From 73161afdf77e2cf90f47c9be0bc970dadedb5d7c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Fri, 15 Feb 2019 16:52:27 +0100
Subject: [PATCH 10/11] CVE-2019-7638, CVE-2019-7636: Refuse loading BMP images
 with too high number of colors
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If a BMP file that defines more colors than can fit into
a palette of color depth defined in the same BMP file is loaded by
SDL_LoadBMP_RW() function, invalid number of colors is set into
resulting SDL surface.

Then if the SDL surface is passed to SDL_DisplayFormat() function to
convert the surface format into a native video format, a buffer
overread will happen in Map1to1() or Map1toN() function
(CVE-2019-7638). (The choice of the mapping function depends on
a actual video hardware.)

In addition SDL_GetRGB() called indirectly from SDL_DisplayFormat()
performs the same buffer overread (CVE-2019-7636).

There is also probably a buffer overwrite when the SDL_LoadBMP_RW()
loads colors from a file.

This patch fixes it by refusing loading such badly damaged BMP files.

CVE-2019-7638
https://bugzilla.libsdl.org/show_bug.cgi?id=4500
CVE-2019-7636
https://bugzilla.libsdl.org/show_bug.cgi?id=4499

Signed-off-by: Petr Písař <ppisar@redhat.com>
---
 src/video/SDL_bmp.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c
index 8acae3bcb..8eadc5f66 100644
--- a/src/video/SDL_bmp.c
+++ b/src/video/SDL_bmp.c
@@ -233,6 +233,10 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc)
 	if ( palette ) {
 		if ( biClrUsed == 0 ) {
 			biClrUsed = 1 << biBitCount;
+		} else if ( biClrUsed > (1 << biBitCount) ) {
+			SDL_SetError("BMP file has an invalid number of colors");
+			was_error = SDL_TRUE;
+			goto done;
 		}
 		if ( biSize == 12 ) {
 			for ( i = 0; i < (int)biClrUsed; ++i ) {
-- 
2.21.0