From a1d3817782c40c141f167a4a7f1bedcabca6be31 Mon Sep 17 00:00:00 2001
From: jasper <jasper@openbsd.org>
Date: Mon, 31 Mar 2008 21:19:17 +0000
Subject: [PATCH] SECURITY FIX for http://secunia.com/advisories/28640/

Patches were taken from libsdl's svn.
---
 devel/sdl-image/Makefile                |  4 ++--
 devel/sdl-image/patches/patch-IMG_gif_c | 14 ++++++++++++
 devel/sdl-image/patches/patch-IMG_lbm_c | 29 +++++++++++++++++++++++++
 3 files changed, 45 insertions(+), 2 deletions(-)
 create mode 100644 devel/sdl-image/patches/patch-IMG_gif_c
 create mode 100644 devel/sdl-image/patches/patch-IMG_lbm_c

diff --git a/devel/sdl-image/Makefile b/devel/sdl-image/Makefile
index 11b024277b7..d802676a85a 100644
--- a/devel/sdl-image/Makefile
+++ b/devel/sdl-image/Makefile
@@ -1,8 +1,8 @@
-# $OpenBSD: Makefile,v 1.26 2007/10/14 08:22:17 winiger Exp $
+# $OpenBSD: Makefile,v 1.27 2008/03/31 21:19:17 jasper Exp $
 
 COMMENT=	SDL image library
 DISTNAME=	SDL_image-1.2.4
-PKGNAME=	${DISTNAME:L:S/_/-/}p3
+PKGNAME=	${DISTNAME:L:S/_/-/}p4
 SHARED_LIBS=	SDL_image 2.0
 CATEGORIES=	devel graphics
 MASTER_SITES=	ftp://ftp.fr.freebsd.org/pub/FreeBSD/distfiles/ \
diff --git a/devel/sdl-image/patches/patch-IMG_gif_c b/devel/sdl-image/patches/patch-IMG_gif_c
new file mode 100644
index 00000000000..4aa395ec4fe
--- /dev/null
+++ b/devel/sdl-image/patches/patch-IMG_gif_c
@@ -0,0 +1,14 @@
+$OpenBSD: patch-IMG_gif_c,v 1.1 2008/03/31 21:19:17 jasper Exp $
+--- IMG_gif.c.orig	Fri Mar 28 18:36:08 2008
++++ IMG_gif.c	Fri Mar 28 18:36:54 2008
+@@ -406,6 +406,10 @@ LWZReadByte(SDL_RWops *src, int flag, int input_code_s
+     static int stack[(1 << (MAX_LWZ_BITS)) * 2], *sp;
+     register int i;
+ 
++    /* Fixed buffer overflow found by Michael Skladnikiewicz */
++    if (input_code_size > MAX_LWZ_BITS)
++        return -1;
++
+     if (flag) {
+ 	set_code_size = input_code_size;
+ 	code_size = set_code_size + 1;
diff --git a/devel/sdl-image/patches/patch-IMG_lbm_c b/devel/sdl-image/patches/patch-IMG_lbm_c
new file mode 100644
index 00000000000..15e034cc94d
--- /dev/null
+++ b/devel/sdl-image/patches/patch-IMG_lbm_c
@@ -0,0 +1,29 @@
+$OpenBSD: patch-IMG_lbm_c,v 1.1 2008/03/31 21:19:17 jasper Exp $
+--- IMG_lbm.c.orig	Fri Mar 28 18:37:11 2008
++++ IMG_lbm.c	Fri Mar 28 18:39:09 2008
+@@ -30,6 +30,7 @@
+    EHB and HAM (specific Amiga graphic chip modes) support added by Marc Le Douarain
+    (http://www.multimania.com/mavati) in December 2003.
+    Stencil and colorkey fixes by David Raulo (david.raulo AT free DOT fr) in February 2004.
++   Buffer overflow fix in RLE decompression by David Raulo in January 2008.
+ */
+ 
+ #include <stdio.h>
+@@ -321,7 +322,7 @@ SDL_Surface *IMG_LoadLBM_RW( SDL_RWops *src )
+ 						count ^= 0xFF;
+ 						count += 2; /* now it */
+ 
+-						if ( !SDL_RWread( src, &color, 1, 1 ) )
++						if ( ( count > remainingbytes ) || !SDL_RWread( src, &color, 1, 1 ) )
+ 						{
+ 						   error="error reading BODY chunk";
+ 							goto done;
+@@ -332,7 +333,7 @@ SDL_Surface *IMG_LoadLBM_RW( SDL_RWops *src )
+ 					{
+ 						++count;
+ 
+-						if ( !SDL_RWread( src, ptr, count, 1 ) )
++						if ( ( count > remainingbytes ) || !SDL_RWread( src, ptr, count, 1 ) )
+ 						{
+ 						   error="error reading BODY chunk";
+ 							goto done;