08:07 nia Exp $
+
+Various sanity fixes from upstream preventing potential
+security problems.
+
+--- IMG_bmp.c.orig	2012-01-21 01:51:33.000000000 +0000
++++ IMG_bmp.c
+@@ -272,6 +272,11 @@ static SDL_Surface *LoadBMP_RW (SDL_RWop
+ 		biClrUsed	= SDL_ReadLE32(src);
+ 		biClrImportant	= SDL_ReadLE32(src);
+ 	}
++	if (biWidth <= 0 || biHeight == 0) {
++		IMG_SetError("BMP file with bad dimensions (%dx%d)", biWidth, biHeight);
++		was_error = SDL_TRUE;
++		goto done;
++	}
+ 	if (biHeight < 0) {
+ 		topDown = SDL_TRUE;
+ 		biHeight = -biHeight;
+@@ -292,6 +297,15 @@ static SDL_Surface *LoadBMP_RW (SDL_RWop
+ 			ExpandBMP = biBitCount;
+ 			biBitCount = 8;
+ 			break;
++		case 0:
++		case 2:
++		case 3:
++		case 5:
++		case 6:
++		case 7:
++			IMG_SetError("%d-bpp BMP images are not supported", biBitCount);
++			was_error = SDL_TRUE;
++			goto done;
+ 		default:
+ 			ExpandBMP = 0;
+ 			break;
+@@ -444,7 +458,12 @@ static SDL_Surface *LoadBMP_RW (SDL_RWop
+ 						goto done;
+ 					}
+ 				}
+-				*(bits+i) = (pixel>>shift);
++				bits[i] = (pixel >> shift);
++				if (bits[i] >= biClrUsed) {
++					IMG_SetError("A BMP image contains a pixel with a color out of the palette");
++					was_error = SDL_TRUE;
++					goto done;
++				}
+ 				pixel <<= ExpandBMP;
+ 			} }
+ 			break;
+@@ -456,6 +475,15 @@ static SDL_Surface *LoadBMP_RW (SDL_RWop
+ 				was_error = SDL_TRUE;
+ 				goto done;
+ 			}
++			if (biBitCount == 8 && palette && biClrUsed < (1 << biBitCount)) {
++				for (i = 0; i < surface->w; ++i) {
++					if (bits[i] >= biClrUsed) {
++						IMG_SetError("A BMP image contains a pixel with a color out of the palette");
++						was_error = SDL_TRUE;
++						goto done;
++					}
++				}
++			}
+ #if SDL_BYTEORDER == SDL_BIG_ENDIAN
+ 			/* Byte-swap the pixels if needed. Note that the 24bpp
+ 			   case has already been taken care of above. */
+@@ -662,6 +690,14 @@ LoadICOCUR_RW(SDL_RWops * src, int type,
+         goto done;
+     }
+ 
++    /* sanity check image size, so we don't overflow integers, etc. */
++    if ((biWidth < 0) || (biWidth > 0xFFFFFF) ||
++        (biHeight < 0) || (biHeight > 0xFFFFFF)) {
++        IMG_SetError("Unsupported or invalid ICO dimensions");
++        was_error = SDL_TRUE;
++        goto done;
++    }
++
+     /* Create a RGBA surface */
+     biHeight = biHeight >> 1;
+     //printf("%d x %d\n", biWidth, biHeight);
+@@ -679,6 +715,11 @@ LoadICOCUR_RW(SDL_RWops * src, int type,
+         if (biClrUsed == 0) {
+             biClrUsed = 1 << biBitCount;
+         }
++        if (biClrUsed > (sizeof(palette)/sizeof(palette[0]))) {
++            IMG_SetError("Unsupported or incorrect biClrUsed field");
++            was_error = SDL_TRUE;
++            goto done;
++        }
+         for (i = 0; i < (int) biClrUsed; ++i) {
+             SDL_RWread(src, &palette[i], 4, 1);
+         }
diff --git a/graphics/SDL_image/patches/patch-IMG__lbm.c b/graphics/SDL_image/patches/patch-IMG__lbm.c
new file mode 100644
index 00000000000..fd565eaf35c
--- /dev/null
+++ b/graphics/SDL_image/patches/patch-IMG__lbm.c
@@ -0,0 +1,97 @@
+$NetBSD: patch-IMG__lbm.c,v 1.1 2020/05/14 16:08:07 nia Exp $
+
+Various sanity fixes from upstream preventing potential
+security problems.
