We are currently migrating Bugzilla to GitHub issues.
Any changes made to the bug tracker now will be lost, so please do not post new bugs or make changes to them.
When we're done, all bug URLs will redirect to their equivalent location on the new bug tracker.

Bug 4627

Summary: an out-of-bounds read in function SDL_FreePalette_REAL at SDL_pixels.c:731-9
Product: SDL_image Reporter: pwd <teamseri0us360>
Component: miscAssignee: Sam Lantinga <slouken>
Status: RESOLVED FIXED QA Contact: Sam Lantinga <slouken>
Severity: normal    
Priority: P2 CC: hle
Version: 2.0.4   
Hardware: x86_64   
OS: Linux   
Attachments: poc

Description pwd 2019-05-09 06:46:23 UTC 
Created attachment 3779 [details]
poc

# libsdl2

## version

    libsdl2 2.0.9

## others

    please send email to  teamseri0us360@gmail.com if you have any questions.

---------------------

## SDL_FreePalette_REAL@SDL_pixels.c:731-9___SEGV_UNKNOW

### description

    An issue was discovered in libsdl2 2.0.9 with SDL2_image-2.0.4, There is an out-of-bounds read in function SDL_FreePalette_REAL at SDL_pixels.c:731-9

### commandline

    loadjpg  @@ 

### source

```c
 727     if (!palette) {
 728         SDL_InvalidParamError("palette");
 729         return;
 730     }
> 731     if (--palette->refcount > 0) {
 732         return;
 733     }
 734     SDL_free(palette->colors);
 735     SDL_free(palette);
 736 }

// Breakpoint 2, SDL_FreePalette_REAL (palette=0x60300000efe0) at /src/libsdl2/src/video/SDL_pixels.c:731
// 731         if (--palette->refcount > 0) {
// (gdb) p palette
// $4 = (SDL_Palette *) 0x60300000efe0
// (gdb) c
// Continuing.

// Breakpoint 2, SDL_FreePalette_REAL (palette=0xe7f301010004ff0b) at /src/libsdl2/src/video/SDL_pixels.c:731
// 731         if (--palette->refcount > 0) {
// (gdb) p palette
// $5 = (SDL_Palette *) 0xe7f301010004ff0b
// (gdb)
```

### bug report

```txt
ASAN:DEADLYSIGNAL
=================================================================
==3914==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f61229a1ea0 bp 0x0c0c00001df9 sp 0x7fffa5db4690 T0)
    #0 0x7f61229a1e9f in SDL_FreePalette_REAL /src/libsdl2/src/video/SDL_pixels.c:731:9
    #1 0x7f61229a1e9f in SDL_SetPixelFormatPalette_REAL /src/libsdl2/src/video/SDL_pixels.c:685
    #2 0x7f61229b3f96 in SDL_SetSurfacePalette_REAL /src/libsdl2/src/video/SDL_surface.c:221:9
    #3 0x7f61229b3f96 in SDL_FreeSurface_REAL /src/libsdl2/src/video/SDL_surface.c:1233
    #4 0x7f6122d070b1 in IMG_LoadPCX_RW /src/SDL2_image-2.0.4/IMG_pcx.c:252:13
    #5 0x7f6122cf49bd in IMG_LoadTyped_RW /src/SDL2_image-2.0.4/IMG.c:195:17
    #6 0x7f6122cf3f41 in IMG_Load /src/SDL2_image-2.0.4/IMG.c:136:12
    #7 0x4ea140 in main /src/loadjpg.c:8:37
    #8 0x7f61217fa82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #9 0x418a38 in _start (/src/aflbuild/installed/bin/loadjpg+0x418a38)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /src/libsdl2/src/video/SDL_pixels.c:731:9 in SDL_FreePalette_REAL
==3914==ABORTING

```

### others

    from fuzz project pwd-libsdl2-loadjpg-00
    crash name pwd-libsdl2-loadjpg-00-00000001-20190418.jpg
    Auto-generated by pyspider at 2019-04-18 06:32:03
Comment 1 Hugo Lefeuvre 2019-05-28 14:52:21 UTC 
This issue was assigned CVE-2019-12220.

I confirm that the bug is located in SDL_image.

This issue is very similar to #4621 (CVE-2019-12222) and is fixed by the same patch ([PATCH] pcx: cast size and check calloc return value).
Comment 2 Hugo Lefeuvre 2019-05-28 14:52:54 UTC 
(see https://bugzilla.libsdl.org/show_bug.cgi?id=4621)
Comment 3 Sam Lantinga 2019-06-10 23:21:42 UTC 
This is fixed, thanks!