From 73161afdf77e2cf90f47c9be0bc970dadedb5d7c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Fri, 15 Feb 2019 16:52:27 +0100
Subject: [PATCH 10/11] CVE-2019-7638, CVE-2019-7636: Refuse loading BMP images
with too high number of colors
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If a BMP file that defines more colors than can fit into
a palette of color depth defined in the same BMP file is loaded by
SDL_LoadBMP_RW() function, invalid number of colors is set into
resulting SDL surface.
Then if the SDL surface is passed to SDL_DisplayFormat() function to
convert the surface format into a native video format, a buffer
overread will happen in Map1to1() or Map1toN() function
(CVE-2019-7638). (The choice of the mapping function depends on
a actual video hardware.)
In addition SDL_GetRGB() called indirectly from SDL_DisplayFormat()
performs the same buffer overread (CVE-2019-7636).
There is also probably a buffer overwrite when the SDL_LoadBMP_RW()
loads colors from a file.
This patch fixes it by refusing loading such badly damaged BMP files.
CVE-2019-7638
https://bugzilla.libsdl.org/show_bug.cgi?id=4500
CVE-2019-7636
https://bugzilla.libsdl.org/show_bug.cgi?id=4499
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
src/video/SDL_bmp.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c
index 8acae3bcb..8eadc5f66 100644
--- a/src/video/SDL_bmp.c
+++ b/src/video/SDL_bmp.c
@@ -233,6 +233,10 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc)
if ( palette ) {
if ( biClrUsed == 0 ) {
biClrUsed = 1 << biBitCount;
+ } else if ( biClrUsed > (1 << biBitCount) ) {
+ SDL_SetError("BMP file has an invalid number of colors");
+ was_error = SDL_TRUE;
+ goto done;
}
if ( biSize == 12 ) {
for ( i = 0; i < (int)biClrUsed; ++i ) {
--
2.21.0