+
+--- IMG_lbm.c.orig	2012-01-21 01:51:33.000000000 +0000
++++ IMG_lbm.c
+@@ -187,7 +187,12 @@ SDL_Surface *IMG_LoadLBM_RW( SDL_RWops *
+ 
+ 		if ( !memcmp( id, "CMAP", 4 ) ) /* palette ( Color Map ) */
+ 		{
+-			if ( !SDL_RWread( src, &colormap, size, 1 ) )
++			if (size > sizeof (colormap)) {
++				error="colormap size is too large";
++				goto done;
++			}
++
++			if ( !SDL_RWread( src, colormap, size, 1 ) )
+ 			{
+ 				error="error reading CMAP chunk";
+ 				goto done;
+@@ -242,14 +247,14 @@ SDL_Surface *IMG_LoadLBM_RW( SDL_RWops *
+ 	/* Allocate memory for a temporary buffer ( used for
+            decompression/deinterleaving ) */
+ 
+-	MiniBuf = (void *)malloc( bytesperline * (nbplanes + stencil) );
++	MiniBuf = (Uint8 *)malloc( bytesperline * (nbplanes + stencil) );
+ 	if ( MiniBuf == NULL )
+ 	{
+-		error="no enough memory for temporary buffer";
++		error="not enough memory for temporary buffer";
+ 		goto done;
+ 	}
+ 
+-	if ( ( Image = SDL_CreateRGBSurface( SDL_SWSURFACE, width, bmhd.h, (bmhd.planes==24 || flagHAM==1)?24:8, 0, 0, 0, 0 ) ) == NULL )
++	if ( ( Image = SDL_CreateRGBSurface( SDL_SWSURFACE, width, bmhd.h, (nbplanes==24 || flagHAM==1)?24:8, 0, 0, 0, 0 ) ) == NULL )
+ 	   goto done;
+ 
+ 	if ( bmhd.mask & 2 )               /* There is a transparent color */
+@@ -276,7 +281,7 @@ SDL_Surface *IMG_LoadLBM_RW( SDL_RWops *
+ 		/* The 32 last colors are the same but divided by 2 */
+ 		/* Some Amiga pictures save 64 colors with 32 last wrong colors, */
+ 		/* they shouldn't !, and here we overwrite these 32 bad colors. */
+-		if ( (nbcolors==32 || flagEHB ) && (1<<bmhd.planes)==64 )
++		if ( (nbcolors==32 || flagEHB ) && (1<<nbplanes)==64 )
+ 		{
+ 			nbcolors = 64;
+ 			ptr = &colormap[0];
+@@ -290,8 +295,8 @@ SDL_Surface *IMG_LoadLBM_RW( SDL_RWops *
+ 
+ 		/* If nbcolors < 2^nbplanes, repeat the colormap */
+ 		/* This happens when pictures have a stencil mask */
+-		if ( nbrcolorsfinal > (1<<bmhd.planes) ) {
+-			nbrcolorsfinal = (1<<bmhd.planes);
++		if ( nbrcolorsfinal > (1<<nbplanes) ) {
++			nbrcolorsfinal = (1<<nbplanes);
+ 		}
+ 		for ( i=nbcolors; i < (Uint32)nbrcolorsfinal; i++ )
+ 		{
+@@ -365,7 +370,7 @@ SDL_Surface *IMG_LoadLBM_RW( SDL_RWops *
+ 
+ 		/* One line has been read, store it ! */
+ 
+-		ptr = Image->pixels;
++		ptr = (Uint8 *)Image->pixels;
+ 		if ( nbplanes==24 || flagHAM==1 )
+ 			ptr += h * width * 3;
+ 		else
+@@ -449,19 +454,15 @@ SDL_Surface *IMG_LoadLBM_RW( SDL_RWops *
+ 						{
+ 							finalcolor = pixelcolor;
+ 						}
+-						if ( SDL_BYTEORDER == SDL_LIL_ENDIAN )
+-						{
+-							*ptr++ = (Uint8)(finalcolor>>16);
+-							*ptr++ = (Uint8)(finalcolor>>8);
+-							*ptr++ = (Uint8)(finalcolor);
+-						}
+-						else
+-						{
+-							*ptr++ = (Uint8)(finalcolor);
+-							*ptr++ = (Uint8)(finalcolor>>8);
+-							*ptr++ = (Uint8)(finalcolor>>16);
+-						}
+-
++#if SDL_BYTEORDER == SDL_LIL_ENDIAN
++						*ptr++ = (Uint8)(finalcolor>>16);
++						*ptr++ = (Uint8)(finalcolor>>8);
++						*ptr++ = (Uint8)(finalcolor);
++#else
++						*ptr++ = (Uint8)(finalcolor);
++						*ptr++ = (Uint8)(finalcolor>>8);
++						*ptr++ = (Uint8)(finalcolor>>16);
++#endif
+ 						maskBit = maskBit>>1;
+ 					}
+ 				}
diff --git a/graphics/SDL_image/patches/patch-IMG__pcx.c b/graphics/SDL_image/patches/patch-IMG__pcx.c
new file mode 100644
index 00000000000..0c0498f2c98
--- /dev/null
+++ b/graphics/SDL_image/patches/patch-IMG__pcx.c
@@ -0,0 +1,154 @@
+$NetBSD: patch-IMG__pcx.c,v 1.1 2020/05/14 16:08:07 nia Exp $
+
+Various sanity fixes from upstream preventing potential
+security problems.
+
+--- IMG_pcx.c.orig	2012-01-21 01:51:33.000000000 +0000
++++ IMG_pcx.c
+@@ -100,6 +100,8 @@ SDL_Surface *IMG_LoadPCX_RW(SDL_RWops *s
+ 	Uint8 *row, *buf = NULL;
+ 	char *error = NULL;
+ 	int bits, src_bits;
++	int count = 0;
++	Uint8 ch;
+ 
+ 	if ( !src ) {
+ 		/* The error message has been set in SDL_RWFromFile */
+@@ -127,37 +129,37 @@ SDL_Surface *IMG_LoadPCX_RW(SDL_RWops *s
+ 		bits = 8;
+ 	} else if(pcxh.BitsPerPixel == 8 && pcxh.NPlanes == 3) {
+ 		bits = 24;
+-		if ( SDL_BYTEORDER == SDL_LIL_ENDIAN ) {
+-			Rmask = 0x000000FF;
+-			Gmask = 0x0000FF00;
+-			Bmask = 0x00FF0000;
+-		} else {
+-			Rmask = 0xFF0000;
+-			Gmask = 0x00FF00;
+-			Bmask = 0x0000FF;
+-		}
++#if SDL_BYTEORDER == SDL_LIL_ENDIAN
++		Rmask = 0x000000FF;
++		Gmask = 0x0000FF00;
++		Bmask = 0x00FF0000;
++#else
++		Rmask = 0xFF0000;
++		Gmask = 0x00FF00;
++		Bmask = 0x0000FF;
++#endif
+ 	} else {
+ 		error = "unsupported PCX format";
+ 		goto done;
+ 	}
+ 	surface = SDL_AllocSurface(SDL_SWSURFACE, width, height,
+ 				   bits, Rmask, Gmask, Bmask, Amask);
+-	if ( surface == NULL )
++	if ( surface == NULL ) {
+ 		goto done;
++	}
+ 
+ 	bpl = pcxh.NPlanes * pcxh.BytesPerLine;
+-	if (bpl > surface->pitch) {
+-		error = "bytes per line is too large (corrupt?)";
++	buf = (Uint8 *)calloc(bpl, 1);
++	if (!buf) {
++		error = "Out of memory";
++		goto done;
+ 	}
+-	buf = malloc(bpl);
+-	row = surface->pixels;
++	row = (Uint8 *)surface->pixels;
+ 	for ( y=0; y<surface->h; ++y ) {
+ 		/* decode a scan line to a temporary buffer first */
+-		int i, count = 0;
+-		Uint8 ch;
+-		Uint8 *dst = (src_bits == 8) ? row : buf;
++		int i;
+ 		if ( pcxh.Encoding == 0 ) {
+-			if(!SDL_RWread(src, dst, bpl, 1)) {
