sdl-1.2.15-13.parabola1: rebuild

14 files changed, 1007 insertions, 11 deletions

diff --git a/libre/sdl/PKGBUILD b/libre/sdl/PKGBUILD
index 7fc3cb0fb..e5b177193 100644
--- a/libre/sdl/PKGBUILD
+++ b/libre/sdl/PKGBUILD
@@ -8,9 +8,10 @@
 
 pkgname=sdl
 pkgver=1.2.15
-pkgrel=10
-pkgrel+=.par1
-pkgdesc="A library for portable low-level access to a video framebuffer, audio output, mouse, and keyboard, without nonfree riva_mmio.h file"
+pkgrel=13
+pkgrel+=.parabola1
+pkgdesc="A library for portable low-level access to a video framebuffer, audio output, mouse, and keyboard"
+pkgdesc+=", without nonfree riva_mmio.h file"
 arch=('x86_64')
 arch+=('i686' 'armv7h')
 url="https://www.libsdl.org"
@@ -22,8 +23,7 @@ makedepends=('alsa-lib' 'mesa' 'libpulse' 'glu')
 optdepends=('alsa-lib: ALSA audio driver'
             'libpulse: PulseAudio audio driver')
 options=('staticlibs')
-mksource=(https://www.libsdl.org/release/SDL-${pkgver}.tar.gz)
-source=(https://repo.parabola.nu/other/${pkgname}-libre/SDL-libre-${pkgver}.tar.gz
+source=(https://www.libsdl.org/release/SDL-${pkgver}.tar.gz{,.sig}
         SDL-1.2.10-GrabNotViewable.patch
         SDL-1.2.15-SDL_EnableUNICODE_drops_keyboard_events.patch
         SDL-1.2.15-const_XData32.patch
@@ -34,9 +34,22 @@ source=(https://repo.parabola.nu/other/${pkgname}-libre/SDL-libre-${pkgver}.tar.
         sdl-1.2.14-disable-mmx.patch
         libsdl-1.2.15-resizing.patch
         X11_KeyToUnicode.patch
+	SDL-1.2.15-CVE-2019-13616-validate_image_size_when_loading_BMP_files.patch
+	SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch
+	SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch
+	SDL-1.2.15-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch
+	SDL-1.2.15-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch
+	SDL-1.2.15-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch
+	SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch
+	SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch
+	SDL-1.2.15-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch
+	SDL-1.2.15-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch
+	SDL-1.2.15-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch
+	SDL-1.2.15-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch
+	SDL-1.2.15-Reject-2-3-5-6-7-bpp-BMP-images.patch
         libre.patch)
-mksha256sums=('d6d316a793e5e348155f0dd93b979798933fb98aa1edebcc108829d6474aad00')
-sha256sums=('806485cf92574ce883480b7f010aeb1b27c7e325c6c1e799f6cdc950df10da8a'
+sha256sums=('d6d316a793e5e348155f0dd93b979798933fb98aa1edebcc108829d6474aad00'
+            'SKIP'
             'ea2042b8a45a083b1447d5c56e52b23b79f2ddb0d717ec7b287b34ef71bd2d1a'
             '292046466d52a2ebe995a0121404864e4ee0de2b6024203acb95bbd600844da0'
             'bab60b515a74b71650ee71d5a0075c77046a7bad48b061673c3798dbdd35446d'
@@ -47,15 +60,26 @@ sha256sums=('806485cf92574ce883480b7f010aeb1b27c7e325c6c1e799f6cdc950df10da8a'
             '17bb880dd2cb4922d4e3771d146660b9da8be8f1629a5cdaae7523d4a9d2bd7c'
             '5160fb1c07b04480d98d45b89a0aa6e577f2ac4c3bace0c80b251e6aca1fb4a1'
             'b1ad9c60829b166e6b647006d6549ea657155e755cf574fcfc4b91b658654769'
+            '95ddeff25c9f5ea4f828c90073852218a3c8ecfcd4da4f3a7f6ea54e3e5c2086'
+            '3f05fcccfa7f3474572955d0cbcfc931da57e3da450fc5c5803c837c38fd6e17'
+            'a9bd66c75e443f7875d044518b5960386c549aa1c0592364aee1240a6e0867a5'
+            'f4cd391a5df211a5d3558f5ec03b9f413533398f44feca86a30a8acc90e63402'
+            '0293e56873929d817950e272ebfd6735c8d5b896d0a59b2d7be09107dac7e85b'
+            'be4cadd1b028e8b14ee4e4413aeffd98ff2ad1e66a7c75c8bdb04bfd08b9372a'
+            '335b5b1c44229ac90318dae36a98731332f417c2d71d449385e6ab013f25efdb'
+            '0371bcdba4e89055be62a76421052d7bd5fbf40c0f0e3d9c29fc5d21686f5afd'
+            '0f3691d6fc7381a4dd23216041b341102aa858b105534541dfa2843b0eccace6'
+            '358028a9d6523377c1757a58faed741e10a0a9863f9df33f21cd32668d257fed'
+            '3624f0dbe8d9bd3d553a25806237edcae5fafe714e5c4da3c5e3b281a3fbc8ae'
+            '7db8112826318de5705b54cf493060cec34e2822df2b1cd9f55891672beed64d'
+            'da87eb71c7af042bc8379f9f7cd63e57d99429774bb43524dde103718b99c533'
             '89a6d08e1d2f8cf2d144d43d0511f7da430eb4a2020acb52775de6f506e40d48')
+validpgpkeys=('1528635D8053A57F77D1E08630A59377A7763BE6') # Sam Lantinga <slouken@libsdl.org>
 
-mksource() {
+prepare() {
   cd SDL-$pkgver
   rm -v src/video/fbcon/riva_mmio.h
-}
 
-prepare() {
-  cd SDL-$pkgver
   patch -Np1 -i ../SDL-1.2.10-GrabNotViewable.patch
   patch -Np1 -i ../SDL-1.2.15-SDL_EnableUNICODE_drops_keyboard_events.patch
   patch -Np1 -i ../SDL-1.2.15-const_XData32.patch
@@ -70,6 +94,21 @@ prepare() {
   patch -Np1 -i ../libsdl-1.2.15-resizing.patch
   patch -Np1 -i ../X11_KeyToUnicode.patch
 
+  # bunch of CVE fixes from Fedora - Thanks!
