Subject: fix Heap-Buffer Overflow in Blit1to4 (IMG_bmp.c)
Author: Sam Lantinga <slouken@libsdl.org>
Origin: upstream, https://hg.libsdl.org/SDL_image/rev/03bd33e8cb49
--- a/IMG_bmp.c	2019-07-27 13:21:50.074165775 -0300
+++ b/IMG_bmp.c	2019-07-27 13:21:50.070165813 -0300
@@ -374,6 +374,14 @@
             ExpandBMP = biBitCount;
             biBitCount = 8;
             break;
+        case 2:
+        case 3:
+        case 5:
+        case 6:
+        case 7:
+            SDL_SetError("%d-bpp BMP images are not supported", biBitCount);
+            was_error = SDL_TRUE;
+            goto done;
         default:
             ExpandBMP = 0;
             break;
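Review bot: The added `case 2:` … `case 7:` list is a deny-list, so any other unexpected `biBitCount` (for example 0, or a value between 9 and 15) still falls into `default:` with `ExpandBMP = 0` and continues loading. Whether a later check rejects those depths is not visible in this hunk, and the switch itself starts above it. If nothing does, the tighter form is to list the depths the loader really supports as explicit cases and turn `default:` into the error path: `IMG_SetError("%d-bpp BMP images are not supported", biBitCount); was_error = SDL_TRUE; goto done;`. At minimum, `case 0:` belongs in the rejected group.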
@@ -514,13 +522,19 @@
                 if ( i%(8/ExpandBMP) == 0 ) {
                     if ( !SDL_RWread(src, &pixel, 1, 1) ) {
                         IMG_SetError("Error reading from BMP");
+                            was_error = SDL_TRUE;
+                            goto done;
+                        }
+                    }
+                    bits[i] = (pixel >> shift);
+                    if (bits[i] >= biClrUsed) {
+                        IMG_SetError("A BMP image contains a pixel with a color out of the palette");
                         was_error = SDL_TRUE;
                         goto done;
                     }
+                    pixel <<= ExpandBMP;
                 }
-                *(bits+i) = (pixel>>shift);
-                pixel <<= ExpandBMP;
-            } }
+            }
             break;
 
             default:
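Review bot: The new bound `if (bits[i] >= biClrUsed)` is only as strong as `biClrUsed`, which is set outside this hunk, so it is worth confirming that the value compared here is the number of palette entries that were actually allocated and filled. If `biClrUsed` can still be 0 at this point, every pixel is rejected. If it can exceed the palette's real size, the check passes indices that have no entry. A one-line comment would record the assumption, e.g. `/* biClrUsed == number of palette entries loaded; indices at or above it have no colour */`. The added lines are also indented one level deeper than the context lines around them (`was_error`/`goto done` under the read error, and the body after `if ( i%(8/ExpandBMP) == 0 )`), so the block should be re-indented to match its brace nesting.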
@@ -529,6 +543,15 @@
                 was_error = SDL_TRUE;
                 goto done;
             }
+            if (biBitCount == 8 && palette && biClrUsed < (1 << biBitCount)) {
+                for (i = 0; i < surface->w; ++i) {
+                    if (bits[i] >= biClrUsed) {
+                        SDL_SetError("A BMP image contains a pixel with a color out of the palette");
+                        was_error = SDL_TRUE;
+                        goto done;
+                    }
+                }
+            }
 #if SDL_BYTEORDER == SDL_BIG_ENDIAN
             /* Byte-swap the pixels if needed. Note that the 24bpp
                case has already been taken care of above. */
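Review bot: The out-of-palette error is raised with `SDL_SetError` here, while the identical message in the expanded-pixel hunk above uses `IMG_SetError`, as do the read-error paths; the unsupported-depth error in the first hunk uses `SDL_SetError` as well. Pick `IMG_SetError` throughout so the loader reports errors one way. The index scan is now written twice with the same body (here and in the `ExpandBMP` loop), so a small `static` helper taking `bits`, the row width and `biClrUsed` would keep the two checks from drifting apart. A comment on the guard would also help, e.g. `/* only scan when the palette is smaller than 256 entries; otherwise every 8-bit index is valid */`.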
