
Bug 5200

Summary: CVE-2020-14409 and CVE-2020-14410
Product: SDL
Reporter: Carlos Andres Ramirez <antaigroupltda>
Component: video
Assignee: Sam Lantinga <slouken>
Status: RESOLVED FIXED
QA Contact: Sam Lantinga <slouken>
Severity: critical
Priority: P2
Version: 2.0.12
Hardware: x86_64
OS: All

Description Carlos Andres Ramirez 2020-06-19 03:26:05 UTC
This has recently been FIXED, added here for reference for all parties.

On June 17th, two security issues were reported to the SDL team in regard to (1) a Buffer Overflow in video/SDL_blit_N.c and (2) an Integer Overflow leading to Heap Corruption in video/SDL_blit_copy.c. As a result of both of these issues, an attacker could crash/DOS/take control of the application via a specially crafted .BMP file.

A patch was quickly released by the team.

*DETAILS*
After analysis of the PoC, both of the issues were fixed by making several changes in three different parts of video/SDL_surface.c, which prevents the bad input from reaching the exploitable functions.

Changed in SDL_surface.c
- Function SDL_CalculatePitch()
- Function SDL_CreateRGBSurfaceWithFormat()
- SDL_COMPILE_TIME_ASSERT()
Changeset: https://hg.libsdl.org/SDL/rev/3f9b4e92c1d9

For reference, these have been assigned CVE IDs CVE-2020-14409 for the Integer Overflow/Heap Corruption and CVE-2020-14410 for the Out-of-Bounds Read BoF.

----
Carlos Andres Ramirez Catano
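The integer-overflow class behind CVE-2020-14409, as an added example that is not SDL's own code and not the linked changeset: a naive 32-bit pitch computation that silently wraps, beside a checked version that rejects the input instead. The width and height values are constructed to illustrate the failure mode.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative of the bug class only, not SDL's code: row pitch computed as
 * width * bytes-per-pixel in 32-bit arithmetic, then rounded up to 4 bytes.
 * For width = 2^30 and 4 bytes per pixel the product is 2^32, which wraps to 0,
 * so a buffer sized from this pitch is far too small for the rows a blit
 * will later write into it. */
static uint32_t naive_pitch(uint32_t width, uint32_t bytes_per_pixel)
{
    uint32_t pitch = width * bytes_per_pixel;   /* silently wraps */
    return (pitch + 3u) & ~3u;
}

/* Hardened version: validate the inputs, do the multiply in 64 bits, and
 * refuse any result that would not fit the int pitch field.
 * Returns the pitch, or -1 if the surface dimensions are unacceptable. */
static int checked_pitch(int width, int bytes_per_pixel)
{
    long long pitch;
    if (width < 0 || bytes_per_pixel < 1 || bytes_per_pixel > 4)
        return -1;
    pitch = (long long)width * bytes_per_pixel;
    pitch = (pitch + 3) & ~3LL;              /* 4-byte row alignment */
    return pitch > INT_MAX ? -1 : (int)pitch;
}

/* Bytes needed for the whole pixel buffer, or -1 on rejection.  pitch and
 * height are both <= INT_MAX, so the 64-bit product cannot overflow. */
static long long checked_surface_bytes(int width, int height, int bytes_per_pixel)
{
    int pitch = checked_pitch(width, bytes_per_pixel);
    if (pitch < 0 || height < 0)
        return -1;
    return (long long)pitch * height;
}

int main(void)
{
    /* constructed header values; 1 << 30 is the kind of width a hostile file could carry */
    printf("naive pitch for 2^30 x 4 bpp: %u\n", naive_pitch(1u << 30, 4));
    printf("checked pitch for the same:   %d\n", checked_pitch(1 << 30, 4));
    printf("640x480x32 needs %lld bytes\n", checked_surface_bytes(640, 480, 4));
    return 0;
}
```

The same check must run before any allocation that depends on the pitch, since a wrapped pitch only becomes a heap overflow once the undersized buffer is handed to the blitter.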
Comment 1 Sam Lantinga 2020-06-19 17:35:53 UTC
Thanks for the report!

FYI, the change to SDL_COMPILE_TIME_ASSERT() was not necessary and was rolled back in a later commit.