
Bug 3890

Summary: Incomplete fix for CVE-2017-2888
Product: SDL
Component: video
Version: HG 2.1
Hardware: x86_64
OS: Linux
Status: RESOLVED FIXED
Severity: normal
Priority: P2
Reporter: Felix Geyer <debfx>
Assignee: Sam Lantinga <slouken>
QA Contact: Sam Lantinga <slouken>
CC: sezeroz

Description Felix Geyer 2017-10-16 19:32:58 UTC
http://hg.libsdl.org/SDL/rev/7e0f1498ddb5 tries to fix CVE-2017-2888.
Unfortunately compilers may optimize the second condition "(size / surface->pitch) != surface->h" away.
See https://bugzilla.redhat.com/show_bug.cgi?id=1500623#c2
I've verified that this is also the case on Debian unstable (gcc 7.2).
Comment 1 Ozkan Sezer 2017-10-16 20:42:47 UTC
Naive question: does making size volatile help with it?
Comment 2 Felix Geyer 2017-10-16 21:16:14 UTC
(In reply to Ozkan Sezer from comment #1)
> Naive question: does making size volatile help with it?

Yes. It's quite a big hammer, but will avoid the unwanted optimization.
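As an added illustration (not code from the SDL tree or from this thread), the shape of an overflow check that a compiler cannot elide: test the operands before multiplying, so no signed overflow is ever executed and the undefined-behaviour rule gives the optimizer nothing to exploit. The function name is assumed; h and pitch mirror the int fields of SDL_Surface.

```c
#include <limits.h>
#include <stdio.h>

/* Checks the allocation size h * pitch BEFORE computing it.
 * Returns 1 and stores the product in *size when it fits in an int,
 * 0 otherwise (negative geometry or overflow).
 * A post-hoc test such as `size / pitch != h` relies on an overflow
 * that has already happened; signed overflow is undefined behaviour, so
 * the compiler may assume it never occurred and delete that test.
 * Checking the operands first has no such weakness.
 * (GCC/Clang also provide __builtin_mul_overflow for the same purpose.) */
static int checked_surface_size(int h, int pitch, int *size)
{
    if (h < 0 || pitch < 0) {
        return 0;                       /* invalid geometry */
    }
    if (h != 0 && pitch > INT_MAX / h) {
        return 0;                       /* h * pitch would exceed INT_MAX */
    }
    *size = h * pitch;                  /* proven to fit, no overflow executed */
    return 1;
}

int main(void)
{
    /* constructed sample inputs: one normal surface, one that overflows */
    struct { int h, pitch; } cases[] = { {480, 2560}, {65536, 65536} };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int size;
        if (checked_surface_size(cases[i].h, cases[i].pitch, &size)) {
            printf("%d x %d -> %d bytes\n", cases[i].h, cases[i].pitch, size);
        } else {
            printf("%d x %d -> rejected (overflow)\n", cases[i].h, cases[i].pitch);
        }
    }
    return 0;
}
```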
Comment 3 Sam Lantinga 2017-10-16 21:58:39 UTC
Fixed, thanks!
https://hg.libsdl.org/SDL/rev/81a4950907a0
Comment 4 Sam Lantinga 2017-10-16 21:58:58 UTC
This will be in for 2.0.7 release.