From: Sam Lantinga <slouken@libsdl.org>
Date: Fri, 6 Oct 2017 15:40:19 -0700
Subject: Fixed security vulnerability in XCF image loader (thanks Yves!)
Originally hg commit 318484db0705d07d4d1f4c0a1d3d5ea69f6ba2b0.
Bug: https://security-tracker.debian.org/tracker/CVE-2017-2887
Origin: backport, 2.0.2, commit:https://github.com/libsdl-org/SDL_image/commit/e7723676825cd2b2ffef3316ec1879d7726618f2
---
IMG_xcf.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/IMG_xcf.c b/IMG_xcf.c
index 1dced65..b0a4901 100644
--- a/IMG_xcf.c
+++ b/IMG_xcf.c
@@ -251,6 +251,7 @@ static Uint32 Swap32 (Uint32 v) {
}
static void xcf_read_property (SDL_RWops * src, xcf_prop * prop) {
+ Uint32 len;
prop->id = SDL_ReadBE32 (src);
prop->length = SDL_ReadBE32 (src);
@@ -274,7 +275,12 @@ static void xcf_read_property (SDL_RWops * src, xcf_prop * prop) {
break;
case PROP_COMPRESSION:
case PROP_COLOR:
- SDL_RWread (src, &prop->data, prop->length, 1);
+ if (prop->length > sizeof(prop->data)) {
+ len = sizeof(prop->data);
+ } else {
+ len = prop->length;
+ }
+ SDL_RWread(src, &prop->data, len, 1);
break;
case PROP_VISIBLE:
prop->data.visible = SDL_ReadBE32 (src);
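Review bot: The clamp in the PROP_COMPRESSION/PROP_COLOR case bounds the write into `prop->data`, but when `prop->length` exceeds `sizeof(prop->data)` the remaining `prop->length - len` bytes stay unread, so whatever is parsed next presumably starts in the middle of this property's payload. Consider consuming the remainder after the read, `SDL_RWseek(src, prop->length - len, RW_SEEK_CUR);`, or treating an oversized length as a malformed file. The return value of `SDL_RWread` is also still ignored, so a truncated file leaves `prop->data` holding whatever it held before the call. Since `xcf_read_property` returns void, reporting either condition to the caller would need a signature change; its body starts and ends outside this hunk.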