[gentoo-commits] repo/proj/guru:dev commit in: dev-games/godot/, dev-games/godot/files/

[gentoo-commits] repo/proj/guru:dev commit in: dev-games/godot/, dev-games/godot/files/

[Ross Charles Campbell]

commit:     a4c500da08a55ab3ff4b8f78e28dcfdc4372af65
Author:     Ross Charles Campbell <rossbridger.cc <AT> gmail <DOT> com>
AuthorDate: Sat Jan  2 15:57:46 2021 +0000
Commit:     Ross Charles Campbell <rossbridger.cc <AT> gmail <DOT> com>
CommitDate: Sat Jan  2 15:59:18 2021 +0000
URL:        https://gitweb.gentoo.org/repo/proj/guru.git/commit/?id=a4c500da

dev-games/godot: New Package

Closes: https://bugs.gentoo.org/532730
Closes: https://github.com/gentoo/gentoo/pull/17874
Package-Manager: Portage-3.0.12, Repoman-3.0.2
Signed-off-by: Ross Charles Campbell <rossbridger.cc <AT> gmail.com>

 dev-games/godot/Manifest                           |   1 +
 .../godot/files/godot-3.2.3-fix-llvm-build.patch   |  36 ++++++
 dev-games/godot/godot-3.2.3.ebuild                 | 139 +++++++++++++++++++++
 dev-games/godot/metadata.xml                       |  28 +++++
 4 files changed, 204 insertions(+)

diff --git a/dev-games/godot/Manifest b/dev-games/godot/Manifest
new file mode 100644
index 00000000..36fd2278
--- /dev/null
+++ b/dev-games/godot/Manifest
@@ -0,0 +1 @@
+DIST godot-3.2.3.tar.gz 22459811 BLAKE2B fdebfc4fc4a259d52496feb2904ff1e311a8df3fd57568091b181380e28b789efd16d598df7a2331f22f182acebacb7af1f5aa88583f8b7e992be52f2f494198 SHA512 229a32f082e412f20533b781ee95a1e7a9039a6329fe3429f9a3388ba3aada311bcc49c2abecdeec7496ef039a81358009126b21daaeeb127c170b77c3def99f

diff --git a/dev-games/godot/files/godot-3.2.3-fix-llvm-build.patch b/dev-games/godot/files/godot-3.2.3-fix-llvm-build.patch
new file mode 100644
index 00000000..40c45f34
--- /dev/null
+++ b/dev-games/godot/files/godot-3.2.3-fix-llvm-build.patch
@@ -0,0 +1,36 @@
+diff --git a/SConstruct b/SConstruct
+index 26019e6..f460aef 100644
+--- a/SConstruct
++++ b/SConstruct
+@@ -170,6 +170,8 @@ opts.Add(BoolVariable("builtin_zstd", "Use the built-in Zstd library", True))
+ # Compilation environment setup
+ opts.Add("CXX", "C++ compiler")
+ opts.Add("CC", "C compiler")
++opts.Add("AR", "Archiver")
++opts.Add("RANLIB", "Random Access Library Indexer")
+ opts.Add("LINK", "Linker")
+ opts.Add("CCFLAGS", "Custom flags for both the C and C++ compilers")
+ opts.Add("CFLAGS", "Custom flags for the C compiler")
+diff --git a/platform/x11/detect.py b/platform/x11/detect.py
+index 716930d..28b1df4 100644
+--- a/platform/x11/detect.py
++++ b/platform/x11/detect.py
+@@ -130,7 +130,6 @@ def configure(env):
+             env["CXX"] = "clang++"
+             env["LINK"] = "clang++"
+         env.Append(CPPDEFINES=["TYPED_METHOD_BIND"])
+-        env.extra_suffix = ".llvm" + env.extra_suffix
+ 
+     if env["use_lld"]:
+         if env["use_llvm"]:
+@@ -173,10 +172,6 @@ def configure(env):
+                 env.Append(CCFLAGS=["-flto"])
+                 env.Append(LINKFLAGS=["-flto"])
+ 
+-        if not env["use_llvm"]:
+-            env["RANLIB"] = "gcc-ranlib"
+-            env["AR"] = "gcc-ar"
+-
+     env.Append(CCFLAGS=["-pipe"])
+     env.Append(LINKFLAGS=["-pipe"])
+ 

