Fixed security vulnerability in XCF image loader (thanks Yves!)
authorSam Lantinga <slouken@libsdl.org>
Fri, 06 Oct 2017 15:40:19 -0700
changeset 513318484db0705
parent 512 7ad06019831d
child 514 1e2ce7d6690c
Fixed security vulnerability in XCF image loader (thanks Yves!)
CHANGES.txt
IMG_xcf.c
     1.1 --- a/CHANGES.txt	Mon Sep 18 16:10:17 2017 -0700
     1.2 +++ b/CHANGES.txt	Fri Oct 06 15:40:19 2017 -0700
     1.3 @@ -1,4 +1,6 @@
     1.4  2.0.2:
     1.5 +Yves Younan - Fri, Oct  6, 2017  3:38:38 PM
     1.6 + * Fixed security vulnerability in XCF image loader
     1.7  Alexey - Tue Sep 12 00:41:53 PDT 2017
     1.8   * Added optional support for loading images using Windows Imaging Component
     1.9  Fabian Greffrath - Tue Sep 12 00:15:56 PDT 2017
     2.1 --- a/IMG_xcf.c	Mon Sep 18 16:10:17 2017 -0700
     2.2 +++ b/IMG_xcf.c	Fri Oct 06 15:40:19 2017 -0700
     2.3 @@ -251,6 +251,7 @@
     2.4  }
     2.5  
     2.6  static void xcf_read_property (SDL_RWops * src, xcf_prop * prop) {
     2.7 +  Uint32 len;
     2.8    prop->id = SDL_ReadBE32 (src);
     2.9    prop->length = SDL_ReadBE32 (src);
    2.10  
    2.11 @@ -274,7 +275,12 @@
    2.12      break;
    2.13    case PROP_COMPRESSION:
    2.14    case PROP_COLOR:
    2.15 -    SDL_RWread (src, &prop->data, prop->length, 1);
    2.16 +    if (prop->length > sizeof(prop->data)) {
    2.17 +        len = sizeof(prop->data);
    2.18 +    } else {
    2.19 +        len = prop->length;
    2.20 +    }
    2.21 +    SDL_RWread(src, &prop->data, len, 1);
    2.22      break;
    2.23    case PROP_VISIBLE:
    2.24      prop->data.visible = SDL_ReadBE32 (src);