+  patch -Np1 -i ../SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch
+  patch -Np1 -i ../SDL-1.2.15-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch
+  patch -Np1 -i ../SDL-1.2.15-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch
+  patch -Np1 -i ../SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch
+  patch -Np1 -i ../SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch
+  patch -Np1 -i ../SDL-1.2.15-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch
+  patch -Np1 -i ../SDL-1.2.15-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch
+  patch -Np1 -i ../SDL-1.2.15-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch
+  patch -Np1 -i ../SDL-1.2.15-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch
+  patch -Np1 -i ../SDL-1.2.15-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch
+  patch -Np1 -i ../SDL-1.2.15-CVE-2019-13616-validate_image_size_when_loading_BMP_files.patch
+  patch -Np1 -i ../SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch
+  patch -Np1 -i ../SDL-1.2.15-Reject-2-3-5-6-7-bpp-BMP-images.patch
+
   patch -Np1 -i ../libre.patch
 }
 
diff --git a/libre/sdl/SDL-1.2.15-CVE-2019-13616-validate_image_size_when_loading_BMP_files.patch b/libre/sdl/SDL-1.2.15-CVE-2019-13616-validate_image_size_when_loading_BMP_files.patch
new file mode 100644
index 000000000..13fa7860e
--- /dev/null
+++ b/libre/sdl/SDL-1.2.15-CVE-2019-13616-validate_image_size_when_loading_BMP_files.patch
@@ -0,0 +1,23 @@
+changeset:   12960:ad1bbfbca760
+branch:      SDL-1.2
+parent:      12914:87d60cae0273
+user:        Ozkan Sezer <sezeroz@gmail.com>
+date:        Tue Jul 30 21:30:24 2019 +0300
+summary:     Fixed bug 4538 - validate image size when loading BMP files
+
+diff -r 87d60cae0273 -r ad1bbfbca760 src/video/SDL_bmp.c
+--- a/src/video/SDL_bmp.c	Tue Jun 18 23:31:40 2019 +0100
++++ b/src/video/SDL_bmp.c	Tue Jul 30 21:30:24 2019 +0300
+@@ -143,6 +143,11 @@
+ 	(void) biYPelsPerMeter;
+ 	(void) biClrImportant;
+ 
++	if (biWidth <= 0 || biHeight == 0) {
++		SDL_SetError("BMP file with bad dimensions (%dx%d)", biWidth, biHeight);
++		was_error = SDL_TRUE;
++		goto done;
++	}
+ 	if (biHeight < 0) {
+ 		topDown = SDL_TRUE;
+ 		biHeight = -biHeight;
+
diff --git a/libre/sdl/SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch b/libre/sdl/SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch
new file mode 100644
index 000000000..0f242be4e
--- /dev/null
+++ b/libre/sdl/SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch
@@ -0,0 +1,59 @@
+From bb11ffcff5ae2f25bead921c2a299e7e63d8a759 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Thu, 14 Feb 2019 16:51:54 +0100
+Subject: [PATCH] CVE-2019-7572: Fix a buffer overread in IMA_ADPCM_nibble
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If an IMA ADPCM block contained an initial index out of step table
+range (loaded in IMA_ADPCM_decode()), IMA_ADPCM_nibble() blindly used
+this bogus value and that lead to a buffer overread.
+
+This patch fixes it by moving clamping the index value at the
+beginning of IMA_ADPCM_nibble() function instead of the end after
+an update.
+
+CVE-2019-7572
+https://bugzilla.libsdl.org/show_bug.cgi?id=4495
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ src/audio/SDL_wave.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
+index 2968b3d..69d62dc 100644
+--- a/src/audio/SDL_wave.c
++++ b/src/audio/SDL_wave.c
+@@ -275,6 +275,14 @@ static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble)
+ 	};
+ 	Sint32 delta, step;
+ 
++	/* Clamp index value. The inital value can be invalid. */
++	if ( state->index > 88 ) {
++		state->index = 88;
++	} else
++	if ( state->index < 0 ) {
++		state->index = 0;
++	}
++
+ 	/* Compute difference and new sample value */
+ 	step = step_table[state->index];
+ 	delta = step >> 3;
+@@ -286,12 +294,6 @@ static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble)
+ 
+ 	/* Update index value */
+ 	state->index += index_table[nybble];
+-	if ( state->index > 88 ) {
+-		state->index = 88;
+-	} else
+-	if ( state->index < 0 ) {
+-		state->index = 0;
+-	}
+ 
+ 	/* Clamp output sample */
+ 	if ( state->sample > max_audioval ) {
+-- 
+2.20.1
+
diff --git a/libre/sdl/SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch b/libre/sdl/SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch
new file mode 100644
index 000000000..2c17831df
--- /dev/null
+++ b/libre/sdl/SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch
@@ -0,0 +1,64 @@
+From 6086741bda4d43cc227500bc7645a829380e6326 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Fri, 15 Feb 2019 09:21:45 +0100
+Subject: [PATCH] CVE-2019-7572: Fix a buffer overwrite in IMA_ADPCM_decode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If data chunk was longer than expected based on a WAV format
+definition, IMA_ADPCM_decode() tried to write past the output
+buffer. This patch fixes it.
+
+Based on patch from
+<https://bugzilla.libsdl.org/show_bug.cgi?id=4496>.