diff --git a/dev-games/godot/godot-3.2.3.ebuild b/dev-games/godot/godot-3.2.3.ebuild
new file mode 100644
index 00000000..b0115ed9
--- /dev/null
+++ b/dev-games/godot/godot-3.2.3.ebuild
@@ -0,0 +1,139 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+PYTHON_COMPAT=( python3_{7..9} )
+
+inherit desktop python-any-r1 scons-utils xdg
+
+DESCRIPTION="Multi-platform 2D and 3D game engine"
+HOMEPAGE="http://godotengine.org"
+
+SRC_URI="https://github.com/godotengine/${PN}/archive/${PV}-stable.tar.gz -> ${P}.tar.gz"
+S="${WORKDIR}/${P}-stable"
+KEYWORDS="~amd64 ~x86"
+
+LICENSE="Apache-2.0 BSD BSL-1.1 CC-BY-3.0 MIT MPL-2.0 OFL-1.1 public-domain ZLIB"
+SLOT="0"
+IUSE="+bullet debug +enet +freetype lto +mbedtls +ogg +opus pulseaudio +theora +udev +upnp +vorbis +webp"
+
+RDEPEND="
+	app-arch/lz4
+	app-arch/zstd
+	dev-libs/libpcre2[pcre32]
+	media-libs/alsa-lib
+	media-libs/libpng:0=
+	media-libs/libvpx
+	media-libs/mesa[gles2]
+	sys-libs/zlib
+	x11-libs/libX11
+	x11-libs/libXcursor
+	x11-libs/libXi
+	x11-libs/libXinerama
+	virtual/glu
+	virtual/opengl
+	bullet? ( >=sci-physics/bullet-2.89 )
+	enet? ( net-libs/enet:= )
+	freetype? ( media-libs/freetype:2 )
+	mbedtls? ( net-libs/mbedtls )
+	ogg? ( media-libs/libogg )
+	opus? (
+		media-libs/opus
+		media-libs/opusfile
+	)
+	pulseaudio? ( media-sound/pulseaudio )
+	theora? ( media-libs/libtheora )
+	udev? ( virtual/udev )
+	upnp? ( net-libs/miniupnpc )
+	vorbis? ( media-libs/libvorbis )
+	webp? ( media-libs/libwebp )
+"
+DEPEND="
+	${RDEPEND}
+	dev-lang/yasm
+"
+BDEPEND="virtual/pkgconfig"
+
+PATCHES=( "${FILESDIR}"/${P}-fix-llvm-build.patch )
+
+src_prepare() {
+	default
+	rm -r thirdparty/{bullet,enet,freetype,libogg,libpng,libtheora,libvorbis,libvpx,libwebp,mbedtls,miniupnpc,opus,pcre2,zlib,zstd} || die
+}
+
+src_configure() {
+	myesconsargs=(
+		CC="$(tc-getCC)"
+		CXX="$(tc-getCXX)"
+		AR="$(tc-getAR)"
+		RANLIB="$(tc-getRANLIB)"
+	)
+	# Remove builtin third-party packages, link with system ones instead
+	myesconsargs+=(
+		builtin_bullet=no
+		builtin_enet=no
+		builtin_freetype=no
+		builtin_libogg=no
+		builtin_libpng=no
+		builtin_libtheora=no
+		builtin_libvorbis=no
+		builtin_libvpx=no
+		builtin_libwebp=no
+		builtin_mbedtls=no
+		builtin_miniupnpc=no
+		builtin_opus=no
+		builtin_pcre2=no
+		builtin_pcre2_with_jit=no
+		builtin_zlib=no
+		builtin_zstd=no
+	)
+	myesconsargs+=(
+		# Mono bindings requires MSBuild which is only available on Windows
+		module_mono_enabled=no
+		module_bullet_enabled=$(usex bullet)
+		module_enet_enabled=$(usex enet)
+		module_freetype_enabled=$(usex freetype)
+		module_mbedtls_enabled=$(usex mbedtls)
+		module_ogg_enabled=$(usex ogg)
+		module_opus_enabled=$(usex opus)
+		module_theora_enabled=$(usex theora)
+		module_upnp_enabled=$(usex upnp)
+		module_vorbis_enabled=$(usex vorbis)
+		module_webp_enabled=$(usex webp)
+	)
+	# Misc options
+	myesconsargs+=(
+		platform=x11
+		progress=yes
+		tools=yes
+		verbose=yes
+		pulseaudio=$(usex pulseaudio)
+		target=$(usex debug debug release_debug)
+		udev=$(usex udev)
+		use_lto=$(usex lto)
+	)
+}
+
+src_compile() {
+	escons "${myesconsargs[@]}"
+}
+
+src_install() {
+	local godot_binary="${PN}.x11.opt.tools"
+
+	if [[ "${ARCH}" == "amd64" ]]; then
+		godot_binary="${godot_binary}.64"
+	elif [[ "${ARCH}" == "x86" ]]; then
+		godot_binary="${godot_binary}.32"
+	fi
+
+	newbin bin/${godot_binary} ${PN}
+	newicon icon.svg ${PN}.svg
+	doman misc/dist/linux/${PN}.6
+	domenu misc/dist/linux/org.godotengine.Godot.desktop
+	insinto /usr/share/metainfo
+	doins misc/dist/linux/org.godotengine.Godot.appdata.xml
+	insinto /usr/share/mime/application
+	doins misc/dist/linux/x-godot-project.xml
+	dodoc AUTHORS.md CHANGELOG.md DONORS.md README.md
+}

diff --git a/dev-games/godot/metadata.xml b/dev-games/godot/metadata.xml
new file mode 100644
index 00000000..5f4bcc66
--- /dev/null
+++ b/dev-games/godot/metadata.xml
@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<maintainer type="person">
+		<email>rossbridger.cc@gmail.com</email>
+		<name>Ross Charles Campbell</name>
+	</maintainer>
+	<longdescription>
+Godot Engine is a feature-packed, cross-platform game engine to create 2D and
+3D games from a unified interface. It provides a comprehensive set of common
+tools, so users can focus on making games without having to reinvent the wheel.
+Games can be exported in one click to a number of platforms, including the major
+desktop platforms (Linux, macOS, Windows) as well as mobile (Android, iOS) and
+web-based (HTML5) platforms.
+	</longdescription>
+	<use>
+		<flag name="bullet">Enable support for <pkg>sci-physics/bullet</pkg></flag>
+		<flag name="enet">Enable support for <pkg>net-libs/enet</pkg></flag>
+		<flag name="lto">Enable support for link time optimization</flag>
+		<flag name="freetype">Enable support for <pkg>media-libs/freetype</pkg></flag>
+		<flag name="mbedtls">Enable support for <pkg>net-libs/mbedtls</pkg></flag>
+	</use>
+	<upstream>
+		<remote-id type="github">godotengine/godot</remote-id>
+		<bugs-to>https://github.com/godotengine/godot/issues</bugs-to>
+		<doc lang="en">https://docs.godotengine.org/en/stable/index.html</doc>
+	</upstream>
+</pkgmetadata>

[gentoo-commits] repo/proj/guru:dev commit in: dev-games/godot/, dev-games/godot/files/

[Ross Charles Campbell]

commit:     378fd39928de4e862e0859082620e71449457ae7
Author:     Ross Charles Campbell <rossbridger.cc <AT> gmail <DOT> com>
AuthorDate: Wed Feb 10 04:58:17 2021 +0000
Commit:     Ross Charles Campbell <rossbridger.cc <AT> gmail <DOT> com>
CommitDate: Wed Feb 10 05:05:06 2021 +0000
URL:        https://gitweb.gentoo.org/repo/proj/guru.git/commit/?id=378fd399

dev-games/godot: fix CVE-2021-26825

An integer overflow issue exists in Godot Engine up to v3.2 that can
be triggered when loading specially crafted.TGA image files. The
vulnerability exists in ImageLoaderTGA::load_image() function at line:

const size_t buffer_size = (tga_header.image_width * tga_header.image_height) * pixel_size;

The bug leads to Dynamic stack buffer overflow. Depending on the
context of the application, attack vector can be local or remote,
and can lead to code execution and/or system crash.

Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-26825
Reference: https://github.com/godotengine/godot/pull/45702
Closes: https://bugs.gentoo.org/769761
Package-Manager: Portage-3.0.14, Repoman-3.0.2
Signed-off-by: Ross Charles Campbell <rossbridger.cc <AT> gmail.com>

 .../files/godot-3.2.3-fix-CVE-2021-26825.patch     | 108 +++++++++++++++++++++
 .../{godot-3.2.3.ebuild => godot-3.2.3-r1.ebuild}  |   5 +-
 2 files changed, 112 insertions(+), 1 deletion(-)

diff --git a/dev-games/godot/files/godot-3.2.3-fix-CVE-2021-26825.patch b/dev-games/godot/files/godot-3.2.3-fix-CVE-2021-26825.patch
new file mode 100644
index 00000000..e2602f5e
--- /dev/null
+++ b/dev-games/godot/files/godot-3.2.3-fix-CVE-2021-26825.patch
@@ -0,0 +1,108 @@
+commit 113b5ab1c45c01b8e6d54d13ac8876d091f883a8
+Author: Hein-Pieter van Braam-Stewart <hp@tmm.cx>
+Date:   Thu Feb 4 12:56:33 2021 +0100
+
+    Fix a crash in the TGA loader with malformed input
+
+diff --git a/modules/tga/image_loader_tga.cpp b/modules/tga/image_loader_tga.cpp
+index d60efdd5bc..964dc091a7 100644
+--- a/modules/tga/image_loader_tga.cpp
++++ b/modules/tga/image_loader_tga.cpp
+@@ -55,6 +55,10 @@ Error ImageLoaderTGA::decode_tga_rle(const uint8_t *p_compressed_buffer, size_t
+ 		compressed_pos += 1;
+ 		count = (c & 0x7f) + 1;
+ 
++		if (output_pos + count * p_pixel_size > output_pos) {
++			return ERR_PARSE_ERROR;
++		}
++
+ 		if (c & 0x80) {
+ 			for (size_t i = 0; i < p_pixel_size; i++) {
+ 				pixels_w.ptr()[i] = p_compressed_buffer[compressed_pos];
+@@ -78,7 +82,7 @@ Error ImageLoaderTGA::decode_tga_rle(const uint8_t *p_compressed_buffer, size_t
+ 	return OK;
+ }
+ 
+-Error ImageLoaderTGA::convert_to_image(Ref<Image> p_image, const uint8_t *p_buffer, const tga_header_s &p_header, const uint8_t *p_palette, const bool p_is_monochrome) {
++Error ImageLoaderTGA::convert_to_image(Ref<Image> p_image, const uint8_t *p_buffer, const tga_header_s &p_header, const uint8_t *p_palette, const bool p_is_monochrome, size_t p_output_size) {
+ 
+ #define TGA_PUT_PIXEL(r, g, b, a)             \
+ 	int image_data_ofs = ((y * width) + x);   \
+@@ -130,6 +134,9 @@ Error ImageLoaderTGA::convert_to_image(Ref<Image> p_image, const uint8_t *p_buff
+ 		if (p_is_monochrome) {
+ 			while (y != y_end) {
+ 				while (x != x_end) {
++					if (i > p_output_size) {
++						return ERR_PARSE_ERROR;
++					}
+ 					uint8_t shade = p_buffer[i];
+ 
+ 					TGA_PUT_PIXEL(shade, shade, shade, 0xff)
+@@ -143,6 +150,9 @@ Error ImageLoaderTGA::convert_to_image(Ref<Image> p_image, const uint8_t *p_buff
+ 		} else {
+ 			while (y != y_end) {
+ 				while (x != x_end) {
++					if (i > p_output_size) {
++						return ERR_PARSE_ERROR;
++					}
+ 					uint8_t index = p_buffer[i];
+ 					uint8_t r = 0x00;
+ 					uint8_t g = 0x00;
+@@ -171,6 +181,10 @@ Error ImageLoaderTGA::convert_to_image(Ref<Image> p_image, const uint8_t *p_buff
+ 	} else if (p_header.pixel_depth == 24) {
+ 		while (y != y_end) {
+ 			while (x != x_end) {
++				if (i + 2 > p_output_size) {
