path: root/main/sdl2_image/CVE-2018-3839.patch
blob: 6231f98dc2129bf0de85c0685c25c1e7e04aa4c8 (plain)
diff --git a/IMG_xcf.c b/IMG_xcf.c
index d759633..cd9b226 100644
--- a/IMG_xcf.c
+++ b/IMG_xcf.c
@@ -585,6 +585,18 @@ static int do_layer_surface (SDL_Surface * surface, SDL_RWops * src, xcf_header
   SDL_RWseek (src, layer->hierarchy_file_offset, RW_SEEK_SET);
   hierarchy = read_xcf_hierarchy (src);
 
+  if (hierarchy->bpp > 4) {  /* unsupported. */
+      SDL_Log("Unknown Gimp image bpp (%u)\n", (unsigned int) hierarchy->bpp);
+      free_xcf_hierarchy(hierarchy);
+      return 1;
+  }
+
+  if ((hierarchy->width > 20000) || (hierarchy->height > 20000)) {  /* arbitrary limit to avoid integer overflow. */
+      SDL_Log("Gimp image too large (%ux%u)\n", (unsigned int) hierarchy->width, (unsigned int) hierarchy->height);
+      free_xcf_hierarchy(hierarchy);
+      return 1;
+  }
+
   level = NULL;
   for (i = 0; hierarchy->level_file_offsets [i]; i++) {
     SDL_RWseek (src, hierarchy->level_file_offsets [i], RW_SEEK_SET);
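Review bot: Both added checks dereference `hierarchy` straight after `read_xcf_hierarchy (src)` with no NULL test, so if that reader can fail on a truncated or malformed file (its body is not visible here) the guard would fault before it rejects anything; `if (hierarchy == NULL) return 1;` ahead of the `bpp` check would cover that case. The `20000` limit is a bare literal whose comment does not say which product it protects; a named constant with a comment stating the arithmetic (20000 * 20000 * 4 stays below 2^31) would let a reader verify the bound. The limits apply only to the hierarchy header fields, so any width or height carried by the level records read in the loop below would need its own bound, which is worth confirming against the rest of the function. do_layer_surface starts before this hunk and continues past it.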