+
+CVE-2019-7572
+https://bugzilla.libsdl.org/show_bug.cgi?id=4495
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ src/audio/SDL_wave.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
+index 69d62dc..91e89e8 100644
+--- a/src/audio/SDL_wave.c
++++ b/src/audio/SDL_wave.c
+@@ -336,7 +336,7 @@ static void Fill_IMA_ADPCM_block(Uint8 *decoded, Uint8 *encoded,
+ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ {
+ 	struct IMA_ADPCM_decodestate *state;
+-	Uint8 *freeable, *encoded, *encoded_end, *decoded;
++	Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end;
+ 	Sint32 encoded_len, samplesleft;
+ 	unsigned int c, channels;
+ 
+@@ -363,6 +363,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ 		return(-1);
+ 	}
+ 	decoded = *audio_buf;
++	decoded_end = decoded + *audio_len;
+ 
+ 	/* Get ready... Go! */
+ 	while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) {
+@@ -382,6 +383,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ 			}
+ 
+ 			/* Store the initial sample we start with */
++			if (decoded + 2 > decoded_end) goto invalid_size;
+ 			decoded[0] = (Uint8)(state[c].sample&0xFF);
+ 			decoded[1] = (Uint8)(state[c].sample>>8);
+ 			decoded += 2;
+@@ -392,6 +394,8 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ 		while ( samplesleft > 0 ) {
+ 			for ( c=0; c<channels; ++c ) {
+ 				if (encoded + 4 > encoded_end) goto invalid_size;
++				if (decoded + 4 * 4 * channels > decoded_end)
++					goto invalid_size;
+ 				Fill_IMA_ADPCM_block(decoded, encoded,
+ 						c, channels, &state[c]);
+ 				encoded += 4;
+-- 
+2.20.1
+
diff --git a/libre/sdl/SDL-1.2.15-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch b/libre/sdl/SDL-1.2.15-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch
new file mode 100644
index 000000000..767a3b207
--- /dev/null
+++ b/libre/sdl/SDL-1.2.15-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch
@@ -0,0 +1,83 @@
+From 3e2c89e516701f3586dfeadec13932f665371d2a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Fri, 15 Feb 2019 10:36:13 +0100
+Subject: [PATCH] CVE-2019-7573, CVE-2019-7576: Fix buffer overreads in
+ InitMS_ADPCM
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If MS ADPCM format chunk was too short, InitMS_ADPCM() parsing it
+could read past the end of chunk data. This patch fixes it.
+
+CVE-2019-7573
+https://bugzilla.libsdl.org/show_bug.cgi?id=4491
+CVE-2019-7576
+https://bugzilla.libsdl.org/show_bug.cgi?id=4490
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ src/audio/SDL_wave.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
+index 91e89e8..1d446ed 100644
+--- a/src/audio/SDL_wave.c
++++ b/src/audio/SDL_wave.c
+@@ -44,12 +44,13 @@ static struct MS_ADPCM_decoder {
+ 	struct MS_ADPCM_decodestate state[2];
+ } MS_ADPCM_state;
+ 
+-static int InitMS_ADPCM(WaveFMT *format)
++static int InitMS_ADPCM(WaveFMT *format, int length)
+ {
+-	Uint8 *rogue_feel;
++	Uint8 *rogue_feel, *rogue_feel_end;
+ 	int i;
+ 
+ 	/* Set the rogue pointer to the MS_ADPCM specific data */
++	if (length < sizeof(*format)) goto too_short;
+ 	MS_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding);
+ 	MS_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels);
+ 	MS_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency);
+@@ -58,9 +59,11 @@ static int InitMS_ADPCM(WaveFMT *format)
+ 	MS_ADPCM_state.wavefmt.bitspersample =
+ 					 SDL_SwapLE16(format->bitspersample);
+ 	rogue_feel = (Uint8 *)format+sizeof(*format);
++	rogue_feel_end = (Uint8 *)format + length;
+ 	if ( sizeof(*format) == 16 ) {
+ 		rogue_feel += sizeof(Uint16);
+ 	}
++	if (rogue_feel + 4 > rogue_feel_end) goto too_short;
+ 	MS_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1]<<8)|rogue_feel[0]);
+ 	rogue_feel += sizeof(Uint16);
+ 	MS_ADPCM_state.wNumCoef = ((rogue_feel[1]<<8)|rogue_feel[0]);
+@@ -70,12 +73,16 @@ static int InitMS_ADPCM(WaveFMT *format)
+ 		return(-1);
+ 	}
+ 	for ( i=0; i<MS_ADPCM_state.wNumCoef; ++i ) {
++		if (rogue_feel + 4 > rogue_feel_end) goto too_short;
+ 		MS_ADPCM_state.aCoeff[i][0] = ((rogue_feel[1]<<8)|rogue_feel[0]);
+ 		rogue_feel += sizeof(Uint16);
+ 		MS_ADPCM_state.aCoeff[i][1] = ((rogue_feel[1]<<8)|rogue_feel[0]);
+ 		rogue_feel += sizeof(Uint16);
+ 	}
+ 	return(0);
++too_short:
++	SDL_SetError("Unexpected length of a chunk with a MS ADPCM format");
++	return(-1);
+ }
+ 
+ static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state,
+@@ -485,7 +492,7 @@ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc,
+ 			break;
+ 		case MS_ADPCM_CODE:
+ 			/* Try to understand this */
+-			if ( InitMS_ADPCM(format) < 0 ) {
++			if ( InitMS_ADPCM(format, lenread) < 0 ) {
+ 				was_error = 1;
+ 				goto done;
+ 			}
+-- 
+2.20.1
+
diff --git a/libre/sdl/SDL-1.2.15-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch b/libre/sdl/SDL-1.2.15-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch
new file mode 100644
index 000000000..0bae80ff8
--- /dev/null
+++ b/libre/sdl/SDL-1.2.15-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch
@@ -0,0 +1,71 @@
+From 9b2eee24768889378032077423cb6a3221a8ad18 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Thu, 14 Feb 2019 15:41:47 +0100
+Subject: [PATCH] CVE-2019-7574: Fix a buffer overread in IMA_ADPCM_decode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If data chunk was shorter than expected based on a WAV format
+definition, IMA_ADPCM_decode() tried to read past the data chunk
+buffer. This patch fixes it.
