From: "Ryan C. Gordon" <icculus@icculus.org>
Date: Sat, 27 Jan 2018 17:27:55 -0500
Subject: xcf: deal with bogus data in rle tile decoding.
Bug: https://security-tracker.debian.org/tracker/CVE-2017-14448
Origin: backport, 2.0.3, commit:7df1580f1695, commit:https://github.com/libsdl-org/SDL_image/commit/8b6b94de1e4d228fef91a70f7f3bc4fc26d79cb2
---
IMG_xcf.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/IMG_xcf.c b/IMG_xcf.c
index b0a4901..8a65507 100644
--- a/IMG_xcf.c
+++ b/IMG_xcf.c
@@ -476,6 +476,7 @@ static unsigned char * load_xcf_tile_rle (SDL_RWops * src, Uint32 len, int bpp,
reallen = SDL_RWread (src, t, 1, len);
data = (unsigned char *) malloc (x*y*bpp);
+ data = (unsigned char *) calloc (1, x*y*bpp);
for (i = 0; i < bpp; i++) {
d = data + i;
size = x*y;
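Review bot: As rendered here, the `malloc` line above the added `calloc` has no `-` marker and the diffstat counts 17 insertions with no deletions, so this backport appears to keep both allocations and leak the first buffer on every tile. The `malloc` line should be dropped so that only `data = (unsigned char *) calloc (1, x*y*bpp);` assigns `data`. The `calloc` result is not tested before `d = data + i` is written through, and `x*y*bpp` is multiplied without an overflow check. Passing the factors separately, e.g. `calloc ((size_t) x * y, bpp)`, followed by a NULL check, would let the allocator reject a wrapped size. The function body starts and ends outside this hunk.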
@@ -492,6 +493,12 @@ static unsigned char * load_xcf_tile_rle (SDL_RWops * src, Uint32 len, int bpp,
t += 2;
}
+ if (((size_t) (t - load) + length) >= len) {
+ break; /* bogus data */
+ } else if (length > size) {
+ break; /* bogus data */
+ }
+
count += length;
size -= length;
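Review bot: Both new bounds checks (here and in the next hunk) compare against the requested `len`, while the first hunk stores the byte count actually read in `reallen`, which no visible line consults. After a short read, the bytes between `reallen` and `len` in the load buffer would hold whatever the allocation contained, and could be decoded into pixel data; this assumes the buffer is not zeroed, since its allocation is outside the diff. Consider bounding on the real count, e.g. `if (((size_t) (t - load) + length) >= reallen)`, or bailing out early when `reallen < len`. The enclosing loop begins outside this hunk.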
@@ -507,6 +514,12 @@ static unsigned char * load_xcf_tile_rle (SDL_RWops * src, Uint32 len, int bpp,
t += 2;
}
+ if (((size_t) (t - load)) >= len) {
+ break; /* bogus data */
+ } else if (length > size) {
+ break; /* bogus data */
+ }
+
count += length;
size -= length;
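Review bot: The added check runs after `t += 2`, so the two-byte extended length consumed just above has presumably already been read through `t` before any bound is tested; the read itself is outside the hunk, and the previous hunk has the same ordering. A stream that ends on the run-length marker could therefore still be read a byte or two past `len`. A guard placed ahead of the two-byte read, such as `if ((size_t) (t - load) + 2 > len) break;`, would close that gap in both branches.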
@@ -518,6 +531,10 @@ static unsigned char * load_xcf_tile_rle (SDL_RWops * src, Uint32 len, int bpp,
}
}
}
+
+ if (size > 0) {
+ break; /* just drop out, untouched data initialized to zero. */
+ }
}
free (load);
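Review bot: Malformed data now ends decoding silently: the `break` leaves the per-channel loop and the function continues to `free (load)` and, presumably, returns the partly zero-filled tile as if it were valid. Callers outside this hunk cannot tell a truncated or corrupted tile from a genuine one, which makes malformed files hard to spot in logs or triage. At minimum the comment should say so, e.g. `/* malformed RLE stream: stop decoding; remaining data stays zero and no error is reported */`. If the loader's contract allows it, recording an error before the `break` would make rejected input visible to the application.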