++			if(!SDL_RWread(src, buf, bpl, 1)) {
+ 				error = "file truncated";
+ 				goto done;
+ 			}
+@@ -168,46 +170,54 @@ SDL_Surface *IMG_LoadPCX_RW(SDL_RWops *s
+ 						error = "file truncated";
+ 						goto done;
+ 					}
+-					if( (ch & 0xc0) == 0xc0) {
+-						count = ch & 0x3f;
++					if (ch < 0xc0) {
++						count = 1;
++					} else {
++						count = ch - 0xc0;
+ 						if(!SDL_RWread(src, &ch, 1, 1)) {
+ 							error = "file truncated";
+ 							goto done;
+ 						}
+-					} else
+-						count = 1;
++					}
+ 				}
+-				dst[i] = ch;
++				buf[i] = ch;
+ 				count--;
+ 			}
+ 		}
+ 
+ 		if(src_bits <= 4) {
+ 			/* expand planes to 1 byte/pixel */
+-			Uint8 *src = buf;
++			Uint8 *innerSrc = buf;
+ 			int plane;
+ 			for(plane = 0; plane < pcxh.NPlanes; plane++) {
+-				int i, j, x = 0;
+-				for(i = 0; i < pcxh.BytesPerLine; i++) {
+-					Uint8 byte = *src++;
+-					for(j = 7; j >= 0; j--) {
+-						unsigned bit = (byte >> j) & 1;
++				int j, k, x = 0;
++				for(j = 0; j < pcxh.BytesPerLine; j++) {
++					Uint8 byte = *innerSrc++;
++					for(k = 7; k >= 0; k--) {
++						unsigned bit = (byte >> k) & 1;
+ 						/* skip padding bits */
+-						if (i * 8 + j >= width)
++						if (j * 8 + k >= width)
+ 							continue;
+ 						row[x++] |= bit << plane;
+ 					}
+ 				}
+ 			}
++		} else if(src_bits == 8) {
++			/* Copy the row directly */
++			memcpy(row, buf, SDL_min(width, bpl));
+  		} else if(src_bits == 24) {
+ 			/* de-interlace planes */
+-			Uint8 *src = buf;
++			Uint8 *innerSrc = buf;
+ 			int plane;
+ 			for(plane = 0; plane < pcxh.NPlanes; plane++) {
+ 				int x;
+-				dst = row + plane;
++				Uint8 *dst = row + plane;
+ 				for(x = 0; x < width; x++) {
+-					*dst = *src++;
++					if (dst >= row+surface->pitch) {
++						error = "decoding out of bounds (corrupt?)";
++						goto done;
++					}
++					*dst = *innerSrc++;
+ 					dst += pcxh.NPlanes;
+ 				}
+ 			}
+@@ -227,8 +237,9 @@ SDL_Surface *IMG_LoadPCX_RW(SDL_RWops *s
+ 			/* look for a 256-colour palette */
+ 			do {
+ 				if ( !SDL_RWread(src, &ch, 1, 1)) {
+-					error = "file truncated";
+-					goto done;
++					/* Couldn't find the palette, try the end of the file */
++					SDL_RWseek(src, -768, RW_SEEK_END);
++					break;
+ 				}
+ 			} while ( ch != 12 );
+ 
diff --git a/graphics/SDL_image/patches/patch-IMG__xpm.c b/graphics/SDL_image/patches/patch-IMG__xpm.c
new file mode 100644
index 00000000000..35fed5b0f1d
--- /dev/null
+++ b/graphics/SDL_image/patches/patch-IMG__xpm.c
@@ -0,0 +1,130 @@
+$NetBSD: patch-IMG__xpm.c,v 1.1 2020/05/14 16:08:07 nia Exp $
+
+Various sanity fixes from upstream preventing potential
+security problems.
