Package: sdl-image1.2 / 1.2.12-5+deb8u1

CVE-2017-14448.patch Patch series | download
Description: xcf: deal with bogus data in rle tile decoding.
Origin: upstream, https://hg.libsdl.org/SDL_image/rev/7df1580f1695

--- a/IMG_xcf.c
+++ b/IMG_xcf.c
@@ -470,6 +470,7 @@ static unsigned char * load_xcf_tile_rle (SDL_RWops * src, Uint32 len, int bpp,
   reallen = SDL_RWread (src, t, 1, len);
 
   data = (unsigned char *) malloc (x*y*bpp);
+  data = (unsigned char *) calloc (1, x*y*bpp);
   for (i = 0; i < bpp; i++) {
     d    = data + i;
     size = x*y;
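Review bot: The `malloc` line is kept as context and the `calloc` line is added directly after it, so the first allocation is overwritten and leaked on every tile decode; the `malloc` line should be removed, not supplemented. The `calloc` result is also used by `d = data + i` without a NULL check, so a guard such as `if (data == NULL) { free (load); return NULL; }` is worth adding, provided callers tolerate NULL (they are not visible here). The size `x*y*bpp` is multiplied before the call, so calloc's own overflow check never sees the factors; passing them separately, e.g. `calloc ((size_t) x * y, bpp)`, would help if these are plain ints, as the signature in the hunk header suggests for `bpp`. The function body starts and ends outside this hunk.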
@@ -486,6 +487,12 @@ static unsigned char * load_xcf_tile_rle (SDL_RWops * src, Uint32 len, int bpp,
 	  t += 2;
 	}
 
+	if (((size_t) (t - load) + length) >= len) {
+		break;  /* bogus data */
+	} else if (length > size) {
+		break;  /* bogus data */
+	}
+
 	count += length;
 	size -= length;
 
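Review bot: Both new bounds checks (this one and the one in the next hunk) compare against `len`, the requested size, while the first hunk's context shows the byte count actually read is stored in `reallen`. After a short `SDL_RWread` the checks would still admit reads from the unfilled tail of the buffer, so `reallen` looks like the right limit. The `t += 2` context line also suggests the length bytes are fetched from `t` before this check runs, which would leave those reads unchecked near the end of the buffer; the loop header is outside the hunk, so this needs confirming there. Separately, `>=` in this branch appears to reject a literal run that ends exactly at the end of the buffer, where `if ((size_t) (t - load) + length > reallen)` would accept it.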
@@ -501,6 +508,12 @@ static unsigned char * load_xcf_tile_rle (SDL_RWops * src, Uint32 len, int bpp,
 	  t += 2;
 	}
 
+	if (((size_t) (t - load)) >= len) {
+		break;  /* bogus data */
+	} else if (length > size) {
+		break;  /* bogus data */
+	}
+
 	count += length;
 	size -= length;
 
@@ -512,6 +525,10 @@ static unsigned char * load_xcf_tile_rle (SDL_RWops * src, Uint32 len, int bpp,
 	}
       }
     }
+
+    if (size > 0) {
+      break;  /* just drop out, untouched data initialized to zero. */
+    }
   }
 
   free (load);
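Review bot: Malformed tiles now end decoding silently. Every `break;  /* bogus data */` path and this `size > 0` exit appear to fall through to the normal `free (load)` and return, so the caller receives a partly zero-filled tile with no indication that the input was rejected. If the return contract cannot change, a comment on the function such as `/* On malformed RLE data decoding stops early; undecoded pixels stay zero and no error is reported. */` would document that, and an `SDL_SetError` call at this exit would make the condition visible when triaging crafted files. The return statement is outside this hunk.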