1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
|
From: Sam Lantinga <slouken@libsdl.org>
Date: Sun, 5 Dec 2021 11:11:54 +0000
Subject: Fixed CVE-2019-7635 and bug 4498 - Heap-Buffer Overflow in Blit1to4
pertaining to SDL_blit_1.c
The root cause is that the POC BMP file declares 3 colors used and 4
bpp palette, but pixel at line 28 and column 1 (counted from 0) has
color number 3. Then when the image loaded into a surface is passed to
SDL_DisplayFormat(), in order to convert it to a video format, a used
bliting function looks up a color number 3 in a 3-element long color
bliting map. (The map obviously has the same number entries as the
surface format has colors.)
Proper fix should refuse broken BMP images that have a pixel with a
color index higher than declared number of "used" colors. Possibly more
advanced fix could try to relocate the out-of-range color index into a
vacant index (if such exists).
Bug: https://security-tracker.debian.org/tracker/CVE-2019-7635
Origin: upstream, 2.0.5, commit:03bd33e8cb49, commit:https://github.com/libsdl-org/SDL_image/commit/66d067c406bc01b516a2cae804f5d09768f73855
Co-authored-by: Petr Pisar
---
IMG_bmp.c | 32 +++++++++++++++++++++++++++++++-
1 file changed, 31 insertions(+), 1 deletion(-)
diff --git a/IMG_bmp.c b/IMG_bmp.c
index a77d045..e4a394d 100644
--- a/IMG_bmp.c
+++ b/IMG_bmp.c
@@ -292,6 +292,14 @@ static SDL_Surface *LoadBMP_RW (SDL_RWops *src, int freesrc)
ExpandBMP = biBitCount;
biBitCount = 8;
break;
+ case 2:
+ case 3:
+ case 5:
+ case 6:
+ case 7:
+ IMG_SetError("%d-bpp BMP images are not supported", biBitCount);
+ was_error = SDL_TRUE;
+ goto done;
default:
ExpandBMP = 0;
break;
@@ -444,7 +452,12 @@ static SDL_Surface *LoadBMP_RW (SDL_RWops *src, int freesrc)
goto done;
}
}
- *(bits+i) = (pixel>>shift);
+ bits[i] = (pixel >> shift);
+ if (bits[i] >= biClrUsed) {
+ IMG_SetError("A BMP image contains a pixel with a color out of the palette");
+ was_error = SDL_TRUE;
+ goto done;
+ }
pixel <<= ExpandBMP;
} }
break;
@@ -456,6 +469,15 @@ static SDL_Surface *LoadBMP_RW (SDL_RWops *src, int freesrc)
was_error = SDL_TRUE;
goto done;
}
+ if (biBitCount == 8 && palette && biClrUsed < (1 << biBitCount)) {
+ for (i = 0; i < surface->w; ++i) {
+ if (bits[i] >= biClrUsed) {
+ IMG_SetError("A BMP image contains a pixel with a color out of the palette");
+ was_error = SDL_TRUE;
+ goto done;
+ }
+ }
+ }
#if SDL_BYTEORDER == SDL_BIG_ENDIAN
/* Byte-swap the pixels if needed. Note that the 24bpp
case has already been taken care of above. */
@@ -650,6 +672,14 @@ LoadICOCUR_RW(SDL_RWops * src, int type, int freesrc)
Bmask = 0x000000FF;
ExpandBMP = 0;
break;
+ case 2:
+ case 3:
+ case 5:
+ case 6:
+ case 7:
+ SDL_SetError("%d-bpp BMP images are not supported", biBitCount);
+ was_error = SDL_TRUE;
+ goto done;
default:
IMG_SetError("ICO file with unsupported bit count");
was_error = SDL_TRUE;
|
