diff options
author | Omar Vega Ramos <ovruni@gnu.org.pe> | 2020-04-03 14:03:34 -0500 |
---|---|---|
committer | Omar Vega Ramos <ovruni@gnu.org.pe> | 2020-04-03 14:04:49 -0500 |
commit | 9fc410f3ecdc790c30599ea74cc9d74a8792115d (patch) | |
tree | 6053229bd240fa0d0612c62c84a06d59805a73ac /libre/sdl/SDL-1.2.15-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch | |
parent | 6d40c7a496a53725f05ab36599b185ac9b3780bc (diff) | |
download | abslibre-9fc410f3ecdc790c30599ea74cc9d74a8792115d.tar.gz abslibre-9fc410f3ecdc790c30599ea74cc9d74a8792115d.tar.bz2 abslibre-9fc410f3ecdc790c30599ea74cc9d74a8792115d.zip |
sdl-1.2.15-13.parabola1: rebuild
Diffstat (limited to 'libre/sdl/SDL-1.2.15-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch')
-rw-r--r-- | libre/sdl/SDL-1.2.15-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch | 56 |
1 files changed, 56 insertions, 0 deletions
diff --git a/libre/sdl/SDL-1.2.15-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch b/libre/sdl/SDL-1.2.15-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch new file mode 100644 index 000000000..34d7cc0ed --- /dev/null +++ b/libre/sdl/SDL-1.2.15-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch @@ -0,0 +1,56 @@ +From 28b1433b4bd7982524f2418420e8cc01786df5c4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com> +Date: Fri, 15 Feb 2019 16:52:27 +0100 +Subject: [PATCH] CVE-2019-7638, CVE-2019-7636: Refuse loading BMP images with + too high number of colors +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If a BMP file that defines more colors than can fit into +a palette of color depth defined in the same BMP file is loaded by +SDL_LoadBMP_RW() function, invalid number of colors is set into +resulting SDL surface. + +Then if the SDL surface is passed to SDL_DisplayFormat() function to +convert the surface format into a native video format, a buffer +overread will happen in Map1to1() or Map1toN() function +(CVE-2019-7638). (The choice of the mapping function depends on +a actual video hardware.) + +In addition SDL_GetRGB() called indirectly from SDL_DisplayFormat() +performs the same buffer overread (CVE-2019-7636). + +There is also probably a buffer overwrite when the SDL_LoadBMP_RW() +loads colors from a file. + +This patch fixes it by refusing loading such badly damaged BMP files. + +CVE-2019-7638 +https://bugzilla.libsdl.org/show_bug.cgi?id=4500 +CVE-2019-7636 +https://bugzilla.libsdl.org/show_bug.cgi?id=4499 + +Signed-off-by: Petr Písař <ppisar@redhat.com> +--- + src/video/SDL_bmp.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c +index d56cfd8..3accded 100644 +--- a/src/video/SDL_bmp.c ++++ b/src/video/SDL_bmp.c +@@ -233,6 +233,10 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc) + if ( palette ) { + if ( biClrUsed == 0 ) { + biClrUsed = 1 << biBitCount; ++ } else if ( biClrUsed > (1 << biBitCount) ) { ++ SDL_SetError("BMP file has an invalid number of colors"); ++ was_error = SDL_TRUE; ++ goto done; + } + if ( biSize == 12 ) { + for ( i = 0; i < (int)biClrUsed; ++i ) { +-- +2.20.1 + |