Bug 5200 - CVE-2020-14409 and CVE-2020-14410
Summary: CVE-2020-14409 and CVE-2020-14410
Status: RESOLVED FIXED
Alias: None
Product: SDL
Classification: Unclassified
Component: video
Version: 2.0.12
Hardware: x86_64 All
Importance: P2 critical
Assignee: Sam Lantinga
QA Contact: Sam Lantinga
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-06-19 03:26 UTC by Carlos Andres Ramirez
Modified: 2020-06-19 17:35 UTC

See Also:

Description Carlos Andres Ramirez 2020-06-19 03:26:05 UTC
This has recently been FIXED, added here for reference for all parties.

On June 17th, two security issues were reported to the SDL team regarding (1) a Buffer Overflow in video/SDL_blit_N.c and (2) an Integer Overflow leading to Heap Corruption in video/SDL_blit_copy.c. As a result of both of these issues, an attacker could crash/DOS/take control of the application via an especially crafted .BMP file.

A patch was quickly released by the team.

*DETAILS*
After analysis of the PoC, both of the issues were fixed by doing several changes in three different parts of video/SDL_surface.c, which prevents the bad input from reaching the exploitable functions.

Changed in SDL_surface.c
- Function SDL_CalculatePitch()
- Function SDL_CreateRGBSurfaceWithFormat()
- SDL_COMPILE_TIME_ASSERT()
Changeset: https://hg.libsdl.org/SDL/rev/3f9b4e92c1d9

For reference, these have been assigned CVE IDs CVE-2020-14409 for the Integer Overflow/Heap Corruption and CVE-2020-14410 for the Out-of-Bounds Read BoF.

----
Carlos Andres Ramirez Catano
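An added example, not SDL's code and not part of the report above, showing the class of check the description attributes to the changes in SDL_CalculatePitch() and SDL_CreateRGBSurfaceWithFormat(): the row pitch and the total buffer size are computed in a 64-bit intermediate and rejected when they cannot be represented in a 32-bit int, so a crafted width/height/bpp combination from an image header is refused before any allocation or blit can act on a wrapped size. The function names checked_pitch and checked_surface_size, the 4-byte row alignment and the INT_MAX limit are assumptions chosen for illustration, not SDL's actual rules.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not SDL's code. Every product is formed in 64 bits and
 * compared against INT_MAX before being narrowed, so an oversized header is
 * rejected instead of wrapping into a small allocation that a blitter would
 * later overrun. The 4-byte alignment and INT_MAX limit are assumptions. */

/* Compute the aligned row pitch for a surface. Returns 0 and stores the pitch
 * in *pitch, or -1 when the inputs are invalid or the pitch would not fit. */
int checked_pitch(int width, int bits_per_pixel, int *pitch)
{
    if (pitch == NULL || width < 0 || bits_per_pixel <= 0 || bits_per_pixel > 32) {
        return -1;
    }
    /* 64-bit intermediate: the multiply itself cannot wrap for int inputs. */
    int64_t bytes = ((int64_t)width * bits_per_pixel + 7) / 8;
    /* Round up to a 4-byte boundary (assumed alignment for this example). */
    int64_t aligned = (bytes + 3) & ~(int64_t)3;
    if (aligned > INT_MAX) {
        return -1;          /* would wrap if stored in a 32-bit pitch field */
    }
    *pitch = (int)aligned;
    return 0;
}

/* Compute the total pixel buffer size (pitch * height). Returns 0 and stores
 * the size in *size, or -1 when the product would exceed INT_MAX. */
int checked_surface_size(int width, int height, int bits_per_pixel, size_t *size)
{
    int pitch;
    if (size == NULL || height < 0) {
        return -1;
    }
    if (checked_pitch(width, bits_per_pixel, &pitch) != 0) {
        return -1;
    }
    /* pitch and height are both <= INT_MAX, so the product fits in 64 bits. */
    int64_t total = (int64_t)pitch * (int64_t)height;
    if (total > INT_MAX) {
        return -1;          /* a 32-bit multiply here would have wrapped */
    }
    *size = (size_t)total;
    return 0;
}

int main(void)
{
    /* Constructed inputs: a normal 640x480x32 surface, and a header whose
     * pitch * height does not fit a 32-bit int (a 32-bit multiply would wrap). */
    size_t size;
    if (checked_surface_size(640, 480, 32, &size) == 0) {
        printf("640x480x32: %zu bytes\n", size);
    }
    if (checked_surface_size(46341, 46341, 8, &size) != 0) {
        printf("46341x46341x8: rejected (pitch * height overflows int)\n");
    }
    return 0;
}
```

The point of the 46341x46341 case is that 46344 * 46341 exceeds INT_MAX by only a little: a 32-bit signed multiply would wrap, and a check placed after the narrowing would see a plausible value. Validating in the wider type, before the size is stored or passed to an allocator, is what keeps the bad input from reaching the copy routines.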
Comment 1 Sam Lantinga 2020-06-19 17:35:53 UTC
Thanks for the report!

FYI, the change to SDL_COMPILE_TIME_ASSERT() was not necessary and was rolled back in a later commit.