author     Petr Písař <ppisar@redhat.com>    2019-02-15 16:52:27 +0100
committer  Wim Taymans <wtaymans@redhat.com> 2020-02-14 13:02:37 +0100
commit     762c1eb5a1a0e72a8120cfee5699820a73e82152 (patch)
tree       927dcffe11a6d803f2a502bba0ae12436cb75288
parent     1423e12e0bcf5cc43804ac5b31156a4acc316ea9 (diff)
CVE-2019-7638, CVE-2019-7636: Refuse loading BMP images with too high number of colors
If a BMP file that defines more colors than can fit into a palette of the color depth defined in the same BMP file is loaded by the SDL_LoadBMP_RW() function, an invalid number of colors is set into the resulting SDL surface. Then if the SDL surface is passed to the SDL_DisplayFormat() function to convert the surface format into a native video format, a buffer overread will happen in the Map1to1() or Map1toN() function (CVE-2019-7638). (The choice of the mapping function depends on the actual video hardware.) In addition, SDL_GetRGB() called indirectly from SDL_DisplayFormat() performs the same buffer overread (CVE-2019-7636).

There is also probably a buffer overwrite when SDL_LoadBMP_RW() loads colors from a file.

This patch fixes it by refusing to load such badly damaged BMP files.

CVE-2019-7638 https://bugzilla.libsdl.org/show_bug.cgi?id=4500
CVE-2019-7636 https://bugzilla.libsdl.org/show_bug.cgi?id=4499

Signed-off-by: Petr Písař <ppisar@redhat.com>
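The failure mode described in the commit message can be seen in isolation: a BMP header that claims more palette entries (biClrUsed) than the bit depth (biBitCount) allows, which a loader that trusts the header would then hand to the blitters as the palette size. The following is an added, stand-alone C example written for this page, not SDL's code: a minimal header parser that extracts biSize, biBitCount and biClrUsed from both the 12-byte BITMAPCOREHEADER and the 40-byte BITMAPINFOHEADER layouts, and applies the same bound the patch adds. It goes slightly beyond the patch by also checking that the colour table the header announces fits inside the file. The function names (bmp_palette_entries, make_sample), the status codes and the zero-filled sample file are all assumptions of this example; the `check` flag toggles the new bound so the unchecked result can be compared with the rejected one.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum bmp_status { BMP_OK = 0, BMP_ERR_TRUNCATED, BMP_ERR_FORMAT, BMP_ERR_DEPTH, BMP_ERR_COLORS };

/* BMP is little-endian on disk; read fields byte-wise to stay portable. */
static uint32_t rd16(const uint8_t *p) { return (uint32_t)p[0] | ((uint32_t)p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (rd16(p + 2) << 16); }

/* Parse the file header and the DIB header of `buf` and report how many
 * palette entries the file claims.  With `check` set, apply the bound from
 * the patch: biClrUsed must not exceed 1 << biBitCount, the size of the
 * palette a loader allocates for that depth.  With `check` clear, return the
 * raw value so the difference is visible. (Hypothetical example function.) */
enum bmp_status bmp_palette_entries(const uint8_t *buf, size_t len, uint32_t *ncolors, int check)
{
    uint32_t biSize, biBitCount, biClrUsed, entry;

    if (len < 14 + 4) return BMP_ERR_TRUNCATED;
    if (buf[0] != 'B' || buf[1] != 'M') return BMP_ERR_FORMAT;
    biSize = rd32(buf + 14);
    if (biSize == 12) {                      /* BITMAPCOREHEADER: 3-byte entries, no biClrUsed */
        if (len < 14 + 12) return BMP_ERR_TRUNCATED;
        biBitCount = rd16(buf + 14 + 10);
        biClrUsed = 0;
        entry = 3;
    } else {                                 /* BITMAPINFOHEADER or later: 4-byte entries */
        if (biSize < 40) return BMP_ERR_FORMAT;
        if (len < 14 + 40) return BMP_ERR_TRUNCATED;
        biBitCount = rd16(buf + 14 + 14);
        biClrUsed = rd32(buf + 14 + 32);
        entry = 4;
    }

    switch (biBitCount) {
    case 1: case 4: case 8: break;           /* palettised depths: shift below is bounded */
    case 16: case 24: case 32: *ncolors = 0; return BMP_OK;   /* no palette at all */
    default: return BMP_ERR_DEPTH;
    }

    if (biClrUsed == 0) {
        biClrUsed = 1u << biBitCount;        /* 0 means "all colours of this depth" */
    } else if (check && biClrUsed > (1u << biBitCount)) {
        return BMP_ERR_COLORS;               /* palette would be overrun: refuse the file */
    }
    /* Separate check: the colour table must also lie inside the file. */
    if ((uint64_t)14 + biSize + (uint64_t)biClrUsed * entry > (uint64_t)len)
        return BMP_ERR_TRUNCATED;
    *ncolors = biClrUsed;
    return BMP_OK;
}

/* Constructed sample file: zero-filled, only the two headers populated. */
#define SAMPLE_LEN 2048
static uint8_t g_sample[SAMPLE_LEN];

static void wr16(uint8_t *p, uint32_t v) { p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, v & 0xffff); wr16(p + 2, v >> 16); }

const uint8_t *make_sample(uint32_t biSize, uint32_t bitcount, uint32_t clrused)
{
    memset(g_sample, 0, SAMPLE_LEN);
    g_sample[0] = 'B'; g_sample[1] = 'M';
    wr32(g_sample + 2, SAMPLE_LEN);                                   /* bfSize */
    wr32(g_sample + 10, 14 + biSize + clrused * (biSize == 12 ? 3 : 4)); /* bfOffBits */
    wr32(g_sample + 14, biSize);
    if (biSize == 12) {
        wr16(g_sample + 14 + 4, 8); wr16(g_sample + 14 + 6, 8);       /* 8x8 pixels */
        wr16(g_sample + 14 + 8, 1);                                   /* planes */
        wr16(g_sample + 14 + 10, bitcount);
    } else {
        wr32(g_sample + 14 + 4, 8); wr32(g_sample + 14 + 8, 8);
        wr16(g_sample + 14 + 12, 1);
        wr16(g_sample + 14 + 14, bitcount);
        wr32(g_sample + 14 + 32, clrused);
    }
    return g_sample;
}

int main(void)
{
    uint32_t n = 0;
    /* 8-bit image claiming 300 palette entries; the palette only holds 256. */
    enum bmp_status s = bmp_palette_entries(make_sample(40, 8, 300), SAMPLE_LEN, &n, 0);
    printf("unchecked: status %d, ncolors %u (palette holds 256)\n", s, n);
    s = bmp_palette_entries(make_sample(40, 8, 300), SAMPLE_LEN, &n, 1);
    printf("checked:   status %d (BMP_ERR_COLORS is %d)\n", s, BMP_ERR_COLORS);
    return 0;
}
```

The unchecked call returns 300 for an 8-bit image, which is exactly the value the pre-patch loader would carry into the surface and later index with in the palette mappers; the checked call rejects the file before any colour is read.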
-rw-r--r--  src/video/SDL_bmp.c  4
1 files changed, 4 insertions, 0 deletions
diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c
index c1f1a24f5c..118181b515 100644
--- a/src/video/SDL_bmp.c
+++ b/src/video/SDL_bmp.c
@@ -238,6 +238,10 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc)
if ( palette ) {
if ( biClrUsed == 0 ) {
biClrUsed = 1 << biBitCount;
+ } else if ( biClrUsed > (1 << biBitCount) ) {
+ SDL_SetError("BMP file has an invalid number of colors");
+ was_error = SDL_TRUE;
+ goto done;
}
if ( biSize == 12 ) {
for ( i = 0; i < (int)biClrUsed; ++i ) {
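Review bot: the new bound `biClrUsed > (1 << biBitCount)` is only meaningful because `palette` is non-NULL solely for the low bit depths accepted earlier in the function; `biBitCount` comes straight from the file, so a comment at this line saying the shift is bounded, or comparing against the palette size actually allocated for the surface (`palette->ncolors`) instead of recomputing it, would keep the check obviously correct if more depths are ever routed through this branch. The error text "BMP file has an invalid number of colors" is fine, but since the message in the commit says this also closes a probable overwrite in the colour-reading loops that follow (`for ( i = 0; i < (int)biClrUsed; ++i )`), it is worth stating that reason in a comment above the `else if`, so the next reader does not mistake the rejection for mere strictness and relax it.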