aboutsummaryrefslogtreecommitdiffstats
path: root/main/sdl/0001-CVE-2019-7636.patch
blob: 51e40ef1cec355829ebadfaf85e6f3f247abe334 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
Fixed bug 4500 - Heap-Buffer Overflow in Map1toN pertaining to SDL_pixels.c

Petr Pisar

The reproducer has these data in BITMAPINFOHEADER:

biSize = 40
biBitCount = 8
biClrUsed = 131075

SDL_LoadBMP_RW() function passes biBitCount as a color depth to SDL_CreateRGBSurface(), thus 256-color pallete is allocated. But then biClrUsed colors are read from a file and stored into the palette. SDL_LoadBMP_RW should report an error if biClrUsed is greater than 2^biBitCount.

Also fixes CVE-2019-7638

diff -r 8586f153eede -r 19d8c3b9c251 src/video/SDL_bmp.c
--- a/src/video/SDL_bmp.c	Sun Jan 13 15:27:50 2019 +0100
+++ b/src/video/SDL_bmp.c	Mon Feb 18 07:48:23 2019 -0800
@@ -233,6 +233,10 @@
 	if ( palette ) {
 		if ( biClrUsed == 0 ) {
 			biClrUsed = 1 << biBitCount;
+		} else if ( biClrUsed > (1 << biBitCount) ) {
+			SDL_SetError("BMP file has an invalid number of colors");
+			was_error = SDL_TRUE;
+			goto done;
 		}
 		if ( biSize == 12 ) {
 			for ( i = 0; i < (int)biClrUsed; ++i ) {