From 28b1433b4bd7982524f2418420e8cc01786df5c4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= Date: Fri, 15 Feb 2019 16:52:27 +0100 Subject: [PATCH] CVE-2019-7638, CVE-2019-7636: Refuse loading BMP images with too high number of colors MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If a BMP file that defines more colors than can fit into a palette of color depth defined in the same BMP file is loaded by SDL_LoadBMP_RW() function, invalid number of colors is set into resulting SDL surface. Then if the SDL surface is passed to SDL_DisplayFormat() function to convert the surface format into a native video format, a buffer overread will happen in Map1to1() or Map1toN() function (CVE-2019-7638). (The choice of the mapping function depends on a actual video hardware.) In addition SDL_GetRGB() called indirectly from SDL_DisplayFormat() performs the same buffer overread (CVE-2019-7636). There is also probably a buffer overwrite when the SDL_LoadBMP_RW() loads colors from a file. This patch fixes it by refusing loading such badly damaged BMP files. CVE-2019-7638 https://bugzilla.libsdl.org/show_bug.cgi?id=4500 CVE-2019-7636 https://bugzilla.libsdl.org/show_bug.cgi?id=4499 Signed-off-by: Petr Písař --- src/video/SDL_bmp.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c index d56cfd8..3accded 100644 --- a/src/video/SDL_bmp.c +++ b/src/video/SDL_bmp.c @@ -233,6 +233,10 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc) if ( palette ) { if ( biClrUsed == 0 ) { biClrUsed = 1 << biBitCount; + } else if ( biClrUsed > (1 << biBitCount) ) { + SDL_SetError("BMP file has an invalid number of colors"); + was_error = SDL_TRUE; + goto done; } if ( biSize == 12 ) { for ( i = 0; i < (int)biClrUsed; ++i ) { -- 2.20.1