
Bug 4497 - Heap Buffer Overflow on SDL_FillRect pertaining to SDL_video
Summary: Heap Buffer Overflow on SDL_FillRect pertaining to SDL_video
Status: RESOLVED FIXED
Alias: None
Product: SDL
Classification: Unclassified
Component: video
Version: HG 1.2
Hardware: x86_64 Linux
Importance: P2 critical
Assignee: Sam Lantinga
QA Contact: Sam Lantinga
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-02-07 13:46 UTC by Radue
Modified: 2019-08-01 21:36 UTC
CC: 3 users

See Also:


Attachments
Fix (6.78 KB, patch)
2019-02-18 13:19 UTC, Petr Pisar

Description Radue 2019-02-07 13:46:27 UTC
PoC

A heap buffer overflow vulnerability was discovered in the SDL-1.2.15 library.

ASan output:

=================================================================
==25760==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f02111c5080 at pc 0x7f0216173b6a bp 0x7ffe2d19de10 sp 0x7ffe2d19de08
WRITE of size 4 at 0x7f02111c5080 thread T0
    #0 0x7f0216173b69 in SDL_FillRect /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/video/SDL_surface.c:610:5
    #1 0x7f0216178d3d in SDL_ClearSurface /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/video/SDL_video.c:507:2
    #2 0x7f0216178d3d in SDL_SetVideoMode /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/video/SDL_video.c:729
    #3 0x4dcf68 in CreateScreen /home/radu/apps/sdl_player_lib/SDL-1.2.15/test/graywin.c:112:11
    #4 0x4dd9d5 in main /home/radu/apps/sdl_player_lib/SDL-1.2.15/test/graywin.c:192:11
    #5 0x7f0214e4e82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #6 0x435588 in _start (/home/radu/apps/sdl_player_lib/SDL-1.2.15/test/graywin+0x435588)

0x7f02111c5080 is located 0 bytes to the right of 31455360-byte region [0x7f020f3c5800,0x7f02111c5080)
allocated by thread T0 here:
    #0 0x4bc552 in malloc (/home/radu/apps/sdl_player_lib/SDL-1.2.15/test/graywin+0x4bc552)
    #1 0x7f02161ada7c in X11_SetupImage /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/video/x11/SDL_x11image.c:105:20

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/video/SDL_surface.c:610 SDL_FillRect
==25760==ABORTING

Steps to reproduce:

1. Download SDL-1.2.15 library
2. ./configure with Asan enabled
3. ./make
4. sudo make install
5. cd examples
6. ./configure with Asan enabled
7. make
8. cd test
9. ./graywin -width 21312312313123213213213
Comment 1 Radue 2019-02-10 14:58:42 UTC
Assigned CVE-2019-7637 by MITRE.
Comment 2 Petr Pisar 2019-02-18 11:13:55 UTC
The width value from the "./graywin -width 21312312313123213213213" command is misinterpreted by atoi() as -1 and then passed as a Uint16 argument to the CreateScreen() function. From then on the width has the value 65535 and travels to SDL_CalculatePitch(), where width (65535) is multiplied by BytesPerPixel (4) and the result is stored into a Uint16 pitch. This is the root cause, because the pitch is clamped to 65532. As a result an SDL_Surface with a pitch smaller than width * BytesPerPixel is created, a too-small pixel buffer is allocated, and when the SDL_Surface is processed in SDL_FillRect a buffer overflow occurs.
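A worked model of the chain in Comment 2, added here as an illustration and not SDL's own code: the -1 width reinterpreted as 65535, the Uint16 pitch wrapping to 65532, the undersized pixel buffer, and a checked pitch computation beside the truncating one. It assumes a height of 480 (graywin's default), which reproduces the 31455360-byte region in the ASan output, and that the pixel buffer is height * pitch bytes.

```c
#include <stdint.h>
#include <stdio.h>

/* Local stand-ins for SDL's Uint16/Uint32 (assumption: not SDL's headers). */
typedef uint16_t Uint16;
typedef uint32_t Uint32;

/* Step 1 (Comment 2): the parsed width of -1 passed as a Uint16 argument. */
Uint16 width_as_uint16(int parsed_width)
{
    return (Uint16)parsed_width;                /* -1 becomes 65535 */
}

/* Step 2: SDL_CalculatePitch() in 1.2.15 stored width * BytesPerPixel in a
 * Uint16 pitch, so the product silently wraps modulo 65536. */
Uint16 pitch_truncated(Uint16 width, Uint32 bytes_per_pixel)
{
    return (Uint16)(width * bytes_per_pixel);   /* 65535 * 4 -> 65532 */
}

/* Hardened variant: compute in 64 bits and refuse any pitch the Uint16
 * field cannot hold (returns 0, which no valid surface has). */
Uint32 pitch_checked(Uint16 width, Uint32 bytes_per_pixel)
{
    uint64_t pitch = (uint64_t)width * bytes_per_pixel;
    return pitch > UINT16_MAX ? 0 : (Uint32)pitch;
}

/* Pixel buffer size modelled as height * pitch (assumption); with the
 * wrapped pitch and height 480 it equals the 31455360-byte ASan region. */
uint64_t alloc_bytes(Uint32 pitch, Uint16 height)
{
    return (uint64_t)pitch * height;
}

/* A full-surface fill writes rows of width * bpp bytes at pitch-sized
 * strides, so its last byte lies (height - 1) * pitch + width * bpp into
 * the buffer; a positive result is how far past the allocation it runs. */
int64_t overflow_bytes(Uint16 width, Uint16 height, Uint32 bpp, Uint32 pitch)
{
    uint64_t last = (uint64_t)(height - 1) * pitch + (uint64_t)width * bpp;
    return (int64_t)last - (int64_t)alloc_bytes(pitch, height);
}

int main(void)
{
    Uint16 w = width_as_uint16(-1);
    Uint16 p = pitch_truncated(w, 4);
    printf("width=%hu pitch=%hu alloc=%llu overflow=%lld checked=%u\n",
           w, p, (unsigned long long)alloc_bytes(p, 480),
           (long long)overflow_bytes(w, 480, 4, p), pitch_checked(w, 4));
    return 0;
}
```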
Comment 3 Petr Pisar 2019-02-18 13:19:39 UTC
Created attachment 3630
Fix
Comment 4 Sam Lantinga 2019-03-17 02:17:42 UTC
Fixed, thanks!
https://hg.libsdl.org/SDL/rev/9b0e5c555c0f
Comment 5 Anselmo L. S. Melo 2019-06-27 23:11:34 UTC
According to the description of CVE-2019-7637, this issue also affects SDL2 <= 2.0.9. Is that accurate?
Comment 6 Sam Lantinga 2019-07-01 06:41:52 UTC
No, SDL 2.0 is not vulnerable, this was fixed here:
https://hg.libsdl.org/SDL/rev/81a4950907a0
Comment 7 Ozkan Sezer 2019-08-01 21:36:39 UTC
(In reply to Sam Lantinga from comment #4)
> Fixed, thanks!
> https://hg.libsdl.org/SDL/rev/9b0e5c555c0f

This patch made copy+paste mistakes which resulted in
Windows versions failing to set the video mode. Fixed now:
https://hg.libsdl.org/SDL/rev/32075e9e2135