Package: sdl-image1.2 / 1.2.12-12

IMG_pcx-out-of-bounds.patch Patch series | download
Description: fix multiple OOB issues in IMG_pcx.c
 This patch addresses the following issues: CVE-2019-12222, CVE-2019-12221,
 CVE-2019-12220, CVE-2019-12219 and CVE-2019-12217.
Author: Sam Lantinga <slouken@libsdl.org>, Hugo Lefeuvre <hle@debian.org>
Origin: upstream, https://hg.libsdl.org/SDL_image/rev/e7e9786a1a34
--- a/IMG_pcx.c	2019-07-23 11:56:00.765397153 -0300
+++ b/IMG_pcx.c	2019-07-23 11:51:23.082490857 -0300
@@ -148,18 +148,17 @@
 		goto done;
 
 	bpl = pcxh.NPlanes * pcxh.BytesPerLine;
-	if (bpl < 0 || bpl > surface->pitch) {
-		error = "bytes per line is too large (corrupt?)";
+	buf = (Uint8 *)SDL_calloc(bpl, 1);
+	if ( !buf ) {
+		error = "Out of memory";
 		goto done;
 	}
-	buf = (Uint8 *)SDL_calloc(surface->pitch, 1);
 	row = surface->pixels;
 	for ( y=0; y<surface->h; ++y ) {
 		/* decode a scan line to a temporary buffer first */
 		int i;
-		Uint8 *dst = buf;
 		if ( pcxh.Encoding == 0 ) {
-			if(!SDL_RWread(src, dst, bpl, 1)) {
+			if(!SDL_RWread(src, buf, bpl, 1)) {
 				error = "file truncated";
 				goto done;
 			}
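Review bot: With the `bpl < 0 || bpl > surface->pitch` test removed, nothing visible in this hunk rejects a zero or negative `bpl` before `SDL_calloc(bpl, 1)`. A negative product would presumably convert to a very large allocation size and surface as "Out of memory", which misreports a corrupt header, and a zero `bpl` may still return a non-NULL buffer that the later per-row copies read from. I would add `if ( bpl <= 0 ) { error = "invalid bytes per line (corrupt?)"; goto done; }` ahead of the allocation. The enclosing function starts and ends outside the hunk, so the header fields may already be range-checked there; that is worth confirming.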
@@ -180,7 +179,7 @@
 						}
 					}
 				}
-				dst[i] = ch;
+				buf[i] = ch;
 				count--;
 			}
 		}
@@ -202,13 +201,21 @@
 					}
 				}
 			}
+		} else if ( src_bits == 8 ) {
+			/* directly copy buf content to row */
+			Uint8 *innerSrc = buf;
+			int x;
+			Uint8 *dst = row;
+			for ( x = 0; x < width; x++ ) {
+				*dst++ = *innerSrc++;
+			}
  		} else if(src_bits == 24) {
 			/* de-interlace planes */
 			Uint8 *src = buf;
 			int plane;
 			for(plane = 0; plane < pcxh.NPlanes; plane++) {
 				int x;
-				dst = row + plane;
+				Uint8 *dst = row + plane;
 				for(x = 0; x < width; x++) {
 					if ( dst >= row+surface->pitch ) {
 						error = "decoding out of bounds (corrupt?)";
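Review bot: The new `src_bits == 8` branch copies `width` bytes out of `buf`, but `buf` is now allocated with only `bpl` bytes and nothing in the visible lines ties `width` to `bpl`. If a header declares a `BytesPerLine` smaller than the image width, `*innerSrc++` would read past the end of the allocation. The 24-bit branch below looks similar on the read side, since it bounds `dst` against `row+surface->pitch` but not `src` against `buf + bpl`. A guard before the row loop such as `if ( width > bpl ) { error = "bytes per line is too small (corrupt?)"; goto done; }`, with the matching `width * pcxh.NPlanes` comparison for the 24-bit case, would close both. The function body begins and ends outside this hunk, so an earlier check may already exist.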
@@ -218,8 +225,6 @@
 					dst += pcxh.NPlanes;
 				}
 			}
-		} else {
-			SDL_memcpy(row, buf, bpl);
 		}
 
 		row += surface->pitch;