+
+CVE-2019-7574
+https://bugzilla.libsdl.org/show_bug.cgi?id=4496
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ src/audio/SDL_wave.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
+index b6c49de..2968b3d 100644
+--- a/src/audio/SDL_wave.c
++++ b/src/audio/SDL_wave.c
+@@ -334,7 +334,7 @@ static void Fill_IMA_ADPCM_block(Uint8 *decoded, Uint8 *encoded,
+ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ {
+ 	struct IMA_ADPCM_decodestate *state;
+-	Uint8 *freeable, *encoded, *decoded;
++	Uint8 *freeable, *encoded, *encoded_end, *decoded;
+ 	Sint32 encoded_len, samplesleft;
+ 	unsigned int c, channels;
+ 
+@@ -350,6 +350,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ 	/* Allocate the proper sized output buffer */
+ 	encoded_len = *audio_len;
+ 	encoded = *audio_buf;
++	encoded_end = encoded + encoded_len;
+ 	freeable = *audio_buf;
+ 	*audio_len = (encoded_len/IMA_ADPCM_state.wavefmt.blockalign) * 
+ 				IMA_ADPCM_state.wSamplesPerBlock*
+@@ -365,6 +366,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ 	while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) {
+ 		/* Grab the initial information for this block */
+ 		for ( c=0; c<channels; ++c ) {
++			if (encoded + 4 > encoded_end) goto invalid_size;
+ 			/* Fill the state information for this block */
+ 			state[c].sample = ((encoded[1]<<8)|encoded[0]);
+ 			encoded += 2;
+@@ -387,6 +389,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ 		samplesleft = (IMA_ADPCM_state.wSamplesPerBlock-1)*channels;
+ 		while ( samplesleft > 0 ) {
+ 			for ( c=0; c<channels; ++c ) {
++				if (encoded + 4 > encoded_end) goto invalid_size;
+ 				Fill_IMA_ADPCM_block(decoded, encoded,
+ 						c, channels, &state[c]);
+ 				encoded += 4;
+@@ -398,6 +401,10 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ 	}
+ 	SDL_free(freeable);
+ 	return(0);
++invalid_size:
++	SDL_SetError("Unexpected chunk length for an IMA ADPCM decoder");
++	SDL_free(freeable);
++	return(-1);
+ }
+ 
+ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc,
+-- 
+2.20.1
+
diff --git a/libre/sdl/SDL-1.2.15-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch b/libre/sdl/SDL-1.2.15-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch
new file mode 100644
index 000000000..53965aa2f
--- /dev/null
+++ b/libre/sdl/SDL-1.2.15-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch
@@ -0,0 +1,84 @@
+From e1f80cadb079e35103e6eebf160a818815c823df Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Thu, 14 Feb 2019 14:51:52 +0100
+Subject: [PATCH] CVE-2019-7575: Fix a buffer overwrite in MS_ADPCM_decode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If a WAV format defines shorter audio stream and decoded MS ADPCM data chunk
+is longer, decoding continued past the output audio buffer.
+
+This fix is based on a patch from
+<https://bugzilla.libsdl.org/show_bug.cgi?id=4492>.
+
+https://bugzilla.libsdl.org/show_bug.cgi?id=4493
+CVE-2019-7575
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ src/audio/SDL_wave.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
+index e42d01c..b6c49de 100644
+--- a/src/audio/SDL_wave.c
++++ b/src/audio/SDL_wave.c
+@@ -115,7 +115,7 @@ static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state,
+ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ {
+ 	struct MS_ADPCM_decodestate *state[2];
+-	Uint8 *freeable, *encoded, *encoded_end, *decoded;
++	Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end;
+ 	Sint32 encoded_len, samplesleft;
+ 	Sint8 nybble, stereo;
+ 	Sint16 *coeff[2];
+@@ -135,6 +135,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ 		return(-1);
+ 	}
+ 	decoded = *audio_buf;
++	decoded_end = decoded + *audio_len;
+ 
+ 	/* Get ready... Go! */
+ 	stereo = (MS_ADPCM_state.wavefmt.channels == 2);
+@@ -142,7 +143,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ 	state[1] = &MS_ADPCM_state.state[stereo];
+ 	while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) {
+ 		/* Grab the initial information for this block */
+-		if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto too_short;
++		if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto invalid_size;
+ 		state[0]->hPredictor = *encoded++;
+ 		if ( stereo ) {
+ 			state[1]->hPredictor = *encoded++;
+@@ -169,6 +170,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ 		coeff[1] = MS_ADPCM_state.aCoeff[state[1]->hPredictor];
+ 
+ 		/* Store the two initial samples we start with */
++		if (decoded + 4 + (stereo ? 4 : 0) > decoded_end) goto invalid_size;
+ 		decoded[0] = state[0]->iSamp2&0xFF;
+ 		decoded[1] = state[0]->iSamp2>>8;
+ 		decoded += 2;
+@@ -190,7 +192,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ 		samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)*
+ 					MS_ADPCM_state.wavefmt.channels;
+ 		while ( samplesleft > 0 ) {
+-			if (encoded + 1 > encoded_end) goto too_short;
++			if (encoded + 1 > encoded_end) goto invalid_size;
++			if (decoded + 4 > decoded_end) goto invalid_size;
+ 
+ 			nybble = (*encoded)>>4;
+ 			new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]);
+@@ -213,8 +216,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ 	}
+ 	SDL_free(freeable);
+ 	return(0);
+-too_short:
+-	SDL_SetError("Too short chunk for a MS ADPCM decoder");
++invalid_size:
++	SDL_SetError("Unexpected chunk length for a MS ADPCM decoder");
+ 	SDL_free(freeable);
+ 	return(-1);
+ }
+-- 
+2.20.1
+
diff --git a/libre/sdl/SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch b/libre/sdl/SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch
new file mode 100644
index 000000000..23cbf9819
--- /dev/null
+++ b/libre/sdl/SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch
@@ -0,0 +1,75 @@
+From ac3d0d365b1f01a6782565feda0c7432a5795671 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Thu, 14 Feb 2019 14:12:22 +0100
+Subject: [PATCH] CVE-2019-7577: Fix a buffer overread in MS_ADPCM_decode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If RIFF/WAV data chunk length is shorter then expected for an audio
+format defined in preceeding RIFF/WAV format headers, a buffer
+overread can happen.
