aboutsummaryrefslogtreecommitdiffstats
path: root/main/sdl/0001-CVE-2019-7636.patch
diff options
context:
space:
mode:
Diffstat (limited to 'main/sdl/0001-CVE-2019-7636.patch')
-rw-r--r--main/sdl/0001-CVE-2019-7636.patch29
1 files changed, 29 insertions, 0 deletions
diff --git a/main/sdl/0001-CVE-2019-7636.patch b/main/sdl/0001-CVE-2019-7636.patch
new file mode 100644
index 0000000000..51e40ef1ce
--- /dev/null
+++ b/main/sdl/0001-CVE-2019-7636.patch
@@ -0,0 +1,29 @@
+Fixed bug 4500 - Heap-Buffer Overflow in Map1toN pertaining to SDL_pixels.c
+
+Petr Pisar
+
+The reproducer has these data in BITMAPINFOHEADER:
+
+biSize = 40
+biBitCount = 8
+biClrUsed = 131075
+
+SDL_LoadBMP_RW() function passes biBitCount as a color depth to SDL_CreateRGBSurface(), thus 256-color pallete is allocated. But then biClrUsed colors are read from a file and stored into the palette. SDL_LoadBMP_RW should report an error if biClrUsed is greater than 2^biBitCount.
+
+Also fixes CVE-2019-7638
+
+diff -r 8586f153eede -r 19d8c3b9c251 src/video/SDL_bmp.c
+--- a/src/video/SDL_bmp.c Sun Jan 13 15:27:50 2019 +0100
++++ b/src/video/SDL_bmp.c Mon Feb 18 07:48:23 2019 -0800
+@@ -233,6 +233,10 @@
+ if ( palette ) {
+ if ( biClrUsed == 0 ) {
+ biClrUsed = 1 << biBitCount;
++ } else if ( biClrUsed > (1 << biBitCount) ) {
++ SDL_SetError("BMP file has an invalid number of colors");
++ was_error = SDL_TRUE;
++ goto done;
+ }
+ if ( biSize == 12 ) {
+ for ( i = 0; i < (int)biClrUsed; ++i ) {
+