blob: 51e40ef1cec355829ebadfaf85e6f3f247abe334 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
|
Fixed bug 4500 - Heap-Buffer Overflow in Map1toN pertaining to SDL_pixels.c
Petr Pisar
The reproducer has these data in BITMAPINFOHEADER:
biSize = 40
biBitCount = 8
biClrUsed = 131075
SDL_LoadBMP_RW() function passes biBitCount as a color depth to SDL_CreateRGBSurface(), thus 256-color pallete is allocated. But then biClrUsed colors are read from a file and stored into the palette. SDL_LoadBMP_RW should report an error if biClrUsed is greater than 2^biBitCount.
Also fixes CVE-2019-7638
diff -r 8586f153eede -r 19d8c3b9c251 src/video/SDL_bmp.c
--- a/src/video/SDL_bmp.c Sun Jan 13 15:27:50 2019 +0100
+++ b/src/video/SDL_bmp.c Mon Feb 18 07:48:23 2019 -0800
@@ -233,6 +233,10 @@
if ( palette ) {
if ( biClrUsed == 0 ) {
biClrUsed = 1 << biBitCount;
+ } else if ( biClrUsed > (1 << biBitCount) ) {
+ SDL_SetError("BMP file has an invalid number of colors");
+ was_error = SDL_TRUE;
+ goto done;
}
if ( biSize == 12 ) {
for ( i = 0; i < (int)biClrUsed; ++i ) {
|
