From: Sam Lantinga <slouken@libsdl.org>
Date: Mon, 10 Jun 2019 23:50:21 -0700
Subject: Fixed TALOS-2019-0843 - XPM image color code code execution vulnerability

By providing a sufficiently large ncolors and cpp value, the buffer
allocation size can overflow into a size too small to hold the color
code string. This causes the memcpy to cause a heap overflow, potentially
resulting in code execution.
Bug: https://security-tracker.debian.org/tracker/CVE-2019-5059
Origin: backport, 2.0.5, commit:https://github.com/libsdl-org/SDL_image/commit/52b9d17eaf7b121c92328ce5d70c22be5739b0be
---
IMG_xpm.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/IMG_xpm.c b/IMG_xpm.c
index 486992f..438b78a 100644
--- a/IMG_xpm.c
+++ b/IMG_xpm.c
@@ -359,6 +359,11 @@ static SDL_Surface *load_xpm(char **xpm, SDL_RWops *src)
goto done;
}
+ /* Check for allocation overflow */
+ if ((size_t)(ncolors * cpp)/cpp != ncolors) {
+ error = "Invalid color specification";
+ goto done;
+ }
keystrings = malloc(ncolors * cpp);
if(!keystrings) {
error = "Out of memory";
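
Review bot: In the added test `if ((size_t)(ncolors * cpp)/cpp != ncolors)` the cast to size_t is applied to the product, so the multiplication is still carried out in the operands' own type. If ncolors and cpp are signed ints (their declarations are outside this hunk), the overflow has already occurred before the cast, it is undefined behaviour, and a compiler is entitled to drop the test. The `malloc(ncolors * cpp)` call that follows repeats the same narrow multiplication. Suggest checking before multiplying, for example `if ((size_t)ncolors > SIZE_MAX / (size_t)cpp)`, and passing a size_t product to malloc. The division also relies on cpp being non-zero; if the check that ends just above the hunk guarantees that, a short comment saying so would help.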