File: CVE-2018-3977.patch

package info (click to toggle)
sdl-image1.2 1.2.12-14
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid, trixie
  • size: 7,028 kB
  • sloc: sh: 10,194; ansic: 9,697; objc: 248; csh: 219; makefile: 83
file content (25 lines) | stat: -rw-r--r-- 901 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
 
From: "Ryan C. Gordon" <icculus@icculus.org>
Date: Wed, 26 Sep 2018 14:58:31 -0400
Subject: xcf: Fix potential buffer overflow on corrupt or maliciously-crafted
 XCF file.

Bug: https://security-tracker.debian.org/tracker/CVE-2018-3977
Origin: upstream, 2.0.4, commit:170d7d32e4a8, commit:https://github.com/libsdl-org/SDL_image/commit/8373c58aa8c66e67e714e7a7caf8bd54ef162eac
---
 IMG_xcf.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/IMG_xcf.c b/IMG_xcf.c
index 064e641..93b6929 100644
--- a/IMG_xcf.c
+++ b/IMG_xcf.c
@@ -634,6 +634,9 @@ static int do_layer_surface (SDL_Surface * surface, SDL_RWops * src, xcf_header
       p16 = (Uint16 *) p8;
       p   = (Uint32 *) p8;
       for (y=ty; y < ty+oy; y++) {
+	if ((ty >= surface->h) || ((tx+ox) > surface->w)) {
+		break;
+	}
 	row = (Uint32 *)((Uint8 *)surface->pixels + y*surface->pitch + tx*4);
 	switch (hierarchy->bpp) {
 	case 4: