pkgsrc-WIP-changes archive


prboom-plus: Add patches for CVE-2019-20797



Module Name:	pkgsrc-wip
Committed By:	Michael Baeuerle <micha%NetBSD.org@localhost>
Pushed By:	micha
Date:		Tue Jun 2 17:59:41 2020 +0200
Changeset:	9bc1018ba2b3fa95bad116b4f3b720f65bcb4a0b

Modified Files:
	prboom-plus/README
	prboom-plus/distinfo
Added Files:
	prboom-plus/patches/patch-src_SDL_i__network.c
	prboom-plus/patches/patch-src_d__client.c
	prboom-plus/patches/patch-src_d__server.c

Log Message:
prboom-plus: Add patches for CVE-2019-20797

Fix heap buffer overflows in UDP code.

To see a diff of this commit:
https://wip.pkgsrc.org/cgi-bin/gitweb.cgi?p=pkgsrc-wip.git;a=commitdiff;h=9bc1018ba2b3fa95bad116b4f3b720f65bcb4a0b

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

diffstat:
 prboom-plus/README                             | 10 +++++++++-
 prboom-plus/distinfo                           |  3 +++
 prboom-plus/patches/patch-src_SDL_i__network.c | 18 ++++++++++++++++++
 prboom-plus/patches/patch-src_d__client.c      | 18 ++++++++++++++++++
 prboom-plus/patches/patch-src_d__server.c      | 18 ++++++++++++++++++
 5 files changed, 66 insertions(+), 1 deletion(-)

diffs:
diff --git a/prboom-plus/README b/prboom-plus/README
index 40ac32939e..af6e257f7f 100644
--- a/prboom-plus/README
+++ b/prboom-plus/README
@@ -5,6 +5,14 @@ This package fixes the following bug in prboom+ 2.5.1.4:
 Loading maps using extended nodes crashes on big endian machines
 (because 32-bit values are imported with wrong byte order).
 
-Bug was reported and is already fixed upstream
+Bug was reported and is already fixed upstream.
+
+=========
+
+If you see crashes in multiplayer games, try this patched version.
+
+This package contains fixes for CVE-2019-20797 backported from 2.5.1.5.
+
+=========
 
 This package will stay in wip until the next release of PrBoom+.
diff --git a/prboom-plus/distinfo b/prboom-plus/distinfo
index 3f5ab8c140..099a7e545d 100644
--- a/prboom-plus/distinfo
+++ b/prboom-plus/distinfo
@@ -4,5 +4,8 @@ SHA1 (prboom-plus-2.5.1.4.tar.gz) = 73b3b46c36aa693059f2762dcd807bfd0490f130
 RMD160 (prboom-plus-2.5.1.4.tar.gz) = ebb834844f6ca38aa55214ae8ee1d0cff5e2d5e8
 SHA512 (prboom-plus-2.5.1.4.tar.gz) = ca342bc2eac05458ed9c40aa781badc81416f25e51de23543f037df547d973dcca7522fb942160b7b797d24b6313a0e111afa11ad887199fbaab06240ffeb716
 Size (prboom-plus-2.5.1.4.tar.gz) = 1627558 bytes
+SHA1 (patch-src_SDL_i__network.c) = 4a46a94d9eed67320d70ef05ff89bda778e84ced
+SHA1 (patch-src_d__client.c) = 8a2e1749d80e5395ad2113411eea4561ceaa799e
+SHA1 (patch-src_d__server.c) = 73ab52a5ca2d4431fc9fff0e70d082f0292ca097
 SHA1 (patch-src_m__swap.h) = 452feff775d3490529f581eebd8b0ac2736df49c
 SHA1 (patch-src_p__setup.c) = b3a61ed7960b84bcf50a33c23f16d0053ee1f014
diff --git a/prboom-plus/patches/patch-src_SDL_i__network.c b/prboom-plus/patches/patch-src_SDL_i__network.c
new file mode 100644
index 0000000000..ad6f634535
--- /dev/null
+++ b/prboom-plus/patches/patch-src_SDL_i__network.c
@@ -0,0 +1,18 @@
+$NetBSD$
+
+Fix heap buffer overflows in UDP code (CVE-2019-20797)
+Backported from:
+https://github.com/coelckers/prboom-plus/commit/1a081d10e6c71a5b5b2db76081227677f06b47b3
+
+--- src/SDL/i_network.c.orig	2014-05-20 04:47:44.000000000 +0000
++++ src/SDL/i_network.c
+@@ -248,7 +248,8 @@ size_t I_GetPacket(packet_header_t* buff
+   checksum=buffer->checksum;
+   buffer->checksum=0;
+   if ( (status!=0) && (len>0)) {
+-    byte psum = ChecksumPacket(buffer, udp_packet->len);
++/*    byte psum = ChecksumPacket(buffer, udp_packet->len); */
++    byte psum = ChecksumPacket(buffer, len); // https://logicaltrust.net/blog/2019/10/prboom1.html
+ /*    fprintf(stderr, "recvlen = %u, stolen = %u, csum = %u, psum = %u\n",
+   udp_packet->len, len, checksum, psum); */
+     if (psum == checksum) return len;
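Review bot: The guard in front of `ChecksumPacket(buffer, len)` still accepts any `len>0`, so a datagram shorter than `packet_header_t` gets through, and `buffer->checksum` is read and zeroed two lines earlier, before any length check. Requiring a full header, `if ( (status!=0) && (len>=sizeof(packet_header_t)) ) {`, would stop callers from parsing header fields that the received datagram never filled. The fix also relies on `len` already being limited to the caller's buffer size; that happens outside this hunk, since I_GetPacket starts before it and ends after it, and should be confirmed there.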
diff --git a/prboom-plus/patches/patch-src_d__client.c b/prboom-plus/patches/patch-src_d__client.c
new file mode 100644
index 0000000000..f63934ecaa
--- /dev/null
+++ b/prboom-plus/patches/patch-src_d__client.c
@@ -0,0 +1,18 @@
+$NetBSD$
+
+Fix heap buffer overflows in UDP code (CVE-2019-20797)
+Backported from:
+https://github.com/coelckers/prboom-plus/commit/1a081d10e6c71a5b5b2db76081227677f06b47b3
+
+--- src/d_client.c.orig	2014-05-20 04:47:44.000000000 +0000
++++ src/d_client.c
+@@ -353,7 +353,8 @@ void NetUpdate(void)
+       int sendtics;
+       remotesend -= xtratics;
+       if (remotesend < 0) remotesend = 0;
+-      sendtics = maketic - remotesend;
++/*      sendtics = maketic - remotesend; */
++      sendtics = MIN(maketic - remotesend, 128); // limit number of sent tics (CVE-2019-20797)
+       {
+   size_t pkt_size = sizeof(packet_header_t) + 2 + sendtics * sizeof(ticcmd_t);
+   packet_header_t *packet = Z_Malloc(pkt_size, PU_STATIC, NULL);
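Review bot: The new `MIN(maketic - remotesend, 128)` bounds `sendtics` only from above. Nothing visible in this hunk shows that `maketic - remotesend` cannot be negative, and a negative `sendtics` would be converted to a very large value in `sendtics * sizeof(ticcmd_t)` when `pkt_size` is computed. Unless code before the hunk rules that out, add a lower bound as well, e.g. `if (sendtics < 0) sendtics = 0;` right after the clamp. The literal 128 is repeated in the d_server.c patch with no name or comment tying it to the receiving side's limit; a shared named constant would keep the two in step. NetUpdate begins and ends outside the hunk.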
diff --git a/prboom-plus/patches/patch-src_d__server.c b/prboom-plus/patches/patch-src_d__server.c
new file mode 100644
index 0000000000..8e9cbb6fe8
--- /dev/null
+++ b/prboom-plus/patches/patch-src_d__server.c
@@ -0,0 +1,18 @@
+$NetBSD$
+
+Fix heap buffer overflows in UDP code (CVE-2019-20797)
+Backported from:
+https://github.com/coelckers/prboom-plus/commit/1a081d10e6c71a5b5b2db76081227677f06b47b3
+
+--- src/d_server.c.orig	2014-05-20 04:47:44.000000000 +0000
++++ src/d_server.c
+@@ -681,7 +681,8 @@ int main(int argc, char** argv)
+       int tics;
+       if (lowtic <= remoteticto[i]) continue;
+       if ((remoteticto[i] -= xtratics) < 0) remoteticto[i] = 0;
+-      tics = lowtic - remoteticto[i];
++/*      tics = lowtic - remoteticto[i]; */
++      tics = MIN(lowtic - remoteticto[i], 128); // limit number of sent tics (CVE-2019-20797)
+       {
+         byte *p;
+         packet = malloc(sizeof(packet_header_t) + 1 +
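Review bot: Clamping `tics` to 128 changes how many tics this packet carries, but the hunk does not show how `remoteticto[i]` is advanced after the send. If the code after the hunk sets it to `lowtic` rather than adding the number actually sent, a client more than 128 tics behind would have the remainder skipped and would depend on a later retransmission. Please confirm that path, or advance by the clamped count, and add a comment next to the clamp saying which one is intended. The enclosing loop body in main continues past the end of the hunk.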