++					return ERR_PARSE_ERROR;
++				}
++
+ 				uint8_t r = p_buffer[i + 2];
+ 				uint8_t g = p_buffer[i + 1];
+ 				uint8_t b = p_buffer[i + 0];
+@@ -186,6 +200,10 @@ Error ImageLoaderTGA::convert_to_image(Ref<Image> p_image, const uint8_t *p_buff
+ 	} else if (p_header.pixel_depth == 32) {
+ 		while (y != y_end) {
+ 			while (x != x_end) {
++				if (i + 3 > p_output_size) {
++					return ERR_PARSE_ERROR;
++				}
++
+ 				uint8_t a = p_buffer[i + 3];
+ 				uint8_t r = p_buffer[i + 2];
+ 				uint8_t g = p_buffer[i + 1];
+@@ -280,7 +298,7 @@ Error ImageLoaderTGA::load_image(Ref<Image> p_image, FileAccess *f, bool p_force
+ 		PoolVector<uint8_t>::Read src_image_r = src_image.read();
+ 
+ 		const size_t pixel_size = tga_header.pixel_depth >> 3;
+-		const size_t buffer_size = (tga_header.image_width * tga_header.image_height) * pixel_size;
++		size_t buffer_size = (tga_header.image_width * tga_header.image_height) * pixel_size;
+ 
+ 		PoolVector<uint8_t> uncompressed_buffer;
+ 		uncompressed_buffer.resize(buffer_size);
+@@ -299,11 +317,12 @@ Error ImageLoaderTGA::load_image(Ref<Image> p_image, FileAccess *f, bool p_force
+ 			}
+ 		} else {
+ 			buffer = src_image_r.ptr();
++			buffer_size = src_image_len;
+ 		};
+ 
+ 		if (err == OK) {
+ 			PoolVector<uint8_t>::Read palette_r = palette.read();
+-			err = convert_to_image(p_image, buffer, tga_header, palette_r.ptr(), is_monochrome);
++			err = convert_to_image(p_image, buffer, tga_header, palette_r.ptr(), is_monochrome, buffer_size);
+ 		}
+ 	}
+ 
+diff --git a/modules/tga/image_loader_tga.h b/modules/tga/image_loader_tga.h
+index 249e33411e..bbfc3fed32 100644
+--- a/modules/tga/image_loader_tga.h
++++ b/modules/tga/image_loader_tga.h
+@@ -73,7 +73,7 @@ class ImageLoaderTGA : public ImageFormatLoader {
+ 		uint8_t image_descriptor;
+ 	};
+ 	static Error decode_tga_rle(const uint8_t *p_compressed_buffer, size_t p_pixel_size, uint8_t *p_uncompressed_buffer, size_t p_output_size);
+-	static Error convert_to_image(Ref<Image> p_image, const uint8_t *p_buffer, const tga_header_s &p_header, const uint8_t *p_palette, const bool p_is_monochrome);
++	static Error convert_to_image(Ref<Image> p_image, const uint8_t *p_buffer, const tga_header_s &p_header, const uint8_t *p_palette, const bool p_is_monochrome, size_t p_output_size);
+ 
+ public:
+ 	virtual Error load_image(Ref<Image> p_image, FileAccess *f, bool p_force_linear, float p_scale);

diff --git a/dev-games/godot/godot-3.2.3.ebuild b/dev-games/godot/godot-3.2.3-r1.ebuild
similarity index 97%
rename from dev-games/godot/godot-3.2.3.ebuild
rename to dev-games/godot/godot-3.2.3-r1.ebuild
index 05980a2d..f978022f 100644
--- a/dev-games/godot/godot-3.2.3.ebuild
+++ b/dev-games/godot/godot-3.2.3-r1.ebuild
@@ -54,7 +54,10 @@ DEPEND="
 "
 BDEPEND="virtual/pkgconfig"
 
-PATCHES=( "${FILESDIR}"/${P}-fix-llvm-build.patch )
+PATCHES=(
+	"${FILESDIR}"/${P}-fix-llvm-build.patch
+	"${FILESDIR}"/${P}-fix-CVE-2021-26825.patch
+)
 
 src_prepare() {
 	default