Diffstat (limited to 'libre/sdl/SDL-1.2.15-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch')
-rw-r--r-- | libre/sdl/SDL-1.2.15-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch | 56 |
1 files changed, 0 insertions, 56 deletions
diff --git a/libre/sdl/SDL-1.2.15-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch b/libre/sdl/SDL-1.2.15-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch
deleted file mode 100644
index 34d7cc0ed..000000000
--- a/libre/sdl/SDL-1.2.15-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From 28b1433b4bd7982524f2418420e8cc01786df5c4 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
-Date: Fri, 15 Feb 2019 16:52:27 +0100
-Subject: [PATCH] CVE-2019-7638, CVE-2019-7636: Refuse loading BMP images with
- too high number of colors
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-If a BMP file that defines more colors than can fit into
-a palette of color depth defined in the same BMP file is loaded by
-SDL_LoadBMP_RW() function, invalid number of colors is set into
-resulting SDL surface.
-
-Then if the SDL surface is passed to SDL_DisplayFormat() function to
-convert the surface format into a native video format, a buffer
-overread will happen in Map1to1() or Map1toN() function
-(CVE-2019-7638). (The choice of the mapping function depends on
-a actual video hardware.)
-
-In addition SDL_GetRGB() called indirectly from SDL_DisplayFormat()
-performs the same buffer overread (CVE-2019-7636).
-
-There is also probably a buffer overwrite when the SDL_LoadBMP_RW()
-loads colors from a file.
-
-This patch fixes it by refusing loading such badly damaged BMP files.
-
-CVE-2019-7638
-https://bugzilla.libsdl.org/show_bug.cgi?id=4500
-CVE-2019-7636
-https://bugzilla.libsdl.org/show_bug.cgi?id=4499
-
-Signed-off-by: Petr Písař <ppisar@redhat.com>
----
- src/video/SDL_bmp.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c
-index d56cfd8..3accded 100644
---- a/src/video/SDL_bmp.c
-+++ b/src/video/SDL_bmp.c
-@@ -233,6 +233,10 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc)
- if ( palette ) {
- if ( biClrUsed == 0 ) {
- biClrUsed = 1 << biBitCount;
-+ } else if ( biClrUsed > (1 << biBitCount) ) {
-+ SDL_SetError("BMP file has an invalid number of colors");
-+ was_error = SDL_TRUE;
-+ goto done;
- }
- if ( biSize == 12 ) {
- for ( i = 0; i < (int)biClrUsed; ++i ) {
---
-2.20.1
-
|