From e7723676825cd2b2ffef3316ec1879d7726618f2 Mon Sep 17 00:00:00 2001
From: Sam Lantinga
Date: Fri, 6 Oct 2017 15:40:19 -0700
Subject: [PATCH] Fixed security vulnerability in XCF image loader (thanks Yves!)
---
CHANGES.txt | 2 ++
IMG_xcf.c | 8 +++++++-
2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/CHANGES.txt b/CHANGES.txt
index 2c7eb4dd..8fecf555 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -1,4 +1,6 @@ 2.0.2: +Yves Younan - Fri, Oct 6, 2017 3:38:38 PM + * Fixed security vulnerability in XCF image loader Alexey - Tue Sep 12 00:41:53 PDT 2017 * Added optional support for loading images using Windows Imaging Component Fabian Greffrath - Tue Sep 12 00:15:56 PDT 2017
diff --git a/IMG_xcf.c b/IMG_xcf.c
index b575d1da..1ced7d67 100644
--- a/IMG_xcf.c
+++ b/IMG_xcf.c
@@ -251,6 +251,7 @@ static Uint32 Swap32 (Uint32 v) { } static void xcf_read_property (SDL_RWops * src, xcf_prop * prop) { + Uint32 len; prop->id = SDL_ReadBE32 (src); prop->length = SDL_ReadBE32 (src);
@@ -274,7 +275,12 @@ static void xcf_read_property (SDL_RWops * src, xcf_prop * prop) { break; case PROP_COMPRESSION: case PROP_COLOR: - SDL_RWread (src, &prop->data, prop->length, 1); + if (prop->length > sizeof(prop->data)) { + len = sizeof(prop->data); + } else { + len = prop->length; + } + SDL_RWread(src, &prop->data, len, 1); break; case PROP_VISIBLE: prop->data.visible = SDL_ReadBE32 (src);
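Review bot: In the `PROP_COMPRESSION`/`PROP_COLOR` case of the second IMG_xcf.c hunk, clamping `len` keeps the read inside `prop->data`, but when `prop->length` is larger the remaining `prop->length - len` bytes stay unread, so the next property header would presumably be parsed from the middle of this payload. Either skip the excess after the read, `if (prop->length > len) SDL_RWseek(src, prop->length - len, RW_SEEK_CUR);`, or treat an oversized length as a malformed file, which would need a way to report failure because `xcf_read_property` returns `void`. The result of `SDL_RWread` is still ignored as well, so a truncated file leaves `prop->data` only partly filled with no signal to the caller. The `switch` starts before and continues past this hunk, so the other `case` branches that consume `prop->length` are not visible here and should be checked for the same bound.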