+
+This patch fixes it by checking a MS ADPCM data to be decoded are not
+past the initialized buffer.
+
+CVE-2019-7577
+Reproducer: https://bugzilla.libsdl.org/show_bug.cgi?id=4492
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ src/audio/SDL_wave.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
+index b4ad6c7..e42d01c 100644
+--- a/src/audio/SDL_wave.c
++++ b/src/audio/SDL_wave.c
+@@ -115,7 +115,7 @@ static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state,
+ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ {
+ 	struct MS_ADPCM_decodestate *state[2];
+-	Uint8 *freeable, *encoded, *decoded;
++	Uint8 *freeable, *encoded, *encoded_end, *decoded;
+ 	Sint32 encoded_len, samplesleft;
+ 	Sint8 nybble, stereo;
+ 	Sint16 *coeff[2];
+@@ -124,6 +124,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ 	/* Allocate the proper sized output buffer */
+ 	encoded_len = *audio_len;
+ 	encoded = *audio_buf;
++	encoded_end = encoded + encoded_len;
+ 	freeable = *audio_buf;
+ 	*audio_len = (encoded_len/MS_ADPCM_state.wavefmt.blockalign) * 
+ 				MS_ADPCM_state.wSamplesPerBlock*
+@@ -141,6 +142,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ 	state[1] = &MS_ADPCM_state.state[stereo];
+ 	while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) {
+ 		/* Grab the initial information for this block */
++		if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto too_short;
+ 		state[0]->hPredictor = *encoded++;
+ 		if ( stereo ) {
+ 			state[1]->hPredictor = *encoded++;
+@@ -188,6 +190,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ 		samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)*
+ 					MS_ADPCM_state.wavefmt.channels;
+ 		while ( samplesleft > 0 ) {
++			if (encoded + 1 > encoded_end) goto too_short;
++
+ 			nybble = (*encoded)>>4;
+ 			new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]);
+ 			decoded[0] = new_sample&0xFF;
+@@ -209,6 +213,10 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ 	}
+ 	SDL_free(freeable);
+ 	return(0);
++too_short:
++	SDL_SetError("Too short chunk for a MS ADPCM decoder");
++	SDL_free(freeable);
++	return(-1);
+ }
+ 
+ struct IMA_ADPCM_decodestate {
+-- 
+2.20.1
+
diff --git a/libre/sdl/SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch b/libre/sdl/SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch
new file mode 100644
index 000000000..06b429cb6
--- /dev/null
+++ b/libre/sdl/SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch
@@ -0,0 +1,57 @@
+From 69cd6157644cb0a5c9edd7b5920232c2ca31c151 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Tue, 12 Mar 2019 16:21:41 +0100
+Subject: [PATCH] CVE-2019-7577: Fix a buffer overread in MS_ADPCM_nibble and
+ MS_ADPCM_decode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If a chunk of RIFF/WAV file with MS ADPCM encoding contains an invalid
+predictor (a valid predictor's value is between 0 and 6 inclusive),
+a buffer overread can happen when the predictor is used as an index
+into an array of MS ADPCM coefficients.
+
+The overead happens when indexing MS_ADPCM_state.aCoeff[] array in
+MS_ADPCM_decode() and later when dereferencing a coef pointer in
+MS_ADPCM_nibble().
+
+This patch fixes it by checking the MS ADPCM predictor values fit
+into the valid range.
+
+CVE-2019-7577
+Reproducer: https://bugzilla.libsdl.org/show_bug.cgi?id=4492
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ src/audio/SDL_wave.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
+index 08f65cb..5f93651 100644
+--- a/src/audio/SDL_wave.c
++++ b/src/audio/SDL_wave.c
+@@ -155,6 +155,9 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ 		if ( stereo ) {
+ 			state[1]->hPredictor = *encoded++;
+ 		}
++		if (state[0]->hPredictor >= 7 || state[1]->hPredictor >= 7) {
++			goto invalid_predictor;
++		}
+ 		state[0]->iDelta = ((encoded[1]<<8)|encoded[0]);
+ 		encoded += sizeof(Sint16);
+ 		if ( stereo ) {
+@@ -227,6 +230,10 @@ invalid_size:
+ 	SDL_SetError("Unexpected chunk length for a MS ADPCM decoder");
+ 	SDL_free(freeable);
+ 	return(-1);
++invalid_predictor:
++	SDL_SetError("Invalid predictor value for a MS ADPCM decoder");
++	SDL_free(freeable);
++	return(-1);
+ }
+ 
+ struct IMA_ADPCM_decodestate {
+-- 
+2.20.1
+
diff --git a/libre/sdl/SDL-1.2.15-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch b/libre/sdl/SDL-1.2.15-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch
new file mode 100644
index 000000000..b0a89de20
--- /dev/null
+++ b/libre/sdl/SDL-1.2.15-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch
@@ -0,0 +1,67 @@
+From 0eb76f6cabcffa2104e34c26e0f41e6de95356ff Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Fri, 15 Feb 2019 10:56:59 +0100
+Subject: [PATCH] CVE-2019-7578: Fix a buffer overread in InitIMA_ADPCM
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If IMA ADPCM format chunk was too short, InitIMA_ADPCM() parsing it
+could read past the end of chunk data. This patch fixes it.