+
+--- IMG_xpm.c.orig	2012-01-21 01:51:33.000000000 +0000
++++ IMG_xpm.c
+@@ -106,7 +106,7 @@ static struct color_hash *create_colorha
+ 
+ 	/* we know how many entries we need, so we can allocate
+ 	   everything here */
+-	hash = malloc(sizeof *hash);
++	hash = (struct color_hash *)calloc(1, sizeof(*hash));
+ 	if(!hash)
+ 		return NULL;
+ 
+@@ -115,15 +115,32 @@ static struct color_hash *create_colorha
+ 		;
+ 	hash->size = s;
+ 	hash->maxnum = maxnum;
++
+ 	bytes = hash->size * sizeof(struct hash_entry **);
+-	hash->entries = NULL;	/* in case malloc fails */
+-	hash->table = malloc(bytes);
+-	if(!hash->table)
++	/* Check for overflow */
++	if ((bytes / sizeof(struct hash_entry **)) != hash->size) {
++		IMG_SetError("memory allocation overflow");
++		free(hash);
++		return NULL;
++	}
++	hash->table = (struct hash_entry **)calloc(1, bytes);
++	if(!hash->table) {
++		free(hash);
++		return NULL;
++	}
++
++	bytes = maxnum * sizeof(struct hash_entry);
++	/* Check for overflow */
++	if ((bytes / sizeof(struct hash_entry)) != maxnum) {
++		IMG_SetError("memory allocation overflow");
++		free(hash->table);
++		free(hash);
+ 		return NULL;
+-	memset(hash->table, 0, bytes);
+-	hash->entries = malloc(maxnum * sizeof(struct hash_entry));
++	}
++	hash->entries = (struct hash_entry *)calloc(1, bytes);
+ 	if(!hash->entries) {
+ 		free(hash->table);
++		free(hash);
+ 		return NULL;
+ 	}
+ 	hash->next_free = hash->entries;
+@@ -158,7 +175,7 @@ static Uint32 get_colorhash(struct color
+ 
+ static void free_colorhash(struct color_hash *hash)
+ {
+-	if(hash && hash->table) {
++	if(hash) {
+ 		free(hash->table);
+ 		free(hash->entries);
+ 		free(hash);
+@@ -262,7 +279,7 @@ static char *get_next_line(char ***lines
+ 			len += 4;	/* "\",\n\0" */
+ 			if(len > buflen){
+ 				buflen = len;
+-				linebufnew = realloc(linebuf, buflen);
++				linebufnew = (char *)realloc(linebuf, buflen);
+ 				if(!linebufnew) {
+ 					free(linebuf);
+ 					error = "Out of memory";
+@@ -282,7 +299,7 @@ static char *get_next_line(char ***lines
+ 					if(buflen == 0)
+ 						buflen = 16;
+ 					buflen *= 2;
+-					linebufnew = realloc(linebuf, buflen);
++					linebufnew = (char *)realloc(linebuf, buflen);
+ 					if(!linebufnew) {
+ 						free(linebuf);
+ 						error = "Out of memory";
+@@ -359,7 +376,12 @@ static SDL_Surface *load_xpm(char **xpm,
+ 		goto done;
+ 	}
+ 
+-	keystrings = malloc(ncolors * cpp);
++	/* Check for allocation overflow */
++	if ((size_t)(ncolors * cpp)/cpp != ncolors) {
++		error = "Invalid color specification";
++		goto done;
++	}
++	keystrings = (char *)malloc(ncolors * cpp);
+ 	if(!keystrings) {
+ 		error = "Out of memory";
+ 		goto done;
+@@ -426,8 +448,9 @@ static SDL_Surface *load_xpm(char **xpm,
+ 				c->g = (Uint8)(rgb >> 8);
+ 				c->b = (Uint8)(rgb);
+ 				pixel = index;
+-			} else
++			} else {
+ 				pixel = rgb;
++			}
+ 			add_colorhash(colors, nextkey, cpp, pixel);
+ 			nextkey += cpp;
+ 			if(rgb == 0xffffffff)
+@@ -438,9 +461,11 @@ static SDL_Surface *load_xpm(char **xpm,
+ 
+ 	/* Read the pixels */
+ 	pixels_len = w * cpp;
+-	dst = image->pixels;
++	dst = (Uint8 *)image->pixels;
+ 	for(y = 0; y < h; y++) {
+ 		line = get_next_line(xpmlines, src, pixels_len);
++		if (!line)
++			goto done;
+ 		if(indexed) {
+ 			/* optimization for some common cases */
+ 			if(cpp == 1)
+@@ -489,6 +514,10 @@ SDL_Surface *IMG_LoadXPM_RW(SDL_RWops *s
+ 
+ SDL_Surface *IMG_ReadXPMFromArray(char **xpm)
+ {
++	if ( !xpm ) {
++		IMG_SetError("array is NULL");
++		return NULL;
++	}
+ 	return load_xpm(xpm, NULL);
+ }
+ 
-- 
cgit v1.2.3