We are currently migrating Bugzilla to GitHub issues.
Any changes made to the bug tracker now will be lost, so please do not post new bugs or make changes to them.
When we're done, all bug URLs will redirect to their equivalent location on the new bug tracker.

Bug 4499

Summary: Heap-Buffer Overflow in SDL_GetRGB pertaining to SDL_pixels.c
Product: SDL Reporter: Radue <epitectus.agamemon>
Component: videoAssignee: Sam Lantinga <slouken>
Status: RESOLVED FIXED QA Contact: Sam Lantinga <slouken>
Severity: critical    
Priority: P2 CC: ppisar
Version: HG 2.1   
Hardware: x86_64   
OS: Linux   
Attachments: PoC

Description Radue 2019-02-07 23:16:54 UTC 
A heap-buffer overflow vulnerability was discovered in SDL-1.2.15 library.

Asan report: 

=================================================================
==22885==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200006b7c8 at pc 0x7ff12191f442 bp 0x7ffc642d4e90 sp 0x7ffc642d4e88
READ of size 1 at 0x60200006b7c8 thread T0
    #0 0x7ff12191f441 in SDL_GetRGB /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/video/SDL_pixels.c:416:8
    #1 0x7ff12192d2fa in SDL_ConvertSurface /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/video/SDL_surface.c:877:4
    #2 0x7ff121932a40 in SDL_DisplayFormat /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/video/SDL_video.c:946:9
    #3 0x4dba11 in LoadSprite /home/radu/apps/sdl_player_lib/SDL-1.2.15/test/testsprite.c:41:9
    #4 0x4dbc8f in main /home/radu/apps/sdl_player_lib/SDL-1.2.15/test/testsprite.c:98:7
    #5 0x7ff12060682f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #6 0x435528 in _start (/home/radu/apps/sdl_player_lib/SDL-1.2.15/test/testsprite+0x435528)

0x60200006b7c8 is located 8 bytes to the left of 16-byte region [0x60200006b7d0,0x60200006b7e0)
freed by thread T0 here:
    #0 0x4bc212 in __interceptor_free (/home/radu/apps/sdl_player_lib/SDL-1.2.15/test/testsprite+0x4bc212)
    #1 0x7ff1203c8dc7  (/usr/lib/x86_64-linux-gnu/libxcb.so.1+0xadc7)

previously allocated by thread T0 here:
    #0 0x4bc4f2 in malloc (/home/radu/apps/sdl_player_lib/SDL-1.2.15/test/testsprite+0x4bc4f2)
    #1 0x7ff1203ca2aa  (/usr/lib/x86_64-linux-gnu/libxcb.so.1+0xc2aa)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/video/SDL_pixels.c:416 SDL_GetRGB
Shadow bytes around the buggy address:
  0x0c04800056a0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c04800056b0: fa fa 00 00 fa fa 00 04 fa fa 00 04 fa fa 00 04
  0x0c04800056c0: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa 00 04
  0x0c04800056d0: fa fa 00 04 fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c04800056e0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
=>0x0c04800056f0: fa fa fd fd fa fa fd fd fa[fa]fd fd fa fa fd fd
  0x0c0480005700: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c0480005710: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c0480005720: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c0480005730: fa fa fd fd fa fa 00 fa fa fa 00 00 fa fa fd fd
  0x0c0480005740: fa fa fd fd fa fa fd fd fa fa 07 fa fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==22885==ABORTING
Comment 1 Radue 2019-02-08 08:38:46 UTC 
Created attachment 3605 [details]
PoC
Comment 2 Radue 2019-02-08 08:39:29 UTC 
PoC: See attachment

Reproducing steps: 

1. Download SDL-1.2.15 library
2. ./configure with Asan enabled
3. ./make
4. sudo make install
5. cd examples
6. ./configure with Asan enabled
7. make
8. ./testsprite PoC
Comment 3 Radue 2019-02-10 14:57:33 UTC 
Assigned CVE-2019-7636 by MITRE.
Comment 4 Petr Pisar 2019-02-18 13:49:32 UTC 
This POC BMP image has invalid number of colors (biClrUsed=3, biBitCount=0). In my case this results into invalid write when parsing the BMP file:

==7124== Invalid write of size 1
==7124==    at 0x483F7B3: memmove (vg_replace_strmem.c:1271)
==7124==    by 0x4AE06EA: _IO_file_xsgetn (in /usr/lib64/libc-2.29.so)
==7124==    by 0x4AD4FE6: fread (in /usr/lib64/libc-2.29.so)
==7124==    by 0x4859F70: stdio_read (SDL_rwops.c:336)
==7124==    by 0x487EAF1: SDL_LoadBMP_RW (SDL_bmp.c:246)
==7124==    by 0x401359: LoadSprite (testsprite.c:36)
==7124==    by 0x401B25: main (testsprite.c:224)

In case of the original report, SDL_GetRGB() function reads from 
fmt->palette->colors[] array that is badly allocated because of the invalid number of colors.

A fix for this issue is covered by patch for bug #4500.