+
+CVE-2019-7578
+https://bugzilla.libsdl.org/show_bug.cgi?id=4494
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ src/audio/SDL_wave.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
+index 1d446ed..08f65cb 100644
+--- a/src/audio/SDL_wave.c
++++ b/src/audio/SDL_wave.c
+@@ -240,11 +240,12 @@ static struct IMA_ADPCM_decoder {
+ 	struct IMA_ADPCM_decodestate state[2];
+ } IMA_ADPCM_state;
+ 
+-static int InitIMA_ADPCM(WaveFMT *format)
++static int InitIMA_ADPCM(WaveFMT *format, int length)
+ {
+-	Uint8 *rogue_feel;
++	Uint8 *rogue_feel, *rogue_feel_end;
+ 
+ 	/* Set the rogue pointer to the IMA_ADPCM specific data */
++	if (length < sizeof(*format)) goto too_short;
+ 	IMA_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding);
+ 	IMA_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels);
+ 	IMA_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency);
+@@ -253,11 +254,16 @@ static int InitIMA_ADPCM(WaveFMT *format)
+ 	IMA_ADPCM_state.wavefmt.bitspersample =
+ 					 SDL_SwapLE16(format->bitspersample);
+ 	rogue_feel = (Uint8 *)format+sizeof(*format);
++	rogue_feel_end = (Uint8 *)format + length;
+ 	if ( sizeof(*format) == 16 ) {
+ 		rogue_feel += sizeof(Uint16);
+ 	}
++	if (rogue_feel + 2 > rogue_feel_end) goto too_short;
+ 	IMA_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1]<<8)|rogue_feel[0]);
+ 	return(0);
++too_short:
++	SDL_SetError("Unexpected length of a chunk with an IMA ADPCM format");
++	return(-1);
+ }
+ 
+ static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble)
+@@ -500,7 +506,7 @@ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc,
+ 			break;
+ 		case IMA_ADPCM_CODE:
+ 			/* Try to understand this */
+-			if ( InitIMA_ADPCM(format) < 0 ) {
++			if ( InitIMA_ADPCM(format, lenread) < 0 ) {
+ 				was_error = 1;
+ 				goto done;
+ 			}
+-- 
+2.20.1
+
diff --git a/libre/sdl/SDL-1.2.15-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch b/libre/sdl/SDL-1.2.15-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch
new file mode 100644
index 000000000..fb899d5f3
--- /dev/null
+++ b/libre/sdl/SDL-1.2.15-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch
@@ -0,0 +1,67 @@
+From beef32b0e510371f3c968d22a1e3d48abbf366c6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Tue, 19 Feb 2019 14:52:52 +0100
+Subject: [PATCH] CVE-2019-7635: Reject BMP images with pixel colors out the
+ palette
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If a 1-, 4-, or 8-bit per pixel BMP image declares less used colors
+than the palette offers an SDL_Surface with a palette of the indicated
+number of used colors is created. If some of the image's pixel
+refer to a color number higher then the maximal used colors, a subsequent
+bliting operation on the surface will look up a color past a blit map
+(that is based on the palette) memory. I.e. passing such SDL_Surface
+to e.g. an SDL_DisplayFormat() function will result in a buffer overread in
+a blit function.
+
+This patch fixes it by validing each pixel's color to be less than the
+maximal color number in the palette. A validation failure raises an
+error from a SDL_LoadBMP_RW() function.
+
+CVE-2019-7635
+https://bugzilla.libsdl.org/show_bug.cgi?id=4498
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ src/video/SDL_bmp.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c
+index 3accded..8eadc5f 100644
+--- a/src/video/SDL_bmp.c
++++ b/src/video/SDL_bmp.c
+@@ -300,6 +300,12 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc)
+ 				}
+ 				*(bits+i) = (pixel>>shift);
+ 				pixel <<= ExpandBMP;
++				if ( bits[i] >= biClrUsed ) {
++					SDL_SetError(
++						"A BMP image contains a pixel with a color out of the palette");
++					was_error = SDL_TRUE;
++					goto done;
++				}
+ 			} }
+ 			break;
+ 
+@@ -310,6 +316,16 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc)
+ 				was_error = SDL_TRUE;
+ 				goto done;
+ 			}
++			if ( 8 == biBitCount && palette && biClrUsed < (1 << biBitCount ) ) {
++				for ( i=0; i<surface->w; ++i ) {
++					if ( bits[i] >= biClrUsed ) {
++						SDL_SetError(
++							"A BMP image contains a pixel with a color out of the palette");
++						was_error = SDL_TRUE;
++						goto done;
++					}
++				}
++			}
+ #if SDL_BYTEORDER == SDL_BIG_ENDIAN
+ 			/* Byte-swap the pixels if needed. Note that the 24bpp
+ 			   case has already been taken care of above. */
+-- 
+2.20.1
+
diff --git a/libre/sdl/SDL-1.2.15-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch b/libre/sdl/SDL-1.2.15-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch
new file mode 100644
index 000000000..44197df63
--- /dev/null
+++ b/libre/sdl/SDL-1.2.15-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch
@@ -0,0 +1,209 @@
+From cc50d843089c8cf386c3e0f9cb2fae0b258a9b7b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Mon, 18 Feb 2019 13:53:16 +0100
+Subject: [PATCH] CVE-2019-7637: Fix in integer overflow in SDL_CalculatePitch
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If a too large width is passed to SDL_SetVideoMode() the width travels
+to SDL_CalculatePitch() where the width (e.g. 65535) is multiplied by
+BytesPerPixel (e.g. 4) and the result is stored into Uint16 pitch
+variable. During this arithmetics an integer overflow can happen (e.g.
+the value is clamped as 65532). As a result SDL_Surface with a pitch
+smaller than width * BytesPerPixel is created, too small pixel buffer
+is allocated and when the SDL_Surface is processed in SDL_FillRect()
+a buffer overflow occurs.
+
+This can be reproduced with "./graywin -width 21312312313123213213213"
+command.
+
+This patch fixes is by using a very careful arithmetics in
+SDL_CalculatePitch(). If an overflow is detected, an error is reported
+back as a special 0 value. We assume that 0-width surfaces do not
+occur in the wild. Since SDL_CalculatePitch() is a private function,
+we can change the semantics.
