xpm: backport security and bug fixes from main 2.0 branch: SDL-1.2
authorOzkan Sezer <sezeroz@gmail.com>
Wed, 10 Jul 2019 23:51:28 +0300
branchSDL-1.2
changeset 6798d6699dd9d74
parent 678 776aa1fbe453
child 680 a3a7cac00d5f
xpm: backport security and bug fixes from main 2.0 branch:
TALOS-2019-0843: XPM image color code code execution vulnerability
TALOS-2019-0844: XPM image colorhash parsing Code Execution Vulnerability
mainstream commits:
https://hg.libsdl.org/SDL_image/rev/95fc7da55247
https://hg.libsdl.org/SDL_image/rev/26061e601c81
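--- a/IMG_xpm.c
+++ b/IMG_xpm.c
@@ -106,7 +106,7 @@
 
 	/* we know how many entries we need, so we can allocate
 	   everything here */
-	hash = (struct color_hash *)malloc(sizeof *hash);
+	hash = (struct color_hash *)calloc(1, sizeof(*hash));
 	if(!hash)
 		return NULL;
 
@@ -115,15 +115,29 @@
 		;
 	hash->size = s;
 	hash->maxnum = maxnum;
+
 	bytes = hash->size * sizeof(struct hash_entry **);
-	hash->entries = NULL;	/* in case malloc fails */
-	hash->table = (struct hash_entry **)malloc(bytes);
+	/* Check for overflow */
+	if ((bytes / sizeof(struct hash_entry **)) != hash->size) {
+		IMG_SetError("memory allocation overflow");
+		free(hash);
+		return NULL;
+	}
+	hash->table = (struct hash_entry **)calloc(1, bytes);
 	if(!hash->table) {
 		free(hash);
 		return NULL;
 	}
-	memset(hash->table, 0, bytes);
-	hash->entries = (struct hash_entry *)malloc(maxnum * sizeof(struct hash_entry));
+
+	bytes = maxnum * sizeof(struct hash_entry);
+	/* Check for overflow */
+	if ((bytes / sizeof(struct hash_entry)) != maxnum) {
+		IMG_SetError("memory allocation overflow");
+		free(hash->table);
+		free(hash);
+		return NULL;
+	}
+	hash->entries = (struct hash_entry *)calloc(1, bytes);
 	if(!hash->entries) {
 		free(hash->table);
 		free(hash);
@@ -362,6 +376,11 @@
 		goto done;
 	}
 
+	/* Check for allocation overflow */
+	if ((size_t)(ncolors * cpp)/cpp != ncolors) {
+		error = "Invalid color specification";
+		goto done;
+	}
 	keystrings = (char *)malloc(ncolors * cpp);
 	if(!keystrings) {
 		error = "Out of memory";
@@ -429,8 +448,9 @@
 				c->g = (Uint8)(rgb >> 8);
 				c->b = (Uint8)(rgb);
 				pixel = index;
-			} else
+			} else {
 				pixel = rgb;
+			}
 			add_colorhash(colors, nextkey, cpp, pixel);
 			nextkey += cpp;
 			if(rgb == 0xffffffff)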
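Review bot: In the third hunk (@@ -362,6 +376,11 @@) the new overflow guard casts the product rather than an operand, `(size_t)(ncolors * cpp)`, so if ncolors and cpp are narrower signed integers (their unadorned use in `malloc(ncolors * cpp)` on the next line suggests `int`) the multiplication can still overflow before the cast, which is undefined behaviour and lets the compiler assume the comparison never fires. Widen before multiplying and use the same widened value for the allocation: `if (cpp <= 0 || (size_t)ncolors * (size_t)cpp / (size_t)cpp != (size_t)ncolors) {` and `keystrings = (char *)malloc((size_t)ncolors * (size_t)cpp);`. The `cpp <= 0` term also removes the division-by-zero risk if cpp is not validated before this point — the preceding checks are outside the hunk, so I cannot confirm that — and a negative ncolors would likewise pass the guard as written and needs rejecting. The `bytes / sizeof(...)` checks in the create_colorhash hunk are sound provided `bytes` and `hash->size` are unsigned; if `bytes` is declared `int` the same pre-cast overflow applies there, and `sizeof *hash->table` would name the element size more directly than `sizeof(struct hash_entry **)`.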