1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33
|
# HG changeset patch
# User Sam Lantinga <slouken@libsdl.org>
# Date 1507329619 25200
# Node ID 318484db0705d07d4d1f4c0a1d3d5ea69f6ba2b0
# Parent 7ad06019831d474380fd5a63e518d21219031519
Fixed security vulnerability in XCF image loader (thanks Yves!)
diff -r 7ad06019831d -r 318484db0705 IMG_xcf.c
--- a/IMG_xcf.c Mon Sep 18 16:10:17 2017 -0700
+++ b/IMG_xcf.c Fri Oct 06 15:40:19 2017 -0700
@@ -251,6 +251,7 @@
}
static void xcf_read_property (SDL_RWops * src, xcf_prop * prop) {
+ Uint32 len;
prop->id = SDL_ReadBE32 (src);
prop->length = SDL_ReadBE32 (src);
@@ -274,7 +275,12 @@
break;
case PROP_COMPRESSION:
case PROP_COLOR:
- SDL_RWread (src, &prop->data, prop->length, 1);
+ if (prop->length > sizeof(prop->data)) {
+ len = sizeof(prop->data);
+ } else {
+ len = prop->length;
+ }
+ SDL_RWread(src, &prop->data, len, 1);
break;
case PROP_VISIBLE:
prop->data.visible = SDL_ReadBE32 (src);
|