File: CVE-2017-14442.patch

package info (click to toggle)
sdl-image1.2 1.2.12-14
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid, trixie
  • size: 7,028 kB
  • sloc: sh: 10,194; ansic: 9,697; objc: 248; csh: 219; makefile: 83
file content (26 lines) | stat: -rw-r--r-- 978 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
 
From: "Ryan C. Gordon" <icculus@icculus.org>
Date: Wed, 24 Jan 2018 13:12:07 -0500
Subject: bmp: don't overflow palette buffer with bogus biClrUsed values.

Bug: https://security-tracker.debian.org/tracker/CVE-2017-14442
Origin: upstream, 2.0.3, commit:37445f6180a8, commit:https://github.com/libsdl-org/SDL_image/commit/071a19952241576f2dcc579a9956e65555776e78
---
 IMG_bmp.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/IMG_bmp.c b/IMG_bmp.c
index 60ba1a5..a77d045 100644
--- a/IMG_bmp.c
+++ b/IMG_bmp.c
@@ -687,6 +687,11 @@ LoadICOCUR_RW(SDL_RWops * src, int type, int freesrc)
         if (biClrUsed == 0) {
             biClrUsed = 1 << biBitCount;
         }
+        if (biClrUsed > SDL_arraysize(palette)) {
+            IMG_SetError("Unsupported or incorrect biClrUsed field");
+            was_error = SDL_TRUE;
+            goto done;
+        }
         for (i = 0; i < (int) biClrUsed; ++i) {
             SDL_RWread(src, &palette[i], 4, 1);
         }