+
+CVE-2019-7637
+https://bugzilla.libsdl.org/show_bug.cgi?id=4497
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ src/video/SDL_pixels.c          | 41 +++++++++++++++++++++++++++------
+ src/video/gapi/SDL_gapivideo.c  |  3 +++
+ src/video/nanox/SDL_nxvideo.c   |  4 ++++
+ src/video/ps2gs/SDL_gsvideo.c   |  3 +++
+ src/video/ps3/SDL_ps3video.c    |  3 +++
+ src/video/windib/SDL_dibvideo.c |  3 +++
+ src/video/windx5/SDL_dx5video.c |  3 +++
+ src/video/x11/SDL_x11video.c    |  4 ++++
+ 8 files changed, 57 insertions(+), 7 deletions(-)
+
+diff --git a/src/video/SDL_pixels.c b/src/video/SDL_pixels.c
+index 1a7fd51..44626b7 100644
+--- a/src/video/SDL_pixels.c
++++ b/src/video/SDL_pixels.c
+@@ -286,26 +286,53 @@ void SDL_DitherColors(SDL_Color *colors, int bpp)
+ 	}
+ }
+ /* 
+- * Calculate the pad-aligned scanline width of a surface
++ * Calculate the pad-aligned scanline width of a surface. Return 0 in case of
++ * an error.
+  */
+ Uint16 SDL_CalculatePitch(SDL_Surface *surface)
+ {
+-	Uint16 pitch;
++	unsigned int pitch = 0;
+ 
+ 	/* Surface should be 4-byte aligned for speed */
+-	pitch = surface->w*surface->format->BytesPerPixel;
++	/* The code tries to prevent from an Uint16 overflow. */;
++	for (Uint8 byte = surface->format->BytesPerPixel; byte; byte--) {
++		pitch += (unsigned int)surface->w;
++		if (pitch < surface->w) {
++			SDL_SetError("A scanline is too wide");
++			return(0);
++		}
++	}
+ 	switch (surface->format->BitsPerPixel) {
+ 		case 1:
+-			pitch = (pitch+7)/8;
++			if (pitch % 8) {
++				pitch = pitch / 8 + 1;
++			} else {
++				pitch = pitch / 8;
++			}
+ 			break;
+ 		case 4:
+-			pitch = (pitch+1)/2;
++			if (pitch % 2) {
++				pitch = pitch / 2 + 1;
++			} else {
++				pitch = pitch / 2;
++			}
+ 			break;
+ 		default:
+ 			break;
+ 	}
+-	pitch = (pitch + 3) & ~3;	/* 4-byte aligning */
+-	return(pitch);
++	/* 4-byte aligning */
++	if (pitch & 3) {
++		if (pitch + 3 < pitch) {
++			SDL_SetError("A scanline is too wide");
++			return(0);
++		}
++		pitch = (pitch + 3) & ~3;
++	}
++	if (pitch > 0xFFFF) {
++		SDL_SetError("A scanline is too wide");
++		return(0);
++	}
++	return((Uint16)pitch);
+ }
+ /*
+  * Match an RGB value to a particular palette index
+diff --git a/src/video/gapi/SDL_gapivideo.c b/src/video/gapi/SDL_gapivideo.c
+index 86deadc..8a06485 100644
+--- a/src/video/gapi/SDL_gapivideo.c
++++ b/src/video/gapi/SDL_gapivideo.c
+@@ -733,6 +733,9 @@ SDL_Surface *GAPI_SetVideoMode(_THIS, SDL_Surface *current,
+ 	video->w = gapi->w = width;
+ 	video->h = gapi->h = height;
+ 	video->pitch = SDL_CalculatePitch(video); 
++	if (!current->pitch) {
++		return(NULL);
++	}
+ 
+ 	/* Small fix for WinCE/Win32 - when activating window
+ 	   SDL_VideoSurface is equal to zero, so activating code
+diff --git a/src/video/nanox/SDL_nxvideo.c b/src/video/nanox/SDL_nxvideo.c
+index b188e09..cbdd09a 100644
+--- a/src/video/nanox/SDL_nxvideo.c
++++ b/src/video/nanox/SDL_nxvideo.c
+@@ -378,6 +378,10 @@ SDL_Surface * NX_SetVideoMode (_THIS, SDL_Surface * current,
+         current -> w = width ;
+         current -> h = height ;
+         current -> pitch = SDL_CalculatePitch (current) ;
++        if (!current->pitch) {
++            current = NULL;
++            goto done;
++        }
+         NX_ResizeImage (this, current, flags) ;
+     }
+ 
+diff --git a/src/video/ps2gs/SDL_gsvideo.c b/src/video/ps2gs/SDL_gsvideo.c
+index e172c60..3290866 100644
+--- a/src/video/ps2gs/SDL_gsvideo.c
++++ b/src/video/ps2gs/SDL_gsvideo.c
+@@ -479,6 +479,9 @@ static SDL_Surface *GS_SetVideoMode(_THIS, SDL_Surface *current,
+ 	current->w = width;
+ 	current->h = height;
+ 	current->pitch = SDL_CalculatePitch(current);
++	if (!current->pitch) {
++		return(NULL);
++	}
+ 
+ 	/* Memory map the DMA area for block memory transfer */
+ 	if ( ! mapped_mem ) {
+diff --git a/src/video/ps3/SDL_ps3video.c b/src/video/ps3/SDL_ps3video.c
+index d5519e0..17848e3 100644
+--- a/src/video/ps3/SDL_ps3video.c
++++ b/src/video/ps3/SDL_ps3video.c
+@@ -339,6 +339,9 @@ static SDL_Surface *PS3_SetVideoMode(_THIS, SDL_Surface * current, int width, in
+ 	current->w = width;
+ 	current->h = height;
+ 	current->pitch = SDL_CalculatePitch(current);
++	if (!current->pitch) {
++		return(NULL);
++	}
+ 
+ 	/* Alloc aligned mem for current->pixels */
+ 	s_pixels = memalign(16, current->h * current->pitch);
+diff --git a/src/video/windib/SDL_dibvideo.c b/src/video/windib/SDL_dibvideo.c
+index 6187bfc..86ebb12 100644
+--- a/src/video/windib/SDL_dibvideo.c
++++ b/src/video/windib/SDL_dibvideo.c
+@@ -675,6 +675,9 @@ SDL_Surface *DIB_SetVideoMode(_THIS, SDL_Surface *current,
+ 	video->w = width;
+ 	video->h = height;
+ 	video->pitch = SDL_CalculatePitch(video);
++	if (!current->pitch) {
++		return(NULL);
++	}
+ 
+ 	/* Small fix for WinCE/Win32 - when activating window
+ 	   SDL_VideoSurface is equal to zero, so activating code
+diff --git a/src/video/windx5/SDL_dx5video.c b/src/video/windx5/SDL_dx5video.c
+index f80ca97..39fc4fc 100644
+--- a/src/video/windx5/SDL_dx5video.c
++++ b/src/video/windx5/SDL_dx5video.c
+@@ -1127,6 +1127,9 @@ SDL_Surface *DX5_SetVideoMode(_THIS, SDL_Surface *current,
+ 		video->w = width;
+ 		video->h = height;
+ 		video->pitch = SDL_CalculatePitch(video);
++		if (!current->pitch) {
++			return(NULL);
++		}
+ 
+ #ifndef NO_CHANGEDISPLAYSETTINGS
+ 		/* Set fullscreen mode if appropriate.
