Bug 3890 - Incomplete fix for CVE-2017-2888
Summary: Incomplete fix for CVE-2017-2888
Status: RESOLVED FIXED
Alias: None
Product: SDL
Classification: Unclassified
Component: video
Version: HG 2.1
Hardware: x86_64 Linux
Importance: P2 normal
Assignee: Sam Lantinga
QA Contact: Sam Lantinga
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-10-16 19:32 UTC by Felix Geyer
Modified: 2017-10-16 21:58 UTC
CC: 1 user

See Also:


Description Felix Geyer 2017-10-16 19:32:58 UTC
http://hg.libsdl.org/SDL/rev/7e0f1498ddb5 tries to fix CVE-2017-2888.
Unfortunately, compilers may optimize the second condition "(size / surface->pitch) != surface->h" away.
See https://bugzilla.redhat.com/show_bug.cgi?id=1500623#c2
I've verified that this is also the case on Debian unstable (gcc 7.2).
Comment 1 Ozkan Sezer 2017-10-16 20:42:47 UTC
Naive question: does making size volatile help with it?
Comment 2 Felix Geyer 2017-10-16 21:16:14 UTC
(In reply to Ozkan Sezer from comment #1)
> Naive question: does making size volatile help with it?

Yes. It's quite a big hammer, but will avoid the unwanted optimization.
Comment 3 Sam Lantinga 2017-10-16 21:58:39 UTC
Fixed, thanks!
https://hg.libsdl.org/SDL/rev/81a4950907a0
Comment 4 Sam Lantinga 2017-10-16 21:58:58 UTC
This will be in for the 2.0.7 release.
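The three variants discussed in this thread side by side, as an added example that is not SDL's code: the post-hoc "multiply, then divide back" check the description says compilers may remove, the volatile variant proposed in comment 1 and adopted in the fix, and a check that decides from the operands before multiplying. Function names, the positive-dimension guard and the sample inputs are this example's own assumptions, not taken from SDL.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Post-hoc check in the shape the report describes: multiply, then test
 * whether dividing the product back yields h. Signed overflow is undefined
 * behaviour in C, so an optimising compiler may assume pitch * h did not
 * overflow, fold (size / pitch) != h to false and, with both operands
 * known positive, fold size < 0 to false as well. The function may then
 * accept products that do not fit in an int. (Example code, not SDL's.) */
bool size_ok_posthoc(int pitch, int h)
{
    if (pitch <= 0 || h <= 0) {      /* assumed policy; also keeps the */
        return false;                /* division below well defined    */
    }
    int size = pitch * h;            /* undefined behaviour on overflow */
    if (size < 0 || (size / pitch) != h) {
        return false;
    }
    return true;
}

/* The volatile variant: the compiler must use the value actually stored
 * in size, so it can no longer reason about the expression symbolically
 * and fold the tests away. It still relies on the multiplication wrapping
 * in two's complement, which the C standard does not guarantee. */
bool size_ok_volatile(int pitch, int h)
{
    if (pitch <= 0 || h <= 0) {
        return false;
    }
    volatile int size = pitch * h;
    if (size < 0 || (size / pitch) != h) {
        return false;
    }
    return true;
}

/* A check with no undefined behaviour for the optimiser to exploit:
 * decide from the operands whether pitch * h fits before computing it.
 * Returns the product, or -1 when the dimensions are invalid or the
 * product would exceed INT_MAX. */
int checked_size(int pitch, int h)
{
    if (pitch <= 0 || h <= 0) {
        return -1;
    }
    if (h > INT_MAX / pitch) {       /* pitch * h would exceed INT_MAX */
        return -1;
    }
    return pitch * h;                /* provably in range */
}

/* Constructed inputs: INT_MAX * 3 wraps to a positive value in two's
 * complement, so a correctly executed post-hoc check rejects it via the
 * division test, while a folded one has nothing left to reject it with.
 * Build once with -O0 and once with -O2 and compare the first line. */
int main(void)
{
    printf("posthoc  (INT_MAX, 3): %d\n", size_ok_posthoc(INT_MAX, 3));
    printf("volatile (INT_MAX, 3): %d\n", size_ok_volatile(INT_MAX, 3));
    printf("checked  (INT_MAX, 3): %d\n", checked_size(INT_MAX, 3));
    printf("checked  (2560, 480):  %d\n", checked_size(2560, 480));
    return 0;
}
```

Whether the first line prints 0 or 1 depends on the compiler and optimisation level, which is exactly the report's point; the other two functions give the same answer regardless. The operand pre-check is the form to prefer in new code, since it never executes the overflowing multiplication and so leaves the optimiser nothing to assume away.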