From f39cc4a76fb62bedd5c496cbc5e5893066fc79e6 Mon Sep 17 00:00:00 2001
From: Francesco Colista
Date: Wed, 18 Sep 2019 10:45:55 +0000
Subject: main/sdl2_image: security upgrade to 2.0.5.

This upgrade fixed the following CVE's:
CVE-2019-5060 (TALOS-2019-0844)
CVE-2019-5059 (TALOS-2019-0843)
CVE-2019-5058 (TALOS-2019-0842)
CVE-2019-5057 (TALOS-2019-0841)
CVE-2019-5052 (TALOS-2019-0821)
CVE-2019-5051 (TALOS-2019-0820)
CVE-2019-12222
CVE-2019-12221
CVE-2019-12219
CVE-2019-12218
CVE-2019-12217
---
main/sdl2_image/APKBUILD | 41 ++++++++++---------------
main/sdl2_image/CVE-2017-12122.patch | 51 -------------------------------
main/sdl2_image/CVE-2017-14440.patch | 23 --------------
main/sdl2_image/CVE-2017-14441.patch | 26 ----------------
main/sdl2_image/CVE-2017-14442.patch | 24 ---------------
main/sdl2_image/CVE-2017-14448.patch | 59 ------------------------------------
main/sdl2_image/CVE-2017-14450.patch | 25 ---------------
main/sdl2_image/CVE-2017-2887.patch | 25 ---------------
main/sdl2_image/CVE-2018-3837.patch | 21 -------------
main/sdl2_image/CVE-2018-3838.patch | 40 ------------------------
main/sdl2_image/CVE-2018-3839.patch | 31 -------------------
11 files changed, 16 insertions(+), 350 deletions(-)
delete mode 100644 main/sdl2_image/CVE-2017-12122.patch
delete mode 100644 main/sdl2_image/CVE-2017-14440.patch
delete mode 100644 main/sdl2_image/CVE-2017-14441.patch
delete mode 100644 main/sdl2_image/CVE-2017-14442.patch
delete mode 100644 main/sdl2_image/CVE-2017-14448.patch
delete mode 100644 main/sdl2_image/CVE-2017-14450.patch
delete mode 100644 main/sdl2_image/CVE-2017-2887.patch
delete mode 100644 main/sdl2_image/CVE-2018-3837.patch
delete mode 100644 main/sdl2_image/CVE-2018-3838.patch
delete mode 100644 main/sdl2_image/CVE-2018-3839.patch
diff --git a/main/sdl2_image/APKBUILD b/main/sdl2_image/APKBUILD
index 64c70f9116..6023ff887b 100644
--- a/main/sdl2_image/APKBUILD
+++ b/main/sdl2_image/APKBUILD
@@ -1,8 +1,8 @@ # Contributor: Francesco Colista # Maintainer: Francesco Colista pkgname=sdl2_image -pkgver=2.0.2 -pkgrel=1 +pkgver=2.0.5 +pkgrel=0 _pkgname=SDL2_image pkgdesc="A simple library to load images of various formats as SDL surfaces" url="http://www.libsdl.org/projects/SDL_image/" @@ -11,22 +11,22 @@ license="zlib" makedepends="sdl2-dev libpng-dev libjpeg-turbo-dev libwebp-dev tiff-dev zlib-dev" subpackages="$pkgname-dev" -source="http://www.libsdl.org/projects/SDL_image/release/$_pkgname-$pkgver.tar.gz - CVE-2017-12122.patch - CVE-2017-14440.patch - CVE-2017-14441.patch - CVE-2017-14442.patch - CVE-2017-14448.patch - CVE-2017-14450.patch - CVE-2018-3837.patch - CVE-2018-3838.patch - CVE-2018-3839.patch -" - +source="http://www.libsdl.org/projects/SDL_image/release/$_pkgname-$pkgver.tar.gz" builddir="$srcdir/$_pkgname-$pkgver" # secfixes: -# +# 2.0.5-r0: +# - CVE-2019-5060 TALOS-2019-0844 +# - CVE-2019-5059 TALOS-2019-0843 +# - CVE-2019-5058 TALOS-2019-0842 +# - CVE-2019-5057 TALOS-2019-0841 +# - CVE-2019-5052 TALOS-2019-0821 +# - CVE-2019-5051 TALOS-2019-0820 +# - CVE-2019-12222 +# - CVE-2019-12221 +# - CVE-2019-12219 +# - CVE-2019-12218 +# - CVE-2019-12217 # 2.0.2-r1: # - CVE-2017-12122 TALOS-2017-0488 # - CVE-2017-14440 TALOS-2017-0489 
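Review bot: The rewritten `source=` line in the second APKBUILD hunk still downloads the release tarball over plain `http://`, and with the local patches gone that archive is the only input to the build. The `sha512sums` entry replaced in the last hunk pins the archive for later builds, but the commit does not say whether the new hash was checked against anything other than the same cleartext download. If upstream serves the release directory over TLS, the line should read `source="https://www.libsdl.org/projects/SDL_image/release/$_pkgname-$pkgver.tar.gz"` (the `url=` context line uses the same scheme). The description could also state that the dropped CVE-2017/CVE-2018 patches were confirmed to be contained in 2.0.5, because the `2.0.2-r1` secfixes entries that remain below the hunk still advertise those fixes.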
@@ -63,13 +63,4 @@ package() { make DESTDIR="$pkgdir" install } -sha512sums="468f1a5aaee0b6920adb80df21aaaa41bfc5c642b4a00ac60244a90c5e9f27b092b73bcdd2c5520aa1de2759e8b174686b186a51f2d07e7e188ce2cd10519724 SDL2_image-2.0.2.tar.gz -1c3c713af1b3d1996a226741fa0e053e76aee4355c5dfeb9d727b0af016c73760c63907547a11de2d3bb1f23fcbfe5265317d20d54baf10ec8e0cdd25e2370ec CVE-2017-12122.patch -0527bcb0113d09a935f694192f864457f3d86c2d69ef7bc89036544756ab23c32e5b30e526190b1642f8d0a531c9dd52eaeca9605320578168932d98bb4badea CVE-2017-14440.patch -6455c44fa0727b91fef53bca887b86fc8ae4652ef13ffcb305d86405fba7d2527941530eba2e87af382a05333694bfa69ea3e2c692422a0eb33ef58538ac74b1 CVE-2017-14441.patch -ac7be687db2fcea5daa0b8f8685f3b7a106bd748ba8277986515d1129b969fbdc9adb3a4836141f81f3cb51c93539339fad40c9bf132582bc977bc0e0103de83 CVE-2017-14442.patch -e483cfb17333c2f1f3513549891d6378161f70ad70876fb4a4f44e32c4b85e76503eefbb7294c2ad77ab0cb812e646466169aa2f15637ac8337aa623b328d9b9 CVE-2017-14448.patch -eec58e6fbe0a96f63a01241bb9a3b26b6dbacdd5a5fcbbae5a62a3f577d8b8ef9cf9ec60f70cec854990a16f53086f510c2adc40d345b15ce8a6412910da1a86 CVE-2017-14450.patch -59c8d73eb65d896c6ea168ac97a817f482507ae9f694c90359096160d9f0c0f584143762d848cf1d021af4a6d16d33c69ad7382b5a2bc10ee22621304420bc36 CVE-2018-3837.patch -f0a74538c70e47264f892d6b8f3280c8e45db0e0aa05fb145e4398f5c6b16636da12c66de90835015541a236c065287f715351042a79139cbd1b337b4ed0715c CVE-2018-3838.patch -09da40655972e32ee9f6498aff12d235e2137dd28e1f3e0fa858d22ee7b228602400b9ce1b40cbf8ec447bf0a07c3c2bd9cf4bcecea0d8360aa5c606d63c53dd CVE-2018-3839.patch" +sha512sums="77e743d3f32707e015b290c1379ae3c7d7a3fe265995713267f0d0ec6517de4808f0de9890b5ab28445941af5bc9fbff346620629e0d7d7e9f365262cab05ee7 SDL2_image-2.0.5.tar.gz" diff --git a/main/sdl2_image/CVE-2017-12122.patch b/main/sdl2_image/CVE-2017-12122.patch deleted file mode 100644 index 9c2f33b170..0000000000 --- a/main/sdl2_image/CVE-2017-12122.patch +++ /dev/null 
@@ -1,51 +0,0 @@ -diff -r 3e1ebbbaba54 -r 16772bbb1b09 IMG_lbm.c ---- a/IMG_lbm.c Wed Jan 24 01:43:46 2018 -0500 -+++ b/IMG_lbm.c Wed Jan 24 01:44:36 2018 -0500 -@@ -245,7 +245,7 @@ - goto done; - } - -- if ( ( Image = SDL_CreateRGBSurface( SDL_SWSURFACE, width, bmhd.h, (bmhd.planes==24 || flagHAM==1)?24:8, 0, 0, 0, 0 ) ) == NULL ) -+ if ( ( Image = SDL_CreateRGBSurface( SDL_SWSURFACE, width, bmhd.h, (nbplanes==24 || flagHAM==1)?24:8, 0, 0, 0, 0 ) ) == NULL ) - goto done; - - if ( bmhd.mask & 2 ) /* There is a transparent color */ -@@ -272,7 +272,7 @@ - /* The 32 last colors are the same but divided by 2 */ - /* Some Amiga pictures save 64 colors with 32 last wrong colors, */ - /* they shouldn't !, and here we overwrite these 32 bad colors. */ -- if ( (nbcolors==32 || flagEHB ) && (1< (1< (1< -# Date 1516813224 18000 -# Node ID bfa08dc02b3c7b265ead6019f901f17f925570c3 -# Parent 97f7f01e0665b7555a0e5e9465799e80c8f59528 -lbm: Don't overflow static colormap buffer. - -diff -r 97f7f01e0665 -r bfa08dc02b3c IMG_lbm.c ---- a/IMG_lbm.c Wed Jan 24 01:45:04 2018 -0500 -+++ b/IMG_lbm.c Wed Jan 24 12:00:24 2018 -0500 -@@ -183,6 +183,11 @@ - - if ( !SDL_memcmp( id, "CMAP", 4 ) ) /* palette ( Color Map ) */ - { -+ if (size > sizeof (colormap)) { -+ error="colormap size is too large"; -+ goto done; -+ } -+ - if ( !SDL_RWread( src, &colormap, size, 1 ) ) - { - error="error reading CMAP chunk"; - diff --git a/main/sdl2_image/CVE-2017-14441.patch b/main/sdl2_image/CVE-2017-14441.patch deleted file mode 100644 index 19c30bbf99..0000000000 --- a/main/sdl2_image/CVE-2017-14441.patch +++ /dev/null 
@@ -1,26 +0,0 @@ -# HG changeset patch -# User Ryan C. Gordon -# Date 1516816924 18000 -# Node ID a1e9b624ca1033f893e93691802682bf36400f7a -# Parent bfa08dc02b3c7b265ead6019f901f17f925570c3 -ico: reject obviously incorrect image sizes. - -diff -r bfa08dc02b3c -r a1e9b624ca10 IMG_bmp.c ---- a/IMG_bmp.c Wed Jan 24 12:00:24 2018 -0500 -+++ b/IMG_bmp.c Wed Jan 24 13:02:04 2018 -0500 -@@ -735,6 +735,14 @@ - goto done; - } - -+ /* sanity check image size, so we don't overflow integers, etc. */ -+ if ((biWidth < 0) || (biWidth > 0xFFFFFF) || -+ (biHeight < 0) || (biHeight > 0xFFFFFF)) { -+ IMG_SetError("Unsupported or invalid ICO dimensions"); -+ was_error = SDL_TRUE; -+ goto done; -+ } -+ - /* Create a RGBA surface */ - biHeight = biHeight >> 1; - //printf("%d x %d\n", biWidth, biHeight); - diff --git a/main/sdl2_image/CVE-2017-14442.patch b/main/sdl2_image/CVE-2017-14442.patch deleted file mode 100644 index 6fa4524b40..0000000000 --- a/main/sdl2_image/CVE-2017-14442.patch +++ /dev/null @@ -1,24 +0,0 @@ - -# HG changeset patch -# User Ryan C. Gordon -# Date 1516817527 18000 -# Node ID 37445f6180a8ca7a218ab9f9eaaeaf088b4f6c3a -# Parent a1e9b624ca1033f893e93691802682bf36400f7a -bmp: don't overflow palette buffer with bogus biClrUsed values. - -diff -r a1e9b624ca10 -r 37445f6180a8 IMG_bmp.c ---- a/IMG_bmp.c Wed Jan 24 13:02:04 2018 -0500 -+++ b/IMG_bmp.c Wed Jan 24 13:12:07 2018 -0500 -@@ -760,6 +760,11 @@ - if (biClrUsed == 0) { - biClrUsed = 1 << biBitCount; - } -+ if (biClrUsed > SDL_arraysize(palette)) { -+ IMG_SetError("Unsupported or incorrect biClrUsed field"); -+ was_error = SDL_TRUE; -+ goto done; -+ } - for (i = 0; i < (int) biClrUsed; ++i) { - SDL_RWread(src, &palette[i], 4, 1); - } - diff --git a/main/sdl2_image/CVE-2017-14448.patch b/main/sdl2_image/CVE-2017-14448.patch deleted file mode 100644 index 6b02f74316..0000000000 --- a/main/sdl2_image/CVE-2017-14448.patch +++ /dev/null 
@@ -1,59 +0,0 @@ - -# HG changeset patch -# User Ryan C. Gordon -# Date 1517092075 18000 -# Node ID 7df1580f1695d327c1c4580dccbf7ca6da5aed9e -# Parent 37445f6180a8ca7a218ab9f9eaaeaf088b4f6c3a -xcf: deal with bogus data in rle tile decoding. - -diff -r 37445f6180a8 -r 7df1580f1695 IMG_xcf.c ---- a/IMG_xcf.c Wed Jan 24 13:12:07 2018 -0500 -+++ b/IMG_xcf.c Sat Jan 27 17:27:55 2018 -0500 -@@ -486,7 +486,7 @@ - t = load = (unsigned char *) SDL_malloc (len); - reallen = SDL_RWread (src, t, 1, len); - -- data = (unsigned char *) SDL_malloc (x*y*bpp); -+ data = (unsigned char *) SDL_calloc (1, x*y*bpp); - for (i = 0; i < bpp; i++) { - d = data + i; - size = x*y; -@@ -503,6 +503,12 @@ - t += 2; - } - -+ if (((size_t) (t - load) + length) >= len) { -+ break; /* bogus data */ -+ } else if (length > size) { -+ break; /* bogus data */ -+ } -+ - count += length; - size -= length; - -@@ -518,6 +524,12 @@ - t += 2; - } - -+ if (((size_t) (t - load)) >= len) { -+ break; /* bogus data */ -+ } else if (length > size) { -+ break; /* bogus data */ -+ } -+ - count += length; - size -= length; - -@@ -529,6 +541,11 @@ - } - } - } -+ -+ if (size > 0) { -+ break; /* just drop out, untouched data initialized to zero. */ -+ } -+ - } - - SDL_free (load); - diff --git a/main/sdl2_image/CVE-2017-14450.patch b/main/sdl2_image/CVE-2017-14450.patch deleted file mode 100644 index c7feeb7f8c..0000000000 --- a/main/sdl2_image/CVE-2017-14450.patch +++ /dev/null 
@@ -1,25 +0,0 @@ - -# HG changeset patch -# User Ryan C. Gordon -# Date 1517113689 18000 -# Node ID 45e750f92c843dccea0820d86726e9cf1d524392 -# Parent d0142861559ccd4fde994fbd33c34fbdee25f84c -gif: report error on bogus LWZ data, instead of overflowing a buffer. - -diff -r d0142861559c -r 45e750f92c84 IMG_gif.c ---- a/IMG_gif.c Sat Jan 27 22:50:18 2018 -0500 -+++ b/IMG_gif.c Sat Jan 27 23:28:09 2018 -0500 -@@ -497,8 +497,10 @@ - return -3; - } - *sp++ = table[1][code]; -- if (code == table[0][code]) -- RWSetMsg("circular table entry BIG ERROR"); -+ if (code == table[0][code]) { -+ RWSetMsg("circular table entry BIG ERROR"); -+ return -3; -+ } - code = table[0][code]; - } - - diff --git a/main/sdl2_image/CVE-2017-2887.patch b/main/sdl2_image/CVE-2017-2887.patch deleted file mode 100644 index 8b4d0c571c..0000000000 --- a/main/sdl2_image/CVE-2017-2887.patch +++ /dev/null @@ -1,25 +0,0 @@ ---- a/IMG_xcf.c Mon Sep 18 16:10:17 2017 -0700 -+++ b/IMG_xcf.c Fri Oct 06 15:40:19 2017 -0700 -@@ -251,6 +251,7 @@ - } - - static void xcf_read_property (SDL_RWops * src, xcf_prop * prop) { -+ Uint32 len; - prop->id = SDL_ReadBE32 (src); - prop->length = SDL_ReadBE32 (src); - -@@ -274,7 +275,12 @@ - break; - case PROP_COMPRESSION: - case PROP_COLOR: -- SDL_RWread (src, &prop->data, prop->length, 1); -+ if (prop->length > sizeof(prop->data)) { -+ len = sizeof(prop->data); -+ } else { -+ len = prop->length; -+ } -+ SDL_RWread(src, &prop->data, len, 1); - break; - case PROP_VISIBLE: - prop->data.visible = SDL_ReadBE32 (src); - diff --git a/main/sdl2_image/CVE-2018-3837.patch b/main/sdl2_image/CVE-2018-3837.patch deleted file mode 100644 index 823a2b9cbc..0000000000 --- a/main/sdl2_image/CVE-2018-3837.patch +++ /dev/null 
@@ -1,21 +0,0 @@ - -# HG changeset patch -# User Ryan C. Gordon -# Date 1518036231 18000 -# Node ID 2938fc80591abeae74b971cbdf966eff3213297e -# Parent f50c9c46ba52f5a594313774a938844e5cf82b4d -pcx: don't overflow buffer if bytes-per-line is less than image width. - -diff -r f50c9c46ba52 -r 2938fc80591a IMG_pcx.c ---- a/IMG_pcx.c Sun Jan 28 22:10:40 2018 -0800 -+++ b/IMG_pcx.c Wed Feb 07 15:43:51 2018 -0500 -@@ -147,7 +147,7 @@ - if (bpl > surface->pitch) { - error = "bytes per line is too large (corrupt?)"; - } -- buf = (Uint8 *)SDL_malloc(bpl); -+ buf = (Uint8 *)SDL_calloc(SDL_max(bpl, surface->pitch), 1); - row = (Uint8 *)surface->pixels; - for ( y=0; yh; ++y ) { - /* decode a scan line to a temporary buffer first */ - diff --git a/main/sdl2_image/CVE-2018-3838.patch b/main/sdl2_image/CVE-2018-3838.patch deleted file mode 100644 index b0e89b804b..0000000000 --- a/main/sdl2_image/CVE-2018-3838.patch +++ /dev/null @@ -1,40 +0,0 @@ - -# HG changeset patch -# User Ryan C. Gordon -# Date 1518038334 18000 -# Node ID c5f9cbb5d2bbcb2150ba0596ea56b49efeed660d -# Parent 2938fc80591abeae74b971cbdf966eff3213297e -xcf: Prevent infinite loop and/or buffer overflow on bogus data. - -diff -r 2938fc80591a -r c5f9cbb5d2bb IMG_xcf.c ---- a/IMG_xcf.c Wed Feb 07 15:43:51 2018 -0500 -+++ b/IMG_xcf.c Wed Feb 07 16:18:54 2018 -0500 -@@ -483,6 +483,10 @@ - int i, size, count, j, length; - unsigned char val; - -+ if (len == 0) { /* probably bogus data. */ -+ return NULL; -+ } -+ - t = load = (unsigned char *) SDL_malloc (len); - reallen = SDL_RWread (src, t, 1, len); - -@@ -608,6 +612,16 @@ - tile = load_tile(src, ox * oy * 6, hierarchy->bpp, ox, oy); - } - -+ if (!tile) { -+ if (hierarchy) { -+ free_xcf_hierarchy(hierarchy); -+ } -+ if (level) { -+ free_xcf_level(level); -+ } -+ return 1; -+ } -+ - p8 = tile; - p16 = (Uint16 *) p8; - p = (Uint32 *) p8; - 
diff --git a/main/sdl2_image/CVE-2018-3839.patch b/main/sdl2_image/CVE-2018-3839.patch deleted file mode 100644 index 86370cbc4c..0000000000 --- a/main/sdl2_image/CVE-2018-3839.patch +++ /dev/null @@ -1,31 +0,0 @@ - -# HG changeset patch -# User Ryan C. Gordon -# Date 1518038991 18000 -# Node ID fb643e371806910f1973abfdfe7f981e8dba60f5 -# Parent c5f9cbb5d2bbcb2150ba0596ea56b49efeed660d -xcf: check for some potential integer overflows. - -diff -r c5f9cbb5d2bb -r fb643e371806 IMG_xcf.c ---- a/IMG_xcf.c Wed Feb 07 16:18:54 2018 -0500 -+++ b/IMG_xcf.c Wed Feb 07 16:29:51 2018 -0500 -@@ -595,6 +595,18 @@ - SDL_RWseek(src, layer->hierarchy_file_offset, RW_SEEK_SET); - hierarchy = read_xcf_hierarchy(src); - -+ if (hierarchy->bpp > 4) { /* unsupported. */ -+ SDL_Log("Unknown Gimp image bpp (%u)\n", (unsigned int) hierarchy->bpp); -+ free_xcf_hierarchy(hierarchy); -+ return 1; -+ } -+ -+ if ((hierarchy->width > 20000) || (hierarchy->height > 20000)) { /* arbitrary limit to avoid integer overflow. */ -+ SDL_Log("Gimp image too large (%ux%u)\n", (unsigned int) hierarchy->width, (unsigned int) hierarchy->height); -+ free_xcf_hierarchy(hierarchy); -+ return 1; -+ } -+ - level = NULL; - for (i = 0; hierarchy->level_file_offsets[i]; i++) { - SDL_RWseek(src, hierarchy->level_file_offsets[i], RW_SEEK_SET); - -- cgit v1.2.3