This bug report was migrated from our old Bugzilla tracker.
Reported in version: 2.0.12
Reported for operating system, platform: All, x86_64
Comments on the original bug report:
On 2020-06-19 03:26:05 +0000, Carlos Andres Ramirez wrote:
This has recently been FIXED, added here for reference for all parties.
On June 17th, two security issues were reported to the SDL team regarding (1) a Buffer Overflow in video/SDL_blit_N.c and (2) an Integer Overflow leading to Heap Corruption in video/SDL_blit_copy.c. As a result of both of these issues, an attacker could crash/DOS/take control of the application via a specially crafted .BMP file.
A patch was quickly released by the team.
DETAILS
After analysis of the PoC, both of the issues were fixed by making several changes in three different parts of video/SDL_surface.c, which prevent the bad input from reaching the exploitable functions.
For reference, these have been assigned CVE IDs CVE-2020-14409 for the Integer Overflow/Heap Corruption and CVE-2020-14410 for the Out-of-Bounds Read BoF.
Carlos Andres Ramirez Catano
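The class of check the report describes (rejecting bad surface dimensions before any blit routine sees them), as an added example that is not SDL's patch and not part of the original report. The function names, the 4-byte row alignment and the 32-bit size limit are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Unchecked 32-bit arithmetic, shown for contrast: the products wrap silently
 * (unsigned is used so the wrap is defined behaviour in this demo). */
uint32_t naive_surface_size(uint32_t width, uint32_t height, uint32_t bpp)
{
    uint32_t pitch = ((width * bpp + 7) / 8 + 3) & ~3u;  /* may wrap */
    return pitch * height;                               /* may wrap */
}

/* Hypothetical validator (not an SDL function): computes the 4-byte-aligned
 * row pitch and total buffer size in 64-bit math and rejects anything that
 * does not fit a positive 32-bit int. Returns 0 on success, -1 on reject. */
int checked_surface_size(int32_t width, int32_t height, int bpp,
                         int32_t *pitch_out, size_t *size_out)
{
    if (width <= 0 || height <= 0 || bpp <= 0 || bpp > 32)
        return -1;

    int64_t pitch = ((int64_t)width * bpp + 7) / 8;  /* < 2^33, cannot wrap */
    pitch = (pitch + 3) & ~(int64_t)3;               /* align rows to 4 bytes */
    if (pitch > INT32_MAX)
        return -1;

    int64_t total = pitch * (int64_t)height;         /* < 2^62, cannot wrap */
    if (total > INT32_MAX)
        return -1;

    *pitch_out = (int32_t)pitch;
    *size_out = (size_t)total;
    return 0;
}

int main(void)
{
    int32_t pitch = 0;
    size_t size = 0;
    /* Constructed header values: 65536 x 65536 at 8 bpp is 2^32 bytes. */
    printf("naive size:   %u\n", (unsigned)naive_surface_size(65536, 65536, 8));
    printf("checked call: %d\n", checked_surface_size(65536, 65536, 8, &pitch, &size));
    if (checked_surface_size(640, 480, 24, &pitch, &size) == 0)
        printf("640x480x24: pitch=%d size=%zu\n", (int)pitch, size);
    return 0;
}
```

With the unchecked arithmetic, an allocation sized from the wrapped value is far smaller than the rows a copy loop would later walk, which is how an integer overflow becomes heap corruption.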
On 2020-06-19 17:35:53 +0000, Sam Lantinga wrote:
Thanks for the report!
FYI, the change to SDL_COMPILE_TIME_ASSERT() was not necessary and was rolled back in a later commit.