+diff --git a/src/video/x11/SDL_x11video.c b/src/video/x11/SDL_x11video.c
+index 79e60f9..45d1f79 100644
+--- a/src/video/x11/SDL_x11video.c
++++ b/src/video/x11/SDL_x11video.c
+@@ -1220,6 +1220,10 @@ SDL_Surface *X11_SetVideoMode(_THIS, SDL_Surface *current,
+ 		current->w = width;
+ 		current->h = height;
+ 		current->pitch = SDL_CalculatePitch(current);
++		if (!current->pitch) {
++			current = NULL;
++			goto done;
++		}
+ 		if (X11_ResizeImage(this, current, flags) < 0) {
+ 			current = NULL;
+ 			goto done;
+-- 
+2.20.1
+
diff --git a/libre/sdl/SDL-1.2.15-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch b/libre/sdl/SDL-1.2.15-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch
new file mode 100644
index 000000000..34d7cc0ed
--- /dev/null
+++ b/libre/sdl/SDL-1.2.15-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch
@@ -0,0 +1,56 @@
+From 28b1433b4bd7982524f2418420e8cc01786df5c4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Fri, 15 Feb 2019 16:52:27 +0100
+Subject: [PATCH] CVE-2019-7638, CVE-2019-7636: Refuse loading BMP images with
+ too high number of colors
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If a BMP file that defines more colors than can fit into
+a palette of color depth defined in the same BMP file is loaded by
+SDL_LoadBMP_RW() function, invalid number of colors is set into
+resulting SDL surface.
+
+Then if the SDL surface is passed to SDL_DisplayFormat() function to
+convert the surface format into a native video format, a buffer
+overread will happen in Map1to1() or Map1toN() function
+(CVE-2019-7638). (The choice of the mapping function depends on
+a actual video hardware.)
+
+In addition SDL_GetRGB() called indirectly from SDL_DisplayFormat()
+performs the same buffer overread (CVE-2019-7636).
+
+There is also probably a buffer overwrite when the SDL_LoadBMP_RW()
+loads colors from a file.
+
+This patch fixes it by refusing loading such badly damaged BMP files.
+
+CVE-2019-7638
+https://bugzilla.libsdl.org/show_bug.cgi?id=4500
+CVE-2019-7636
+https://bugzilla.libsdl.org/show_bug.cgi?id=4499
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ src/video/SDL_bmp.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c
+index d56cfd8..3accded 100644
+--- a/src/video/SDL_bmp.c
++++ b/src/video/SDL_bmp.c
+@@ -233,6 +233,10 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc)
+ 	if ( palette ) {
+ 		if ( biClrUsed == 0 ) {
+ 			biClrUsed = 1 << biBitCount;
++		} else if ( biClrUsed > (1 << biBitCount) ) {
++			SDL_SetError("BMP file has an invalid number of colors");
++			was_error = SDL_TRUE;
++			goto done;
+ 		}
+ 		if ( biSize == 12 ) {
+ 			for ( i = 0; i < (int)biClrUsed; ++i ) {
+-- 
+2.20.1
+
diff --git a/libre/sdl/SDL-1.2.15-Reject-2-3-5-6-7-bpp-BMP-images.patch b/libre/sdl/SDL-1.2.15-Reject-2-3-5-6-7-bpp-BMP-images.patch
new file mode 100644
index 000000000..a590606f0
--- /dev/null
+++ b/libre/sdl/SDL-1.2.15-Reject-2-3-5-6-7-bpp-BMP-images.patch
@@ -0,0 +1,42 @@
+From 70c3d0e97755e1b208ceba2ae012877797f15627 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Thu, 21 Feb 2019 10:57:41 +0100
+Subject: [PATCH] Reject 2, 3, 5, 6, 7-bpp BMP images
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+BMP decoder assumes less than 8 bit depth images have 1 or 4 bits
+per pixel. No other depths are correctly translated to an 8bpp
+surface.
+
+This patch rejects loading these images.
+
+https://bugzilla.libsdl.org/show_bug.cgi?id=4498
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ src/video/SDL_bmp.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c
+index 8eadc5f..758d4bb 100644
+--- a/src/video/SDL_bmp.c
++++ b/src/video/SDL_bmp.c
+@@ -163,6 +163,14 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc)
+ 			ExpandBMP = biBitCount;
+ 			biBitCount = 8;
+ 			break;
++		case 2:
++		case 3:
++		case 5:
++		case 6:
++		case 7:
++			SDL_SetError("%d-bpp BMP images are not supported", biBitCount);
++			was_error = SDL_TRUE;
++			goto done;
+ 		default:
+ 			ExpandBMP = 0;
+ 			break;
+-- 
+2.20.1
+