Package: sdl-image1.2 / 1.2.12-12

CVE-2019-5059.patch
Backport of upstream fix:

# HG changeset patch
# User Sam Lantinga <slouken@libsdl.org>
# Date 1560235821 25200
# Node ID 95fc7da55247a4368848144b9374a88a6494fd5c
# Parent  b1a80aec2b1037704b666d716505da6ba968cba9
Fixed TALOS-2019-0843 - XPM image color code code execution vulnerability

By providing a sufficiently large ncolors and cpp value, the buffer allocation size can overflow into a size too small to hold the color code string. This causes the memcpy to cause a heap overflow, potentially resulting in code execution.

--- sdl-image1.2-1.2.12.orig/IMG_xpm.c
+++ sdl-image1.2-1.2.12/IMG_xpm.c
@@ -373,6 +373,11 @@ static SDL_Surface *load_xpm(char **xpm,
 		goto done;
 	}
 
+	/* Check for allocation overflow */
+	if ((size_t)(ncolors * cpp)/cpp != ncolors) {
+		error = "Invalid color specification";
+		goto done;
+	}
 	keystrings = malloc(ncolors * cpp);
 	if(!keystrings) {
 		error = "Out of memory";
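Review bot: the new test `if ((size_t)(ncolors * cpp)/cpp != ncolors)` applies the cast to the finished product, so `ncolors * cpp` is still multiplied in the operands' own type. If those are signed int (their declarations are outside this hunk), the overflow being tested for is undefined behaviour and a compiler is allowed to drop the check. Suggest testing before multiplying, for example `if (cpp <= 0 || (size_t)ncolors > SIZE_MAX / (size_t)cpp)`, and widening the allocation as well, since the unchanged `malloc(ncolors * cpp)` has the same unwidened multiplication. The division by `cpp` also relies on `cpp` being non-zero, which nothing in this hunk shows being validated; a short comment pointing at the earlier check would help.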