File: CVE-2018-3838.patch

package info (click to toggle)
libsdl2-image 2.0.0%2Bdfsg-3%2Bdeb8u1
  • links: PTS, VCS
  • area: main
  • in suites: jessie
  • size: 2,140 kB
  • sloc: sh: 10,011; ansic: 9,550; makefile: 89
file content (38 lines) | stat: -rw-r--r-- 981 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
 
# HG changeset patch
# User Ryan C. Gordon <icculus@icculus.org>
# Date 1518038334 18000
# Node ID c5f9cbb5d2bbcb2150ba0596ea56b49efeed660d
# Parent  2938fc80591abeae74b971cbdf966eff3213297e
xcf: Prevent infinite loop and/or buffer overflow on bogus data.

diff -r 2938fc80591a -r c5f9cbb5d2bb IMG_xcf.c
--- a/IMG_xcf.c	Wed Feb 07 15:43:51 2018 -0500
+++ b/IMG_xcf.c	Wed Feb 07 16:18:54 2018 -0500
@@ -483,6 +483,10 @@
   int i, size, count, j, length;
   unsigned char val;
 
+  if (len == 0) {  /* probably bogus data. */
+    return NULL;
+  }
+
   t = load = (unsigned char *) SDL_malloc (len);
   reallen = SDL_RWread (src, t, 1, len);
 
@@ -608,6 +612,16 @@
        ox, oy);
       }
 
+      if (!tile) {
+          if (hierarchy) {
+              free_xcf_hierarchy(hierarchy);
+          }
+          if (level) {
+              free_xcf_level(level);
+          }
+          return 1;
+      }
+
       p8  = tile;
       p16 = (Uint16 *) p8;
       p   = (Uint32 *) p8;